Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

BSN.Cloud offers a robust set of permissions features that allow you to protect your content and maintain the efficiency of your digital signage system—no matter how large it gets. These security features are scalable: you can choose exactly how complex you want your permissions system to be depending on the needs of your organization.

This page describes is an overview of the BSN.Cloud permissions system and how to use the six predefined System Roles, which have fixed permissions that you cannot edit. A separate Custom Roles page describes how to create additional roles with custom permissions.

Object and Operations Permissions

You can view operations and object permissions while logged into BSN.Cloud.

bsn.Content operations are organized in a tree structure that lets parent permissions be either inherited or overridden on child operations in the BrightAuthor:connected Admin > Roles page:

...

Image 1 shows both System and Custom Roles and the permissions granted to them. . Aspects of the system are described in more depth on these child pages:

System and Custom Roles

Each user must have a role. When you create a user, you must specify that role but you can change the role later. All bsn.Control and bsn.Content networks have the same System Roles: there are two in bsn.Control and six in bsn.Content. These roles are maintained by us and updated during BSN.Cloud releases. Each System Role has a set of operations permissions and their main purpose is to represent different job responsibilities within a company. If the default set of roles does not cover your needs, you can add Custom Roles, as described in Custom Roles and then manage their permissions as shown in the image below.

You must be a bsn.Content user to view this page. It is available in under the Admin tab in the Roles section.

...

Image 1 shows a table where each row represents operations that users can execute in bsn.Content. Each operation is associated with one specific entity type (for example, Content or Presentation), on the first level you can see Full Control operations and when expanding the rows, you can find the child operations linked to them. System and Custom Roles are shown in the columns. You can choose which System Roles to display, or delete Custom Roles by clicking the gear button and choosing Delete Role.

The permissions granted to System Roles are not editable and are updated automatically as BrightSign adds new features to bsn.Content. Custom Roles (see Custom Roles for details) have no permissions by default, but you can grant full control under some operations by entity or you can expand the roles in the table to grant more granular permissionscopy permissions from any existing role and adjust them for your needs. In order to edit Custom Role permissions, you can expand the rows of this table to find the specific operation you are looking for. Each time you click on a checkbox in the main area, a system creates a new permission for an operation in that current row and a role in that current column. When the checkbox is set, members of the current role are given permission to execute that operation. When the checkbox is unchecked, the permission to execute that operation is denied. Both allowing and denying permissions are inherited by child from the parent operation and may be overridden. For example, you can give Presentation (Full Control) permissions to a content publishing role but ensure that they cannot delete presentations by unchecking Delete Presentations.

When reviewing the check boxes in the main area, you may notice the following statuses:

  • Active checkbox with a check means that permission has been granted for this operation

  • Active checkbox with a dash means that some permissions have been granted for child operations but not this operation

  • Grey checkbox with a check means that permission have been granted for this operation and are not editable

  • Grey checkbox with a dash means that some permissions have been granted for the child operations and are not editable

  • Grey checkbox without a check means that permission is denied for this operation and this cannot be changed

  • No check at all means that permission is denied for this operation

Note

Unfortunately Player Activation, Setup Package, and Provisioning cannot be controlled by user permissions. This means that any user, regardless of their role, will be able to see all setup packages, create and manage provisions, and register players. If this is not appropriate for your needs, consider creating separate networks for users who should not share this functionality.

Operation and Object Permissions

Operation permissions affect all entities of a given type, but have lower priority than object permissions. They are useful for defining a baseline security policy which then can be adjusted by more granular object permissions.

Object permissions are accessible in the object Properties (under Security). For example, you can select the Network, Content, or Presentations tab, chose a player, content, or presentation, and view or change the permissions as shown in Image 2. For

...

To get more information about creating object permissions, see the Object Permissions page.

...

Object Permissions

Object permissions can be granted to users and roles to allow or deny execution of certain business operations and the specific instances of a given entity type. They are typically used for overriding operation permissions which describe a general security policy. You can manage object permissions for the entities of content, dynamic and tagged playlist, live text and media feed, presentation, group and player types. In order to do that, see Object Permissions.

Role and User Access States

Permissions granted to users on the object level have the highest priority but the narrowest scope. Permissions granted to roles on the object level have second priority and may be overridden by user permissions. Permissions granted to roles on the operation (Admin-Roles page) level have the lowest priority but the widest scope.

Role and user access can be in one of the following states:

  • An editable permission for a specific principal, entity, or operation has an enabled/disabled active toggle switch and a "remove" button.

    • For example, a custom Content Managers role with permission to execute just the Content - View Content operation under the selected Media File

  • An editable permission for a specific principal, entity, or parent operation has an enabled/disabled active toggle switch but without the "remove" button.

    • For example, a custom Content Managers role with permission to execute the Content (Full Control) operation under the selected Media File. In this case, permission to execute Content - View Content is inherited from Content (Full Control).

...

An editable permission is defined for a specific principal, parent entity. These permissions are displayed with enabled/disabled active. The toggle switch is grey and does not have a "remove" button.

  • For example, a custom Content Managers role has permission to execute any operation under any new content folder. These permissions are inherited from the parent content folder.

...

An editable permission is defined for a parent principal. It is displayed with enabled/disabled active and the toggle switch is grey and does not have a "remove" button.

  • For example, a custom Content Managers role has permission to execute any operation under any new content folder or media file. If you assign a new user to this role, permissions to execute all operations under all content folders (except their personal folder) and media files are inherited from their role.

...

If permissions are defined for a parent principal, operation, or parent entity and are not editable, they will be displayed with enabled/disabled but inactive and a grey toggle switch without the "remove" button.

  • These are permissions defined for System Roles, Personal Folders, Special Groups, etc.

If permissions are not defined for a parent principal, operation, or parent entity, the toggle switch is disabled and grey. There is no "remove" button.

...

object permission management, see Object Permissions.