BSN Roles and Permissions Guide

Owned by BrightSign TechDocs
Last updated: Aug 12, 2024Version comment
11 min read

The BrightSign Network offers a robust set of security and permissions features that allow you to protect your content and maintain the efficiency of your digital-signage system—no matter how large it gets. These security features are scalable: you can choose exactly how complex you want your permissions system to be depending on the needs of your organization.

This page will walk you through the BrightSign Network permissions system using the scenario of a hypothetical chain of donut shops. As the company expands and more locations are added, you will be gradually introduced to the more complex, more powerful permissions features offered by BrightSign.

Here is a quick overview of what will be covered in each chapter: 

  • Beginner: You will learn how to use default System Roles to maintain an up-to-date digital menu board and announcement system for a chain of five donut shops using networked BrightSign players.

  • Intermediate: You will learn how to create and edit Custom Roles for a digital-signage system of 25 shops spread out over a large geographical area.

  • Advanced: You will learn how to create and edit Object Permissions in conjunction with Custom Roles for a national chain of 100 shops with diverse content and pricing needs.

Permissions Overview

You can view the permissions of a user or role at any time while logged into the BrightSign Network:

  1. Click the Account button at the top right of the page.

  2. Navigate to the Users and Roles tab on the right of the page.

  3. Click on the properties underneath either the desired role or desired user.

The Permissions tab displays whether the user or group is permitted to carry out a certain action. Every possible user action in the BrightSign Network is listed here, divided by category.

A checkmark by a category indicates that the user or group has complete access to all options in that category, but an “X” by a category may not mean that all actions in the category are restricted. Click on the symbol to expand a category and view the permissions for every possible action within it.

Beginner

This section will introduce you to common applications of various System Roles. These default roles are great for BrightSign Network accounts with a small amount of users who have clearly defined roles and responsibilities within the organization.

The System Roles for the BrightSign Network correspond to the user permissions system in BrightAuthor.

Overview

You are the systems administrator for a small chain of five donut shops located around the city. The chain has just replaced all of their chalkboards used for menus, special offers, and announcements with digital displays powered by BrightSign players, which are linked to the company’s BrightSign Network account. There are many employees who need to use the network in order to keep the store menus and special offers up-to-date. You are faced with several personnel and security challenges when configuring the network, all of which can be solved using the System Roles provided with every BrightSign Network account.

Assigning Roles

  1. Click the Account button at the top right of the page.

  2. Navigate to the Users and Roles tab on the right-hand side of the page.

  3. Click the role to which you wish to add the user.

  4. Drag and drop a User Card from the User List into the gray field under Assigned Users.

A user can only have a single role at any time. 

Using System Roles

Administrators

In order to keep everything running smoothly, you want to make sure that, as the systems administrator for the account, you are the only one who can add or delete users. If other users have full permissions, they might accidentally delete a user, add a user who is not a member of the company, or change the permissions settings for a user or role.

Being assigned to the Administrators role gives you access to all the features offered on the BrightSign Network. This is the only role that allows you to edit the account status of other users: as a member of Administrators, you can add new users, delete existing users, and assign users to different roles; furthermore, you can create and edit Custom Roles, a feature that will be explained in the Intermediate section of this document.

The first user of a BrightSign Network account will automatically be assigned to the Administrators role. If you are not the first user on your account, you will need to have the user who is assign you to the Administrators role.

Creators

The company employs a graphic designer to create the digital menus for the stores. She is also frequently updating the content and layout of the menus, so she will be logging into the company’s BrightSign Network account often. She doesn’t know which menu will be displayed where, nor is she in charge of deciding how the devices and groups should be organized. You don’t want her to accidentally delete a group or reassign a device while she is uploading content. 

The Creators role will give the graphic designer complete control of content, including presentations, dynamic playlists, and Live Text feeds. She will not have the ability to view or change schedules, groups, or devices. This role is best suited for those tasked solely with creating content for BrightSign players.

General Managers

The co-owners of the company want to log in to the network whenever they wish to check that pricing and product information is correct. They also want the ability to change, reassign, or reschedule presentations at any location.

Assigning the co-owners to the General Managers role gives them full control of content creation and distribution. The only permissions they won’t have are the user and account features that are unique to Administrators

Network Managers

Another systems administrator is assigned to maintaining all of the BrightSign players, as well as purchasing and setting up additional players when a new store location is opened. He is also tasked with periodically clearing the network of old presentations and drafts.

The Network Managers role gives him control of the company’s digital-signage infrastructure: a user assigned to this role can add, remove, maintain, and group together networked BrightSign players. In addition, he can view and delete (but not add or edit) certain kinds of content such as Dynamic Playlists, Live Text feeds, and presentations. 

Publishers

Members of the marketing department determine when promotions and deals will be announced, as well as what day of the week certain specials will be offered.

Being assigned to the Publishers role, the marketing department can schedule when and where BrightSign presentations will be played. They also have the ability to upload content. Otherwise, they do not have access to content that is uploaded to the company’s BrightSign Network account.

Viewers

There are other members of the company who are not directly involved with the digital signage system, but who may need to view presentations, schedules, playlists, or logs as part of their job.

Users who are assigned to the Viewers role can view almost all aspects of a digital-signage system: content, groups, hardware statuses, and schedules. However, they cannot affect anything on the company’s BrightSign Network account.

Intermediate

This chapter will explain how to create and edit Custom Roles. The roles outlined here are used as examples to explain how to conceptualize and create a Custom Role. The needs of your organization may be different from the examples included in this section.

Overview

Your company now has 25 donut shops in multiple states, and the central office has many more employees. Though the BrightSign Network’s default System Roles have worked well up until this point, they are no longer able to serve a large group of users with diverse roles and responsibilities.

