Adding and Managing Permission Sets

Each group has a permission set applied to it. A permission set defines a wide variety of permission settings, including asset and production filtering.

Important: The “admin” permission set is the only one that allows access to the client’s Administration window. Even if you duplicate the “admin” permission set, that copy will not have access to the Administration window.

About the Default Permission Sets

Final Cut Server Installer automatically creates six permission sets.

  • admin: This is the only permission set that includes access to the Final Cut Server client’s Administration window. It provides access to all aspects of the Final Cut Server system. It should only be assigned to groups of users that are capable of administering all aspects of the Final Cut Server system.
  • artist, manager, and editor: These permission sets are all identical and provide access to all aspects of the Final Cut Server system except for those that are specific to the admin permission set.

    The intention of these three permission sets is to give you a starting point for creating specific permission sets for different groups of users. For example, you might want to modify the artist permission set so that those users are only able to access specific devices that contain the graphics they work on.

  • reviewer: This permission set is unable to create, delete, catalog, or edit any of the assets within the Final Cut Server catalog. The reviewer permission set is only able to see assets that have a status of Approved, Ready for Review, Rejected, or Completed.
  • browser: This permission set is unable to create, delete, catalog, edit, edit details, or copy any of the assets within the Final Cut Server catalog. The browser permission set is only able to see assets that have a status of Approved.

Working with Permission Sets

Permission sets are created and configured from a Final Cut Server client’s Administration window.

To see the existing permission sets
  1. In a Final Cut Server client, choose Administration from the Server pop-up menu to open the Administration window.

    Important: You must be logged in as a user with administrator privileges for the Administration item to appear in the Server pop-up menu.

  2. Click Permission Set in the column on the left to open the Permission Set pane.

    A list of existing permission sets appears. By default there is one called “admin,” plus others that the installer created based on the customer profile you selected. See the Final Cut Server Setup Guide for more information.

Figure. Administration window showing the Create button and Duplicate button in the Permission Set pane.

The Permission Set pane contains three columns:

  • Name: This is the name of the permission set. This is also the name that appears when you are managing groups.
  • Perm ID: This is a number that Final Cut Server assigns to permission sets, based on the order in which they are created.
  • Priority: This is a number that defines the priority level of the permission set. Higher values are consulted first to set the permissions for users who are assigned to multiple groups. For example, if a user belongs to a group with a permission set that has a priority of 3 and a second group that has a permission set priority of 4, the second group’s permission set (with the priority of 4) is used.
To add a new permission set
  1. Click the Create button.

    The Permission Set window appears.

    Figure. Permission Set window.
  2. In the column on the left, click Create, Asset Filter, and Production Filter to open and configure their panes.

    See Settings for Permission Sets for details on the settings in these panes.

  3. Select the All Permissions checkbox to set this permission set to have the same permissions as “admin,” but without access to the Administration window.

    This is often the best way to create a permission set. Starting with all settings enabled and then disabling a few specific settings can be easier than starting with a permission set with nothing enabled and then enabling many settings.

    Important: The “admin” permission set is the only one that allows access to the Administration window.

  4. Click Save Changes.

  5. Click the Administration window’s Search button to see the new permission set in the Permission Set pane.

In many cases, it is easier to duplicate an existing permission set and then make changes to it as needed.

To make a duplicate of an existing permission set
  1. Select the permission set that you want to copy.

  2. Click the Duplicate button.

  3. Click the Administration window’s Search button.

A new permission set, named Clone of [duplicated permission set], is added to the list.

To edit an existing permission set
  1. Double-click an existing permission set in the Permission Set pane.

    The Permission Set window appears.

    Figure. Permission Set window.
  2. Click Metadata, Trait Permissions, and Device Permissions to configure each group of settings.

    See Settings for Permission Sets for details on the settings in these panes.

  3. Click Save Changes.

This window closes and the permission set appears in the Permission Set pane with the changes you made.

Settings for Permission Sets

There are three main areas for configuring a permission set:

  • Metadata pane

  • Trait Permissions pane

  • Device Permissions pane

Note: The Trait Permissions and Device Permissions panes are available only when you are editing an existing permission set.

About Metadata Settings

The metadata permissions include the column on the left where you can select the type of metadata to configure.

Modify

This includes the name and priority settings.

The priority setting determines the order in which permission sets are consulted when a user belongs to multiple groups with different permission sets. Higher values are consulted first. For example, if a user belongs to a group with a permission set that has a priority of 3 and a second group that has a permission set priority of 4, the second group’s permission set (with the priority of 4) is used.

Asset Filter

Select Asset Filter to define a metadata filter applied to all asset searches. These metadata filters will be used to perform searches initiated by members of the group. For example, you can create a filter for the Newsroom group so that members of the group only see assets with a Completed status.

Figure. Permission Set window showing the Asset Filter options.
Production View Filter

Select Production View Filter to define a metadata filter applied to nested production searches. These metadata filters will be used to perform searches initiated by members of the group.

Figure. Permission Set window showing the Production View Filter options.
Production Filter

Select Production Filter to define a metadata filter applied to top-level production searches. These metadata filters will be used to perform searches initiated by members of the group.

Figure. Permission Set window showing the Production Filter options.

Trait Permissions Settings

Click the Trait Permissions button to configure access to a variety of areas within Final Cut Server, including assets, productions, jobs, users, and so on. See Setting Trait and Device Permissions for more information.

Figure. Permission Set window showing the Trait Permissions settings.

Important: Most of the settings in the Trait Permissions pane are highly specialized and should not be changed unless you have specific needs and are willing to spend time testing the changes to make sure unintended side effects do not occur.

Many of the items listed in the Name column are reserved for internal use by Final Cut Server. Changing these settings does not affect how the permission set actually works. These include all of the items with “Tab” in their names.

The most commonly configured items are the media asset and production metadata sets. These items all have either “(Media Asset)” or “(Production)” immediately after their names. For example, you may want to forbid a group of users from accessing assets that use the Graphic metadata set.

Device Permissions Settings

Click the Device Permissions button to configure a group’s ability to perform an action on the selected device. Permissions applied to the group apply to all group members. See Setting Trait and Device Permissions for more information.

Figure. Permission Set window showing the Device Permissions settings.

Setting Trait and Device Permissions

The Trait Permissions and Device Permissions panes list traits or devices in rows and actions in columns. For each trait or device, click the cell and choose an option from the list to define the security permission:

  • Permit: Allow the action or actions.
  • Forbid: Deny the action or actions.
  • Inherit: Inherit is a default system setting that can mean an action is permitted or forbidden depending on where the action is inherited from. For user-created permission sets, trait permissions that are set to inherit will usually forbid that action, while device permissions set to inherit will usually permit the action. If permission modifications are needed, it is best to explicitly set any actions to permit or forbid based on the desired result.

The following table lists all of the action columns and their relationships with trait and device permissions.

Column
Trait permissions
Device permissions
Visible
Display tabs in the user interface, or control access to certain types of assets or productions.
Select device when searching.
View details
View selected item details.
View item details on device.
Create
Create items with this trait; for example, users, assets of type Commercial, or productions of type Promotion.
Create or copy items to device.
Edit details
Edit selected item details.
n/a
Search
Search for items, in traits like All Assets and All Productions.
Search device.
Delete
Delete items.
Delete items from device.
Copy from
Copy items from a device to anywhere else.
Copy items from a device to anywhere else.
Catalogue
n/a
Catalog items on device as Final Cut Server assets.
Edit hints
Edit field hints.
n/a
Start
n/a
n/a
Stop
n/a
n/a
Edit media
Allow checking out and locking assets.
Edit a Contentbase device’s media items directly.