BSN.Cloud offers a robust set of security and permissions features that allow you to protect your content and maintain the efficiency of your digital-signage system—no matter how large it gets. These security features are scalable: you can choose exactly how complex you want your permissions system to be depending on the needs of your organization.
This page describes the BSN.Cloud permissions system using the scenario of a hypothetical chain of donut shops. As the company expands and more locations are added, you will be gradually introduced to the more complex, more powerful permissions features offered by BrightSign.
Here is a quick overview of what will be covered in each chapter:
...
how to use default System Roles to maintain an up-to-date digital menu board and announcement system for a chain of five hypothetical donut shops using networked BrightSign players
...
Intermediate: You will learn how to create and edit Custom Roles for a digital-signage system of 25 shops spread out over a large geographical area.
...
Permissions Overview
You can view the permissions of a user or role at any time while logged into BSN.Cloud:
...
A checkmark by a category indicates that the user or group has complete access to all options in that category, but an “X” by a category may not mean that all actions in the category are restricted. Click on the + symbol to expand a category and view the permissions for every possible action within it.
...
System Roles
This section will introduce you to common applications of various System Roles. These default roles are well suited to BSN.Cloud accounts with a small number of users who have clearly defined roles and responsibilities within the organization.
The System Roles for BSN.Cloud correspond to the user permissions system in BrightAuthor:connected.
Overview
You are the systems administrator for a small chain of five donut shops located around the city. The chain has just replaced all of their chalkboards used for menus, special offers, and announcements with digital displays powered by BrightSign players, which are linked to the company’s BSN.Cloud account. There are many employees who need to use the network in order to keep the store menus and special offers up-to-date. You are faced with several personnel and security challenges when configuring the network, all of which can be solved using the System Roles provided with every BSN.Cloud account.
...
Users who are assigned to the Viewers role can view almost all aspects of a digital-signage system: content, groups, hardware statuses, and schedules. However, they cannot affect anything on the company’s BSN.Cloud account.
Intermediate
This chapter will explain how to create and edit Custom Roles. The roles outlined here are used as examples to explain how to conceptualize and create a Custom Role. The needs of your organization may be different from the examples included in this section.
In order to create a Custom Role, you will first need to check the Show Advanced Security Settings and Enable Custom Roles Management check boxes located in the Advanced section of the Account page.
Overview
Your company now has 25 donut shops in multiple states, and the central office has many more employees. Though BSN.Cloud’s default System Roles have worked well up until this point, they are no longer able to serve a large group of users with diverse roles and responsibilities.
...
Creating Custom Roles
Since there are nearly 70 individual permissions, it is often easiest to base a Custom Role on one of the preexisting System Roles:
1. Click the Account button at the top right of the page.
2. Navigate to the Permissions tab on the right-hand side of the page.
3. Click the Create New Roles button beside the Roles List.
4. Enter a name and (optional) description for the Custom Role.
5. Check the Copy Permissions From checkbox to base the permissions of your Custom Role on a preexisting role. As long as you have the advanced settings enabled on the Account page, you will be able to change all copied permissions.
If you do not copy permissions, you will need to set up permissions manually by dragging and dropping the role name into each Operations category. When you do this, the permissions will be automatically set to “Allow.” If you don’t add the role to an Operations category, the permissions for that category remain set to “Deny” by default.
Example Custom Roles
Accountants
The accountant in charge of accounts payable needs to keep track of the invoices that are automatically generated by BSN.Cloud. He is not involved in the digital signage network in any other way.
In this case, it would be best to create a Custom Role without copying permissions from a default System Role. As stated above, all permissions are set to “Deny” by default if you choose not to copy permissions from another role. Therefore, all you need to do is create a new role and leave the Copy Permissions From box unchecked. You can then drag the new Custom Role into the Subscription category.
Presentation Creators/Live Text Creators
The responsibility for creating and editing menu boards is now split between two employees. The graphic designer is still in charge of uploading new editions of the menu boards, but the Live Text feeds used for special deals are maintained by an employee from the marketing department. The graphic designer integrates Live Text into the menus, but does not update the Live Text herself. The default Creators role no longer reflects how their responsibilities are divided.
The easiest way to deal with slight variations in System Roles is to use the Copy Permissions From feature when creating Custom Roles. In this case, you can create both a Presentation Creators and a Live Text Creators role based on the default Creators role. To create Presentation Creators, copy permissions from the Creators System Role and deny full control to Live Text Feeds. To create Live Text Creators, copy permissions from the Creators System Role and deny full control to Content, Dynamic Playlist, and Presentation.
Senior Network Managers
You need to expand the role of the Network Manager so that he can add and edit schedules in addition to maintaining the network of BrightSign players. He is not involved with the daily activity of menu revisions and updates, so you don’t want him to have control of adding or removing the presentations on a schedule.
...
Because actions like adding and editing schedules are a composite of different operations, you will also need to enable “Change Schedule” in the Group category and “Add Presentation” and “Remove Presentation” in the Presentation category. You have now expanded the permissions of your Network Manager without having to enable full control of an operations category.
Expert
This section will explain how to use object permissions in conjunction with Custom Roles to meet the organizational needs of a large digital signage network.
In order to create Custom Roles and edit object permissions, you need to have the Show Advanced Security Settings and Enable Custom Roles Management boxes checked. They are located in the Advanced section of the Account page.
Overview
...
Your company has now expanded to over 100 donut shops across the country. Menu pricing and offerings vary widely depending on region and availability: new donut recipes are introduced to certain test markets; different regions have different pricing structures; and certain stores offer regional favorites that are not offered elsewhere. Custom Roles are no longer enough to keep the network functional for the employees who use it. You need to limit or allow access according to the objects (media files, dynamic playlists, etc.) themselves.
Editing Object Permissions
The permissions for any object are accessed through the properties button, which is usually located below the name of the object.
...
Click on the Security tab in the Properties window.
...
In the Assigned Roles tab, click the Add button and select the desired role. Remember that you can only edit permissions for Custom Roles.
In the Assigned Users tab, click the Add button and select the desired user.
You can now choose whether to “Allow” or “Deny” certain actions for a specific Dynamic Playlist, Live Text feed, etc.
...
...
Using Object Permissions
Store Managers
...
The company wants to give individual store managers some leeway in deciding which deals they want to promote—after all, they have the best idea of which donuts are most popular in their neighborhood. Store managers need the ability to view various presentations and schedule them for the BrightSign players located in their store. However, assigning them a Custom Role based on Publishers does not completely solve this problem: they have access to the presentation schedules of every store in the nation, not just their own, and they might accidentally delete or modify them.
1. Create a Custom Role based on Publishers.
2. Assign all of the store managers to this role.
3. Change the role so that the actions “View Groups” and “Change Schedule” in the Group category are denied.
4. Make sure that each group of players reflects a different store location.
5. Change the object permissions of each group on the network so that each user assigned to the custom Publishers role can only view and modify the group corresponding to his or her store.
You can also assign object permissions based on individual BrightSign players. This is helpful if you already organize groups in some other way (by region, by store type, etc.).
You have now created a system of object permissions that allows store managers to schedule menus and special offers only at their own store locations. You can customize this system even more: for example, if you want certain store managers to have access to certain menus or promotions depending on region or store type, you can use the object permissions for presentations to deny or allow access as you see fit.
Prototypes
The marketing department wants to upload an announcement for a new flavor of donut in order to test how it will look on a digital display. However, the board of directors is worried that the competition will get wind of this new flavor before it is rolled out across the nation. To minimize the risk of a leak, you want to make sure that, for the moment, only the employees directly involved with testing the announcement have the ability to view, edit, or schedule the presentation.
In order for this scenario to work, most or all users need to be assigned to Custom Roles. Just like operations permissions, the object permissions for the default System Roles cannot be edited.
You can limit access to this presentation either by role or by individual user. You can also allow access to a user who is working on this project but who doesn’t normally have access to presentations.
Keep in mind that there are other factors besides object permissions that can limit access to a presentation or other object. For example, you can give a user full permissions for a Dynamic Playlist object, but that user will not be able to save content changes to that Dynamic Playlist if the role restricts the “Assign Content” action in the Content permissions category.
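The Store Managers setup and the Dynamic Playlist caveat above can be reasoned about with a small model before you change settings on a live account. This is an added example, not BrightSign code: the evaluation order (object entry first, then role, "Deny" by default), the user and object names, the "Update" operation name, and the assumption that the Publishers-based role allows "Add Presentation" are all illustrative.

```python
# Simplified model inferred from this page's scenarios; not BrightSign code.
from dataclasses import dataclass, field

ALLOW, DENY = "Allow", "Deny"

@dataclass
class Role:
    name: str
    ops: dict = field(default_factory=dict)   # (category, operation) -> Allow/Deny

@dataclass
class Obj:
    name: str
    category: str
    acl: dict = field(default_factory=dict)   # (user or role name, operation) -> Allow/Deny

def check(user, role, obj, category, operation):
    """Decision for one operation: object entry first, then role, else Deny."""
    if obj.category == category:
        for principal in (user, role.name):   # assumption: user entry beats role entry
            if (principal, operation) in obj.acl:
                return obj.acl[(principal, operation)]
    return role.ops.get((category, operation), DENY)

def can(user, role, obj, required):
    """A composite action needs every component operation to be allowed."""
    return all(check(user, role, obj, c, o) == ALLOW for c, o in required)

# Constructed sample data following the Store Managers scenario.
store_managers = Role("Store Managers", {
    ("Group", "View Groups"): DENY,
    ("Group", "Change Schedule"): DENY,
    ("Presentation", "Add Presentation"): ALLOW,
})
store_12 = Obj("Store 12", "Group", {("alice", "View Groups"): ALLOW,
                                     ("alice", "Change Schedule"): ALLOW})
store_40 = Obj("Store 40", "Group")            # no object entry for alice
SCHEDULE = [("Group", "Change Schedule"), ("Presentation", "Add Presentation")]
# Constructed data for the Dynamic Playlist caveat; "Update" is a placeholder name.
editors = Role("Playlist Editors", {("Content", "Assign Content"): DENY})
specials = Obj("Specials", "Dynamic Playlist", {("bob", "Update"): ALLOW})
SAVE_PLAYLIST = [("Dynamic Playlist", "Update"), ("Content", "Assign Content")]

def demo():
    return {
        "alice schedules own store": can("alice", store_managers, store_12, SCHEDULE),
        "alice schedules other store": can("alice", store_managers, store_40, SCHEDULE),
        "bob saves playlist": can("bob", editors, specials, SAVE_PLAYLIST),
    }
```

Calling `demo()` shows the store manager allowed only on her own group, and the playlist save denied by the role-level "Assign Content" restriction even though the object entry allows the edit.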