Access Rights for Assets [GL OG]
Administrators may need to specify the rights that groups have on assets. This is done in workflows by specifying both the group and the right with the User Group Rights tasks.
How to Assign or Remove Access Rights
The different access right types are defined as "NONE", "READ", "WRITE" or "ALL".
Access rights on assets are assigned and removed in workflows with the respective tasks:
Add User Group Rights
Remove User Group Rights
Please note that availability of groups is based on those specified under Mapped Groups.
These tasks then have to be used in appropriate workflows. A good example is a Watchfolder Ingest workflow in which the necessary standard groups are assigned the appropriate rights to the new item.
By using the "Add User Group Rights" task, one can add an already mapped group to an item, along with one of the following rights:
NONE: Group will not have access rights to the item.
READ: Group will only have read rights for the item.
WRITE: Group will have write rights for the item.
ALL: Group will have all the rights, including the ability to delete, for the item.
The group to include is selected in the Workflow Designer via the dropdown for the input value "Group".
The right to assign is selected in the same way, via the dropdown for "Rights".
Each user who is logged into a system via Authentication Service belongs to one or more AD groups. Users only have access to an asset if that asset has a group assigned of which they are a member. The rights level is determined by the access right type. Access right types are defined as "NONE", "READ", "WRITE" or "ALL". If a workflow is started within the scope of a user, access rights also apply. Normally, workflows are started by other applications, as is the case for MediaPortal. The workflow is started with global "admin" rights, which means the workflow has all rights on all items.
Context: MediaPortal via Connector
For items synchronized to MediaPortal via the Connector, access rights apply as follows:
Only AD groups are synchronized to MediaPortal. This means that the mapped groups are "resolved" to their assigned AD groups, which are what is finally synchronized.
If no mapped group is assigned to an item, the asset in MediaPortal gets permission assigned to the "DefaultGroup".
"DefaultGroup" should be available as an AD group in a connected Active Directory with corresponding users.
If mapped groups are assigned to an item:
If a mapped group has at least "READ" rights, all of its AD groups are synchronized to MediaPortal as permission groups for that item.
Only users that belong to at least one of the AD permission groups synchronized to an asset will see the asset in MediaPortal.
The AD group "DefaultGroup" is available.
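The synchronization rules above, modelled as an added example for checking which AD groups end up with visibility of an item; this is not code from the product or its API. All function names and all group names other than "DefaultGroup" are constructed, and the result for an item whose mapped groups all have "NONE" (nothing synchronized) is an assumption, since the page does not state that case.

```python
# Illustrative model of the rules described above; not the product's API.
RIGHTS_ORDER = {"NONE": 0, "READ": 1, "WRITE": 2, "ALL": 3}
DEFAULT_GROUP = "DefaultGroup"


def synced_ad_groups(item_rights, mapped_groups):
    """Return the AD permission groups MediaPortal receives for one item.

    item_rights:   {mapped group name: right} as set by Add User Group Rights
    mapped_groups: {mapped group name: set of AD group names}
    """
    for group, right in item_rights.items():
        if right not in RIGHTS_ORDER:
            raise ValueError(f"unknown right {right!r} for {group!r}")
        if group not in mapped_groups:
            raise KeyError(f"{group!r} is not a mapped group")
    if not item_rights:
        # No mapped group assigned: permission goes to DefaultGroup.
        return {DEFAULT_GROUP}
    ad_groups = set()
    for group, right in item_rights.items():
        # Only mapped groups with at least READ are resolved and synchronized.
        if RIGHTS_ORDER[right] >= RIGHTS_ORDER["READ"]:
            ad_groups |= mapped_groups[group]
    # Assumption: if every entry is NONE, nothing is synchronized.
    return ad_groups


def visible_in_mediaportal(user_ad_groups, item_rights, mapped_groups):
    """A user sees the asset if they are in at least one synced AD group."""
    return bool(set(user_ad_groups) & synced_ad_groups(item_rights, mapped_groups))


# Constructed sample data (group names are hypothetical).
MAPPED = {
    "Editors": {"AD-News-Editors", "AD-Sports-Editors"},
    "Archive": {"AD-Archive"},
    "Freelancers": {"AD-Freelance"},
}
ITEM = {"Editors": "WRITE", "Archive": "READ", "Freelancers": "NONE"}

if __name__ == "__main__":
    print(sorted(synced_ad_groups(ITEM, MAPPED)))
    print(visible_in_mediaportal({"AD-Freelance"}, ITEM, MAPPED))
    print(synced_ad_groups({}, MAPPED))
```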