Access control with Enterprise Video Streaming

The most important features of any Enterprise Video Streaming (EVS) account are the options available to you for securing your content. Security is set either on a channel-by-channel basis, or for an EVS landing page for your content. Security for your entire account can be set from Integration & Apps > Security settings.

AC1.png

You have 2 main choices for how you want your content secured: either through 2 step email verification, or through SSO.

2 step email verification

If you choose 2 step email verification, you will need to determine what individual email addresses or email domains can have access to any given channel. First, go to your Enterprise Video Streaming dashboard, then click on Channels in the left hand column. Then click on the name of the channel you wish to set access permissions for, then click on Access Control.

AC2.png

If you wish to make your player only available through an embed on your own website, click 'Turn off' for Channel page. This will prevent your channel page from being accessed directly, and will also remove the channel from your EVS Portal page.

To set email permissions for the channel, click 'Settings' for Secure Content. This will open the Secure content settings tab for this particular channel.

On this page, you can set which individual email addresses should have access to your channel page, which email domains should have access, or a combination of both. In this particular case, mary@ustream.tv has been granted access to the channel. We can also see that one domain has access, in this case @advanced-sales.com. This means that mary@ustream.tv will be able to get access to the channel, and so will anyone with an @advanced-sales.com email address.

AC3.png

AC4.png

In order to add emails or domains, simply click the 'add' button on the appropriate tab and enter the information. Be sure to click 'Save' after making any changes.

When a potential viewer attempts to go to the link of your individual channel, or your Portal page, they will first be asked to enter an email address.

AC5.png

If an email address that does not meet the criteria set for access is entered, the user will be denied. In the case of jeff@yahoo.com, jeff@yahoo.com has not been whitelisted as an individual email address and @yahoo.com has not been whitelisted as a domain, so access is denied.

AC6.png
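The allow/deny decision described above can be modelled as follows. This is an added example, not IBM's code: the function names, the case-insensitive comparison and the exact-domain match (subdomains and look-alike domains are not covered by a domain entry) are assumptions about how such a check should behave, not documented EVS behaviour.

```python
# Added illustration of the allow/deny rule described above.
# Normalisation and exact-match behaviour are assumptions, not documented EVS behaviour.

ALLOWED_EMAILS = ["mary@ustream.tv"]        # individual address from the page's example
ALLOWED_DOMAINS = ["@advanced-sales.com"]   # domain from the page's example


def split_address(email):
    """Return (local, domain) in lower case, or None if the input is not a plain address."""
    cleaned = email.strip().lower()
    local, sep, domain = cleaned.rpartition("@")
    if not sep or not local or not domain or "@" in local or " " in cleaned:
        return None
    return local, domain


def is_allowed(email, allowed_emails=ALLOWED_EMAILS, allowed_domains=ALLOWED_DOMAINS):
    """Allow if the full address is listed OR its domain is listed; deny otherwise."""
    parsed = split_address(email)
    if parsed is None:
        return False
    local, domain = parsed
    emails = {e.strip().lower() for e in allowed_emails}
    domains = {d.strip().lower().lstrip("@") for d in allowed_domains}
    # Compare the whole domain, never a suffix or substring of it.
    return f"{local}@{domain}" in emails or domain in domains


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["mary@ustream.tv", "jeff@yahoo.com",
                      "sam@advanced-sales.com", "sam@notadvanced-sales.com"]:
        print(candidate, "->", "allowed" if is_allowed(candidate) else "denied")
```
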

If the email meets the criteria set, the viewer will receive confirmation that an email has been sent to their email address. 

AC7.png

The email will allow them to either open the channel directly in a new browser tab, or to copy the code in the email into the browser tab that is already open. Note that the code sent to the viewer does not expire. The same code will be resent if the viewer does not use this code and requests a new one. 

AC8.png

After an email has been verified, the user will have access for 12 hours before the login time expires. However, if the web browser is closed before the 12 hours are up, the token will be deleted and a new request for a code will be needed.

SSO authentication

SSO (Single Sign On) authentication allows you to use a 3rd party identity provider to control access to your Enterprise Video Streaming content. Information on how to set up SSO for your Enterprise Video Streaming account can be found here.

SSO authentication is set up for your entire account, but each individual channel can be set to take anyone from the domain authorized by the SSO, or selected users, or nobody. Selecting between 2 step authentication or SSO is done from the Integration & Apps > Security Settings tab:

AC9.png

In this example, we have set Google Apps as our SSO provider. Once the SSO is put in place, you can control access channel by channel. To set access to a channel, open the Channels > Access Control tab.

AC10.png

AC11.png

On the access control tab, you have the ability to set access to nobody in your organization, anyone with the correct email address (anyone who is authenticated by the SSO), or specific email addresses within the organization.

AC12.png

In this example, we will give Jill access to the Sales team channel.

If Jill were to enter the direct URL for the channel page, thereby trying to access the content, the page would first require her to pass the SSO check in the case of a service provider initiated SSO. She will see this:

AC13.png

Since she is the only user we have given access to, another email address, even if eligible for access via the SSO, would not have access to the page:

AC14.png

Granular access and the Enterprise Video Streaming (EVS) page

Granular access will also determine how different users see and experience your EVS Portal page. A user who has access to channel A but not channel B will only see channel A available on your Portal. Channel B would be hidden from them.

For example, we can see two channels in this IBM Enterprise Video Streaming account: the sales team channel, and the support team channel.

AC15.png

Jeff is on the sales team, and Mary is on the support team. We want them both to access content through our Portal page, but not to have access to the other team's content.

In this case, we can add jeff@ustream.tv in the individual access for the sales channel and mary@ustream.tv for the support channel. When each user goes to access the portal, they will only see those channels that they have access to.

Jeff's view:

AC16.png

Mary's view:

AC17.png

AC18.png

Channel Access Control

In order to restrict access to a channel within your corporate team, first navigate to Channel > Access Control > Secure content Settings > Specific People from your Organization.

AC19.png

You have three options, which can be combined, to manage access.

  • Specific people – Any email address can be added. People with these email addresses can access the content on the channel after successfully logging in with their SSO credentials.
  • Groups – Any SSO group name can be added. Viewers in these SSO groups can access the content on the channel after successfully logging in with their SSO credentials.
  • Advanced – Multiple SSO groups can be selected and combined to create an advanced access rule. People in the selected combination of SSO groups can access the content on the channel after successfully logging in with their SSO credentials.

Video Access Control

In order to restrict access to a video within your corporate team, first navigate to the Video Manager and select the video you would like to restrict, then press the Edit button. Then, select the Sharing tab.

AC20.png

The Sharing tab provides a direct URL link to the video, which can be given to viewers so they can gain direct access. The default setting is that anyone who can normally access the channel can watch the content from the link (in the example above, the video is published and therefore can be seen by anyone with access to this channel). However, access can also be limited more granularly, to a smaller group or even a few individuals.

To do this, select the “Specific people” option. Then, the content owner can enter specific email addresses, each of which will be granted access to the video.

AC21.png

You have three options, which can be combined, to manage access.

  • Specific people – Any email address can be added. People with these email addresses can access the video after successfully logging in with their SSO credentials.

    Once access is granted, the user will be sent an email that:
    • Tells them who approved the access
    • Displays a thumbnail of the video
    • Displays the title of the video

    When clicking on the URL, the viewer will be asked to authenticate (if they haven’t already) and can then access the video.

  • Groups – Any SSO group name can be added. Viewers in these SSO groups can access the video after successfully logging in with their SSO credentials.
  • Advanced – Multiple SSO groups can be selected and combined to create an advanced access rule. People in the selected combination of SSO groups can access the video after successfully logging in with their SSO credentials.

Any email address can be entered into the “Specific people” option, but those users can only access the content if they can successfully authenticate. Note also that individual video access controls override the channel access controls. For example, if a channel has been set up so that only those in marketing can see the content, but access control on an individual video is set up so that a product manager can see it, the channel settings are overridden and the product manager can watch that video.

Advanced Access Rules

The Advanced option is displayed if one or two lists containing SSO group names have been uploaded via API.

  • In case of a single list, users will be able to select one or more items from the list. Viewers will have to be part of at least one of the selected SSO Groups to view content when the advanced access rule is applied.
  • In case of two lists, administrators will have an option to use one or both lists to define an advanced access rule. Viewers will have to be part of at least one of the selected SSO Groups from both lists.
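The rule semantics above (any selected group within a list, every list that has a selection) together with the video-over-channel precedence can be checked with a small model. This is an added example, not IBM's code: the class, function and group names are constructed, and two points are assumptions of this sketch: that the three options combine as "any one grants access", and that a video rule replaces the channel rule for that video.

```python
# Added illustration of the access rules described above; all names and data are constructed.
from dataclasses import dataclass, field


@dataclass
class Rule:
    people: set = field(default_factory=set)      # "Specific people" (lower-case emails)
    groups: set = field(default_factory=set)      # "Groups" (SSO group names)
    advanced: list = field(default_factory=list)  # one or two sets of selected SSO groups


def advanced_ok(selected_lists, viewer_groups):
    """True if the viewer is in at least one selected group of every list that is used."""
    used = [selection for selection in selected_lists if selection]
    return bool(used) and all(selection & viewer_groups for selection in used)


def rule_allows(rule, email, viewer_groups):
    """Assumption: the three options combine as a union of grants."""
    return (email.lower() in rule.people
            or bool(rule.groups & viewer_groups)
            or advanced_ok(rule.advanced, viewer_groups))


def can_watch(channel_rule, video_rule, email, viewer_groups):
    """Assumption: a video-level rule, when present, replaces the channel rule."""
    rule = video_rule if video_rule is not None else channel_rule
    return rule_allows(rule, email, viewer_groups)


# Constructed sample: two uploaded lists (departments, regions) and one advanced rule.
SALES_OR_MARKETING_IN_EMEA = Rule(advanced=[{"sales", "marketing"}, {"emea"}])
MARKETING_CHANNEL = Rule(groups={"marketing"})
PM_VIDEO = Rule(people={"pm@example.com"})

if __name__ == "__main__":
    print(rule_allows(SALES_OR_MARKETING_IN_EMEA, "a@example.com", {"sales", "emea"}))
    print(rule_allows(SALES_OR_MARKETING_IN_EMEA, "b@example.com", {"sales", "amer"}))
    print(can_watch(MARKETING_CHANNEL, PM_VIDEO, "pm@example.com", {"product"}))
```
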

AC22.png