When using the CatDV Enterprise Server access to clips and catalogs on the server is governed by users, groups, roles and permissions.
Each catalog on the server is owned by a particular user and group. Each user who logs on to the system has a specific role. The role governs what access they have, depending on what permissions the role has in the catalog’s group. (A role can define different permissions in different groups.)
The following permissions are available:
- Read other users’ catalogs (this lets you open all catalogs belonging to the group, not just those you own)
- Create new catalogs in this group
- Create new clips (whether you can import new clips or create new subclips within an existing catalog)
- Edit own catalogs (if you don’t have this permission catalogs become locked once they have been published to the server)
- Edit other users’ catalogs (this lets you edit any catalog belonging to the group)
- Delete own clips (allows you to delete clips you own from a catalog)
- Delete own catalogs
- Delete others (allows you to delete other users’ clips and/or catalogs within this group, in addition to those belonging to you)
- Tape management (allows you to create and edit tape information)
- User administration (allows you to create new users and change their permissions within this group)
- System administration (allows you to create new groups and edit any permission, effectively the “super user”)
- Edit pick lists (allows you to edit pick list values for that group)
- Edit locked fields (allows you to edit fields that have been marked as locked in the user-defined fields section of Preferences; normally such fields are read-only)
These permissions all apply to one particular group or “production”. A role can have different permissions in different groups, giving you great flexibility in setting up access control if you need it. You can also give a role access to the special System Group; any permission you have in this group will apply to the entire database, regardless of which production group the catalog belongs to.
Differences from earlier versions
Roles are a new feature in CatDV 9. In earler versions of CatDV permissions and group membership were directly assigned to individual users, which meant that any permission changes had to be applied to each user in turn to keep them in sync. When you first switch to the new client and server, new roles are created automatically based on the existing permissions and given a name starting with ‘##’. You should review and consolidate these roles and give them more meaningful names as required.
If necessary, you can keep the old permissions scheme by unchecking the “User roles” option in the Server Control Panel.
Checking permissions
Use the Browse Database command to view the group and user that a catalog belongs to and whether you have permission to read, write or delete the catalog. The “Access” column summarises these permissions with the letters ‘r’, ‘w’ and ‘d’, while ‘-‘ indicates you don’t have access. If you use the tree navigator catalogs are arranged in folders according to the production group they belong to.
Use the Show Info button to display the catalog information panel where you can change the user or group the catalog belongs to (if you have permission to edit the catalog).
If you still don’t see the commands to publish catalogs or save changes, even though you think you should have permission to do so, there are several other things to check:
- Check that the “Allow write access to server” option is checked in the “Server” Preferences page
- Make sure you are not using a Browse Only client license.
- If the status line shows you are in a read-only view and the clips are shown with a distinctive red background this means you are quickly previewing the contents of a catalog on the server without having fully opened it. Right click on the catalog in the tree or use the Server menu and choose the Open For Editing command.
User Admin Panel
When editing users and permissions, first create the group(s) you are interested in by going to the User Admin panel and clicking the ‘+’ button in the Production Groups section (you will need to log on as a systems administrator to do this).
Next, you can define a number of system-wide roles, for example Systems Adminstrator, Group Adminstrator, Librarian, Logger, Producer, and so on. Again, click on the ‘+’ button to do this. For now, just enter a role name.
Once you have created groups and roles you can assign a role to particular groups by giving that role permissions in that group. Select the production group and role you wish to link together, then click on the ‘+’ button in the Role Permissions section. Once you do this you can click on the permissions you want users with that role to have in that group. (Remember that if you give a role permissions in the System Group that’s shorthand for giving the role that permission in all groups.)
Finally, once you have created your production groups and defined your roles, you can create users and assign them to particular roles.
When you select a production group, all the roles which are members of that group (ie. have access to the group) are shown with a tick mark in the Member column. Conversely, if you select a role then all the groups it is a member of are shown with ticks in the production group Member column. Once you select a group and a role, both of which tick check marks, then you can view and edit the permissions of that role in that group.
Customising functionality for roles
When a user logs on to the system, if they are a member of more than one production group they choose which group they want to work in. Selecting a group loads the preference settings for that group, including settings such as proxy locations, user-defined field names, pick list values, and customised view layouts. If you check the Advanced user interface checkbox for that role then users with that role will always see the advanced toolbar, advanced tree and advanced tree regardless of what the group settings are.
In addition to this group-based customisation, the specific role of the user can override certain default settings for the production group. For example, a details panel layout called “Advanced” could be defined that is turned off for most users in the group and is only enabled for adminstrators.
Click the pencil button to edit a role and enter override settings, such as the names of tabs that are always to be shown or hidden for that role.