Grass Valley Open SAN Security User Manual
Number: 510057.001
The Quality System of:
Thomson Broadcast & Media Solutions
TBMS TBMS
400 Providence Mine Road 17 rue du Petit Albi-BP 8244
Nevada City, CA 95945 95801 Cergy Pontoise
Cergy, France
TBMS
Weiterstadt, Germany TBMS
Brunnenweg 9 10 Presidential Way, 3rd Floor, Suite 300
D-64331 Weiterstadt, Germany Woburn, MA 08101
TBMS TBMS
15655 SW Greystone Ct. 2300 South Decker Lake Blvd.
Beaverton, OR 97006 Salt Lake City, UT 84119
TBMS TBMS - PCB
Nederland B.V. Rennes, France
4800 RP BREDA Rue du Clos Courtel
The Nederlands Cesson-Sevigne, Cedex
France
TBMS/Nextream TBMS/Nextream
Rennes, France Technopole Brest Iroise
Rue du Clos Courtel CS 73808
Cesson-Sevigne, Cedex 29238 Brest Cedex 3
France France
Including its implementation, meets the requirements of the standard:
ISO 9001:2000
Scope: The design, manufacture and support of video hardware and software products
and related systems.
This Certificate is valid until: June 14, 2006
Revision Date: September 9, 2003
Renewal Date: June 14, 2003
Issued for the first time: June 14, 2000
Copyright
Copyright © 2004 Thomson Broadcast and Media Solutions, Inc. All rights
reserved. Printed in the United States of America.
This document may not be copied in whole or in part, or otherwise reproduced
except as specifically permitted under U.S. copyright law, without the prior written
consent of Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900,
Nevada City, California 95959-7900
Trademarks
Disclaimer
U.S. Government
Restricted Rights
Legend
Revision Status
FeedClip, Grass Valley, NewsEdit, NewsQ, and Profile are either registered
trademarks or trademarks of Thomson Broadcast and Media Solutions, Inc. in the
United States and/or other countries. Other trademarks used in this document are
either registered trademarks or trademarks of the manufacturers or vendors of the
associated products. Thomson Broadcast and Media Solutions, Inc. products are
covered by U.S. and foreign patents, issued and pending. Additional information
regarding Thomson Broadcast and Media Solution, Inc.’s trademarks and other
proprietary rights may be found at www.thomsongrassvalleygroup.com.
Product options and specifications subject to change without notice. The
information in this manual is furnished for informational use only, is subject to
change without notice, and should not be construed as a commitment by Thomson
Broadcast and Media Solutions, Inc. Thomson Broadcast and Media Solutions,
Inc. assumes no responsibility or liability for any errors or inaccuracies that may
appear in this publication.
Use, duplication, or disclosure by the United States Government is subject to
restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data
and Computer Software clause at DFARS 252.277-7013 or in subparagraph c(1)
and (2) of the Commercial Computer Software Restricted Rights clause at FAR
52.227-19, as applicable. Manufacturer is Thomson Broadcast and Media
Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900 U.S.A.
Rev Date Description
November 30, 2004 Release 071-8369-00 for Software Version 5.1
Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Step 1 Designing a Security Schema
Sample Security Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
NewsShare System Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . 11
Permissions and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Step 2 Setting Up a Domain Controller
Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Installing Windows 2000 Server Software . . . . . . . . . . . . . . . . . . . . . . 16
Adding the Domain Controller to Your Network . . . . . . . . . . . . . . . . . . 16
Adding the New Machine to the Parent Domain. . . . . . . . . . . . . . . . . . 18
Configuring the Domain Controller with Active Directory . . . . . . . . . . . 19
Configuring a New Domain Tree With Integrated DNS . . . . . . . . . . 19
Configuring a Child Domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Configuring DNS With Forwarder . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Adding FSMs and Profile Servers to the Domain . . . . . . . . . . . . . . . . . 24
Creating Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Creating Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Adding Users to the New Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Step 3 Discontinuing Open SAN Service . . . . . . . . . . . . . . . . . . . . . 33
Step 4 Joining Machines to the New Domain
For Each DNP Workstation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
For Each FSM and Profile Media Server . . . . . . . . . . . . . . . . . . . . . . . 36
Step 5 Modifying CVFS for Open SAN Security
Adding Windows Security to CVFS . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Power Cycling the FSMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Step 6 Turning the System Back On . . . . . . . . . . . . . . . . . . . . . . . . . 41
Step 7 Setting Security Permissions
Setting Initial Shared Volume Permissions. . . . . . . . . . . . . . . . . . . . . . 44
Setting High Level Shared Volume Permissions . . . . . . . . . . . . . . . . . 45
Setting NewsEdit Root Level Permissions . . . . . . . . . . . . . . . . . . . . . . 47
Setting NewsEdit Bin Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Step 8 Using a Reference Time Source. . . . . . . . . . . . . . . . . . . . . . . 51
Step 9 Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Digital News Production
3
Contents
4
Digital News Production
Grass Valley Product Support
To get technical assistance, check on the status of problems, or report new
problems, contact Grass Valley Product Support via e-mail, the Web, or by
phone or fax.
