Restrict Access to Folders
The Media Management and Analysis Platform organizes cameras, channels, videos, and recorders into folders. If you have enabled user authentication, you can restrict access to certain resources.
You can only restrict access to top-level folders. For example, you can restrict access to the folder Europe, but Europe/UK inherits access control settings from its parent.
TIP: The top-level folder for cameras/Europe/UK and channels/Europe/UK is Europe. When you restrict access to the Europe folder, the same settings apply for cameras, channels, videos, and other resource types.
When you create or update a folder using the folder management endpoint, you can specify a list of roles that are permitted access. Use the accessControlAllowedRoles property in the body of the request, as described in the MMAP API documentation. For example:
{ "entityType": "Folder", "accessControlAllowedRoles": [ "Europe", "Administrator" ] }
In this case, any user who is a member of the "Europe" or "Administrator" role is permitted to access the folder. (The user would also need to be a member of a suitable MMAP role to use the MMAP API. For example, the "read_metadata" role allows a user to retrieve information about items.)
NOTE: MMAP expects the role names in IDOL Community to have the prefix MMAP_. For example, the example roles above would be named "MMAP_Europe" and "MMAP_Administrator" in Community. You can modify or remove the prefix by changing the property named avalanche.vms.accessControl.rolePrefix in the MMAP configuration file avalanche.properties.
Grant Access to Media Server
IDOL Media Servers require access to folders so that they can, for example, create video resources that contain analysis results. To grant Media Server access to a restricted folder, ensure that you include the role mediaserver in the accessControlAllowedRoles list when you create the folder. Alternatively, make Media Server a member of one of the accessControlAllowedRoles, by adding the role name to the property avalanche.vms.accessControl.mediaserverRoles in the avalanche.properties configuration file.
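The following added example (not MMAP code and not from the MMAP documentation) models the rules described above so you can check a planned folder configuration before applying it: top-level folder inheritance, the Community role prefix, and Media Server access. The function names, the "Asia" folder, and the sample data are hypothetical. It assumes that avalanche.vms.accessControl.mediaserverRoles holds a comma-separated list of role names, and it does not model the separate MMAP API roles such as "read_metadata".

```python
# Added illustration: models the access rules described on this page.
# It is not MMAP source code and does not call the MMAP API.

def parse_properties(text):
    """Read key=value pairs from avalanche.properties-style text."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def top_level_folder(resource_path):
    """cameras/Europe/UK -> Europe; the first segment is the resource type."""
    parts = [p for p in resource_path.split("/") if p]
    if len(parts) < 2:
        raise ValueError("expected <resourceType>/<folder>[/...]")
    return parts[1]

def user_permitted(resource_path, community_roles, folder_acls, props):
    """True if a Community role, minus the prefix, is in the folder's allowed list."""
    prefix = props.get("avalanche.vms.accessControl.rolePrefix", "MMAP_")
    mmap_roles = {r[len(prefix):] for r in community_roles if r.startswith(prefix)}
    # Sub-folders inherit, so only the top-level folder's list is consulted.
    # Only restricted folders are modelled; an unknown folder raises KeyError.
    allowed = set(folder_acls[top_level_folder(resource_path)])
    return bool(mmap_roles & allowed)

def mediaserver_permitted(resource_path, folder_acls, props):
    """True if 'mediaserver' or one of mediaserverRoles is in the allowed list."""
    # Assumption: the property holds a comma-separated list of role names.
    raw = props.get("avalanche.vms.accessControl.mediaserverRoles", "")
    ms_roles = {r.strip() for r in raw.split(",") if r.strip()} | {"mediaserver"}
    return bool(ms_roles & set(folder_acls[top_level_folder(resource_path)]))

# Constructed sample data (not taken from a real deployment).
SAMPLE_PROPS = parse_properties("""
# constructed avalanche.properties fragment
avalanche.vms.accessControl.mediaserverRoles=Administrator
""")
SAMPLE_ACLS = {"Europe": ["Europe", "Administrator"], "Asia": ["Asia"]}

if __name__ == "__main__":
    print(user_permitted("cameras/Europe/UK", ["MMAP_Europe"], SAMPLE_ACLS, SAMPLE_PROPS))
    print(user_permitted("channels/Europe/UK", ["Europe"], SAMPLE_ACLS, SAMPLE_PROPS))
    print(mediaserver_permitted("cameras/Asia/Tokyo", SAMPLE_ACLS, SAMPLE_PROPS))
```

In the sample, the "Asia" folder lists neither mediaserver nor a role from mediaserverRoles, so the check reports that Media Server could not write analysis results there.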
Restrict Access to Exported Data
MMAP can be used to export video metadata to an IDOL Content component. MMAP helps to preserve the access controls that you have added to your folders by adding an Access Control List (ACL) to IDOL documents.
MMAP adds the ACL to the document field AUTONOMYMETADATA. To use a different field for the ACL, set the property avalanche.vms.export.content.aclFieldName in the MMAP configuration file avalanche.properties.
MMAP also sets the SecurityType parameter on the index actions used to index documents, so that IDOL Content can identify the type of security that is used. The default configuration sets this parameter to NT_V4. To change the value, set the property avalanche.vms.export.content.securityType in the MMAP configuration file avalanche.properties. Set this property to the same value you use to identify the security type AUTONOMY_SECURITY_V4_NT_MAPPED in your IDOL Content component configuration file.
For more information about how to restrict access to documents in the IDOL index, refer to the IDOL Document Security Administration Guide.