The most important feature to any Video Streaming for Enterprise (VSE) account are the options available to you for securing your content. This is done either on a channel by channel basis, or by setting security for a VSE landing page for your content. Your security can be set for your entire account from Integration & Apps > Security settings.
You have 2 main choices for how you want your content secure: either through 2 step email verification, or through SSO.
2 step email verification
If you choose 2 step email verification, you will need to determine what individual email addresses or email domains can have access to any given channel. First, go to your Video Streaming for Enterprise dashboard, then click on Channels in the left hand column. Then click on the name of the channel you wish to set access permissions for, then click on Access Control.
If you wish to make your player only available through an embed on your own website, click 'Turn off' for Channel page. This will prevent your channel page from being accessed directly, and will also remove the channel from your VSE Portal page.
To set email permissions for the channel, click 'Settings' for Secure Content. This will open the Secure content settings tab for this particular channel.
On this page, you can set what individual email addresses should have access to your channel page, or what email domains should have access, or a combination of both. In this particular case, firstname.lastname@example.org has been granted access to the channel. We can also see that one domain also has access- in this case, @advanced-sales.com. This means that email@example.com will be able to get access to the channel, and also anyone with an @advanced-sales.com email address.
In order to add emails or domains, simply click the 'add' button on the appropriate tab and enter the information. Be sure to click 'Save' after making any changes.
When a potential viewer attempts to go to the link of your individual channel, or your Portal page, they will first be asked to enter an email address.
If an email that does not meet the criteria set for access, the user will be denied. In the case of firstname.lastname@example.org, email@example.com has not been whitelisted as an individual email address and @yahoo.com has not been whitelisted as a domain, so access is denied.
If the email meets the criteria set, the viewer will receive confirmation that an email has been sent to their email address.
The email will allow them to either open the channel directly in a new browser tab, or to copy the code in the email into the browser tab that is already open. Note that the code sent to the viewer does not expire. The same code will be resent if the viewer does not use this code and requests a new one.
After an email has been verified the user will have access for 12 hours before the login time expires, however if one checkmarks the "Remember me" function the user will be granted access up to 7 days before the login expiration.
SSO (Single Sign On) authentication allows you to use a 3rd party identity provider to control access to your Video Streaming for Enterprise content. Information on how to set up SSO for your Video Streaming for Enterprise account can be found here.
SSO authentication is set up for your entire account, but each individual channel can be set to take anyone from the domain authorized by the SSO, or selected users, or nobody. Selecting between 2 step authentication or SSO is done fromIntegration & Apps > Security Settings tab:
In this example, we have set Google Apps as our SSO provider. Once the SSO is put in place, you can control access channel by channel. To set access to a channel, open the Channels > Access Control tab.
On the access control tab, you have the ability to set access to nobody in your organization, anyone with the correct email address (anyone who is authenticated by the SSO), or specific email addresses within the organization.
In this example, we will give Jill access to the Sales team channel.
If Jill were to enter the direct URL for the channel page, thereby trying to access the content, the page would first require her to pass the SSO check in the case of a service provider initiated SSO. She will see this:
Since she is the only user we have given access to, another email address, even if eligible for access via the SSO, would not have access to the page:
Granular access and the Video Streaming for Enterprise (VSE) page
Granular access will also determine how different users see and experience your VSE Portal page. A user who has access to channel A but not channel B will only see channel A available on your Portal. Channel B would be hidden from them.
For example, we can see two Channels in this IBM Video Streaming for Enterprise account: the sales team channel, and the support team channel.
Jeff is on the sales team, and Mary is on the support team. We want them both to access content through our Portal page, but not to have access to the other team's content.
In this case, we can add firstname.lastname@example.org in the individual access for the sales channel and email@example.com for the support channel. When each user goes to access the portal, they will only see those channels that they have access to.
Video Access Control
In order to restrict access to a video within your corporate team, first navigate to the Video Manager and select the video you would like to restrict, then press the Edit button. Then, select the Access tab.
The Access tab provides a direct URL link to the video, which can be given to viewers so they can gain direct access. The default setting is that anyone who can normally access the channel could watch the content from the link (in the example above, the video is published and therefore can be seen by anyone with access to this channel). However, access can be more granularly limited as well to a smaller group or even a few individuals.
To do this, select “specific people” option. Then, the content owner can enter specific email addresses, each of which will be granted access to the video.
Once access granted, the user will be sent an email notifying them:
- Telling them who approved the access
- Display a thumbnail for video
- Display the title of the video
When clicking on the URL, the viewer will be asked to authenticate in (if they haven’t already) and can then access the video.
Any email address can be entered into the “specific people” option, but they can only access the content if they can successfully authenticate in. In addition, it should be noted that the individual video access controls will override the channel access controls as well. For example, if you have a channel that’s been setup so that only those in marketing can see the content, but setup access control on an individual video so that a product manager can see it, those settings will be overridden so the product manager can watch it.