TBMS, 400 Providence Mine Road, Nevada City, CA 95945
TBMS, 17 rue du Petit Albi-BP 8244, 95801 Cergy Pontoise, Cergy, France
TBMS, Weiterstadt, Germany, Brunnenweg 9, D-64331 Weiterstadt, Germany
TBMS, 10 Presidential Way, 3rd Floor, Suite 300, Woburn, MA 08101
TBMS, 15655 SW Greystone Ct., Beaverton, OR 97006
TBMS, 2300 South Decker Lake Blvd., Salt Lake City, UT 84119
TBMS Nederland B.V., 4800 RP BREDA, The Netherlands
TBMS - PCB, Rennes, France, Rue du Clos Courtel, Cesson-Sevigne, Cedex, France
TBMS/Nextream, Rennes, France, Rue du Clos Courtel, Cesson-Sevigne, Cedex, France
TBMS/Nextream, Technopole Brest Iroise, CS 73808, 29238 Brest Cedex 3, France
Including its implementation, meets the requirements of the standard:
ISO 9001:2000
Scope: The design, manufacture and support of video hardware and software products
and related systems.
This Certificate is valid until: June 14, 2006
Revision Date: September 9, 2003
Renewal Date: June 14, 2003
Issued for the first time: June 14, 2000
This document may not be copied in whole or in part, or otherwise reproduced
except as specifically permitted under U.S. copyright law, without the prior written
consent of Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900,
Nevada City, California 95959-7900
Trademarks
FeedClip, Grass Valley, NewsEdit, NewsQ, and Profile are either registered
trademarks or trademarks of Thomson Broadcast and Media Solutions, Inc. in the
United States and/or other countries. Other trademarks used in this document are
either registered trademarks or trademarks of the manufacturers or vendors of the
associated products. Thomson Broadcast and Media Solutions, Inc. products are
covered by U.S. and foreign patents, issued and pending. Additional information
regarding Thomson Broadcast and Media Solutions, Inc.’s trademarks and other
proprietary rights may be found at www.thomsongrassvalleygroup.com.
Disclaimer
Product options and specifications subject to change without notice. The
information in this manual is furnished for informational use only, is subject to
change without notice, and should not be construed as a commitment by Thomson
Broadcast and Media Solutions, Inc. Thomson Broadcast and Media Solutions,
Inc. assumes no responsibility or liability for any errors or inaccuracies that may
appear in this publication.
U.S. Government Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to
restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data
and Computer Software clause at DFARS 252.277-7013 or in subparagraph c(1)
and (2) of the Commercial Computer Software Restricted Rights clause at FAR
52.227-19, as applicable. Manufacturer is Thomson Broadcast and Media
Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900 U.S.A.
Revision Status
Rev Date | Description
March 31, 2005 | Release for Software Version 5.1A to 071-8396-00
Grass Valley Product Support
To get technical assistance, check on the status of problems, or report new
problems, contact Grass Valley Product Support via e-mail, the Web, or by
phone or fax.
Web Technical Support
To access support information on the Web, visit the product support Web page
on the Grass Valley Web site. You can download software or find solutions to
problems by searching our Frequently Asked Questions (FAQ) database.
World Wide Web: http://www.thomsongrassvalley.com/support/
Technical Support E-mail Address: gvgtechsupport@thomson.net
Phone Support
Use the following information to contact product support by phone during
business hours. After-hours phone support is available for warranty and contract
customers.
United States | (800) 547-8949 (Toll Free)
Latin America | (800) 547-8949 (Toll Free)
France | +33 (1) 34 20 77 77
Germany | +49 6155 870 606
A local authorized support representative may be available in your country. To
locate the support representative for your country, visit the product support
Web page on the Grass Valley Web site.
You can connect with other Profile XP Media Platform users to ask questions
or share advice, tips, and hints. Send e-mail to profile-users@thomson.net to
join the community and benefit from the experience of others.
Digital News Production
Introduction
With NAS security, you can control the visibility and access for users and
groups within NewsEdit bins by associating the bins and assets with file system
permissions. NAS security uses the overlapping modes of exclusivity,
propagation of granted permissions, and group membership to establish file
system security. These principles apply:
• Selective access—You create groups of users, such as Editors or Producers,
and set permissions for each group.
• Partial control—You control access to branches of the Bin tree for users and
groups.
• Administrative control—The Administrator has exclusive access to a tool in
the top-level bin that allows the setting of permissions in the top-level bins.
Steps 1-2 can be completed at any time in preparation for NAS Security. Steps
3-8 must be done with the NewsShare system off line, during a maintenance
window.
To use NAS security in your newsroom, follow these steps:
Step | Description | Refer to...
1 | Design a security schema | Page 9
2 | Create and configure a Domain Controller | Page 13
3 | Discontinue NAS Service and disconnect DNP workstations from the drive mapped to the NAS Server | Page 31
4 | Join computers to the new domain | Page 33
5 | Add security to the NAS Server | Page 37
6 | Map DNP workstations to the secure network drive on the NAS Server | Page 43
7 | Set permissions for the shared volume | Page 45
8 | Test to make sure that security is working | Page 49
The rest of this manual discusses each of these steps in detail.
Step 1: Designing a Security Schema
The first step in setting up security in your NAS system is to determine a schema
for permissions. The schema determines which groups you create, and which
permissions you give each group.
Thomson Grass Valley has created a typical schema for use in illustrating
security principles in this document. You may use this schema if it is
appropriate for your newsroom, or create your own. For the examples in this
manual, we’ll assume that the newsroom has five groups: Editors, Producers,
Archivists, Ingestors, and Viewers.
The NAS security principles are agnostic to these groups, though the use of
groups greatly simplifies the establishment of the security schema. We picked
these names as exemplary; you do not need to use them in your operation. You
can have as many or as few groups as you like, named however you wish. If
your domain has a tree hierarchy, you may assign permissions to global groups
as well.
It’s important to establish a simple, consistent group structure. As with any
large, shared file system, permissions are best applied for groups, not users.
Individual user rights are then determined by administering group membership.
The core of Thomson Grass Valley’s Serial ATA NAS product is a highly
customized and tuned Linux-based Samba server. This knowledge will help you
as you work with the security features which derive more from Samba than
Windows. There are some particular differences to note. The Windows features
of inheritance and denial are not identically supported or defined in Samba;
these functions are effected, respectively, by the limited, automatic propagation
upon setting of allowed permissions to descendants in the file tree, and by the
strict use of the Allow control as the inverse of Deny. There is no explicit Delete
permission; this is bound to the Write permission.
The discussion in this chapter pertains to planning groups, users, and
permissions. The actual creation of domain entities and setting of permissions
are done in Step 7.
Sample Security Schema
The following table lists the groups and permissions being used as an example
in this document:
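News Group | Bin | Permissions
Domain Administrator | All | Full control
News Admins | All | Full control
Editors | Monday-Sunday | Read/Write
Editors | Feeds | Read only
Editors | HFR | Read/Write
Editors | Archive | Read/Write
Producers | Monday-Sunday | Read/Write
Producers | Feeds | Read only
Producers | HFR | Full control
Producers | Archive | Read/Write
Archivists | Monday-Sunday | Read only
Archivists | Feeds | Read/Write
Archivists | HFR | Read only
Archivists | Archive | Full control
Ingestors | Monday-Sunday | Read only
Ingestors | Feeds | Full control
Ingestors | HFR | None (permission denied)
Ingestors | Archive | Read/Write
Viewers | Monday-Sunday | Read only
Viewers | Feeds | Read only
Viewers | HFR | Read only
Viewers | Archive | Read only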
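Added example (not from the manual or from Grass Valley software): a short Python check that models the sample schema above and reports users whose combined group memberships defeat a group's "None" entry. It assumes allow-only ACLs in which a user's effective rights are the union of their groups' permissions, treats delete as part of Write as described earlier, and uses hypothetical user names and right labels; the two administrator groups are left out.

```python
# Added example: models the sample schema from this manual; not vendor code.
# Assumption: allow-only ACLs, so a user's effective rights on a bin are the
# union of what each of their groups is allowed (there is no Deny to subtract).
RIGHTS = {
    "None": set(),
    "Read only": {"read"},
    # Per the manual, there is no separate Delete right: it is bound to Write.
    "Read/Write": {"read", "write", "delete"},
    "Full control": {"read", "write", "delete", "set_permissions"},
}
BINS = ("Monday-Sunday", "Feeds", "HFR", "Archive")
# Sample schema: one permission per bin, in BINS order.
SCHEMA = {
    "Editors":    ("Read/Write", "Read only", "Read/Write", "Read/Write"),
    "Producers":  ("Read/Write", "Read only", "Full control", "Read/Write"),
    "Archivists": ("Read only", "Read/Write", "Read only", "Full control"),
    "Ingestors":  ("Read only", "Full control", "None", "Read/Write"),
    "Viewers":    ("Read only",) * 4,
}

def effective_rights(groups, bin_name):
    """Union of allowed rights across all of a user's groups for one bin."""
    idx = BINS.index(bin_name)
    rights = set()
    for g in groups:
        rights |= RIGHTS[SCHEMA[g][idx]]
    return rights

def overridden_exclusions(users):
    """Find (user, bin, excluding_group, granting_groups) where a group's
    'None' is defeated because the user also belongs to a group with access."""
    findings = []
    for user, groups in sorted(users.items()):
        for idx, bin_name in enumerate(BINS):
            excluded = [g for g in groups if SCHEMA[g][idx] == "None"]
            granting = sorted(g for g in groups if RIGHTS[SCHEMA[g][idx]])
            if excluded and granting:
                findings.append((user, bin_name, excluded[0], granting))
    return findings

# Constructed membership list (hypothetical user names).
USERS = {
    "alice": ["Ingestors"],
    "bob": ["Ingestors", "Viewers"],   # Viewers re-grants read on HFR
    "carol": ["Editors", "Producers"],
}

if __name__ == "__main__":
    print(overridden_exclusions(USERS))
```

Running the check against a planned membership list before Step 7 shows where an exclusion has to be enforced by keeping a user out of every group that grants access to that bin.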
NewsShare System Users and Groups
At a minimum, you need to create a user-group set for use by certain
components of the NewsShare system:
Group | User Members | Password
Vibrint Services | VibrintService | ***** Contact Grass Valley Support for password. *****
Permissions and Groups
In addition to the groups you’ll create for your newsroom, you need to set
permissions for two built-in groups—Domain Admins and Everyone. Based on
our security schema, the following table illustrates how groups and permissions
are set for the various NewsEdit folders and bins:
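Folder or bin | Domain Admins | Everyone | Archivists | Editors | Ingestors | Producers | Viewers | News Admins
V:\VibrintAVFiles | F | L R | L R | L R | L R | L R | L R | F
Monday-Sunday Bins | F |  | R | W | R | W | L R |
Feeds Bin | F |  | W | R | W | R | L R |
HFR Bin | F |  | R | W |  | W | L R |
Archive Bin | F |  | W | W | W | W | L R |
F = Full Control, L = List Folder Contents, R = Read, W = Write
For V:\VibrintAVFiles: Use NewsEdit Tools | Set Root Permissions
For the bins: Use Bin Security Properties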
Step 2: Setting Up a Domain Controller
A Domain Controller is a separate machine running Windows 2000 Server
software and configured with Active Directory. If purchased from Thomson
Grass Valley, an XRE is used. If the sole responsibility of the machine is to act
as a domain controller, SMG- or customer-furnished equipment may be used,
provided that it meets the specifications necessary to host Windows 2000
Server.
In general, you need to follow these guidelines for the Domain Controller:
• The Domain Controller cannot be an FSM nor a DSM.
• A separate Domain Controller and related domain node should be allocated
to the technical LAN subnet. This Domain Controller should also have
sufficient access to all related LANs to establish trusts and provide
authentication services.
• An XRE can be used to host another NewsEdit product, SmartBins.
• The domain controller may be remote to the NAS, but needs high availability
and direct configurability by your newsroom engineering department.
• Consistent with the Windows domain model, the domain controller may also
use a backup within the NAS subnet.
• You can either create a Domain Controller as a new domain tree or as a child
domain to an existing Domain Controller on your network.
• For normal newsroom operation, if the domain controller is a member of a
forest or tree, the Domain Controller can be subordinate: trusting but not
trusted.
The configuration of Microsoft Windows domains with Active Directory is a
broad and deep topic that is documented extensively by a variety of resources,
including Microsoft’s website. Each news organization has different
infrastructure and policies regarding the configuration of domains. What
NewsShare NAS security requires is an Active Directory zone with at least one
dedicated Windows 2000 Server domain controller; there are several ways to
achieve this, and the choice appropriate for your organization depends on your
organization’s culture, infrastructure, and IT policies.
In planning, you need to determine the relationship of the new domain to its
tree; whether it will use integrated, delegated, or standalone DNS; and whether
the domain controller’s mode will be mixed, in order to interoperate with
pre-Windows 2000 domain controllers, or native, allowing advanced features,
particularly greater opportunity in configuring user groups. The recommended
configuration to effect the most flexible control of the technical domain is to
run integrated DNS on a native-mode domain controller.
This guide details two of the many ways to set up a domain controller with
Active Directory:
• First node in a domain tree, integrated DNS, (mixed-mode) permissions
compatible with pre-Windows 2000 servers.
• Child node in an existing domain tree, (integrated) DNS in the parent,
(native-mode) permissions compatible with Windows 2000 servers and
higher.
As an adjunct step, depending on the trust relationship between the domain
controllers for NewsShare and those of the larger organization, the use of a
standalone DNS with forwarding may be necessary to achieve a highly isolated
domain. This configuration step is detailed as well.
Overview
To create a Domain Controller, follow these steps:
What to do | Refer to...
Install Windows 2000 Server software | page 16
Add the Domain Controller to the network | page 16
Add the new machine to the parent domain (if creating a child domain) | page 18
Configure Active Directory | page 19
Create new groups | page 24
Create users as necessary | page 26
Assign users to the new groups | page 28
Installing Windows 2000 Server Software
Install the Windows 2000 Server software following the network configuration
for your news station.
See the Windows 2000 Server Online Help or the Microsoft Windows 2000
Security Configuration Guide for more information.
Adding the Domain Controller to Your Network
You need to add the new Domain Controller to your existing network:
1. Right-click on My Network Places and select Properties.
The Network and Dial-up Connections window opens.
2. Right-click on the Ethernet Adapter icon and select Properties.
3. Select Internet Protocol and click Properties.
4. Click Advanced.
The Advanced TCP/IP Settings window opens: