Securing Mediasite

This chapter describes how to secure resources on Mediasite, including presentations and Management Portal features and operations. You will learn how to manage users and groups in Mediasite Directory, add roles from a directory connected to Mediasite, use built-in roles, and assign permissions to resources on Mediasite using Management Portal.

You will also learn how to set up Mediasite trust relationships, which will allow users on your Mediasite to move content to another Mediasite.

Security for resources on Mediasite

Resources on Mediasite are secured using Windows forms authentication and one or more directories connected to Mediasite. Permissions are assigned to roles and user profiles. Roles are database objects that map to groups and users in directories connected to Mediasite. User profiles are mapped to each user in the Mediasite system and are associated with email addresses and system preferences.

Before others can use resources on Mediasite, you must give them access by assigning permissions. If you are using Mediasite Directory, you must add roles, users, and groups before you can assign permissions. You will then assign permissions to resources on a role-by-role basis to give groups and users varying levels of access to the web applications and presentations. In the case of user profiles, you can assign permissions to an email address and a user profile is created using that address. You can also import validated user profiles from directories connected to Mediasite. You will then assign permissions to the user profiles.

Users must log in to use the web applications and to play, record, or edit presentations on Mediasite, and the system authenticates them using credentials stored in the directory. Users are then granted access to resources based on the permissions assigned to their corresponding roles and user profiles.

Considerations when securing your Mediasite system

Before you begin securing Mediasite, consider the following:

      Mediasite security should be managed by someone with a solid background in role-based security and how it is implemented in their network, especially if an external directory is used with Mediasite. Without this background, we strongly advise you to find a more qualified IT professional to secure Mediasite.

      Mediasite is secure by default, which means that you can lock yourself out if you do not know the credentials of the built-in user, MediasiteAdmin. MediasiteAdmin has full permissions to all features and operations. This built-in user’s credentials are specified during deployment. If you are responsible for securing the system but do not know these values, contact the person who deployed Mediasite.

      We recommend assigning permissions at a group level because managing permissions for each user can be tedious. Security settings assigned through a group will take effect even for users in that group who have not yet validated their profile.

      The security settings you apply to an individual profile (rather than to a group) will not take effect until the profile is validated by the user. For example, if you assign each of the students in your class permissions individually to view a presentation, they will not be able to view it until they validate their profiles.

      When assigning permissions, deny entries take precedence over allow entries. So if a user is a member of two groups, one that is allowed permission to a resource and another that is denied permission to the same resource, the user will not have permission for that resource.

      You can give Portal users limited security management access by denying them access to the “Advanced Security” Portal resources. Users denied read permissions to this resource will secure items (folders, presentations, system policies, and system components) by selecting permission templates from a drop-down list for users, groups, or email addresses mapping to a user profile. They will not be able to set custom permissions. For more information, see Assign permissions to Portal resources.
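
The group, individual-profile, and deny-precedence considerations above interact, so it helps to see them evaluated together. The following Python model is an added example, not Mediasite code or a Mediasite API; the Entry and User types, the decide function, and all group names and addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    principal: str   # group name or profile e-mail address (constructed)
    is_group: bool   # True: group entry, False: individual user-profile entry
    resource: str
    permission: str
    allow: bool      # False means a deny entry

@dataclass(frozen=True)
class User:
    email: str
    groups: frozenset
    validated: bool  # has the user validated their profile?

def applies(entry, user):
    if entry.is_group:
        # Group entries take effect even before the profile is validated.
        return entry.principal in user.groups
    # Individual-profile entries are inert until the profile is validated.
    return entry.principal == user.email and user.validated

def decide(user, resource, permission, entries):
    """Return (granted, reason) for one user, resource and permission."""
    hits = [e for e in entries
            if (e.resource, e.permission) == (resource, permission)
            and applies(e, user)]
    denies = [e.principal for e in hits if not e.allow]
    if denies:  # deny entries take precedence over allow entries
        return False, "denied via " + ", ".join(sorted(denies))
    allows = [e.principal for e in hits if e.allow]
    if allows:
        return True, "allowed via " + ", ".join(sorted(allows))
    return False, "no applicable entry"  # access must be assigned explicitly

# Constructed sample entries for one presentation.
ENTRIES = [
    Entry("Students", True, "Lecture 1", "read", True),
    Entry("Suspended", True, "Lecture 1", "read", False),
    Entry("bob@example.edu", False, "Lecture 1", "read", True),
]

if __name__ == "__main__":
    people = [
        User("alice@example.edu", frozenset({"Students"}), False),
        User("bob@example.edu", frozenset(), False),
        User("carol@example.edu", frozenset({"Students", "Suspended"}), True),
    ]
    for person in people:
        print(person.email, decide(person, "Lecture 1", "read", ENTRIES))
```

Running a model like this over an export of planned assignments before applying them shows which users would be silently blocked by an unvalidated profile or by a deny entry inherited from a second group.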