Modifying Access Rights for a Group

Security rights will be defined at a resource (for example, camera) level within the group. Rights may include the ability to view a camera, to use the PTZ, or to change camera settings. Permissions to access these rights can be associated with users and/or user groups by an administrator.

If your system is under Enterprise Management, the Farm and User membership security settings are read-only if they have been configured at the enterprise management level. You cannot add/remove users or groups. You can, however, modify access to Devices and Video walls.

To modify access rights for a Group:

1.      From the Groups section, select the name of the group. The Group Information is displayed in the right pane.

2.      Click Manage Security. The Security Configuration dialog box opens.

3.      From the Security Profiles drop-down box, select the profile for which you want to modify privileges. (For background information, see Managing Security Profiles.)

4.      Select the Allow, Deny, or Unspecified option for each Right.

        Farm tab defines access rights for core functionality that is not specific to a camera or other resource; for example, whether a user can connect to the farm, or export video.

        Devices tab defines user permissions that can be defined for devices; for example, whether a user can view the live feed or change the configuration for a specified camera, or listen to a camera or talk through a camera.

        Video Walls tab defines user permissions that can be defined for video walls; for example, whether a user can move a window in the video wall, or edit a video wall layout.

        Users tab defines user permissions that can be defined for other users; for example, whether a user can view or edit the properties of another user or group.

        The Effective Permission column calculates the access granted to this group for the current functionality. Symphony checks if this group is a member of another group that may restrict access to the resource. For example, if the current group allows access but another group of which it is a member restricts access, the effective permission will be Deny.

5.      Click Apply to save changes and then Close.

You can click on the effective permission entry for a given right to display a list of inherited permissions. This helps you determine which group membership is causing the current effective permission.

Users within Groups and Effective Permissions

Users can be assigned individual security privileges if necessary.

The Deny option for any individual user or group overrides Allow.

       If at any point there is an explicit Deny permission defined between a user/group and the resource/group, permission will be denied.

       If there are no explicit Allow or Deny permissions, permission will be denied.

       If no explicit Deny permissions exist, but there is at least one Allow permission, permission will be allowed.

 

Example

User A has an individual right of Allow and belongs to Group 1, which also has Allow, but Group 1 is a subgroup of Group 2, which has Deny. User A will be Denied the right.

User B has individual right of Deny, belongs to Group 1 which has Allow and is a subgroup of Group 2, which has Allow. User B will be Denied the right, irrespective of the group designations (of Allow). Deny is always the effective overriding permission.
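
The three rules and the two examples above can be expressed as a short evaluation routine. This is an added sketch, not Symphony's own code: the function names, the dictionary layout, and the extra "User C" case (no explicit settings anywhere) are assumptions made for illustration.

```python
from enum import Enum

class Right(Enum):
    ALLOW = "Allow"
    DENY = "Deny"
    UNSPECIFIED = "Unspecified"

def inherited_permissions(principal, settings, member_of):
    """List (name, Right) for the principal and every group it belongs to,
    directly or through nested membership."""
    seen, stack, found = set(), [principal], []
    while stack:
        name = stack.pop()
        if name in seen:  # tolerate circular group membership
            continue
        seen.add(name)
        found.append((name, settings.get(name, Right.UNSPECIFIED)))
        stack.extend(member_of.get(name, ()))
    return found

def effective_permission(principal, settings, member_of):
    """Any explicit Deny wins; otherwise one Allow is enough; otherwise Deny."""
    rights = {r for _, r in inherited_permissions(principal, settings, member_of)}
    if Right.DENY in rights:
        return Right.DENY
    if Right.ALLOW in rights:
        return Right.ALLOW
    return Right.DENY  # nothing explicit anywhere in the chain

def deny_sources(principal, settings, member_of):
    """Names whose explicit Deny causes the result (the inherited list view)."""
    chain = inherited_permissions(principal, settings, member_of)
    return sorted(n for n, r in chain if r == Right.DENY)

# Constructed data matching the two examples above, plus an unset case.
MEMBER_OF = {"User A": ["Group 1"], "User B": ["Group 1"],
             "User C": ["Group 1"], "Group 1": ["Group 2"]}
CASE_A = {"User A": Right.ALLOW, "Group 1": Right.ALLOW, "Group 2": Right.DENY}
CASE_B = {"User B": Right.DENY, "Group 1": Right.ALLOW, "Group 2": Right.ALLOW}
CASE_NONE = {}  # no explicit Allow or Deny anywhere

if __name__ == "__main__":
    for user, case in (("User A", CASE_A), ("User B", CASE_B), ("User C", CASE_NONE)):
        result = effective_permission(user, case, MEMBER_OF)
        print(user, result.value, deny_sources(user, case, MEMBER_OF))
```

The `deny_sources` helper mirrors what the inherited permissions list is for: finding which user or group entry is responsible for an effective Deny.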

Associating Groups with Active Directory

Currently, Active Directory groups are not supported in Enterprise Management.

 

When Active Directory authentication is enabled, groups can optionally be associated with Active Directory groups. Associating groups with Active Directory may be beneficial in large organizations with an existing Active Directory hierarchy. Once the associations have been defined, Symphony is periodically synchronized with Active Directory to ensure that the group relationships are equivalent.

To associate a group with Active Directory groups:

 

1.      In the Group Information dialog box, click the Associate button. The Active Directory Search dialog box opens.

2.      Use the search feature to find and select the Active Directory group to associate. If groups are associated with Active Directory, group membership is automatically synchronized.

Ban Live Video

Allows you to ban video from cameras and camera groups. Only users and groups with specified permissions can use this feature. You must set up all server machines for this feature.

If your system is under Enterprise Management, the Farm and User membership security settings are read-only if they have been configured at the enterprise management level. As the Symphony administration user, you cannot add/remove groups locally. You can, however, make local changes to the non-centrally-managed permissions of those groups. You can create a UserBanGroup in Enterprise Management and assign the desired users to it, and then as a local administrator set device permissions for users.

To create a User Ban Group:

1.      Create a group named UserBanGroup. To this new group, add the following users:

        All non-admin users that should be banned from selected devices during a video ban.

        Users who log into video wall clients. This is so that video wall clients are properly banned.

2.      Add this group to the database settings table:

a.      From the Server menu, select Manual Configuration Editor.

b.      Click Add a new setting in the first row to activate the cells.

c.      Enter the following in cells under each column:

        Type=Global

        Section=Main

        ID=<empty>

        Key=LiveBanGroup

        Value=UserBanGroup

3.      To confirm your entry, click the Action cell.

4.      Click OK.