Creating Custom Roles

Since there are nearly 70 individual permissions, it is often easiest to base a Custom Role on one of the preexisting System Roles:

  1. Click the Account button at the top right of the page.

  2. Navigate to the Permissions tab on the right-hand side of the page.

  3. Click the Create New Roles button beside the Roles List.

  4. Enter a name and (optional) description for the Custom Role.

  5. Check the Copy Permissions From checkbox to base the permissions of your Custom Role on a preexisting role. As long as you have the advanced settings enabled on the Account page, you will be able to change all copied permissions.

Example Custom Roles

Accountants

The accountant in charge of accounts payable needs to keep track of the invoices that are automatically generated by the BrightSign Network. He is not involved in the digital signage network in any other way.

In this case, it would be best to create a Custom Role without copying permissions from a default System Role. As stated above, all permissions are set to “Deny” by default if you choose not to copy permissions from another role. Therefore, all you need to do is create a new role and leave the Copy Permissions From box unchecked. You can then drag the new Custom Role into the Subscription category.

Presentation Creators/Live Text Creators

The responsibility for creating and editing menu boards is now split between two employees. The graphic designer is still in charge of uploading new editions of the menu boards, but the Live Text feeds used for special deals are maintained by an employee from the marketing department. The graphic designer integrates Live Text into the menus, but does not update the Live Text herself. The default Creators role no longer reflects how their responsibilities are divided.

The easiest way to deal with slight variations in System Roles is to use the Copy Permissions From feature when creating Custom Roles. In this case, you can create both a Presentation Creators and a Live Text Creators role based on the default Creators role.  To create Presentation Creators, copy permissions from the Creators System Role and deny full control to Live Text Feeds. To create Live Text Creators, copy permissions from the Creators System Role and deny full control to Content, Dynamic Playlist, and Presentation.

Senior Network Managers

You need to expand the role of the Network Manager so that he can add and edit schedules in addition to maintaining the network of BrightSign players. He is not involved with the daily activity of menu revisions and updates, so you don’t want him to have control of adding or removing the presentations on a schedule.

You will need to modify the default permissions of the Network Manager in a more minute way than allowing or denying “full control” of a category. On the permissions page, click the arrow symbols next to the operations categories to expand the list of permissions. These expanded menus enable you to allow or deny specific actions within an operations category. Enable “Add Presentation” and “Remove Presentation” in the Schedule category. Since BrightAuthor automatically creates a new schedule upon adding an existing one, you will also need to enable “Create Schedule” in the Schedule category.

Because actions like adding and editing schedules are a composite of different operations, you will also need to enable “Change Schedule” in the Group category and “Add Presentation” and “Remove Presentation” in the Presentation category. You have now expanded the permissions of your Network Manager without having to enable full control of an operations category.

Expert

This section will explain how to use object permissions in conjunction with Custom Roles to meet the organizational needs of a large digital signage network. 

Overview

Your company has now expanded to over 100 donut shops across the country. Menu pricing and offerings vary widely depending on region and availability: new donut recipes are introduced to certain test markets; different regions have different pricing structures; and certain stores offer regional favorites that are not offered elsewhere. Custom Roles are no longer enough to keep the network functional for the employees who use it. You need to limit or allow access according to the objects (media files, dynamic playlists, etc.) themselves.

Editing Object Permissions

The permissions for any object are accessed through the properties button, which is usually located below the name of the object.

  1. Click on the Security tab in the Properties window.

  2. Assign permissions for the object by role or by individual user.

    1. In the Assigned Roles tab, click the Add button and select the desired role. Remember that you can only edit permissions for Custom Roles.

    2. In the Assigned Users tab, click the Add button and select the desired user.

    3. You can now choose whether to “Allow” or “Deny” certain actions for a specific Dynamic Playlist, Live Text feed, etc.

Using Object Permissions

Store Managers

The company wants to give individual store managers some leeway in deciding which deals they want to promote—after all, they have the best idea what donuts are most popular in their neighborhood. Store managers need the ability to view various presentations and schedule them for the BrightSign players located in their store. However, assigning them a Custom Role based on Publishers does not completely solve this problem: they have access to the presentation schedules of every store in the nation, not just their own, and they might accidentally delete or modify them.

  1. Create a Custom Role based on Publishers.

  2. Assign all of the store managers to this role.

  3. Change the role so that the actions “View Groups” and “Change Schedule” in the Group category are denied.

  4. Make sure that each group of players reflects a different store location.

  5. Change the object permissions of each group on the network so that each user assigned to the custom Publishers role can only view and modify the group corresponding to his or her store.

You have now created a system of object permissions that allows store managers to schedule menus and special offers only at their own store locations. You can customize this system even more: for example, if you want certain store managers to have access to certain menus or promotions depending on region or store type, you can use the object permissions for presentations to deny or allow access as you see fit.

Prototypes

The marketing department wants to upload an announcement for a new flavor of donut in order to test how it will look on a digital display. However, the board of directors is worried that the competition will get wind of this new flavor before it is rolled out across the nation. To minimize the risk of a leak, you want to make sure that, for the moment, only the employees directly involved with testing the announcement have the ability to view, edit, or schedule the presentation.

You can limit access to this presentation either by role or by individual user. You can also allow access to a user who is working on this project but who doesn’t normally have access to presentations.

Keep in mind that there are other factors beside object permissions that can limit access to a presentation or other object. For example, you can give a user full permissions for a Dynamic Playlist object, but that user will not be able to save content changes to that Dynamic Playlist if the role restricts the “Assign Content” action in the Content permissions category.