GRASS VALLEY AURORA EDIT SECURITY - APPLICATION NOTE 01-2011, Aurora Edit Security Application Note

APPLICATION NOTE
Aurora Edit Security
Controlling asset visibility and access
Patrick Thompson, Senior Software Engineer
January 2011
Using the Aurora Edit Security feature, you can control which users and groups have which permissions (read, write, delete, etc.) on which
assets in the Aurora Edit bin tree.
www.grassvalley.com
Introduction
With Aurora™ Edit Security from Grass Valley™, you can control the visibility and access for users and groups working within Aurora Edit bins by controlling the file system permissions for the bins and assets. Aurora Edit Security uses the overlapping modes of inheritance, exclusivity, and group membership as implemented by Windows Active Directory (AD) to establish and enforce asset security. These principles apply:
• Selective access. You create groups of users, such as Editors, Producers, and Interns, and set permissions for each group.
• Partial control. You control access to subbranches of the bin tree for users and groups.
• Administrative control. The administrator has exclusive access to a tool in the top-level bin that allows the setting of permissions on the bin-tree root. At all levels of bins (as a feature of Active Directory), you control who can control access.
Technical Background
As part of its open architecture, the Aurora suite of products stores media on Windows-compatible file system volumes, notably the Grass Valley K2 Summit shared storage system. These volumes support Windows Active Directory; thus, Aurora Edit is able to leverage Active Directory, particularly in a large, multi-user, domain-controlled environment, to effect fine-grained access control of the Aurora Edit assets, including master clips, subclips, sequences, graphics, and bins. (Subclips and sequences are controlled by their containing bins.) Aurora Edit security is essentially the application of Active Directory controls to Aurora Edit assets.
Example
As an elementary example, suppose that your organization has the bins and groups shown in the table below. The day-named and Investigative bins are sub-bins of the top-level Work in Progress bin.
Read, Write, and Delete permissions are abbreviated to R, W, and D. Permissions are set on top-level bins and are allowed to automatically flow by inheritance (indicated by parentheses) to descendent bins. (Active Directory permissions and inheritances are in fact more nuanced, but they can be effectively discussed as RWD.)
Not listed here are several user members in the groups. In particular, Bob (a member of group Editors) and Alice (a member of group Producers) are working exclusively on a secret investigative report. On the Investigative bin, inheritance is blocked such that no user automatically has access to the bin; permission must be explicitly granted, and it is only for Bob and Alice, who both enjoy full RWD privilege. Note that in other bins, Bob’s and Alice’s permissions are automatically established by their group membership, such that permissions for these (or any other) individual users need not be explicitly set.
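The check below is an added example, not part of the original application note or of any Grass Valley tooling. It audits the folder behind a restricted bin such as Investigative, confirming that inheritance is blocked and that only the expected accounts hold explicit grants. The function name, the folder path, and the EXAMPLE\ account names are assumptions; how a bin maps to a folder on the shared volume is site-specific.

```powershell
# Added example. Test-BinIsolation is a hypothetical helper name.
function Test-BinIsolation {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )

    $acl      = Get-Acl -LiteralPath $Path
    $findings = New-Object System.Collections.Generic.List[string]

    # AreAccessRulesProtected is $true once the folder stops accepting
    # inherited ACEs from its parent, i.e. inheritance is blocked.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add('Inheritance is still enabled on this bin.')
    }

    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.IsInherited) {
            # A group grant from the parent bin is flowing into this bin.
            $findings.Add("Inherited ACE for $who ($($ace.FileSystemRights)).")
        }
        elseif ($ace.AccessControlType -eq 'Allow' -and
                $AllowedIdentity -notcontains $who) {
            # Explicit grant to an account outside the approved list.
            $findings.Add("Unexpected explicit grant to $who ($($ace.FileSystemRights)).")
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Isolated = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Constructed usage: path and domain accounts are placeholders for your site.
$bin = 'V:\Work in Progress\Investigative'
if (Test-Path -LiteralPath $bin) {
    Test-BinIsolation -Path $bin -AllowedIdentity @(
        'EXAMPLE\bob', 'EXAMPLE\alice',
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
}
```

Include in the allowed list any administrative or service accounts that legitimately need access at your site; the two built-in principals shown are an assumption.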