Grass Valley Open SAN Security User Manual

Number: 510057.001
The Quality System of:
Thomson Broadcast & Media Solutions
TBMS, 400 Providence Mine Road, Nevada City, CA 95945
TBMS, 17 rue du Petit Albi-BP 8244, 95801 Cergy Pontoise, Cergy, France
TBMS Weiterstadt, Germany, Brunnenweg 9, D-64331 Weiterstadt, Germany
TBMS, 10 Presidential Way, 3rd Floor, Suite 300, Woburn, MA 08101
TBMS, 15655 SW Greystone Ct., Beaverton, OR 97006
TBMS, 2300 South Decker Lake Blvd., Salt Lake City, UT 84119
TBMS - PCB Nederland B.V., 4800 RP BREDA, The Nederlands
TBMS Rennes, France, Rue du Clos Courtel, Cesson-Sevigne, Cedex France
TBMS/Nextream Rennes, France, Rue du Clos Courtel, Cesson-Sevigne, Cedex France
TBMS/Nextream, Technopole Brest Iroise, CS 73808, 29238 Brest Cedex 3, France
Including its implementation, meets the requirements of the standard:
ISO 9001:2000
Scope: The design, manufacture and support of video hardware and software products and related systems.
This Certificate is valid until: June 14, 2006
Revision Date: September 9, 2003
Renewal Date: June 14, 2003
Issued for the first time: June 14, 2000
Copyright
Copyright © 2004 Thomson Broadcast and Media Solutions, Inc. All rights reserved. Printed in the United States of America.
This document may not be copied in whole or in part, or otherwise reproduced except as specifically permitted under U.S. copyright law, without the prior written consent of Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900
Trademarks
FeedClip, Grass Valley, NewsEdit, NewsQ, and Profile are either registered trademarks or trademarks of Thomson Broadcast and Media Solutions, Inc. in the United States and/or other countries. Other trademarks used in this document are either registered trademarks or trademarks of the manufacturers or vendors of the associated products. Thomson Broadcast and Media Solutions, Inc. products are covered by U.S. and foreign patents, issued and pending. Additional information regarding Thomson Broadcast and Media Solutions, Inc.’s trademarks and other proprietary rights may be found at www.thomsongrassvalleygroup.com.
Disclaimer
Product options and specifications subject to change without notice. The information in this manual is furnished for informational use only, is subject to change without notice, and should not be construed as a commitment by Thomson Broadcast and Media Solutions, Inc. Thomson Broadcast and Media Solutions, Inc. assumes no responsibility or liability for any errors or inaccuracies that may appear in this publication.
U.S. Government Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7013 or in subparagraph c(1) and (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19, as applicable. Manufacturer is Thomson Broadcast and Media Solutions, Inc., P.O. Box 59900, Nevada City, California 95959-7900 U.S.A.
Revision Status
Rev Date           Description
November 30, 2004  Release 071-8369-00 for Software Version 5.1
Contents
Introduction  7
Step 1  Designing a Security Schema
  Sample Security Schema  10
  NewsShare System Users and Groups  11
  Permissions and Groups  11
Step 2  Setting Up a Domain Controller
  Overview  15
  Installing Windows 2000 Server Software  16
  Adding the Domain Controller to Your Network  16
  Adding the New Machine to the Parent Domain  18
  Configuring the Domain Controller with Active Directory  19
    Configuring a New Domain Tree With Integrated DNS  19
    Configuring a Child Domain  21
    Configuring DNS With Forwarder  23
  Adding FSMs and Profile Servers to the Domain  24
  Creating Groups  25
  Creating Users  27
  Adding Users to the New Groups  29
Step 3  Discontinuing Open SAN Service  33
Step 4  Joining Machines to the New Domain
  For Each DNP Workstation  35
  For Each FSM and Profile Media Server  36
Step 5  Modifying CVFS for Open SAN Security
  Adding Windows Security to CVFS  38
  Power Cycling the FSMs  39
Step 6  Turning the System Back On  41
Step 7  Setting Security Permissions
  Setting Initial Shared Volume Permissions  44
  Setting High Level Shared Volume Permissions  45
  Setting NewsEdit Root Level Permissions  47
  Setting NewsEdit Bin Permissions  49
Step 8  Using a Reference Time Source  51
Step 9  Testing  53
Digital News Production
Grass Valley Product Support
To get technical assistance, check on the status of problems, or report new problems, contact Grass Valley Product Support via e-mail, the Web, or by phone or fax.
Web Technical Support
To access support information on the Web, visit the product support Web page on the Grass Valley Web site. You can download software or find solutions to problems by searching our Frequently Asked Questions (FAQ) database.
World Wide Web: http://www.thomsongrassvalley.com/support/
Technical Support E-mail Address: gvgtechsupport@thomson.net
Phone Support
Use the following information to contact product support by phone during business hours. After-hours phone support is available for warranty and contract customers.
United States: (800) 547-8949 (Toll Free)
Latin America: (800) 547-8949 (Toll Free)
Eastern Europe: +49 6155 870 606
Southern Europe: +33 (1) 34 20 77 77
Middle East: +33 (1) 34 20 77 77
Australia: +61 1300 721 495
Belgium: +32 2 3349031
Brazil: +55 11 5509 3440
Canada: (800) 547-8949 (Toll Free)
China: +86 106615 9450
Denmark: +45 45968800
Dubai: +971 4 299 64 40
Finland: +35 9 68284600
France: +33 (1) 34 20 77 77
Germany: +49 6155 870 606
Greece: +33 (1) 34 20 77 77
Hong Kong: +852 2531 3058
Italy: +39 06 8720351
Netherlands: +31 35 6238421
Poland: +49 6155 870 606
Russia: +49 6155 870 606
Singapore: +65 6379 1390
Spain: +34 91 512 03 50
Sweden: +46 87680705
Switzerland: +41 (1) 487 80 02
UK: +44 870 903 2022
Preface
Authorized Support Representative
A local authorized support representative may be available in your country. To locate the support representative for your country, visit the product support Web page on the Grass Valley Web site.
Profile Users Group
You can connect with other Profile XP Media Platform users to ask questions or share advice, tips, and hints. Send e-mail to profile-users@thomson.net to join the community and benefit from the experience of others.

Introduction

With Open SAN security, you can control the visibility and access for users and groups within NewsEdit bins by associating the bins and assets with file system permissions. Open SAN security uses the overlapping modes of inheritance, exclusivity, and group membership, as implemented by Windows, to establish file system security. These principles apply:
• Selective access—You create groups of users, such as Editors or Producers, and set permissions for each group.
• Partial control—You control access to branches of the Bin tree for users and groups.
• Administrative control—The Administrator has exclusive access to a tool in the top-level bin that allows the setting of permissions in the top-level bins.
Steps 1-3 can be completed at any time in preparation for Open SAN Security. Steps 3-9 must be done with the NewsShare system off line, during a maintenance window.
To use Open SAN security in your newsroom, follow these steps:
Step  Description                                                                                      Refer to...
1     Design a security schema                                                                         Page 9
2     Create and configure a Domain Controller                                                         Page 13
3     Discontinue the Open SAN Service                                                                 Page 33
4     Join computers to the new domain                                                                 Page 35
5     Add Windows Security to the CVFS configuration                                                   Page 37
6     Turn on the Open SAN Failover Monitor Service and reboot all client machines and Profile Media Servers   Page 41
7     Set permissions for the shared volume                                                            Page 43
8     Optionally, install and configure NetTime on the FSMs and Profile Media Servers                  Page 51
9     Test to make sure that security is working                                                       Page 53
The rest of this manual discusses each of these steps in detail.
Step 1  Designing a Security Schema
The first step in setting up security in your Open SAN system is to determine a schema for permissions. The schema determines which groups you create, and which permissions you give each group.
Thomson Grass Valley has created a typical schema for use in illustrating security principles in this document. You may use this schema if it is appropriate for your newsroom, or create your own. For the examples in this manual, we’ll assume that the newsroom has five groups: Editors, Producers, Archivists, Ingestors, and Viewers.
The Open SAN security principles are agnostic to these groups, though the use of groups greatly simplifies the establishment of the security schema. We picked these names as exemplary; you do not need to use them in your operation. You can have as many or as few groups as you like, named however you wish. If your domain has a tree hierarchy, you may assign permissions to global groups as well.
The discussion in this chapter pertains to planning groups, users, and permissions. The actual creation of domain entities and setting of permissions are done in Step 8.

Sample Security Schema

The following table lists the groups and permissions being used as an example in this document:
News Group            Bin            Permissions
Domain Administrator  All            Full control
Editors               Monday-Sunday  Read/Write/Delete in top level bins, but cannot delete material from newscast bins
                      Feeds          Read only
                      HFR            Read/Write
                      Archive        Read/Write
Producers             Monday-Sunday  Read/Write
                      Feeds          Read only
                      HFR            Full control
                      Archive        Read/Write
Archivists            Monday-Sunday  Read only
                      Feeds          Read/Write
                      HFR            Read only
                      Archive        Full control
Ingestors             Monday-Sunday  Read only
                      Feeds          Full control
                      HFR            None (permission denied)
                      Archive        Read/Write
Viewers               Monday-Sunday  Read only
                      Feeds          Read only
                      HFR            Read only
                      Archive        Read only

NewsShare System Users and Groups
At a minimum, you need to create two user-group sets for use by certain components of the NewsShare system:
Group             User Members    Password
Profile Services  profile         profile
Vibrint Services  VibrintService  triton

Permissions and Groups

In addition to the groups you’ll create for your newsroom, you need to create one group to manage the Profile Media Servers, and set permissions for three built-in groups—Domain Admins, Everyone, and SYSTEM. Based on our security schema, the following table illustrates how groups and permissions are set for the various NewsEdit folders and bins:
Legend: F = Full Control; L = List Folder Contents; R = Read; W = Write; D = Delete; - = Deny (for example, -W denies Write); ** = Inheritance is blocked at this level.
Groups (columns of the original table): Domain Admins, Everyone, SYSTEM, Archivists, Editors, Ingestors, Producers, Viewers, Profile Services.
Folders, set with Windows Explorer, or with NewsEdit Tools | Set Root Permissions for the NewsEdit root (V:\VibrintAVFiles):
V:\ : marks as extracted: F F F F (the per-group assignment of these entries was lost)
V:\media : marks as extracted: F F
V:\PDR : marks as extracted: F F F F F
V:\Thumbnails : inherits control from V:\
V:\VibrintAttic : inherits control from V:\
V:\VibrintAVFiles ** : Domain Admins F; SYSTEM F; Archivists L R; Editors L R; Ingestors L R; Producers L R; Viewers L R; Profile Services F
Bins, set with Bin Security Properties:
Monday-Sunday Bins : Domain Admins F; SYSTEM F; Archivists -W -D; Editors W D; Ingestors -W -D; Producers W -D; Viewers L R
Feeds Bin : Domain Admins F; SYSTEM F; Archivists W -D; Editors -W -D; Ingestors W D; Producers -W -D; Viewers L R
HFR Bin : Domain Admins F; SYSTEM F; Archivists -W -D; Editors W -D; Ingestors -F; Producers W D; Viewers L R
Archive Bin : Domain Admins F; SYSTEM F; Archivists W D; Editors W -D; Ingestors W -D; Producers W -D; Viewers L R
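As an added example that is not part of the manual, the following Python models how the bin-level entries in the permissions table combine with the entries inherited from the NewsEdit root into a user's effective rights, using a simplified Windows evaluation order (explicit deny, explicit allow, then the inherited entries). It assumes the V:\VibrintAVFiles root row grants Domain Admins, SYSTEM and Profile Services full control and the five newsroom groups List and Read, with inheritance blocked there.

```python
# Added example, not the manual's code: how Windows ACEs on the sample schema
# combine into effective rights. BIN_TABLE is transcribed from the bin table.
from collections import namedtuple
RIGHTS = {"F": {"L", "R", "W", "D"}, "L": {"L"}, "R": {"R"}, "W": {"W"}, "D": {"D"}}
NEWSROOM = ("Archivists", "Editors", "Ingestors", "Producers", "Viewers")
BIN_TABLE = {  # legend letters as in the manual; a leading "-" is a Deny entry
    "Monday-Sunday": {"Archivists": "-W -D", "Editors": "W D", "Ingestors": "-W -D",
                      "Producers": "W -D", "Viewers": "L R"},
    "Feeds": {"Archivists": "W -D", "Editors": "-W -D", "Ingestors": "W D",
              "Producers": "-W -D", "Viewers": "L R"},
    "HFR": {"Archivists": "-W -D", "Editors": "W -D", "Ingestors": "-F",
            "Producers": "W D", "Viewers": "L R"},
    "Archive": {"Archivists": "W D", "Editors": "W -D", "Ingestors": "W -D",
                "Producers": "W -D", "Viewers": "L R"},
}
# An ACE grants or denies legend letters to a group; a Node is a folder with its
# explicit ACEs, its parent, and the "**" flag that blocks inheritance.
Ace = namedtuple("Ace", "group rights deny", defaults=(False,))
Node = namedtuple("Node", "aces parent block_inherit", defaults=(None, False))

def effective_rights(node, groups):
    # Simplified Windows order: explicit deny, explicit allow, then the same per
    # inherited level. The first decision recorded for a right wins, so a Deny on
    # any of the user's groups beats an Allow granted to another of them.
    decided = {}
    cur = node
    while cur is not None:
        for deny in (True, False):
            for ace in cur.aces:
                if ace.deny == deny and ace.group in groups:
                    for r in set().union(*(RIGHTS[c] for c in ace.rights)):
                        decided.setdefault(r, not deny)
        if cur.block_inherit:
            break
        cur = cur.parent
    return {r for r, allowed in decided.items() if allowed}

def build_tree():
    # Assumed V:\VibrintAVFiles root row (inheritance blocked), four bins under it.
    root = Node([Ace(g, "F") for g in ("Domain Admins", "SYSTEM", "Profile Services")]
                + [Ace(g, "LR") for g in NEWSROOM], block_inherit=True)
    bins = {}
    for name, row in BIN_TABLE.items():
        aces = [Ace("Domain Admins", "F"), Ace("SYSTEM", "F")]
        for group, marks in row.items():
            for tok in marks.split():
                aces.append(Ace(group, tok.lstrip("-"), deny=tok.startswith("-")))
        bins[name] = Node(aces, parent=root)
    return bins
```

A user placed in both Editors and Archivists ends up read-only in the Monday-Sunday bins, because the Archivists Deny entries are evaluated before the Editors Allow entries; this is the overlap of group membership and exclusivity the Introduction refers to.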
Step 2  Setting Up a Domain Controller
A Domain Controller is a separate machine running Windows 2000 Server software and configured with Active Directory. If purchased from Thomson Grass Valley, an XRE is used. If the sole responsibility of the machine is to act as a domain controller, SMG- or customer-furnished equipment may be used, provided that it meets the specifications necessary to host Windows 2000 Server.
In general, you need to follow these guidelines for the Domain Controller:
• The Domain Controller cannot be an FSM.
• A separate Domain Controller and related domain node should be allocated to the technical LAN subnet. This Domain Controller should also have sufficient access to all related LANs to establish trusts and provide authentication services.
• An XRE can be used to host another NewsEdit product, SmartBins.
• The domain controller may be remote to the Open SAN, but needs high availability and direct configurability by your newsroom engineering department.
• Consistent with the Windows domain model, the domain controller may also use a backup within the Open SAN subnet.
• You can either create a Domain Controller as a new domain tree or as a child domain to an existing Domain Controller on your network.
• For normal newsroom operation, if the domain controller is a member of a forest or tree, the Domain Controller can be subordinate: trusting but not trusted.
The configuration of Microsoft Windows domains with Active Directory is a broad and deep topic that is documented extensively by a variety of resources, including Microsoft’s website. Each news organization has different infrastructure and policies regarding the configuration of domains. What NewsShare Open SAN security requires is an Active Directory zone with at least one dedicated Windows 2000 Server domain controller; there are several ways to achieve this, and the choice appropriate for your organization depends on your organization’s culture, infrastructure, and IT policies.
In planning, you need to determine the relationship of the new domain to its tree; whether it will use integrated, delegated, or standalone DNS; and whether the domain controller’s mode will be mixed, in order to interoperate with pre-Windows 2000 domain controllers, or native, allowing advanced features, particularly greater opportunity in configuring user groups. The recommended configuration to effect the most flexible control of the technical domain is to run integrated DNS on a native-mode domain controller.
This guide details two of the many ways to set up a domain controller with Active Directory:
• First node in a domain tree, integrated DNS, (mixed-mode) permissions compatible with pre-Windows 2000 servers.
• Child node in an existing domain tree, (integrated) DNS in the parent, (native-mode) permissions compatible with Windows 2000 servers and higher.
As an adjunct step, depending on the trust relationship between the domain controllers for NewsShare and those of the larger organization, the use of a standalone DNS with forwarding may be necessary to achieve a highly isolated domain. This configuration step is detailed as well.

Overview

To create a Domain Controller, follow these steps:
What to do                                                               Refer to...
Install Windows 2000 Server software                                     page 16
Add the Domain Controller to the network                                 page 16
Add the new machine to the parent domain (if creating a child domain)    page 18
Configure Active Directory                                               page 19
Add all FSMs and Profile Media Servers to the new domain                 page 23
Create new groups                                                        page 25
Create users as necessary                                                page 27
Add users to the new groups                                              page 29