Group and Role Management

Management of Production Groups and Roles is performed using the Server Administration interface which is accessible via the Admin “cog” located in the top right corner of the menu bar.

Note that the Admin “cog” is only visible if you are currently logged in as a user that has system administrator privileges.

It is advisable to define your Roles and Production Groups before you create your users.

Roles

The Roles page is accessed via the Roles Server Administration toolbar/menu item:

The page lists the existing Roles (initially just the System Administrator and Media role) and provides access to the functions for adding, editing and deleting roles.

Create/Edit New Role

To create a new Role click the Add button at the bottom right, or to edit an existing Role click on its name in the list. This will display the New/Edit Role Dialog:

The Edit/New Role dialog contains the following fields:

Name – short name for the Production Group.

Notes – longer informative description of the Production Group.

Advanced UI – currently non-active feature

Current Group

A user has a single Role. A Role gives them access to one or more Production Groups, with their permissions in each group determined by the permission set in the admin. Therefore a user can have access to more than one group.

Production Groups

The Production Groups page is accessed via the Groups Server Administration toolbar/menu item:

The page lists the existing Production Groups (initially just the System and Media Groups) and provides access to the functions for adding, editing and deleting groups and for setting the permissions of each Role within each Production Group.

Create New Production Group

To create a new Production Group click the Add button at the bottom right. This will display the New/Edit Production Group Dialog:

The Edit/New Production Group dialog contains the following fields:

Name – short name for the Production Group.

Description – longer informative description of the Production Group.

Default Permissions – define the Permissions that will be assigned to new members of the group as they are added.

The definitions of the available permissions are:

Create new catalogs – allow role members to create a new catalog in this Production Group.

Edit others' catalogs – allow role members to edit any catalog belonging to the Production Group.

Edit pick lists – allow role members to edit pick list values for that Production Group.

Create new clips – allow role members to import new clips or create new subclips within an existing catalog.

Delete own clips – allow role members to delete clips in catalogs they have published.

Edit locked fields – allow role members to edit fields that have been marked as locked in the user-defined fields section of Preferences; normally such fields are read-only.

Read others' catalogs – allow role members to open all catalogs in this Production Group, in addition to any owned by the user.

Delete own catalogs – allow role members to delete catalogs that they have published.

Tape management – allow role members to create and edit tape information.

Edit own catalogs – allow role members to edit catalogs that they have published to the server – otherwise they become locked once they have been published.

Delete others' data – allow role members to delete other users’ clips and/or catalogs within this Production Group, in addition to those belonging to them.

System administration – allow role members to create new Production Groups and edit any permission, effectively the “super user”.

These permissions all apply to the currently selected Role/Production Group. A Role can have different permissions in different Production Groups, giving you great flexibility in setting up access control if you need it. You can also give a Role access to the special System Group; any permission set in this group will apply to the entire database, regardless of which production group the catalog belongs to.

Access Control List Editor

Clicking on the Edit ACL link in the Production Group list displays the Edit Access Control List Permission dialog:

An Access Control List is a list of Access Control Rules. Each Access Control Rule consists of three parts:

User Selector – specifies to which user this rule applies. This selector might specify one or more individual users, a Role (in which case the rule applies to all users that have that role), or a user field value (in which case the rule applies to all users who have the specified value in the specified field).

Permissions – specify what permissions the users defined by the User Selector have on the catalogs defined in the Catalog Selector.

Catalog Selector – specifies which catalogs within the current group the rule applies to. This selector might specify individual catalogs, or catalog groups or rules that select multiple catalogs based on specific criteria. If there is no Catalog Selector then the Access Rule applies to all catalogs within the current group.

NOTE: In the Access Control List Editor the Users/Role section lists the User Selectors for all the Access Control Rules in the current Access Control List. Selecting one of these User Selectors selects the related Access Control Rule and updates the Permissions and Catalogs sections to display the Permissions and Catalog Selectors for the selected Access Control Rule. If no User Selector is selected in the top section the Permissions and Catalogs sections are inactive.

User Selector Editor

Clicking Add in the Users/Roles section, or selecting an existing User Selector from the Users/Roles list and clicking Edit, opens the User Selector Editor.

NOTE: clicking Add to add a user selector creates a new Access Control Rule with the newly created user selector.

User Selectors can be one of a number of types:

User – a list of individually selected users

Role – users who belong to any of the selected Roles

Permissions

Once a User Selector has been selected, the Permissions and Catalogs sections of the ACL Editor are populated with the Access Control Rule associated with that User Selector.

The selected permissions apply to the users specified by the User Selector and to the catalogs specified by the Catalog Selectors (see below).

Catalog Selector Editor

There are two types of Catalog Selectors:

Catalog – selects individual catalogs from the current catalog group

Rule – a rule that selects one or more catalogs from the current group based on specified criteria

Clicking Add Catalogs in the Catalogs section (or selecting an existing catalog selector and clicking Edit) opens the Catalogs Selector.

The list shows catalogs from the current group, and one or more of these can be selected. The permissions defined by this Access Control Rule will then apply to those catalogs.

Clicking Add Rule in the Catalogs section (or selecting an existing rule selector and clicking Edit) will open the Catalog Rule Selector:

A single catalog selector rule (there can be many in a single Access Control Rule) specifies the criteria that must be met for a catalog to be selected. It can be thought of as a simple query.

There are two elements to the rule:

Field – specifies the field on the catalog object that will be tested.

Value – the value that that field must have in order for the catalog to match.

Field

The Field drop-down shows the available catalog fields:

Value

The Value field is a free text field into which the value to be matched against is entered. It can contain a simple text value that must exactly match the selected catalog field, or it can contain a more complex expression that must evaluate to a value that matches the selected catalog field.

Wildcards

A wildcard (*) matches any sequence of characters.

For example if the selected catalog field was Catalog Name and the value was Forms/* then the selector would match all catalogs whose name begins with Forms/.

In Acorn a catalog’s name may be a path name that is used by the UI to present the catalogs in a tree. Therefore this pattern matches all catalogs in the Forms folder.

User Field Expressions

The value field may also contain references to values from the User object that refer to the currently logged in user.

These expressions can refer either to built-in fields – e.g.

${user.name} -- the user's name

${user.role} -- the user's Role

Or custom user-defined fields, such as those mentioned in the previous section – e.g.

${user[subject]} -- the custom 'subject' field on the user object

By combining these features very powerful rules can be created.

ACL Rule Example

Take a simple project scenario for example. The User object has a custom user-defined field called ‘project’ defined on it that contains the project the editor is editing.

Imagine that we wish to restrict that editor so that they can only access catalogs within the catalog folder that matches their project, and that those catalogs all live in a catalog folder called Shows.

This could be achieved by selecting ‘Catalog’ (i.e. catalog name) as the field and then setting the value to:

Shows/${user[project]}/*

That is – select all catalogs where the catalog name (path) starts with Shows/ followed by the editor's project.
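The following sketch, added here as an illustration and not taken from the product, evaluates a Catalog Selector value such as the one above for a given user and catalog list. The function names, the user dictionary layout, and two behaviours are assumptions of the sketch rather than documented product behaviour: a missing or empty user field makes the rule select nothing, and substituted user values are matched literally so that a '*' stored in a user field cannot act as a wildcard.

```python
import re

# Expression forms shown on the page: ${user.name}, ${user.role}, ${user[field]}
EXPR = re.compile(r"\$\{user(?:\.(\w+)|\[(\w+)\])\}")
BUILTIN = ("name", "role")

def _literal(text):
    # Only a '*' typed into the rule itself acts as a wildcard.
    return ".*".join(re.escape(part) for part in text.split("*"))

def compile_value(value, user):
    """Build the matcher for one user, or return None when a referenced
    user field is unknown or empty, so the rule selects nothing."""
    parts, pos = [], 0
    for m in EXPR.finditer(value):
        parts.append(_literal(value[pos:m.start()]))
        builtin, custom = m.groups()
        if builtin:
            field = user.get(builtin) if builtin in BUILTIN else None
        else:
            field = user.get("fields", {}).get(custom)
        if not field:
            return None
        # The substituted value is escaped whole: a '*' stored in a user
        # field matches a literal '*' and cannot widen the rule.
        parts.append(re.escape(str(field)))
        pos = m.end()
    parts.append(_literal(value[pos:]))
    return re.compile("".join(parts), re.DOTALL)

def selected_catalogs(value, user, catalog_names):
    matcher = compile_value(value, user)
    if matcher is None:
        return []
    return [name for name in catalog_names if matcher.fullmatch(name)]

# Constructed sample data (catalog names are paths, as described above).
CATALOGS = [
    "Shows/Apollo/Rushes",
    "Shows/Apollo/Masters/Ep1",
    "Shows/ApolloX/Rushes",
    "Shows/Borealis/Rushes",
    "Forms/Release",
]
EDITOR = {"name": "jane", "role": "Editor", "fields": {"project": "Apollo"}}
WILDCARD_USER = {"name": "sam", "role": "Editor", "fields": {"project": "*"}}
NO_PROJECT = {"name": "lee", "role": "Editor", "fields": {}}

if __name__ == "__main__":
    for u in (EDITOR, WILDCARD_USER, NO_PROJECT):
        print(u["name"], selected_catalogs("Shows/${user[project]}/*", u, CATALOGS))
```

Because the rule ends in /* after the project name, a catalog under Shows/ApolloX/ is not selected for a user whose project is Apollo; dropping that trailing slash from the rule would change that.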
