Restrict Access to Folders

The Media Management and Analysis Platform organizes cameras, channels, videos, and recorders into folders. If you have enabled user authentication, you can restrict access to certain resources.

You can only restrict access to top-level folders. For example, you can restrict access to the folder Europe, but Europe/UK inherits access control settings from its parent.

TIP: The top-level folder for cameras/Europe/UK and channels/Europe/UK is Europe. When you restrict access to the Europe folder, the same settings apply for cameras, channels, videos, and other resource types.

When you create or update a folder using the folder management endpoint, you can specify a list of roles that are permitted access. Use the accessControlAllowedRoles property in the body of the request, as described in the MMAP API documentation. For example:

{
  "entityType": "Folder",
  "accessControlAllowedRoles": [
    "Europe",
    "Administrator"
  ]
}

In this case, any user who is a member of the "Europe" or "Administrator" role is permitted to access the folder. (The user would also need to be a member of a suitable MMAP role to use the MMAP API. For example, the "read_metadata" role allows a user to retrieve information about items.)

NOTE: MMAP expects the role names in IDOL Community to have the prefix MMAP_. For example, the roles in the request above would be named "MMAP_Europe" and "MMAP_Administrator" in Community. You can modify or remove the prefix by changing the property named avalanche.vms.accessControl.rolePrefix in the MMAP configuration file avalanche.properties.

Grant Access to Media Server

IDOL Media Servers require access to folders so that they can, for example, create video resources that contain analysis results. To grant Media Server access to a restricted folder, ensure that you include the role mediaserver in the accessControlAllowedRoles list when you create the folder. Alternatively, make Media Server a member of one of the accessControlAllowedRoles, by adding the role name to the property avalanche.vms.accessControl.mediaserverRoles in the avalanche.properties configuration file.
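
The following pre-deployment check is an added example, not part of MMAP or its documentation. It reads the two access-control properties named above and a set of folder request bodies, then reports the Community role names each folder expects and whether Media Server would be locked out. The sample data is constructed; the comma-separated format of mediaserverRoles, the treatment of a folder with no accessControlAllowedRoles as unrestricted, and the function names are assumptions.

```python
import json

# Constructed avalanche.properties sample. Assumption: mediaserverRoles is a
# comma-separated list of names as used in accessControlAllowedRoles.
SAMPLE_PROPERTIES = """\
avalanche.vms.accessControl.rolePrefix=MMAP_
avalanche.vms.accessControl.mediaserverRoles=Analytics
"""

# Constructed folder request bodies, keyed by top-level folder name.
SAMPLE_FOLDERS = {
    "Europe": '{"entityType": "Folder", "accessControlAllowedRoles": ["Europe", "Administrator"]}',
    "Asia": '{"entityType": "Folder", "accessControlAllowedRoles": ["Asia", "mediaserver"]}',
    "Labs": '{"entityType": "Folder", "accessControlAllowedRoles": ["Analytics"]}',
    "Public": '{"entityType": "Folder"}',
}

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def top_level_folder(resource_path):
    """cameras/Europe/UK -> Europe; access control is set only at this level."""
    return resource_path.strip("/").split("/")[1]

def audit_folders(folders, props):
    """Per folder: Community roles to create, and whether Media Server has access."""
    prefix = props.get("avalanche.vms.accessControl.rolePrefix", "MMAP_")
    extra = props.get("avalanche.vms.accessControl.mediaserverRoles", "")
    ms_roles = {"mediaserver"} | {r.strip() for r in extra.split(",") if r.strip()}
    report = {}
    for name, body in folders.items():
        allowed = json.loads(body).get("accessControlAllowedRoles") or []
        report[name] = {
            "restricted": bool(allowed),
            # "mediaserver" is omitted here: the page does not say whether it
            # is a Community role that takes the prefix.
            "community_roles": [prefix + r for r in allowed if r != "mediaserver"],
            # Assumption: no allowed-roles list means the folder is unrestricted.
            "mediaserver_ok": not allowed or bool(ms_roles & set(allowed)),
        }
    return report
```

With the sample data, the Europe folder is reported with mediaserver_ok set to False, which is the case where Media Server cannot create video resources until one of the two remedies above is applied.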

Restrict Access to Exported Data

MMAP can be used to export video metadata to an IDOL Content component. MMAP helps to preserve the access controls that you have added to your folders by adding an Access Control List (ACL) to IDOL documents.

MMAP adds the ACL to the document field AUTONOMYMETADATA. To use a different field for the ACL, set the property avalanche.vms.export.content.aclFieldName in the MMAP configuration file avalanche.properties.

MMAP also sets the SecurityType parameter on the index actions used to index documents, so that IDOL Content can identify the type of security that is used. The default configuration sets this parameter to NT_V4. To change the value, set the property avalanche.vms.export.content.securityType in the MMAP configuration file avalanche.properties. Set this property to the same value you use to identify the security type AUTONOMY_SECURITY_V4_NT_MAPPED in your IDOL Content component configuration file.

For more information about how to restrict access to documents in the IDOL index, refer to the IDOL Document Security Administration Guide.