Web Technical Support
To access support information on the Web, visit the product support Web page
on the Grass Valley Web site. You can download software or find solutions to
problems by searching our Frequently Asked Questions (FAQ) database.
Grass Valley Product Support
World Wide Web:
Technical Support E-mail Address:
http://www.thomsongrassvalley.com/support/
gvgtechsupport@thomson.net.
Phone Support
Use the following information to contact product support by phone during
business hours. Afterhours phone support is available for warranty and contract
customers.
United States (800) 547-8949 (Toll Free) France +33 (1) 34 20 77 77
Latin America (800) 547-8949 (Toll Free) Germany +49 6155 870 606
Eastern Europe +49 6155 870 606 Greece +33 (1) 34 20 77 77
Southern Europe +33 (1) 34 20 77 77 Hong Kong +852 2531 3058
Middle East +33 (1) 34 20 77 77 Italy +39 06 8720351
Australia +61 1300 721 495 Netherlands +31 35 6238421
Belgium +32 2 3349031 Poland +49 6155 870 606
Brazil +55 11 5509 3440 Russia +49 6155 870 606
Canada (800) 547-8949 (Toll Free) Singapore +656379 1390
China +86 106615 9450 Spain + 34 91 512 03 50
Denmark +45 45968800 Sweden +46 87680705
Dubai + 971 4 299 64 40 Switzerland +41 (1) 487 80 02
Finland +35 9 68284600 UK +44 870 903 2022
Digital News Production
5
Preface
Authorized Support Representative
Profile Users Group
A local authorized support representative may be available in your country. To
locate the support representative for your country, visit the product support
Web page on the Grass Valley Web site.
You can connect with other Profile XP Media Platform users to ask questions
or share advice, tips, and hints. Send e-mail to profile-users@thomson.net to
join the community and benefit from the experience of others.
6
Digital News Production
Introduction
With Open SAN security, you can control the visibility and access for users and
groups within NewsEdit bins by associating the bins and assets with file system
permissions. Open SAN security uses the overlapping modes of inheritance,
exclusivity, and group membership, as implemented by Windows, to establish
file system security. These principals apply:
• Selective access—You create groups of users, such as Editors or Producers,
and set permissions for each group.
• Partial control—You control access to branches of the Bin tree for users and
groups.
• Administrative control—The Administrator has exclusive access to a tool in
the top-level bin that allows the setting of permissions in the top-level bins.
Steps 1-3 can be completed at any time in preparation for Open SAN Security.
Steps 3-9 must be done with the NewsShare system off line, during a
maintenance window.
To use Open SAN security in your newsroom, follow these steps:
Step: Description Refer to...
1 Design a security schema Page 9
2 Create and configure a Domain Controller Page 13
3 Discontinue the Open SAN Service Page 33
4 Join computers to the new domain Page 35
5 Add Windows Security to the CVFS configuration Page 37
6 Turn on the Open SAN Failover Monitor Service and reboot all
client machines and Profile Media Servers
7 Set permissions for the shared volume Page 43
8 Optionally, install and configure NetTime on the FSMs and
Profile Media Servers
9 Test to make sure that security is working Page 53
The rest of this manual discusses each of these steps in detail.
Digital News Production
Page 41
Page 51
7
8
Digital News Production
1
Step
Designing a Security Schema
The first step in setting up security in your Open SAN system is to determine a
schema for permissions. The schema determines which groups you create, and
which permissions you give each group.
Thomson Grass Valley has created a typical schema for use in illustrating
security principles in this document. You may use this schema if it is
appropriate for your newsroom, or create your own. For the examples in this
manual, we’ll assume that the newsroom has five groups: Editors, Producers,
Archivists, Ingestors, and Viewers.
The Open SAN security principles are agnostic to these groups, though the use
of groups greatly simplifies the establishment of the security schema. We
picked these names as exemplary; you do not need to use them in your
operation. You can have as many or as few groups as you like, named however
you wish. If your domain has a tree hierarchy, you may assign permissions to
global groups as well.
The discussion in this chapter pertains to planning groups, users, and
permissions. The actual creation of domain entities and setting of permissions
are done in Step 8.
Digital News Production
9
Step 1 Designing a Security Schema
Sample Security Schema
The following table lists the groups and permissions being used as an example
in this document:
News Group Bin Permissions
Domain Administrator All Full control
Editors Monday-Sunday Read/Write/Delete in top level bins, but
Feeds Read only
HFR Read/Write
Archive Read/Write
Producers Monday-Sunday Read/Write
Feeds Read only
HFR Full control
Archive Read/Write
Archivists Monday-Sunday Read only
Feeds Read/Write
HFR Read only
Archive Full control
Ingestors Monday-Sunday Read only
Feeds Full control
HFR None (permission denied)
cannot delete material from newscast bins.
