Active Directory and LDAP integration is enabled using a separate module available to purchase through your system provider. Please contact your local sales representative for details.
The following are the general MEDIAL security settings.
- Allow Anonymous Access – If this is set to No, all content on the library is protected by a log-on screen. Enabling anonymous (guest) access allows administrators to assign public access to categories by giving the HMLGuest account rights to it.
- Anonymous User – The anonymous user is called HMLGuest. The name is hardcoded into the system and cannot be changed.
- Enable Secure Categories – If this setting is enabled, individual categories can be secured.
- Allow Access Without Group – When enabled, a user who doesn’t have upload rights to any of the categories on the system will be able to access their personal category through the My Account section.
- Allow Local Groups and Users when AD/LDAP Used – Setting this option to Yes enables the use of local users and groups in MEDIAL when the AD/LDAP plugin is in use.
- Restrict Iframe Domains Play – You can restrict where the play page may be embedded in an iframe by changing the value:
  - ALL allows play page links to be embedded in an iframe anywhere.
  - NONE prevents links from being embedded in an iframe anywhere outside of MEDIAL. You can then select a specific domain where it can be embedded.
- Restrict Iframe Domains Other – The options for this setting are the same as for the field above, but it applies to all links other than player links in MEDIAL.
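One way to check that the two Restrict Iframe Domains settings have the effect you expect is to inspect the response headers of a page. This is an added example, not MEDIAL code: it assumes the restriction is enforced with the standard `Content-Security-Policy: frame-ancestors` or `X-Frame-Options` headers (the page does not say how MEDIAL enforces it), that NONE means only MEDIAL itself may frame the page, and that a specific domain is a bare hostname served over HTTPS; all origins are constructed.

```python
from urllib.parse import urlsplit

def source_matches(source: str, origin: str, own_origin: str) -> bool:
    """Match one frame-ancestors source expression against an embedding origin.
    Simplified: handles *, 'self', and [scheme://]host with an optional '*.' prefix."""
    src = source.lower()
    if src == "*":
        return True
    if src == "'self'":
        return origin == own_origin
    target = urlsplit(origin)
    scheme, _, host = src.rpartition("://")
    if scheme and scheme != target.scheme:
        return False
    if host.startswith("*."):
        return (target.hostname or "").endswith(host[1:])
    return host == target.netloc

def framing_allowed(headers: dict, origin: str, own_origin: str) -> bool:
    """Would a browser let `origin` frame a response carrying `headers`?"""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # 'none' or an empty list matches nothing; CSP takes precedence over XFO
            return any(source_matches(s, origin, own_origin) for s in tokens[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin == own_origin
    return True  # no framing header at all: any site may embed the page

def audit_setting(setting: str, headers: dict, own_origin: str) -> list:
    """Compare observed headers with the configured value: ALL, NONE, or a domain."""
    outsider = "https://unrelated.example.net"  # constructed probe origin
    findings = []
    if setting != "ALL" and framing_allowed(headers, outsider, own_origin):
        findings.append(f"{outsider} can frame the page despite setting {setting}")
    if setting not in ("ALL", "NONE"):
        allowed = f"https://{setting}"  # assumption: domain is served over HTTPS
        if not framing_allowed(headers, allowed, own_origin):
            findings.append(f"{allowed} is configured but cannot frame the page")
    return findings
```

An empty result from `audit_setting` means the observed headers are consistent with the configured value; a response with no framing header at all is reported for every value except ALL.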
In the Local Users section, you can add, modify, and delete MEDIAL users created locally. In the AD/LDAP Users section, you can modify and delete the users who log into the system with their directory services account. Both security sections function the same way.
The Directory Services integration module is required to use the AD/LDAP Users section functionality. For more information on how AD/LDAP integration works, see LDAP/Active Directory.
Clicking the Add New button brings up the Add User screen. Complete the form with the user’s details, supplying and confirming a password. In the list of groups, check the boxes to assign the user to at least one group. Click Save to save the user information.
A user must be a member of at least one group to be able to log in to the MEDIAL portal.
Groups are listed in the same way as users under the Groups accordion. Groups can be searched, edited, and deleted in the same way as users.
Click Edit next to a group to edit the group.
You can change the following options under Details:
- Group Name – Name of the group, which can be changed.
When you use authentication directory services, the groups need to have the same name as the Organizational Units or Security Groups within your AD/LDAP infrastructure, depending on which is being used for authentication.
- Administrator – Checking this box makes the group an administrative group. All users in the group will have full administrator rights to the library.
- Upload Limit – Sets an upload limit on each group member. Once this limit is reached, the user cannot upload more content until they delete existing content or wait until the next calendar month, depending on the personal upload limit type in the system settings.
If a user is a member of multiple groups that have upload limits, the user's absolute upload limit is the aggregate value of the member group limits.
- Local Group – Checking this box makes the group local if it is currently an AD/LDAP group, and moves it into the Local Groups area. Unchecking the box turns it back into an AD/LDAP group and moves it back into the AD/LDAP Groups area.
Changing an AD/LDAP group to a local one may prevent users who previously accessed MEDIAL via membership of this group from accessing the system.
- Live Channel Access – Checking the box to allow access to live channels provides all members of the group with the ability to create live channels. Enabling this option at the group level overrides the setting for user accounts individually if access is disabled.
- MEDIALecture – Checking the box to allow access to MEDIALecture gives all members of the group access to the MEDIALecture application. Enabling this option at the group level overrides the setting for user accounts individually if access is disabled.
The Group Access area lists the categories in the media library. You can give a group the following access to categories:
- None – Group members cannot view or upload to this category.
- View – Group members can play the media in the category but cannot upload content to the category.
- View and Upload – Group members can view and upload media to the category.
- View, Upload and Administer – Group members can view and upload media to the category. They can also delete clips in the category and edit the content of other users in the category. They may also move content to any of the other categories that they have administration privileges for.
Category administrators can manage content in their categories using the My Content area of their accounts.
The Learning Tools Interoperability (LTI) section allows MEDIAL to integrate with third-party learning tools such as Moodle and Blackboard. This section defines the information that MEDIAL uses to authenticate itself with the learning system. The same values must also be defined in the Moodle and Blackboard plugins. In the administrator settings area, you can also customize LTI global settings.
- Key and Secret – MEDIAL provides these credentials to the learning tool to access it. The same key and secret must also be entered in the Moodle or Blackboard interface.
- The Access Level drop-down indicates the type of authentication used with the learning system:
- LTI and AD/LDAP
- LTI Only
- AD/LDAP Only
- AD/LDAP and Local Account
- LTI, AD/LDAP and Local Account
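The Key and Secret are what let the receiving side trust a launch and the user fields it carries. The added example below (not MEDIAL, Moodle or Blackboard code) assumes LTI 1.1-style launches signed with OAuth 1.0a HMAC-SHA1, which the page does not state; the key, secret, URL and user values are constructed.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def _enc(value: str) -> str:
    # OAuth 1.0a percent-encoding: only unreserved characters stay literal
    return quote(value, safe="-._~")

def sign_launch(method: str, url: str, params: dict, secret: str) -> str:
    """HMAC-SHA1 signature over the method, URL and every launch parameter."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = _enc(secret) + "&"  # LTI launches have no token secret after the '&'
    digest = hmac.new(key.encode(), base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(method, url, params, secrets, now, seen_nonces, max_skew=300) -> str:
    """Receiving-side check: known key, fresh timestamp, valid signature, unused nonce."""
    key = params.get("oauth_consumer_key", "")
    if key not in secrets:
        return "unknown key"
    timestamp = params.get("oauth_timestamp", "")
    if not timestamp.isdigit() or abs(now - int(timestamp)) > max_skew:
        return "bad timestamp"
    expected = sign_launch(method, url, params, secrets[key])
    supplied = params.get("oauth_signature", "")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad signature"
    nonce = (key, params.get("oauth_nonce", ""))
    if nonce in seen_nonces:
        return "replayed nonce"
    seen_nonces.add(nonce)
    return "ok"

# Constructed sample data: key, secret, URL and user fields are all hypothetical.
SECRETS = {"medial-demo-key": "constructed-secret"}
LAUNCH_URL = "https://medial.example.edu/lti/launch"

def sample_launch(timestamp: int) -> dict:
    params = {
        "lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
        "resource_link_id": "course-42", "user_id": "u1001",
        "lis_person_name_given": "Ada", "lis_person_name_family": "Example",
        "lis_person_contact_email_primary": "ada@example.edu",
        "oauth_consumer_key": "medial-demo-key", "oauth_nonce": "n-0001",
        "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(timestamp),
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign_launch("POST", LAUNCH_URL, params, SECRETS["medial-demo-key"])
    return params
```

Because the signature covers every parameter, changing the user ID, name or e-mail address in transit invalidates the launch, and the nonce is recorded only after the signature has been accepted so that forged requests cannot consume nonces.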
MEDIAL provides different ways for learning tool users to access the media library. It supports Learning Tool Interoperability (LTI), which is supported natively in the learning environments. If you are using AD/LDAP to authenticate MEDIAL users, you can use the AD/LDAP setup alone or in combination with LTI. The following sections describe these authentication methods.
All types of authentication simply allow access to MEDIAL from within the learning tool. Once content is selected and subsequently displayed on the LMS course page, it is, in most cases, viewable by users with access to that course page. However, if AD/LDAP is used for authentication and a user not registered with directory services tries to view the content, access is denied.
Choose LTI Only if you are not using directory services authentication through AD/LDAP. In this scenario, Blackboard or Moodle users are automatically and seamlessly registered as new MEDIAL users the first time they use the learning tool. MEDIAL populates its user records from information sent by the tool, such as the first name, last name, and e-mail address. The learning system account is thereafter associated with the MEDIAL user account so that personal media uploads are available to the user on each subsequent use of the learning tool.
With LTI Only, users can upload media into and select media only from their personal category. No other categories are exposed to them when searching for content.
With AD/LDAP Only, Blackboard and Moodle users are prompted to log in using their AD or LDAP credentials when they access MEDIAL from the learning tool. MEDIAL populates its user records from information sent from AD/LDAP about the user, such as the first name, last name, and e-mail address. The learning system account is thereafter associated with the MEDIAL user account so that personal media uploads are available to the user on each subsequent use of the learning tool.
The benefit of this method is that existing MEDIAL users have access to their existing account and content. Also, it provides users access to the MEDIAL categories they would normally have access to through the portal, allowing them to upload to the categories for which they have upload rights, not just their own personal categories.
This method of authentication requires that users log in on first use of the learning tool so that their account in Blackboard or Moodle can be tied to a MEDIAL account and inherit that account's group privileges. The following figure demonstrates the log-in screen.
- If the user selects Yes, they are prompted to enter their AD or LDAP credentials. Their Blackboard or Moodle account is then associated with the matching MEDIAL account as with AD/LDAP Only.
- If the user selects No, they will be auto-registered as a new MEDIAL user as with LTI Only.
The AD/LDAP and Local Account option allows users who have either an AD/LDAP account with permissions to access MEDIAL or a local account in MEDIAL to use the plugin.
The LTI, AD/LDAP and Local Account option allows LTI accounts to be used in the plugin so that users who don’t have access to MEDIAL can register in the LMS. Those users who do have access with either an AD/LDAP or local account can also use the plugin.