Overview

MediaSilo's authorization scope has two layers: the account and a project. A user will have some permissions across an entire MediaSilo account, and will also have permissions scoped to specific projects. We do this to support delegating the management of projects to teams or individuals without exposing authorization to account-level resources. Essentially, we allow you to create a contained workspace that cannot affect the account itself.

To support these two layers we have two types of permission objects: Account Level Roles and Role Templates. Account roles are assigned to a user, and exist across the entire account. Role templates are collections of permissions. They can be assigned to a specific user to define what the user can do within a specific project. We call them templates because they describe a set of permissions that can be prescribed to users, resulting in the creation of actual roles.

NOTE:

  • If a user is granted a role within a project, the MediaSilo system will not look any further for the user's permissions. This means that if an account role grants a user permission to upload assets but the project role denies it, the user will not be able to upload assets in the respective project.

  • We allow you to assign a default role template to a user to avoid having to explicitly assign a specific role when they are added to a project. The default role template will be automatically assigned to a user each time they are added to a project if no other role is specified.

  • Roles cannot be modified, only Role Templates can. Every new account in MediaSilo is scaffolded with core roles that are immutable.

Permission Groups

Each role has a collection of permission groups that contain a list of permissions that pertain to the respective group. The groups are related to specific workflows within MediaSilo:

  • The ASSET group describes the permissions related to working with files managed in MediaSilo.
  • The COLLABORATION group describes the permissions that are related to how you can work with others on given assets.
  • The SHARING group describes where assets can be sent.
  • The REPORTING group describes what data can be exported from MediaSilo.
  • The SERVICE group describes what external services are permissible. Currently, transcription is the only service in this group.

Role Templates

Below is an example of what a Role Template looks like:

{
    "id": "54208878e4b05c1a34c2e0cd",
    "displayName": "Editor",
    "description": "Any user responsible for editing assets",
    "permissionGroups": [
        {
            "displayName": "ASSET",
            "groupIdentifier": "ASSET",
            "permissions": [
                "CREATE",
                "DELETE",
                "SOURCE",
                "READ",
                "UPDATE"
            ]
        },
        {
            "displayName": "COLLABORATION",
            "groupIdentifier": "COLLABORATION",
            "permissions": [
                "REQUESTAPPROVAL",
                "RATE",
                "COMMENT"
            ]
        },
        {
            "displayName": "SHARING",
            "groupIdentifier": "SHARING",
            "permissions": [
                "INTERNAL",
                "EXTERNAL"
            ]
        }
    ]
}

| Name | Description |
| --- | --- |
| displayName | This is the name that will be shown in the MediaSilo application. |
| description | For roles in particular, descriptions are important. Oftentimes, the name cannot fully describe the permissions that are being granted within a given role. |
| permissionGroups | A collection of permission definitions. |
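
The precedence rule from the NOTE above, applied to roles in the Role Template shape, as an added example that is not MediaSilo's own code. The sample roles and the function names are constructed for illustration; it assumes an account role uses the same permissionGroups structure, that a permission missing from the deciding role is denied, and that the account role is consulted only when the user has no project role and no default role template.

```python
# Constructed sample roles in the shape of the Role Template shown above.
# Assumption: an account-level role uses the same permissionGroups structure.
ACCOUNT_ROLE = {
    "displayName": "Account Contributor (constructed)",
    "permissionGroups": [
        {"groupIdentifier": "ASSET", "permissions": ["CREATE", "READ"]},
        {"groupIdentifier": "SHARING", "permissions": ["INTERNAL"]},
    ],
}
PROJECT_ROLE = {
    "displayName": "Reviewer (constructed)",
    "permissionGroups": [
        {"groupIdentifier": "ASSET", "permissions": ["READ"]},
        {"groupIdentifier": "COLLABORATION", "permissions": ["COMMENT", "RATE"]},
    ],
}


def flatten(role):
    """Return a role's grants as a set of (groupIdentifier, permission) pairs."""
    return {
        (group["groupIdentifier"], perm)
        for group in role.get("permissionGroups", [])
        for perm in group.get("permissions", [])
    }


def effective_role(account_role, project_role=None, default_template=None):
    """Pick the one role that decides access inside a project.

    An explicit project role wins; otherwise the default role template applies.
    Neither is merged with the account role. Assumption: with no project role
    and no default template, the account role is consulted.
    """
    for role in (project_role, default_template):
        if role is not None:
            return role
    return account_role


def is_allowed(group, perm, account_role, project_role=None, default_template=None):
    """Assumption: a permission missing from the deciding role is denied."""
    role = effective_role(account_role, project_role, default_template)
    return (group, perm) in flatten(role)


def shadowed_grants(account_role, project_role):
    """Account-level grants that no longer apply inside the project."""
    return sorted(flatten(account_role) - flatten(project_role))
```

Running `shadowed_grants` over each user's account role and project role before assigning a template shows which account-level permissions the user will lose inside that project.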