ZEN Master features a multi-tier access control mechanism that enables granular control of the access privileges down to the object level. It manages access to all system objects, including Resources (e.g., ZECs, Broadcaster Clusters, Receivers, Licenses, Task Sets, Incidents, Live Events, Maps, etc.), Sources, Channels (e.g. adaptive channels, pass-through channels), Targets, and Reports.

The access control is managed through the following entities:

  • Tags – Each object (Resource, Source, Channel, Target, Report) is assigned one or more Tags. The assignment of the Tag is performed during the creation/configuration of the object. The same Tag can be assigned to several different objects.
  • Roles – A role defines a set of privileges in the system. A role is associated with one particular Tag, enabling access to objects associated with that Tag. The role also designates what actions can be performed on each object type (i.e. Resources, Sources, Channels, Targets, and Reports). Actions include Read (the ability to view data from the object), Write (the ability to edit the object’s configuration), and Notify (the ability to receive email notifications/alerts regarding the object). A Tag can be associated with one or multiple roles.
  • Users and User Groups – A user receives privileges in the system by being assigned one or multiple roles. Users can be assigned to User Groups. A user can be assigned a role either directly or through a user group to which he is assigned.
    One or multiple users are designated as Administrators. An Administrator can access and interact with all objects without need for assignment of specific roles. He can also manage SSH Keys, transcoding profiles and users.

Summary:

A user can only access a specific object in the system if he is assigned a role that -

  • is associated with the Tag that is assigned to that particular object, and
  • has privileges that allow access to that object type.

For Example:

The diagram above illustrates the access privileges model. Notice the following:

  • Users/User Groups and Roles relationships - a user can be assigned to multiple roles. Each role may, but need not, have a different set of permissions (e.g., read, write, notify), since the role's relationship to Tags also determines access to the various objects.
    • User 1 is assigned to Role 1 directly and to Role 2 by being part of User Group 1, which is assigned to Role 2.
    • User 2 is assigned to Role 2 by being part of User Group 1.
    • User 3 is assigned to both Role 2 and Role 3.
  • Roles and Tags relationships
    • User 1 and User 2 are part of User Group 1. If a Tag 'Content 1' is assigned to all objects relating to that content (e.g. Source 1, Adaptive Channel 1 and Pass-Through Channel 1), and that Tag is associated with a role Channel_Viewer_1 with privileges to Read (in the ZEN Master system) both Adaptive Channels and Pass-Through Channels but no privileges to Read Sources, then a user with the role Channel_Viewer_1 will be able to view Adaptive Channel 1 and Pass-Through Channel 1 but not Source 1. The user will not be able to edit the configuration for these channels, since the role only has viewing privileges and not editing privileges. Also, the user will not be able to view Adaptive Channel 2, since the Tag assigned to his/her role is not associated with Adaptive Channel 2.
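The two-part access rule and the Channel_Viewer_1 scenario, modelled as an added Python example (not ZEN Master code or its API). All class and function names are hypothetical, the 'Content 2' Tag on Adaptive Channel 2 is an assumed value, and the viewer is assumed to receive the role through a user group.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Role:
    name: str
    tag: str                 # a role is associated with one particular Tag
    privileges: frozenset    # allowed (object_type, action) pairs

@dataclass(frozen=True)
class Obj:
    name: str
    type: str
    tags: frozenset          # an object is assigned one or more Tags

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)    # roles assigned directly
    groups: list = field(default_factory=list)   # each group modelled as a list of roles
    is_admin: bool = False

def effective_roles(user):
    """Roles held directly plus roles inherited through user groups."""
    roles = list(user.roles)
    for group_roles in user.groups:
        roles.extend(group_roles)
    return roles

def can(user, action, obj):
    """Grant only if one role matches a Tag on the object AND allows the action on its type."""
    if user.is_admin:
        return True          # Administrators need no role assignment
    return any(
        role.tag in obj.tags and (obj.type, action) in role.privileges
        for role in effective_roles(user)
    )

# Constructed sample data mirroring the scenario in the text.
channel_viewer_1 = Role("Channel_Viewer_1", "Content 1", frozenset({
    ("Adaptive Channel", "read"), ("Pass-Through Channel", "read")}))
source_1 = Obj("Source 1", "Source", frozenset({"Content 1"}))
adaptive_1 = Obj("Adaptive Channel 1", "Adaptive Channel", frozenset({"Content 1"}))
passthrough_1 = Obj("Pass-Through Channel 1", "Pass-Through Channel", frozenset({"Content 1"}))
adaptive_2 = Obj("Adaptive Channel 2", "Adaptive Channel", frozenset({"Content 2"}))  # assumed Tag
viewer = User("viewer", groups=[[channel_viewer_1]])   # role inherited via a group
admin = User("admin", is_admin=True)
```

A model like this is useful for auditing: enumerate every user and object pair and compare the computed grants with what each user is expected to reach.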

