Security

The security features control access to the media library and determine the level of access each user has. You create and manage user accounts in the User section and groups in the Groups section.

Active Directory and LDAP integration is enabled using a separate module available to purchase through your system provider. Please contact your local sales representative for details.

Security Settings

The following are the general MEDIAL security settings.

  • Allow Anonymous Access – If this is set to No, all content on the library is protected by a log-on screen. Enabling anonymous (guest) access allows administrators to assign public access to categories by giving the HMLGuest account rights to them.
  • Anonymous User – The anonymous user is called HMLGuest. The name is hardcoded into the system and cannot be changed.
  • Enable Secure Categories – If this setting is enabled, individual categories can be secured.
  • Allow Access Without Group – When enabled, a user who doesn’t have upload rights to any of the categories on the system will be able to access their personal category through the My Account section.
  • Allow Local Groups and Users when AD/LDAP Used – Setting this option to Yes enables the use of local users and groups in MEDIAL when the AD/LDAP plugin is in use.
  • Restrict Iframe Domains Play – You can restrict where the play page can be embedded in an iframe by changing the value:
    • ALL allows play page links to be embedded in an iframe anywhere.
    • NONE prevents links from being embedded in an iframe anywhere outside of MEDIAL. You can then select a specific domain where they can be embedded.

  • Restrict Iframe Domains Other – The options for this setting are the same as for the field above; however, it applies to all links other than player links in MEDIAL.

Users

In the Local Users section, you can add, modify, and delete MEDIAL users created locally. In the AD/LDAP Users section, you can modify and delete the users who log into the system with their directory services account. Both security sections function the same way.

The Directory Services integration module is required to use the AD/LDAP Users section functionality. For more information on how AD/LDAP integration works, see LDAP/Active Directory.

Adding Users

Clicking the Add New button brings up the Add User screen. Complete the form with the user’s details, supplying and confirming a password. In the list of groups, check the boxes to assign the user to at least one group. Click Save to save the user information.

A user must be a member of at least one group to be able to log in to the MEDIAL portal.

Merging Users

Sometimes more than one account has been created for a user in MEDIAL. For example, a user may have a local account on the system, but AD/LDAP integration was later enabled and that person now logs on with domain credentials. In this situation it is possible to merge the accounts. Locate both accounts in the Users area and check the box for each of them; the accounts can then be merged to create one account.

In this example, the user may want to log in using their domain account from now on, but has uploaded content items into their local account. These items won't be available to the user when they log in using their domain account, and it is no longer necessary to keep the local account. By selecting the two accounts to merge and clicking on 'Merge Users', the domain account would be selected as the account to keep, meaning that once the merge takes place all of the user's content from the local account is moved into their domain account and their local account is deleted.

The screenshot below shows a local account being merged with a domain account. It is also possible to merge local accounts with local accounts, and domain accounts with domain accounts.

To merge user accounts, find and select the accounts to be merged by checking the boxes next to each of them, then click on Merge Users.

Check the box for the user account which is to be kept and click on Merge.

Once the merge has been done the other account will no longer exist on the system and all of the content from it will now belong to the domain account that has been kept.

Any number of accounts can be merged. Check the boxes next to more accounts in the Local Users and/or AD/LDAP users accordions in order to merge multiple accounts.

Groups - Local and AD/LDAP

Groups are listed in the same way as users under the Groups accordion. Groups can be searched, edited, and deleted in the same way as users.

Click Edit next to a group to edit the group.

Group Details

You can change the following options under Details:

  • Group Name – Name of the group, which can be changed.

    When you use directory services for authentication, the groups need to have the same name as the Organizational Units or Security Groups within your AD/LDAP infrastructure, depending on which is being used for authentication.

  • Administrator – Checking this box makes the group an administrative group. All users in the group will have full administrator rights to the library.
  • Upload Limit – Sets an upload limit on each group member. Once this limit is reached, the user cannot upload more content until they delete existing content or wait until the next calendar month, depending on the personal upload limit type in the system settings.

    If a user is a member of multiple groups that have upload limits, the user's absolute upload limit is the aggregate value of the member group limits.

  • Local Group – Checking this box makes the group local if it is currently an AD/LDAP group, and moves it into the Local Groups area. Unchecking the box turns it back into an AD/LDAP group and moves it back into the AD/LDAP Groups area.

    Changing an AD/LDAP group to a local one may prevent users who previously accessed MEDIAL via membership of this group from accessing the system.

  • Live Channel Access – Checking the box to allow access to live channels gives all members of the group the ability to create live channels. Enabling this option at the group level overrides the setting on individual user accounts where access is disabled.
  • MEDIALecture – Checking the box to allow access to MEDIALecture gives all members of the group access to the MEDIALecture application. Enabling this option at the group level overrides the setting on individual user accounts where access is disabled.

 

Group Access

The Group Access area lists the categories in the media library. You can give a group the following access to categories:

  • None – Group members cannot view or upload to this category.
  • View – Group members can play the media in the category but cannot upload content to the category.
  • View and Upload – Group members can view and upload media to the category.
  • View, Upload and Administer – Group members can view and upload media to the category. They can also delete clips in the category and edit the content of other users in the category. They may also move content to any of the other categories that they have administration privileges for.

    Category administrators can manage content in their categories using the My Content area of their accounts.

Permissions

The Permissions area allows you to assign permissions to users and groups in bulk. This can be done to allow users and/or groups access to use MEDIALecture, use live channels, or to assign rights to categories.

To begin, select the appropriate radio button at the top of the section to set the permissions for either MEDIALecture, Live channel or Categories.

At the top of the Available and Selected areas, there is a search box and Users and Groups check boxes. These can be used to narrow down the results in each of the areas. Locate the user(s) and/or group(s) in the Available area on the left-hand side which require permissions to be assigned. Check the boxes for the necessary results and then click on the right arrow button to move them over into the Selected area.

Adding users and groups in this way for MEDIALecture and Live Channels will give those users and groups access to use them. When using the Permissions area for assigning rights to Categories, there are additional options. When the Categories radio button is selected, two drop-down boxes are displayed. The top one is to select the category for which the permissions will be granted. The one below is used for setting the level of access to the category. Either View, View and Upload or View, Upload and Administer can be selected.

Once any permissions changes have been made, click on Save at the bottom of the page to apply them.

Learning Tools Interoperability

The learning tools interoperability section allows MEDIAL to integrate with third-party learning tools such as Moodle and Blackboard. This section defines the information that MEDIAL uses to authenticate itself with the learning system. The same values must also be defined in the Moodle and Blackboard plugins. In the administrator settings area, you can also customize LTI global settings.

  • Key and Secret – MEDIAL provides these credentials to the learning tool to access it. The same key and secret must also be entered in the Moodle or Blackboard interface.
  • Access Level – The drop-down indicates the type of authentication used with the learning system:
    • None
    • LTI and AD/LDAP
    • LTI Only
    • AD/LDAP Only
    • AD/LDAP and Local Account
    • LTI, AD/LDAP and Local Account
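
Why the key and secret must be identical on both sides, shown as an added example that is not MEDIAL's own code: it assumes LTI 1.1-style launches, in which the launch POST is signed with OAuth 1.0a HMAC-SHA1 using the shared secret. The function names, URL, key, secret and field values are constructed placeholders, and the launch URL is assumed to carry no query string.

```python
import base64, hashlib, hmac, time
from urllib.parse import quote

def _enc(value):
    # RFC 5849 percent-encoding: only unreserved characters stay literal.
    return quote(str(value), safe="-._~")

def sign_launch(method, url, params, secret):
    """OAuth 1.0a HMAC-SHA1 signature over the launch form fields."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items()
                   if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = (_enc(secret) + "&").encode()  # an LTI launch has no token secret
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def verify_launch(method, url, params, secrets, seen_nonces, now=None, max_skew=300):
    """Receiving side: known key, fresh timestamp, valid signature, unused nonce."""
    now = time.time() if now is None else now
    consumer_key = params.get("oauth_consumer_key")
    secret = secrets.get(consumer_key)
    if secret is None:
        return "unknown key"
    try:
        timestamp = int(params["oauth_timestamp"])
    except (KeyError, ValueError):
        return "bad timestamp"
    if abs(now - timestamp) > max_skew:
        return "stale timestamp"
    expected = sign_launch(method, url, params, secret)
    supplied = str(params.get("oauth_signature", ""))
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "bad signature"
    nonce = (consumer_key, params.get("oauth_nonce"))
    if nonce in seen_nonces:  # same signed request presented twice
        return "replayed nonce"
    seen_nonces.add(nonce)
    return "ok"

# Constructed sample launch; URL, key, secret and field values are placeholders.
URL = "https://medial.example.edu/lti/launch"
SECRETS = {"demo-key": "demo-secret"}

def demo_launch(secret="demo-secret", timestamp=1_700_000_000):
    fields = {"lti_message_type": "basic-lti-launch-request", "lti_version": "LTI-1p0",
              "resource_link_id": "course-42", "user_id": "u1001", "roles": "Learner",
              "oauth_consumer_key": "demo-key", "oauth_nonce": "n-0001",
              "oauth_timestamp": str(timestamp), "oauth_signature_method": "HMAC-SHA1",
              "oauth_version": "1.0"}
    fields["oauth_signature"] = sign_launch("POST", URL, fields, secret)
    return fields
```

A launch signed with a different secret, or one whose fields (such as `roles`) were changed after signing, fails the signature check, which is why a mismatched key or secret between the two systems shows up as rejected launches.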

Learning Tool Authentication Types

MEDIAL provides different ways for learning tool users to access the media library. It supports Learning Tools Interoperability (LTI), which is supported natively in the learning environments. If you are using AD/LDAP to authenticate MEDIAL users, you can use the AD/LDAP setup alone or in combination with LTI. The following sections describe these authentication methods.

All types of authentication simply allow access to MEDIAL from within the learning tool. Once content is selected and subsequently displayed on the LMS Course page, it is, in most cases, viewable by users with access to that Course Page. However, if AD/LDAP is used for authentication and a user not registered with directory services tries to view the content, access is denied.