The Groups workspace in the Admin Core allows admins to create and edit groups and ACLs.
Groups in MediaBeacon are organizational objects that users can be assigned to. Each group can impart specific privileges to users, such as access to certain functionalities, or access to specific assets. Conceptually, MediaBeacon groups are roughly analogous to the groups that an identity provider (IdP) defines.
MediaBeacon adds an additional layer of configuration for flexibility: the Access Control List or ACL. ACLs control a key set of users' capabilities in the system. ACLs are not inherited from Identity Management systems, being a MediaBeacon-exclusive configuration.
ACL configuration will be covered in the [Configuring ACLs] article, but organizationally, they are subordinate to groups.
Group Asset Metadata
- Name: The label used for the current group.
  - The Group name is usually not visible to users, except when sharing a Saved Search or Saved Selection.
- Hidden?: Enabling this option hides the group in the Group workspace's List View. When groups are hidden, the Search Filter will display the Hidden facet, and clicking True will show the hidden groups. This setting is often used when an IdP imports a large number of unused groups into the system.
- LDAP DN: Although labeled "LDAP", this field inherits the Distinguished Name (DN) that is supplied when importing a group from an IdP.
- Description: A text description of the group, only visible in the Admin Core.
- Login Message: This field is used to add text to the Login component shown on the login workspace. It has a number of limitations:
  - As this is a group-based property, it will only be displayed after a user logs out from a specific group.
  - A record of what group the user was in when they logged out is stored in a browser cookie.
  - If a user has never logged into MediaBeacon, or has cleared their browser cookies, this message will not be displayed.
- Users: Displays the current members of the group. Users may also be added to a group by adding their usernames here.
  - This is bidirectional with a user's group metadata. When a user is added to or removed from this field, this group will be added to or removed from the user's Group Membership field. If the user has only one group (that one group being present in both Primary Group and Group Membership), the "Default" group will be automatically added.
- Loading Dock Type: Assign the loading dock type for the group. All ACLs within this group will share this setting. See the [Loading Dock Type] section for more information.
- Loading Dock Quota: Set the maximum number of megabytes that a group user's Loading Dock can hold. All ACLs within this group will share this setting. See the [Loading Dock Type] section for more information.
- Default Language: Sets the default language the WebUI will use upon initial login. All ACLs within this group will share this setting. See the [Languages] section for more information.
- Edit Level and View Level: These settings control what metadata fields can be edited or viewed by users in a given group. The levels range from 0 (lower) to 9 (higher). All ACLs within this group will share this setting.
  - These levels carry no inherently different functions; they are relative to the corresponding settings defined for each field. If a group's Edit level is 5, all users (using that group at the time) will be able to edit fields at levels 0 through 5. The same goes for the View level: a field is visible to a user if the field's View level is at or below the group's View level.
  - Edit Levels are overridden by the [Edit Metadata] permission restriction. When set, the user cannot write metadata.
  - It is important to remember that the View and Edit levels do not grant access so much as they limit it. These settings are of limited use if the user is not first granted the ability to see a given field via the [Visible Metaforms] setting.
  - Below are some examples of caveats with these levels. The examples assume the field Edit/View levels are set higher than the user's current group's levels.
    - Fields on a metaform will be non-writable or hidden, respectively.
    - List View columns (defined by fields) will not be hidden by View level. Edit level will prevent writing to these fields.
    - Fields used in the Search Filter will be hidden.
    - A field used in the Taxonomy component is always visible and editable.
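The following is an added, illustrative model of the View/Edit level rules and caveats described above. It is not MediaBeacon's own code; the `Field`, `GroupContext`, `can_view` and `can_edit` names, the data model and the "surface" argument are assumptions made for the example.

```python
# Added example: a model of how a group's View/Edit levels, the Visible Metaforms
# setting and the Edit Metadata restriction gate a metadata field. Illustrative
# code only; names and data model are assumptions, not MediaBeacon's implementation.
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    view_level: int   # 0 (lowest) .. 9 (highest), set per field
    edit_level: int

@dataclass(frozen=True)
class GroupContext:
    view_level: int                         # the group's View Level
    edit_level: int                         # the group's Edit Level
    visible_metaforms: frozenset            # field names exposed via Visible Metaforms
    edit_metadata_restricted: bool = False  # the [Edit Metadata] permission restriction

def can_view(field: Field, ctx: GroupContext, surface: str = "metaform") -> bool:
    """surface is one of "metaform", "list_view", "search_filter", "taxonomy"."""
    if surface == "taxonomy":
        return True                     # Taxonomy fields are always visible
    if field.name not in ctx.visible_metaforms:
        return False                    # levels limit access; they do not grant it
    if surface == "list_view":
        return True                     # List View columns are not hidden by View level
    return field.view_level <= ctx.view_level   # metaform and Search Filter

def can_edit(field: Field, ctx: GroupContext, surface: str = "metaform") -> bool:
    if ctx.edit_metadata_restricted:
        return False                    # restriction overrides the Edit level entirely
    if surface == "taxonomy":
        return True                     # Taxonomy fields are always editable
    if not can_view(field, ctx, surface):
        return False                    # a hidden field cannot be written
    return field.edit_level <= ctx.edit_level

# Constructed sample data: a group at View 5 / Edit 3 and three fields.
GROUP = GroupContext(view_level=5, edit_level=3, visible_metaforms=frozenset({"Title", "Rights"}))
TITLE = Field("Title", view_level=4, edit_level=4)    # viewable, not editable
RIGHTS = Field("Rights", view_level=7, edit_level=2)  # hidden on metaforms, shown in List View
NOTES = Field("Notes", view_level=0, edit_level=0)    # not in Visible Metaforms at all
```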
- Priority: A ranking system of 1-20 (20 being the highest) to determine a user's "login destination", that is, the Group, ACL and workspace the user is automatically directed to upon login.
  - The system also ranks groups differently based upon the Default ACL setting. If this field is blank, that group will always be considered lower priority than any group that has a defined Default ACL. For example, a group with Priority 1 and a Default ACL defined will be the login destination even if that user has access to a group with Priority 20 and no Default ACL.
- Default ACL: The ACL to which the user is directed upon login by default if there is more than 1 ACL. This is contingent upon the user's group's Priority setting.
- ACLs section: This area lists the ACLs that have been defined for the current group. Click the "Add" button to add an ACL section. See the [ACL Metadata] article for information on these settings.
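The Priority and Default ACL items above describe a two-tier ranking. Here is an added example that works it through in code; it is not MediaBeacon's code, and the `Group` model, `login_destination` function and the choice of the first defined ACL when a multi-ACL group has no Default ACL are assumptions (the page does not specify that last case).

```python
# Added example: resolve a user's "login destination" from the Priority and
# Default ACL rules. Illustrative model only, not MediaBeacon's implementation.
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

@dataclass(frozen=True)
class Group:
    name: str
    priority: int                 # 1 (lowest) .. 20 (highest)
    default_acl: Optional[str]    # None when the Default ACL field is blank
    acls: Tuple[str, ...] = ()    # ACLs defined in the group's ACLs section

def login_destination(groups: Iterable[Group]) -> Optional[Tuple[str, str]]:
    """Return (group name, ACL name), or None when no group offers an ACL."""
    candidates = [g for g in groups if g.acls]
    if not candidates:
        return None   # the user would see "Warning, No ACLs available..."
    # Tier 1: any group with a Default ACL outranks every group without one.
    # Tier 2: within a tier, the higher Priority wins.
    best = max(candidates, key=lambda g: (g.default_acl is not None, g.priority))
    if best.default_acl:
        return best.name, best.default_acl
    if len(best.acls) == 1:
        return best.name, best.acls[0]   # a single ACL needs no default
    # Assumption for this example: with several ACLs and no Default ACL,
    # fall back to the first defined ACL. The page leaves this case open.
    return best.name, best.acls[0]

# Constructed sample groups for a single user.
MARKETING = Group("Marketing", 20, None, ("Marketing Basic", "Marketing Power"))
LEGAL = Group("Legal", 1, "Legal Review", ("Legal Review",))
SALES = Group("Sales", 5, "Sales Standard", ("Sales Standard", "Sales Reports"))
UNCONFIGURED = Group("Contractors", 15, None, ())   # no ACLs defined yet
```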
Managing Groups with an IdP
When using an IdP with MediaBeacon, group management will have some differences.
When a user authenticates against the IdP:
- A user account configuration asset is created if it does not already exist. The user account configuration asset will then sync the metadata the IdP supplies.
- Group configuration assets are created for all groups of which the user is a member, if they do not already exist. Those groups' configuration assets will then sync the metadata the IdP supplies.
- The metadata synced to groups is limited: "Name" is always present, "LDAP DN" may be supplied, and any users who have previously authenticated and are part of the IdP group will be listed in the "Users" field. The IdP supplies no other metadata fields or ACLs, so these will need to be added in MediaBeacon.
- Pre-existing MediaBeacon groups can be synced to an IdP after they have been created. All that is required is to match the names of the MediaBeacon groups to those of the corresponding IdP groups prior to user authentication.
- Users' membership in groups must be managed in the IdP system.
User / Group Assignment with IdP
In the default configuration, MediaBeacon cannot change the assignment of users to groups, as this is wholly managed via the IdP itself.
Using an optional configuration, MediaBeacon can be allowed to edit user membership of IdP groups.
If an ACL is not configured for a group, the user will be shown a dialog: "Warning, No ACLs available. Please contact your administrator."