Grass Valley NAS Security User Manual

Copyright
Copyright © 2005 Thomson Broadcast and Media Solutions, Inc. All rights reserved. Printed in the United States of America.
This document may not be copied in whole or in part, or otherwise reproduced except as specifically permitted under U.S. copyright law, without the prior written consent of Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900
Trademarks
FeedClip, Grass Valley, NewsEdit, NewsQ, and Profile are either registered trademarks or trademarks of Thomson Broadcast and Media Solutions, Inc. in the United States and/or other countries. Other trademarks used in this document are either registered trademarks or trademarks of the manufacturers or vendors of the associated products. Thomson Broadcast and Media Solutions, Inc. products are covered by U.S. and foreign patents, issued and pending. Additional information regarding Thomson Broadcast and Media Solutions, Inc.’s trademarks and other proprietary rights may be found at www.thomsongrassvalleygroup.com.
Disclaimer
Product options and specifications subject to change without notice. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Thomson Broadcast and Media Solutions, Inc. Thomson Broadcast and Media Solutions, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.
U.S. Government Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7013 or in subparagraph c(1) and (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19, as applicable. Manufacturer is Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900 U.S.A.
Revision Status
Rev Date          Description
March 31, 2005    Release for Software Version 5.1A to 071-8396-00

Contents

Introduction
Step 1 Designing a Security Schema
    Sample Security Schema
    NewsShare System Users and Groups
    Permissions and Groups
Step 2 Setting Up a Domain Controller
    Overview
    Installing Windows 2000 Server Software
    Adding the Domain Controller to Your Network
    Adding the New Machine to the Parent Domain
    Configuring the Domain Controller with Active Directory
        Configuring a New Domain Tree With Integrated DNS
        Configuring a Child Domain
        Configuring DNS With Forwarder
    Creating Groups
    Creating Users
    Assigning Users to Groups
Step 3 Discontinuing NAS Service
Step 4 Joining Machines to the New Domain
    For Each DNP Workstation
    For the NAS Server
Step 5 Adding Security to the NAS Server
Step 6 Turning the System Back On
Step 7 Setting Security Permissions
    Setting NewsEdit Root Level Permissions
    Setting NewsEdit Bin Permissions
Step 8 Testing
    NewsEdit system operation
    SmartBins
Appendix Removing Security from the NAS Server

Grass Valley Product Support
To get technical assistance, check on the status of problems, or report new problems, contact Grass Valley Product Support via e-mail, the Web, or by phone or fax.
Web Technical Support
To access support information on the Web, visit the product support Web page on the Grass Valley Web site. You can download software or find solutions to problems by searching our Frequently Asked Questions (FAQ) database.
World Wide Web: http://www.thomsongrassvalley.com/support/
Technical Support E-mail Address: gvgtechsupport@thomson.net
Phone Support
Use the following information to contact product support by phone during business hours. After-hours phone support is available for warranty and contract customers.
United States (800) 547-8949 (Toll Free) France +33 (1) 34 20 77 77
Latin America (800) 547-8949 (Toll Free) Germany +49 6155 870 606
Eastern Europe +49 6155 870 606 Greece +33 (1) 34 20 77 77
Southern Europe +33 (1) 34 20 77 77 Hong Kong +852 2531 3058
Middle East +33 (1) 34 20 77 77 Italy +39 06 8720351
Australia +61 1300 721 495 Netherlands +31 35 6238421
Belgium +32 2 3349031 Poland +49 6155 870 606
Brazil +55 11 5509 3440 Russia +49 6155 870 606
Canada (800) 547-8949 (Toll Free) Singapore +656379 1390
China +86 106615 9450 Spain + 34 91 512 03 50
Denmark +45 45968800 Sweden +46 87680705
Dubai + 971 4 299 64 40 Switzerland +41 (1) 487 80 02
Finland +35 9 68284600 UK +44 870 903 2022
Authorized Support Representative
A local authorized support representative may be available in your country. To locate the support representative for your country, visit the product support Web page on the Grass Valley Web site.
Profile Users Group
You can connect with other Profile XP Media Platform users to ask questions or share advice, tips, and hints. Send e-mail to profile-users@thomson.net to join the community and benefit from the experience of others.

Introduction

With NAS security, you can control the visibility and access for users and groups within NewsEdit bins by associating the bins and assets with file system permissions. NAS security uses the overlapping modes of exclusivity, propagation of granted permissions, and group membership to establish file system security. These principles apply:
• Selective access—You create groups of users, such as Editors or Producers, and set permissions for each group.
• Partial control—You control access to branches of the Bin tree for users and groups.
• Administrative control—The Administrator has exclusive access to a tool in the top-level bin that allows the setting of permissions in the top-level bins.
Steps 1-2 can be completed at any time in preparation for NAS Security. Steps 3-8 must be done with the NewsShare system off line, during a maintenance window.
To use NAS security in your newsroom, follow these steps:
Step  Description                                                                                       Refer to...
1     Design a security schema                                                                          Page 9
2     Create and configure a Domain Controller                                                          Page 13
3     Discontinue NAS Service and disconnect DNP workstations from the drive mapped to the NAS Server   Page 31
4     Join computers to the new domain                                                                  Page 33
5     Add security to the NAS Server                                                                    Page 37
6     Map DNP workstations to the secure network drive on the NAS Server                                Page 43
7     Set permissions for the shared volume                                                             Page 45
8     Test to make sure that security is working                                                        Page 49
The rest of this manual discusses each of these steps in detail.

Step 1 Designing a Security Schema

The first step in setting up security in your NAS system is to determine a schema for permissions. The schema determines which groups you create, and which permissions you give each group.
Thomson Grass Valley has created a typical schema for use in illustrating security principles in this document. You may use this schema if it is appropriate for your newsroom, or create your own. For the examples in this manual, we’ll assume that the newsroom has five groups: Editors, Producers, Archivists, Ingestors, and Viewers.
The NAS security principles are agnostic to these groups, though the use of groups greatly simplifies the establishment of the security schema. We picked these names as exemplary; you do not need to use them in your operation. You can have as many or as few groups as you like, named however you wish. If your domain has a tree hierarchy, you may assign permissions to global groups as well.
It’s important to establish a simple, consistent group structure. As with any large, shared file system, permissions are best applied for groups, not users. Individual user rights are then determined by administering group membership.
The core of Thomson Grass Valley’s Serial ATA NAS product is a highly customized and tuned Linux-based Samba server. This knowledge will help you as you work with the security features which derive more from Samba than Windows. There are some particular differences to note. The Windows features of inheritance and denial are not identically supported or defined in Samba; these functions are effected, respectively, by the limited, automatic propagation upon setting of allowed permissions to descendants in the file tree, and by the strict use of the Allow control as the inverse of Deny. There is no explicit Delete permission; this is bound to the Write permission.
The discussion in this chapter pertains to planning groups, users, and permissions. The actual creation of domain entities and setting of permissions are done in Step 7.

Sample Security Schema

The following table lists the groups and permissions being used as an example in this document:
News Group             Bin              Permissions
Domain Administrator   All              Full control
News Admins            All              Full control
Editors                Monday-Sunday    Read/Write
                       Feeds            Read only
                       HFR              Read/Write
                       Archive          Read/Write
Producers              Monday-Sunday    Read/Write
                       Feeds            Read only
                       HFR              Full control
                       Archive          Read/Write
Archivists             Monday-Sunday    Read only
                       Feeds            Read/Write
                       HFR              Read only
                       Archive          Full control
Ingestors              Monday-Sunday    Read only
                       Feeds            Full control
                       HFR              None (permission denied)
                       Archive          Read/Write
Viewers                Monday-Sunday    Read only
                       Feeds            Read only
                       HFR              Read only
                       Archive          Read only
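
The sample schema above, modeled as an added example (not part of the Grass Valley manual or software). It assumes a user's effective rights on a bin are the union of what each of the user's groups is allowed, following the allow-only model described earlier in this chapter, and it shows that the Ingestors "None" on HFR holds only for users who belong to no other group with HFR access. The user "ingest op" and all function names are hypothetical.

```python
"""Added example: the sample schema under allow-only semantics."""

# Rights carried by each permission level in the sample schema table.
# Assumption: "F" marks the extra right to change permissions.
LEVELS = {
    "Full control": frozenset("RWF"),
    "Read/Write": frozenset("RW"),
    "Read only": frozenset("R"),
    "None": frozenset(),
}

BINS = ("Monday-Sunday", "Feeds", "HFR", "Archive")

# One row per group, one level per bin, copied from the sample schema table.
SCHEMA = {
    "News Admins": ("Full control", "Full control", "Full control", "Full control"),
    "Editors":     ("Read/Write", "Read only", "Read/Write", "Read/Write"),
    "Producers":   ("Read/Write", "Read only", "Full control", "Read/Write"),
    "Archivists":  ("Read only", "Read/Write", "Read only", "Full control"),
    "Ingestors":   ("Read only", "Full control", "None", "Read/Write"),
    "Viewers":     ("Read only", "Read only", "Read only", "Read only"),
}


def group_rights(group, bin_name):
    """Rights the schema allows one group on one bin."""
    return LEVELS[SCHEMA[group][BINS.index(bin_name)]]


def effective_rights(groups, bin_name):
    """Union of the rights allowed to any of the user's groups.

    Assumption: with no Deny entries, a missing Allow in one group cannot
    take away an Allow granted through another group.
    """
    rights = set()
    for group in groups:
        rights |= group_rights(group, bin_name)
    return rights


def can_delete(groups, bin_name):
    """Delete is bound to Write, so any writer can also delete."""
    return "W" in effective_rights(groups, bin_name)


def overridden_none(memberships):
    """Find users for whom a group's 'None' is cancelled by another group.

    Returns (user, bin, restricted_group, granting_groups) tuples.
    """
    findings = []
    for user, groups in sorted(memberships.items()):
        for bin_name in BINS:
            for group in groups:
                if group_rights(group, bin_name):
                    continue  # this group is not restricted on this bin
                granting = [g for g in groups if group_rights(g, bin_name)]
                if granting:
                    findings.append((user, bin_name, group, granting))
    return findings


# Constructed memberships; "ingest op" is a hypothetical user in two groups.
MEMBERSHIPS = {
    "joe edit 1": ["Editors"],
    "joe producer": ["Producers"],
    "ingest op": ["Ingestors", "Viewers"],
}

if __name__ == "__main__":
    for user, groups in MEMBERSHIPS.items():
        for bin_name in BINS:
            rights = "".join(sorted(effective_rights(groups, bin_name))) or "-"
            deletable = can_delete(groups, bin_name)
            print(f"{user:13} {bin_name:14} {rights:4} delete={deletable}")
    for finding in overridden_none(MEMBERSHIPS):
        print("None overridden:", finding)
```

Running the same check over the planned group memberships before Step 7 shows which users would need to be kept out of a second group for a "None" entry to hold.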

NewsShare System Users and Groups

At a minimum, you need to create a user-group set for use by certain components of the NewsShare system:
Group               User Members      Password
Vibrint Services    VibrintService    *****
***** Contact Grass Valley Support for password.

Permissions and Groups

In addition to the groups you’ll create for your newsroom, you need to set permissions for two built-in groups—Domain Admins and Everyone. Based on our security schema, the following table illustrates how groups and permissions are set for the various NewsEdit folders and bins:
Groups (table columns): Domain Admins, Everyone, Archivists, Editors, Ingestors, Producers, Viewers, News Admins
Folders and bins (table rows): V:\VibrintAVFiles, Monday-Sunday Bins, Feeds Bin, HFR Bin, Archive Bin
Tools used to set the permissions: Use NewsEdit Tools | Set Root Permissions; Use Bin Security Properties
Legend:
F = Full Control
L = List Folder Contents
R = Read
W = Write
FL RL RL RL RL R L R F
F R W R W L R
FWRWRL R
FRW WL R
F WWWWL R

Step 2 Setting Up a Domain Controller

A Domain Controller is a separate machine running Windows 2000 Server software and configured with Active Directory. If purchased from Thomson Grass Valley, an XRE is used. If the sole responsibility of the machine is to act as a domain controller, SMG- or customer-furnished equipment may be used, provided that it meets the specifications necessary to host Windows 2000 Server.
In general, you need to follow these guidelines for the Domain Controller:
• The Domain Controller cannot be an FSM nor a DSM.
• A separate Domain Controller and related domain node should be allocated to the technical LAN subnet. This Domain Controller should also have sufficient access to all related LANs to establish trusts and provide authentication services.
• An XRE can be used to host another NewsEdit product, SmartBins.
• The domain controller may be remote to the NAS, but needs high availability and direct configurability by your newsroom engineering department.
• Consistent with the Windows domain model, the domain controller may also use a backup within the NAS subnet.
• You can either create a Domain Controller as a new domain tree or as a child domain to an existing Domain Controller on your network.
• For normal newsroom operation, if the domain controller is a member of a forest or tree, the Domain Controller can be subordinate: trusting but not trusted.
The configuration of Microsoft Windows domains with Active Directory is a broad and deep topic that is documented extensively by a variety of resources, including Microsoft’s website. Each news organization has different infrastructure and policies regarding the configuration of domains. What NewsShare NAS security requires is an Active Directory zone with at least one dedicated Windows 2000 Server domain controller; there are several ways to achieve this, and the choice appropriate for your organization depends on your organization’s culture, infrastructure, and IT policies.
In planning, you need to determine the relationship of the new domain to its tree; whether it will use integrated, delegated, or standalone DNS; and whether the domain controller’s mode will be mixed, in order to interoperate with pre-Windows 2000 domain controllers, or native, allowing advanced features, particularly greater opportunity in configuring user groups. The recommended configuration to effect the most flexible control of the technical domain is to run integrated DNS on a native-mode domain controller.
This guide details two of the many ways to set up a domain controller with Active Directory:
• First node in a domain tree, integrated DNS, (mixed-mode) permissions compatible with pre-Windows 2000 servers.
• Child node in an existing domain tree, (integrated) DNS in the parent, (native-mode) permissions compatible with Windows 2000 servers and higher.
As an adjunct step, depending on the trust relationship between the domain controllers for NewsShare and those of the larger organization, the use of a standalone DNS with forwarding may be necessary to achieve a highly isolated domain. This configuration step is detailed as well.

Overview

To create a Domain Controller, follow these steps:
What to do                                                               Refer to...
Install Windows 2000 Server software                                     page 16
Add the Domain Controller to the network                                 page 16
Add the new machine to the parent domain (if creating a child domain)    page 18
Configure Active Directory                                               page 19
Create new groups                                                        page 24
Create users as necessary                                                page 26
Assign users to the new groups                                           page 28

Installing Windows 2000 Server Software

Install the Windows 2000 Server software following the network configuration for your news station.
See the Windows 2000 Server Online Help or the Microsoft Windows 2000 Security Configuration Guide for more information.

Adding the Domain Controller to Your Network

You need to add the new Domain Controller to your existing network:
1. Right-click on My Network Places and select Properties. The Network and Dial-up Connections window opens.
2. Right-click on the Ethernet Adapter icon and select Properties.
3. Select Internet Protocol and click Properties.
4. Click Advanced. The Advanced TCP/IP Settings window opens:
5. Click the DNS tab.
6. Click Add. The TCP/IP DNS Server window opens:
7. Add the IP Address of the DNS server and click Add.
   If this domain controller is also a DNS server, enter its own IP Address.
8. Click OK and close all windows.

Adding the New Machine to the Parent Domain

If you are creating a child domain, you need to add the Domain Controller to the parent domain. If you are creating a new domain tree, you can skip this step.
To add a machine to the Parent Domain:
1. Right-click on My Computer and select Properties.
2. Select the Network Identification tab and click Properties. The Identification Changes window appears:
3. Click Domain and type the new domain name.
4. Click OK. The Domain Username And Password window appears.
5. Enter the username and password for the administrator account on the domain tree root system, and click OK.
6. At the Welcome message, click OK.
7. Reboot the computer.

Configuring the Domain Controller with Active Directory

The next step is to configure your Domain Controller using the Windows Active Directory wizard. Follow one set of instructions below for the type of domain you are configuring—either a new domain tree or a child domain.

Configuring a New Domain Tree With Integrated DNS

1. If the Windows 2000 Configure Your Server screen doesn’t appear automatically after your computer restarts, click Start | Programs | Administrative Tools | Configure Your Server.
2. At the Windows 2000 Configure Your Server screen, click Active Directory in the left pane.
3. Click Start the Active Directory Wizard.
4. Configure the Domain Controller following these instructions:

On this screen...: Do this...
Welcome: Click Next.
Domain Controller Type: Select Domain controller for a new domain and click Next.
Create Tree or Child Domain: Select Create a new domain tree and click Next.
Create or Join Forest: Select Create a new forest of domain trees and click Next.
New Domain Name: Enter the name of the new domain, and click Next.
NetBIOS Domain Name: Leave set at the default value and click Next.
Database and Log Locations: Leave set at default values and click Next.
Shared System Volume: Leave set at default value and click Next.
Configure DNS: Select Yes, install and configure DNS on this computer and click Next.
<<message>>: If you see a message that the DNS server can’t find the new domain name, click OK and continue with the installation. It means the domain name isn’t yet part of the system.
Permissions: Select Permissions compatible with pre-Windows 2000 servers and click Next. This selection sets up the domain controller in mixed-mode.
Directory Services Restore Mode Administrator Password: Enter ***** twice and click Next.
Summary: Review your choices and click Next. Your summary should look like this:
    Configure this server as the first domain controller in a new forest of domain trees.
    The new domain is named “xxxx”. This is also the name of the new forest.
    The NetBIOS name of the domain is “xxxx”
    Database location: C:\WINNT\NTDS
    Log file location: C:\WINNT\NTDS
    Sysvol folder location: C:\WINNT\SYSVOL
    The DNS Service will be installed and configured on this computer.
    Permissions compatible with pre-Windows 2000 servers will be used with this domain; this will allow anonymous access to domain information.
Completing the Active Directory Installation Wizard: Click Finish. The computer prompts you to reboot so the new settings take effect.

***** Contact Grass Valley Support for password.

Configuring a Child Domain

1. If the Windows 2000 Configure Your Server screen doesn’t appear automatically after your computer restarts, click Start | Programs | Administrative Tools | Configure Your Server.
2. At the Windows 2000 Configure Your Server screen, click Active Directory in the left pane.
3. Click Start the Active Directory Wizard.
4. Configure the Domain Controller following these instructions:

On this screen...: Do this...
Welcome: Click Next.
Domain Controller Type: Select Domain controller for a new domain. Click Next.
Create Tree or Child Domain: Select Create a new child domain in an existing domain tree and click Next.
Network Credentials: Enter the User name and Password of the Domain tree root, the name of the Domain, and click Next.
Child Domain Installation: Enter the name of the Parent domain; enter the name of the Child domain, and click Next.
NetBIOS Domain Name: Leave set at default value and click Next.
Database and Log Locations: Leave set at default values and click Next.
Shared System Volume: Leave set at default value and click Next.
Permissions: Select Permissions compatible only with Windows 2000 servers and click Next.
Directory Services Restore Mode Administrator Password: Enter ***** twice and click Next.
Summary: Review your choices and click Next. Your summary should look like this:
    Configure this server as the first domain controller in a new domain.
    The new domain is named “tgv.DOMAIN.gvg”
    The NetBIOS name of the domain is “TGV”
    This new domain is a child domain of the domain “DOMAIN.gvg”
    Database location: C:\WINNT\NTDS
    Log file location: C:\WINNT\NTDS
    Sysvol folder location: C:\WINNT\SYSVOL
Completing the Active Directory Installation Wizard: Click Finish. The computer prompts you to reboot so the new settings take effect.

***** Contact Grass Valley Support for password.

Configuring DNS With Forwarder

If your installation must function in isolation from the enterprise DNS, yet have access to machines outside the technical LAN, e.g., if you have an experimental setup that must access a newsroom computer system, a useful alternative to joining the enterprise domain is to establish an independently-rooted forest with isolated DNS.
In this case, you need to configure a DNS forwarder as follows:
1. Select Start | Programs | Administrative Tools | DNS.
2. Select your Domain Controller, right-click and select Properties.
3. On the Forwarders tab, check Enable forwarders.
4. Type the IP address for the DNS Server where you want to forward and click Add.
5. Click Apply.
6. Close the window.

Creating Groups

You create groups on your Domain Controller according to the security schema you created in Step 1. Use this table as a guideline for creating your groups:
Group Name                                     Group Type    Required?
Vibrint Services                               Security      Yes
News Admins                                    Security      Yes
Archivists                                     Security      Optional
Editors                                        Security
Ingestors                                      Security
Producers                                      Security
Viewers                                        Security
Other groups as necessary for your newsroom
Group Scope: The Group Scope is dependent on what type of Domain Controller you are configuring. (a)
a. If you are working in a mixed-mode domain, your only practical scope choice is Global, which is what is documented here. In a native-mode domain, other choices are available. Consult the Windows Active Directory documentation on group scopes.

1. Select Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. In the console tree, double-click the domain node.
3. Right-click the Users folder, select New and then select Group. The New Object - Group window appears:
4. Type the name of the new group.
5. Click Global for the Group Scope.
6. Click Security for the Group Type.
7. Click OK. The new group appears in the list.
8. Repeat steps 3-7 to create additional groups.

Creating Users

You need to create the users who will become members of the groups you just created. Users represent each person who logs on to a NewsEdit computer. If you are creating a new domain tree, you need to create each user using the directions below. If you are creating a child domain, and will get your users from the parent domain, you can skip this step.
Regardless of the type of Domain Controller you are configuring, you need to create these two users:
Full name         User logon name    Password
VibrintService    VibrintService     *****
NewsAdmin         News Admins        *****
***** Contact Grass Valley Support for password.

1. Select Start | Programs | Administrative Tools | Active Directory Users and Computers.
2. In the console tree, double-click the domain node.
3. In the details pane, right-click the User folder, select New then select User. The New Object - User window opens:
4. Enter the user’s first name, initials (if desired), last name, and full name.
5. In User logon name, enter the name that the user will log on with and, from the drop-down list, select the correct domain for the user.
6. Click Next.
7. In Password and Confirm Password, enter the user’s password.
8. Select the appropriate password options.
9. Click Next.
10. Review the summary of the new user and click Finish. The new user is added to the User folder.
11. Repeat steps 3-10 to create additional users.

Assigning Users to Groups

Once you’ve created groups and users, you can add the users to their respective groups and assign a Primary Group. If you are configuring a child domain, you may select users from the parent domain.
You also need to add the VibrintService user to the Vibrint Services group and the NewsAdmin user to the News Admins group.
This table illustrates how users fit into groups you previously defined:
User              Group Name          Primary Group       Required?
NewsAdmin         Domain Admins       News Admins         Yes
                  Domain Users                            Yes
                  News Admins                             Yes
VibrintService    Vibrint Services    Vibrint Services    Yes
joe edit 1        Editors             Editors             Optional
joe edit 2
joe edit 3
joe producer
To assign a user to a group:
1. In Active Directory Users and Computers, select the User folder from the left pane.
2. In the details pane, right-click the user you want to assign and select Properties. The user_name Properties window appears.
3. Click the Members of tab and then click Add. The Select Groups window opens:
4. Click Look in to display a list of domains from which users and computers can be added to the group, and then click the domain containing the users you want to add.
5. Click the group(s) to be added and click Add. The group appears in the lower box.
6. Click OK to close the Select Groups window.
7. In the Members of tab, highlight the Primary Group for this user and click Set Primary Group.
8. Click OK to close the window.
9. Repeat steps 2-8 to assign groups to all of your new users.

Step 3 Discontinuing NAS Service

In order to modify configurations and make other changes, you need to discontinue all activity on the NAS system.
To discontinue NAS service:
1. Close all DNP workstation applications, such as NewsEdit, FeedClip, and NewsQ.
2. Unmap the NAS shared drive you are making secure:
   a. Open Windows Explorer.
   b. Choose Tools | Disconnect Network Drive.
   c. Click the drive to remove and click OK.
3. Stop SmartBin Service, if running.

Step 4 Joining Machines to the New Domain

Once you’ve set up the Domain Controller, you need to join each computer in your newsroom network to the new domain. Computers in the DNP system are one of two types: DNP workstations run Windows 2000 Professional or Windows XP Professional system software, and the NAS Server runs Linux. Follow the instructions below for each type of computer in your NAS system.

For Each DNP Workstation

To join a DNP workstation computer to the new domain:
1. If you’re using the new domain controller as a DNS server, make sure that the DNS configuration for each machine’s ethernet connection has the new Domain Controller as its priority DNS Server.
2. Right-click on My Computer and select Properties.
3. Select the Network Identification tab and click Properties.
4. Click Domain and type TGV as the domain name.
5. Click OK.
6. Enter the domain name and password for the domain tree root and click OK.
7. At the Welcome message, click OK.
8. Reboot the computer.

For the NAS Server

The NAS server must join the Windows domain serviced by the Domain Controller you created.
To join the domain:
1. On the Domain Controller, choose Start | Programs | Admin Tools | Active Directory Users and Computers.
2. Right-click on the Computers folder in the left pane and select New | Computer. The New Object - Computer window opens:
3. Configure the New Object as follows:
   Computer name: Enter the name of your NAS Server.
   User or group: Leave set at Default:DomainAdmins.
   Allow pre-Windows 2000 computers to use this account: Check to select.
4. Click OK to create the object. The NAS Server displays as a member of the Computers folder.
5. Right-click on the NAS Server object and select Properties.
6. Check Trust computer for delegation and click OK.

Step 5 Adding Security to the NAS Server

Once you’ve set up the Domain Controller and joined all of your computers to the new domain, you need to configure the NAS Server for security. This involves modifying the configuration of the server using the NAS Server software and running a shell script, which enables security for the shared volume and sets up the permissions on the NewsroomSuite folders and files.
Digital News Production 37
Step 5 Adding Security to the NAS Server
To add security to the NAS Server:
1. From a NewsEdit workstation on the network, open the NewsShare NAS software in a Web browser (such as Netscape, Internet Explorer, or Mozilla) by entering the following IP address in the browser address bar:
https://192.168.50.20:9890
Notice the s in the https: address. Make sure your browser allows cookies and Java Script (or JIT)—see the Network Attached Storage User Guide for details.
2. Configure the NAS Server for Domain Security:
a. Choose System | System Services | SMB/CIFS from the left pane menu.
NOTE: If you see a message regarding the Java plug-in, follow the instructions to install it.
b. Add information about the new domain as follows:
Workgroup/Domain: Enter the name of the new domain.
WINS Server (Optional): If you use a WINS server, enter its IP address.
Security User Level/Domain Level: Select Domain Level.
Automap/Manual: Select Automap, then enter the PDC Administrator’s login and password.
PDC Name: Enter the name of the Primary Domain Controller (PDC).
Automatically mapping user/group between NFS and CIFS: Check to select.
Group ID range: Leave set as is.
User ID range: Leave set as is.
Guest Account: Leave set as is.
File Create Mask: Leave set at default value.
Directory Mask: Leave set at default value.
Comments: Add if desired.
c. Click Save, and observe a message that confirms that your changes were successful.
3. Make the NAS share secure:
a. Choose Storage | Shares | Modify from the left pane menu.
b. Select the share that you want to make secure and click Next.
c. In the CIFS Share window, uncheck the Public checkbox.
d. Note the name of the File System Mount Point—you’ll need it for Step 5b.
e. Click Save, and observe a message that confirms that your changes were successful.
4. Using Explorer, copy the shell script file C:\Program Files\Vibrint 3.0\Security\vbrGVNASGoSecure.sh to the NAS volume.
5. Run the shell script from the NAS Server:
You need to go to the NAS Server console directly in order to run the script. If you don’t have a monitor attached to the server, attach one for this step.
a. At the console prompt, login to the NAS Server as root. Contact Grass Valley Technical Support for the root password.
b. Change to the file system directory (the File System Mount Point from Step 3d) for the share you’re making secure using this format:
cd /base/<file system folder>
c. Type ls at the command prompt and verify that the file vbrGVNASGoSecure.sh is present.
d. Execute the script by typing sh vbrGVNASGoSecure.sh.
e. When prompted, enter the share name to be configured. Make sure you do not get any error messages. Once the script is finished, it displays Done… and prompts you to reboot the NAS Server. DO NOT reboot the NAS Server from this machine; see step 5 for instructions.
f. Logout of the NAS Server by typing exit at the command prompt.
6. From the NewsShare NAS software, reboot the computer by choosing System | System Administration | Shutdown, selecting Reboot from the combo box, and clicking OK.
7. Once the computer restarts, update the Disk Volume Configuration:
a. Choose C:\Program Files\Vibrint 3.0\Utilities\DiskVolumeConfig.exe.
b. Under the Disk Volume field, enter the drive letter for the NAS share you are making secure.
c. Under Security Options, select Supported.
d. Click Save Changes and then click OK.
8. Using Explorer, delete the file vbrGVNASGoSecure.sh from the NAS volume.
Step 6 Turning the System Back On
Before you set permissions on the NewsEdit machines, you need to turn the system back on:
1. Reboot all client machines.
2. On the DNP workstations, re-map the shared drive:
a. Open Windows Explorer.
b. Choose Tools | Map Network Drive.
c. In the Drive field, select the drive letter to map to the shared resource.
d. In the Folder field, type the server and share name of the resource, in the form of \\servername\sharename. You can also click Browse to locate the resource.
e. Click Finish.
Step 7 Setting Security Permissions
The last step in setting up security for your DNP system is to set permissions for the NewsEdit folders and bins. You again use the security schema you created in Step 1 to determine permissions for users and groups.
You can set all permissions from one NewsEdit machine. You need to set permissions in two different places—in NewsEdit options and in the NewsEdit bins.
You need to be logged in as News Admin in order to set security permissions.

Setting NewsEdit Root Level Permissions

Permissions for V:\VibrintAVFiles are set in NewsEdit options. First you add the group(s) and the NewsAdmin user to the drive and then set security permissions for that group. You need to login to this machine as News Admin to set root permissions.
Permissions for V:\VibrintAVFiles (F = Full Control, L = List Folder Contents, R = Read):
Domain Admins: F
Everyone: L R
Archivists: L R
Editors: L R
Ingestors: L R
Producers: L R
Viewers: L R
Vibrint Services: F
News Admins: F
NewsAdmin: F
To set permissions for VibrintAVFiles:
1. Open NewsEdit and select Tools | Set Root Permissions. The Permissions for V:\VibrintAVFiles opens:
2. Add each of the groups you created for your newsroom (if you are using the typical security schema, add the groups Archivists, Editors, Ingestors, Producers, and Viewers).
3. Set permissions for each group according to the chart above.
4. Click OK.

Setting NewsEdit Bin Permissions

Permissions for the NewsEdit bins are set in the Properties tab for each Bin. Follow the instructions below and set the permissions for each bin in your top-level NewsEdit bin.
Domain Admins
Monday-Sunday Bins
Feeds Bin
HFR Bin
Archive Bin
F = Full Control L = List Folder Contents R = Read W = Write
Everyone
FL RRWRWL RFF
FL RWRWRL RFF
FL R R W W L R FF
FL RWWWWL RFF
Archivists
Editors
Ingestors
Producers
Viewers
News Admins
NewsAdmin
To set permissions for NewsEdit bins:
1. In the NewsEdit bin, right-click on the first bin and select Properties. The Bin Properties window for that bin opens:
2. Click the Security tab.
3. Change permissions for each group listed based on the chart above.
4. Click OK when you are done setting permissions.
Step 8 Testing
After creating and configuring the Domain Controller and setting permissions for NewsEdit bins, you should test the system to make sure that the security is working:

NewsEdit system operation

• Basically, check that permissions exist functionally where they should and that permissions are not granted functionally where they should not be granted, as follows:
- A Viewer user should not be able to write or delete in a Bin where they have read-only permission.
- Significantly, where a user is not granted any permissions (as might be the case for an investigative report that should be editable by only a small group) make sure that users outside the permitted group have no access and no availability in the private group.
- Check that read only users in a particular bin cannot write or delete.
• Check that permissions are working correctly across users:
1. Create a sequence and add a dissolve between two clips.
2. Render the sequence and save it.
3. On another NewsEdit workstation, login as another user.
4. Open the saved sequence and play it, observing the dissolve within the sequence.
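The same "not granted where they should not be" check can be run against the root folder's ACL. This is an added example, not part of the Grass Valley manual: a Python audit that compares icacls output for V:\VibrintAVFiles with the chart under Setting NewsEdit Root Level Permissions. The NEWSROOM domain, the Interns group, the sample output, the availability of icacls on the workstation, and reading "L R" as "no write-capable right" are assumptions.

```python
import re

# Root-level chart for V:\VibrintAVFiles in this manual: F = Full Control, LR = List + Read.
FULL = ["Domain Admins", "Vibrint Services", "News Admins", "NewsAdmin"]
READ_ONLY = ["Everyone", "Archivists", "Editors", "Ingestors", "Producers", "Viewers"]
EXPECTED = {**dict.fromkeys(FULL, "F"), **dict.fromkeys(READ_ONLY, "LR")}
# icacls right codes that allow creating, changing or deleting content.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "WA", "DC", "DE", "WDAC", "WO", "GW", "GA"}
ACE = re.compile(r"^(.+?):((?:\([^)]+\))+)$")  # principal:(flag)...(rights)

def parse_icacls(text, path=r"V:\VibrintAVFiles"):
    """Return {principal: set of allowed right codes} from icacls output for one path."""
    acl = {}
    for line in text.splitlines():
        m = ACE.match(line.replace(path, "", 1).strip())
        if not m or "(DENY)" in m.group(2):
            continue  # skip the summary line and deny entries, which grant nothing
        rights = re.findall(r"\(([^)]+)\)", m.group(2))[-1]  # the last group holds the rights
        name = m.group(1).split("\\")[-1]  # drop the DOMAIN\ prefix
        acl.setdefault(name, set()).update(rights.split(","))
    return acl

def audit(acl):
    """Compare a parsed ACL with the chart and return a sorted list of findings."""
    findings = [f"{n}: not in the chart" for n in acl if n not in EXPECTED]
    for name, want in EXPECTED.items():
        rights = acl.get(name)
        if rights is None:
            findings.append(f"{name}: missing from ACL")
        elif want == "F" and "F" not in rights:
            findings.append(f"{name}: expected Full Control")
        elif want == "LR" and rights & WRITE_RIGHTS:
            findings.append(f"{name}: write access on a read-only group")
    return sorted(findings)

# Constructed sample of icacls output; NEWSROOM and Interns are made-up names.
SAMPLE = r"""V:\VibrintAVFiles NEWSROOM\Domain Admins:(OI)(CI)(F)
                  Everyone:(OI)(CI)(RX)
                  NEWSROOM\Archivists:(OI)(CI)(RX)
                  NEWSROOM\Editors:(OI)(CI)(RX)
                  NEWSROOM\Ingestors:(OI)(CI)(RX)
                  NEWSROOM\Producers:(OI)(CI)(RX)
                  NEWSROOM\Viewers:(OI)(CI)(RX,WD)
                  NEWSROOM\News Admins:(OI)(CI)(F)
                  NEWSROOM\NewsAdmin:(OI)(CI)(F)
                  NEWSROOM\Interns:(OI)(CI)(RX)
Successfully processed 1 files; Failed processing 0 files
"""
print("\n".join(audit(parse_icacls(SAMPLE))))
```

An empty result means the ACL matches the chart; each finding names the group to recheck in Tools | Set Root Permissions.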

SmartBins

Check that a clip recorded on a GXF SmartBin appears in the associated NewsEdit SmartBin and vice-versa.
Appendix
Removing Security from the NAS Server
If you need to remove security from the NAS Server and go back to a public share, follow these instructions. You need to change the configuration of the server using the NAS Server software and run a shell script, which makes the shared volume public and resets the permissions on the NewsroomSuite folders and files.
To remove security from the NAS Server:
1. From a NewsEdit workstation on the network, open the NewsShare NAS software in a Web browser by entering the following IP address in the browser address bar:
https://192.168.50.20:9890
2. Configure the NAS Server for public use:
a. Choose System | System Services | SMB/CIFS from the left pane menu.
b. Change the window as follows:
Security User Level/Domain Level: Select User Level.
Guest Account: Select nfsnobody.
c. Click Save, and observe a message that confirms that your changes were successful.
3. Make the NAS share public:
a. Choose Storage | Shares | Modify from the left pane menu.
b. Select the share that you want to make public and click Next.
c. In the CIFS Share window, check the Public checkbox.
d. Note the name of the File System Mount Point—you’ll need it for Step 5b.
e. Click Save, and observe a message that confirms that your changes were successful.
4. Using Explorer, copy the shell script file C:\Program Files\Vibrint 3.0\Security\vbrGVNASGoPublic.sh to the NAS volume.
5. Run the shell script from the NAS Server:
You need to go to the NAS Server console directly in order to run the script. If you don’t have a monitor attached to the server, attach one for this step.
a. At the console prompt, login to the NAS Server as root. Contact Grass Valley Technical Support for the root password.
b. Change to the file system directory (the File System Mount Point from Step 3d) for the share you’re making secure using this format:
cd /base/<file system folder>
c. Type ls at the command prompt and verify that the file vbrGVNASGoPublic.sh is present.
d. Execute the script by typing sh vbrGVNASGoPublic.sh.
e. When prompted, enter the share name to be configured. Make sure you do not get any error messages. Once the script is finished, it displays Done… and prompts you to reboot the NAS Server. DO NOT reboot the NAS Server from this machine; see step 5 for instructions.
f. Logout of the NAS Server by typing exit at the command prompt.
6. From the NewsShare NAS software, reboot the computer by choosing System | System Administration | Shutdown, selecting Reboot from the combo box, and clicking OK.
7. Once the computer restarts, update the Disk Volume Configuration:
a. Choose C:\Program Files\Vibrint 3.0\Utilities\DiskVolumeConfig.exe.
b. Under the Disk Volume field, enter the drive letter for the NAS share you are making public.
c. Under Security Options, select Not Supported.
d. Click Save Changes and then click OK.
8. Using Explorer, delete the file vbrGVNASGoPublic.sh from the NAS volume.