BSN.Cloud offers a robust set of permissions features that allow you to protect your content and maintain the efficiency of your digital-signage system, no matter how large it gets. These security features are scalable: you can choose exactly how complex you want your permissions system to be depending on the needs of your organization.

This page is an overview of the BSN.Cloud permissions system and how to use the default System Roles. By default, you will see only six predefined System Roles with fixed permissions, which you cannot edit. A separate Custom Roles page describes how to create additional roles with custom permissions.

Role or user access will be in one of the following states:

Permission Types

  • An editable permission for a specific principal, entity, or business operation.

    • For example, you created a custom Content Managers role and granted an allowing/denying permission to execute just the Content - View Content operation under the selected Media File. This permission is displayed with an enabled/disabled, active, colored toggle switch and a "remove" button.

  • An editable permission for a specific principal, entity, or parent business operation.

    • For example, you created a custom Content Managers role and granted an allowing/denying permission to execute the Content (Full Control) operation under the selected Media File. In this case, the permission to execute the Content - View Content business operation is inherited from Content (Full Control) and is displayed with an enabled/disabled, active, colored toggle switch but without the "remove" button.

Color Indicators

  • An editable permission is defined for this specific principal, parent entity.

    • For example, you created a custom Content Managers role and granted an allowing/denying permission to execute any business operation under any new content folder. In this case, the permissions to execute all business operations under all content folders and media files down the hierarchy are inherited from the parent content folder and are displayed with an enabled/disabled, active but grey toggle switch without the "remove" button.

  • An editable permission is defined for the parent principal.

    • For example, you created a custom Content Managers role and granted an allowing/denying permission to execute any business operation under any new content folder or media file. Then you assign a new user to this role and view his permissions. In this case, the permissions to execute all business operations under all content folders (except for his personal folder) and media files are inherited from his role and are displayed with an enabled/disabled, active but grey toggle switch without the "remove" button, as in the previous case.

  • A permission is defined for this or the parent Principal, this or the parent Business Operation, this or the parent Entity, and is not editable (it has the '[bool] IsFixed' flag set). These are permissions defined for System Roles, Personal Folders, Special Groups, etc. They must be displayed with an enabled/disabled but inactive, grey toggle switch without the "remove" button. I think the mouse cursor should also change to a denying icon when it is over the toggle switch.

  • A permission is defined neither for this nor for the parent Principal, neither for this nor for the parent Business Operation, and neither for this nor for the parent Entity. This is possible when you have a Role with incompletely defined permissions and a user who doesn't extend and override them. Such a state must be represented with a disabled, active, grey toggle switch without the "remove" button.

Permissions

You can view operations and object permissions while logged into BSN.Cloud. All business operations defined in bsn.Content are organized into a tree structure, where permission granted to the parent operation may be inherited or overridden on the child. To review the complete set of business operations, open BrightAuthor:connected and go to the Admin > Roles page.

...

In Image 1, you can see the difference between fixed and custom permissions. Fixed permissions are defined by the system and are updated automatically as BrightSign adds new features to bsn.Content. By default, all check boxes will be empty when you start defining operation permissions for a custom role. This means that a given custom role doesn’t have any defined permissions to execute the operation specified on the left side of the table. When you check the box, this allows all the members of a given role to execute that operation. If you expand the tree of operations and change the state of a checkbox for a child operation, that will create a new, more granular permission which overrides the parent one. For example, you can allow a role responsible for content publishing to execute the Presentation (Full Control) operation and restrict its access to delete presentations by unchecking the box for the Delete Presentations business operation.

Aspects of the system are described in more depth on these child pages:

System and Custom Roles

Each user must have a role. When you create a user, you must specify that role, but you can change the role later. All bsn.Control and bsn.Content networks have the same System Roles: there are two in bsn.Control and six in bsn.Content. These roles are maintained by us and updated during BSN.Cloud releases. Each System Role has a set of operation permissions, and the main purpose of these roles is to represent different job responsibilities within a company. If the default set of roles does not cover your needs, you can add Custom Roles, as described in Custom Roles, and then manage their permissions as shown in the image below.

You must be a bsn.Content user to view this page. It is available under the Admin tab in the Roles section.

...

Image 1 shows a table where each row represents operations that users can execute in bsn.Content. Each operation is associated with one specific entity type (for example, Content or Presentation). On the first level you can see Full Control operations, and when you expand the rows you can find the child operations linked to them. System and Custom Roles are shown in the columns. You can choose which System Roles to display, or delete Custom Roles by clicking the gear button and choosing Delete Role.

The permissions granted to System Roles are not editable. Custom Roles have no permissions by default, but you can copy permissions from any existing role and adjust them for your needs. To edit Custom Role permissions, expand the rows of this table to find the specific operation you are looking for. Each time you click on a checkbox in the main area, the system creates a new permission for the operation in the current row and the role in the current column. When the checkbox is set, members of the current role are given permission to execute that operation. When the checkbox is unchecked, the permission to execute that operation is denied. Both allowing and denying permissions are inherited by child operations from the parent operation and may be overridden. For example, you can give Presentation (Full Control) permissions to a content publishing role but ensure that they cannot delete presentations by unchecking Delete Presentations.

When reviewing the check boxes in the main area, you may notice the following statuses:

  • Active checkbox with a check means that permission has been granted for this operation

  • Active checkbox with a dash means that some permissions have been granted for child operations but not this operation

  • Grey checkbox with a check means that permission has been granted for this operation and is not editable

  • Grey checkbox with a dash means that some permissions have been granted for the child operations and are not editable

  • Grey checkbox without a check means that permission is denied for this operation and this cannot be changed

  • No check at all means that permission is denied for this operation
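The inheritance and override rules described above, and the checkbox states in this list, can be modelled in a few lines. This is an added illustration, not BSN.Cloud code or its actual resolution algorithm; the role names and the "Update Presentations" operation are constructed for the example, and fixed (grey) permissions are not modelled.

```python
# Illustrative model of the operation-tree rules described above; not BSN.Cloud code.
# Operation names come from the page except "Update Presentations" (hypothetical).
PARENT = {
    "Presentation (Full Control)": None,
    "Delete Presentations": "Presentation (Full Control)",
    "Update Presentations": "Presentation (Full Control)",  # hypothetical child
    "Content (Full Control)": None,
    "Content - View Content": "Content (Full Control)",
}

def effective(explicit, op):
    """Nearest explicit allow/deny on the path op -> root wins; undefined means denied."""
    while op is not None:
        if op in explicit:
            return explicit[op]
        op = PARENT[op]
    return False

def descendants(op):
    """All operations below op in the tree."""
    kids = [c for c, p in PARENT.items() if p == op]
    return kids + [d for k in kids for d in descendants(k)]

def checkbox(explicit, op):
    """Checkbox state as the list above describes it: check, dash, or empty."""
    if effective(explicit, op):
        return "check"
    if any(effective(explicit, d) for d in descendants(op)):
        return "dash"
    return "empty"

def roles_allowed(roles, op):
    """Audit helper: which roles can effectively execute op?"""
    return sorted(name for name, explicit in roles.items() if effective(explicit, op))

# Constructed custom roles: explicit permissions only (True = checked, False = unchecked).
ROLES = {
    "Content Publishers": {"Presentation (Full Control)": True,
                           "Delete Presentations": False},
    "Content Reviewers": {"Content - View Content": True},
    "Cleanup Crew": {"Delete Presentations": True},
}

if __name__ == "__main__":
    for role, explicit in ROLES.items():
        for op in PARENT:
            print(f"{role:20} {op:30} {checkbox(explicit, op)}")
    print("Can delete presentations:", roles_allowed(ROLES, "Delete Presentations"))
```

Listing the roles that can effectively run a destructive operation, as `roles_allowed` does here, is a quick review step after copying permissions from an existing role.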

Note

Unfortunately, Player Activation, Setup Package, and Provisioning cannot be controlled by user permissions. This means that any user, regardless of their role, will be able to see all setup packages, create and manage provisions, and register players. If this is not appropriate for your needs, consider creating separate networks for users who should not share this functionality.

Operation and Object Permissions

Operation permissions affect all entities of a given type, but have lower priority than object permissions. They are useful for defining a baseline security policy which then can be adjusted by more granular object permissions.

Object permissions are accessible in the object Properties (under Security). For example, you can select the Network, Content, or Presentations tab, choose a player, content, or presentation, and view or change the permissions as shown in Image 2. For

...

To get more information about object permission management, see the Object Permissions page.

...

System Roles

These default roles have clearly defined roles and responsibilities and are provided with every BSN.Cloud account. You can hide specific or all system roles by clicking on the gear icon at the top right and selecting them under the Show System Roles menu item.

These are the default System Roles:

Administrators

Systems administrators are responsible for keeping things running and should have sole permissions to add or delete users. If other users have this permission, they might accidentally delete a user, add a user who is not a member of the company, or change the permissions settings for a user or role. Administrators have access to all BSN.Cloud features. This is the only role that allows you to edit the account status of other users: as a member of Administrators, you can add new users, delete existing users, assign users to different roles, and create and edit Custom Roles.

The first user of a BSN.Cloud account will automatically be assigned to the Administrators role. If you are not the first user on your account, you will need to have that user assign you to the Administrators role.

Creators

...

General Managers

...

The only permissions they don’t have are the user and account features that are unique to Administrators. 

Network Managers

...

Someone assigned to this role might maintain BrightSign players, buy and set up additional players, and periodically clear the network of old presentations and drafts.

Publishers

Publishers can schedule when and where BrightSign presentations will be played and upload content. They do not have access to content that is uploaded to the company’s BSN.Cloud account.

For example, this role could be assigned to a member of the marketing department, who determines when sales will be announced, as well as what day of the week certain specials will be offered.

Viewers

Viewers can view almost all aspects of a digital-signage system: content, groups, hardware statuses, logs, and schedules. However, they cannot affect anything on the company’s BSN.Cloud account.

Assigning System Roles

  1. Go to Admin > Roles in BrightAuthor:connected (you must be signed in to BSN.Cloud).

  2. Select the column at the top of the listing and select/deselect the type of permissions to add or delete.

...