10
Archive Read/Write
Viewers Monday-Sunday Read only
Feeds Read only
HFR Read only
Archive Read only
Digital News Production
NewsShare System Users and Groups
NewsShare System Users and Groups
At a minimum, you need to create two user-group sets for use by certain
components of the NewsShare system:
Group User Members Password
Profile Services profile profile
Vibrint Services VibrintService triton
Permissions and Groups
In addition to the groups you’ll create for your newsroom, you need to create
one group to manage the Profile Media Servers, and set permissions for three
built-in groups—Domain Admins, Everyone, and SYSTEM. Based on our
security schema, the following table illustrates how groups and permissions are
set for the various NewsEdit folders and bins:
Use
Windows
Explorer
Use
NewsEdit
Tools | Set
Root
Permissions
Domain Admins
Everyone
SYSTEM
V:\
V:\media
V:\PDR
V:\Thumbnails (inherit control from V:\)
V:\VibrintAttic (inherit control from V:\)
V:\VibrintAVFiles
**
**
FFF F
FF
FF FF F
F FL RL RL RL R L R F
Archivists
Editors
Ingestors
Digital News Production
Producers
Viewers
Profile Services
11
Step 1 Designing a Security Schema
Domain Admins
Everyone
SYSTEM
Archivists
Editors
Ingestors
Producers
Viewers
Profile Services
Use Bin
Security
Properties
Monday-Sunday
Bins
Feeds Bin
HFR Bin
Archive Bin
F
= Full Control
L
= List Folder Contents
= Read
R
= Write
W
= Delete
D
-
= Deny
**
= Inheritance is blocked at this level
F F -W -D W D -W -D W -D L R
F F W -D -W -D W D -W -D L R
F F -W -D W -D -F W D L R
F F W D W -D W -D W -D L R
12
Digital News Production
2
Step
Setting Up a Domain Controller
A Domain Controller is a separate machine running Windows 2000 Server
software and configured with Active Directory. If purchased from Thomson
Grass Valley, an XRE is used. If the sole responsibility of the machine is to act
as a domain controller, SMG- or customer-furnished equipment may be used,
provided that it meets the specifications necessary to host Windows 2000
Server.
In general, you need to follow these guidelines for the Domain Controller:
• The Domain Controller cannot be an FSM.
• A separate Domain Controller and related domain node should be allocated
to the technical LAN subnet. This Domain Controller should also have
sufficient access to all related LANs to establish trusts and provide
authentication services.
• An XRE can be used to host another NewsEdit product, SmartBins.
• The domain controller may be remote to the Open SAN, but needs high
availability and direct configurability by your newsroom engineering
department.
• Consistent with the Windows domain model, the domain controller may also
use a backup within the Open SAN subnet.
• You can either create a Domain Controller as a new domain tree or as a child
domain to an existing Domain Controller on your network.
• For normal newsroom operation, if the domain controller is a member of a
forest or tree, the Domain Controller can be subordinate: trusting but not
trusted.
The configuration of Microsoft Windows domains with Active Directory is a
broad and deep topic that is documented extensively by a variety of resources,
including Microsoft’s website. Each news organization has different
infrastructure and policies regarding the configuration of domains. What
NewsShare Open SAN security requires is an Active Directory zone with at
Digital News Production
13
Step 2 Setting Up a Domain Controller
least one dedicated Windows 2000 Server domain controller; there are several
ways to achieve this, and the choice appropriate for your organization depends
on your organization’s culture, infrastructure, and IT policies.
In planning, you need to determine the relationship of the new domain to its
tree; whether it will use integrated, delegated, or standalone DNS; and whether
the domain controller’s mode will be mixed, in order to interoperate with preWindows 2000 domain controllers, or native, allowing advanced features,
particularly greater opportunity in configuring user groups. The recommended
configuration to effect the most flexible control of the technical domain is to
run integrated DNS on a native-mode domain controller.
This guide details two of the many ways to set up a domain controller with
Active Directory:
• First node in a domain tree, integrated DNS, (mixed-mode) permissions
compatible with pre-Windows 2000 servers.
• Child node in an existing domain tree, (integrated) DNS in the parent,
(native-mode) permissions compatible with Windows 2000 servers and
higher.
As an adjunct step, depending on the trust relationship between the domain
controllers for NewsShare and those of the larger organization, the use of a
standalone DNS with forwarding may be necessary to achieve a highly isolated
domain. This configuration step is detailed as well.
14
Digital News Production
Overview
To create a Domain Controller, follow these steps:
Install Windows 2000 Server software page 16
Add the Domain Controller to the network page 16
Overview
What to do Refer to...
Add the new machine to the parent domain (if creating a child
domain)
Configure Active Directory page 19
Add all FSMs and Profile Media Servers to the new domain page 23
Create new groups page 25
Create users as necessary page 27
Add users to the new groups page 29
page 18
Digital News Production
15
Loading...