Skip to main content
MediaBeacon University

Basics to Consider When Creating Groups and ACLs

Abstract

Determining the boundaries of access for users in MediaBeacon takes some thought and planning. Each business unit, department, or user group may have different functions and needs.

Groups in MediaBeacon represent a collection of users that share access to one or more ACLs. These groups are analogous to the groups defined in an Identity Management (IM) solution. Users are attached to Groups, but do not see them.

ACLs (Access Control Lists) control the abilities users have in the system, what assets they have access to, and what metadata they can see or edit. ACLs are not inherited from IM systems, being defined entirely within MediaBeacon. ACLs are a subordinate "object" to Groups:

  • Group A > ACL 1
  • Group B > ACL 2
  • Group B > ACL 3

In most cases, it's best to keep a 1:1 relationship between Groups and ACLs, but MediaBeacon does accommodate multiple ACLs per Group.

Users accounts are not attached directly to ACLs, but to groups. For example, if a user was part of Group B, above, that user would have access to ACL 2 and ACL 3. Users also have a User Level. This is usually set to "General User" or "Global Administrator".

Methodology

The below outlines some information to gather as you consider MediaBeacon Group and ACL creation.

Identity Management

If your company is using an Identity Management (IM) source with MediaBeacon's Single Sign-On functionality, groups may already be organized by your IT department, in order to be able to access certain network resources. These groups are imported to MediaBeacon automatically when users are authenticated against an IM system.

Business Units

When considering Group and ACL configuration, it is useful to identify the "business units" that a customer currently uses. These might be defined by brands, individual products, or company identities. When defined entirely within MediaBeacon, business units may also represent collections of MediaBeacon Groups.

How many MediaBeacon Groups and ACLs are needed to represent your Business Groups will often be revealed by defining Roles, User Stories, Asset Access, and Asset Life Cycle information.

Roles

As a general concept, a role is a set of tasks, responsibilities, and capabilities that a company's employees share.These requirements may differentiate similar ACLs, and translate into specific sets of Permissions within ACLs.

For example, a graphic designer may be one role, and a brand manager may be another. Often these roles are subordinate to a given business unit, and disparate business units may have similar roles within them.

User Stories

Sometimes referred to as "workflows", user stories represent a sequence of tasks (or "use cases") performed by a user role.

An example of an overview user story might be: "As a              , my responsibilities include performing on files, and then sending my new files to              ."

Often, a user will have multiple user stories, describing an array of interconnected tasks. User Stories help to define what interface elements, metadata flags, and metaforms are required in MediaBeacon Workspaces.

Asset Life Cycle

Another perspective that can inform how MediaBeacon should be configured is the expected life cycle of an asset. This includes all steps in the use of the asset, from procurement, ingestion, tagging, approval, review, collection, collaboration, production, and archiving. Asset Life Cycle helps to define what metadata fields, and folder structure are required in MediaBeacon.

Asset Access

Many organizations require segmenting assets into multiple sets with exclusive access requirements, but still require some sharing between sets when the situation allows. Defining Asset Access informs many aspects of MediaBeacon configuration, often playing a key role in differentiating Groups and ACLs themselves, as well as metadata fields, ACL root folders, and searches.

MediaBeacon Functionalities

ACLs are often differentiated by the abilities of their users. Below are some broad categories of abilities to understand about each ACL.

Metadata Viewing and Editing

Metadata is information about an asset that is attached to the asset. This metadata can assist in finding and categorizing the asset, as well as defining how it is to be used in User Stories. Because these are fundamental functions, it is important to consider who will be allowed to make changes to or view certain metadata. Metadata rights can range from simply being able to edit the data in a single metaform, to a more complex ability to edit any metadata that exists in the entire system.

Asset Manipulation

Some users may need to be able to manipulate the assets in certain ways. Some users may need to add annotations or change file names, while others may need to create or delete files. Permissions can be very granular so it is important to consider the specifics of how a given user type or group interacts with assets before assigning asset manipulation capabilities.

Download Capabilities

An ACL controls the download capabilities of the user or groups. A specific user or group may only need to download images in a Web PNG format, while a creative design group may need the ability to download the original Photoshop or Illustrator files. Some user groups may only need to view or manipulate assets within MediaBeacon without the need to download anything. These are all potential use cases that can and should be managed via ACL permissions.

Administration

Each company will need to assign at least one administrator. This is something that should only be given to a limited selection of certified users who have been trained to configure the various elements of MediaBeacon. Consider who will need to configure components and workspaces. If certain power users need to have that ability, ACL permissions will need to be set accordingly.

The admin will also have the ability to edit user accounts, groups, and ACL configurations, so make sure your admin is qualified and has been trained to complete these actions.

Enterprise File Sync and Share (M4sterPlan)

If purchased, Enterprise File Sync and Share is another element to consider. This allows users to sync assets to their desktop for projects they have been assigned to within the M4sterPlan Administration console in MediaBeacon. Decide which users will need to have files synced directly to and from their machine based on how they work. If a user will be constantly uploading and downloading specific assets numerous times a day, they may be a good candidate to use enterprise file sync and share.

  • Was this article helpful?