Starting in version 4.6, security in Ensemble video is available at every level. Content can be secured and controlled individually, or rules can be set and enforced from libraries, organizations, and institutions. Additionally, new access control options are now available, including restricting content to specific users.
Security is divided into two sections: Library Options and Content Security Settings. The Library Options section allows administrators to limit access to functions like publishing and downloading videos. The Content Security Settings section allows administrators and end-users to set playback restrictions that prevent content from reaching undesired environments and viewers.
- Library Options
- Content Security Settings
End-User Options control the features available to users in the Ensemble web application.
- Delete: controls the Delete button in the Media Library and the Manage Content screen
- Download: controls the Download button in the Media Library and the Manage Content screen, and also for publishing points like permalinks and embed codes
- Edit Security: determines if users can set security restrictions for their content
- Publish: controls the ability to publish content, as well as other functions that rely on publishing.
When publishing is disabled, embed codes, permalinks, and social sharing cannot be used.
- Embed Code: controls the Embed option for content and playlists
- Permalink: controls the Permalink option for content and playlists
When the Permalink option is disabled, Social Sharing cannot be used
- Social Sharing: controls direct sharing to social media publishing points
Org. Admin Options control whether Organization Administrators can set security rules and edit Library Options inside their organization(s).
System Administrators can visit Administration > System > Security to edit the default security settings for new institutions.
In the screenshot above, Download, Embed Code, Social Sharing, and Edit Library Options have been disabled by a system administration. If a new institution is created in this system, these are the settings that will be used by default. Settings for the institution can later be enabled or disabled by an institution administrator or system administrator.
Institution Administrators and System Administrators can manage security rules at the institution level. Visit Administration > Institution > Security to start.
In the image above, all options have been left at the normal Enabled state.
Toggle the state for an option to disable it:
With the Download option disabled but not enforced, new organizations inside this institution will start with the Download option disabled by default.
To push this change to current organizations, and to lock the option from being changed at a lower level, select Enforce:
Some Library Options are dependent on others. Disabling the Publish option will also disable Embed Code, Permalink, and Social Sharing:
Disabling the Permalink option will also disable Social Sharing, but the other publishing options are unaffected:
In the same manner, Social Sharing can be disabled without affecting the Permalink option:
To prevent Organization Administrators from changing security settings, disable and enforce Edit Access Control and Edit Library Options:
Organization security works just like Institution Security (above), except that some settings might be locked and enforced by settings from the institution.
Visit Administration > Organization > Security to start.
In the example above, no library options have been changed for the organization, and no settings have been enforced from the institution.
In the example below, no library options have been changed for the organization, but Social Sharing was disabled and enforced at the Institution’s Library Options setting. The option is marked as locked, which means it cannot be changed at this level.
Options for organizations can be changed in bulk. To do so, activate the Organization field, then select multiple institutions, or select All Organizations:
When multiple (or all) organizations are selected, an additional checkbox is utilized in the State column. Only options with this checkbox enabled will be overwritten. In the example below, the Delete and Download options have their state checkbox selected; those options will be overwritten for the selected Organizations. The other options will not overwrite the Organizations’ existing settings.
The Library Options table controls the functions available to users of a single library:
In the example above, all options are enabled, except for Social Sharing, which was disabled and locked by an administrator.
To change options for multiple libraries, select the desired libraries or All Libraries in the Library field. Then, activate the checkbox in the State column for each option that will be changed. For any option that does not have the State checkbox activated, the existing settings for each library will be maintained.
Click Save to finalize the changes, or cancel to discard changes.
Org. Admin Options are not available at the library level. That control should be set at the Organization or Institution.
Content Security Options
In addition to controlling what feature are available to Ensemble users, playback security can also be set at any level. Options include:
- Restrict with a Login Form
- Restrict to a Domain/IP Address
- Restrict to a Web Address
- Restrict to Specified User(s)
- Restrict with a Password
Security restrictions can be set for an entire system, an institution, organization, library, or for a playlist or a single streaming file.
- The security tab for a single streaming file is found in the Publish step of the Add/Edit Wizard.
- Security for a single playlist is set in Playlist Access Control for that playlist.
- Security for all other levels is found in the administration tab. Example: security for a library is found under Administration > Library > Security.
By default, no security restrictions are configured. Security can be added to the player for video or audio content (content security), and/or for playlists.
To add a playback restriction, visit the content or administration level where you want to set a restriction. In this example, we will restrict playback to a specific web address for an entire institution. First, browse to Administration > Institution > Security.
Click Add, then select the desired restriction.
When prompted, enter a Web Address, then Save.
Entering www.ensemblevideo.com would prevent content from being embedded on an external website, and prevent playback inside an external LMS. Only permalinks and embed codes from the specified web address will be allowed to play.
Once entered, the restriction will be displayed. The restriction can be disabled, edited or deleted:
Playlist Options can be enforced by administrators. Toggle the Allow Download state to disable the download option for playlists in this institution, and select Enforce to lock that setting at lower security levels:
Next, visit an organization in this institution to see the changes. Visit Administration > Organization > Security and edit security for an organization inside of the institution we just adjusted:
The Restrict to a Web Address rule that we set is enabled, and can’t be edited or deleted from here since the restriction was set at a higher level. The Allow Download option is disabled and locked, since the option was enforced.
Restrictions can be set at multiple levels. If this organization’s security requires a login form, that restriction can stack with the Web Address requirement from the institution. When both options are enabled, viewers would be required to play content on the specified web address, and log in to their account to view content in this organization:
Adding Multiple Security Settings
You can set multiple restriction rules to secure your content, and restrictions can be set at multiple levels. This gives you great flexibility for protecting your content.
For example, if an organization’s security requires a login, that can be stack with a Web DNS restriction at the Institution level.
With restrictions set at Institution, Organization or Library levels, viewers must satisfy at least one of the restrictions for a given Type (e.g., IP Address Range or Login with LDAP group) and also satisfy ALL types Types within a level. In this example, an Organization Administrator has set an IP address range restriction and two Login restriction. Viewers must be using a device that is on the specified IP address range AND must login and be in one of the two LDAP groups specified.
Viewers must satisfy security restrictions set at a higher level, and those settings cannot be un-done by content owner (Contributor). Also, Organization Administrators cannot undo restrictions set at the Institution level. When adding restrictions at the Media Item or Playlist level, you have the option of using OR across different types of restrictions. In this example, the content MUST be embedded on blackboard.company.com and viewers need to be on a specific IP address range OR they must be logged in.