User Roles: An Overview of User Role Features

In this article:

• Parts of the User Role tab
• Anatomy of User Roles
  • Role Info
    • Admin Settings
    • Granular Permissions
    • Role Restrictions
    • Production
    • Watermarks
  • View Access Rule
  • Edit Access Rule
  • User Access Rule
  • Members
  • History

User Role Elements

After clicking on the Users module in the left navigation panel choose User Roles in the top panel. Here you can browse and search User Roles that you have access to as well as view and manage existing User Roles and create new User Roles.

1. Users Tab - You will find this tab in the Left Navigation panel 
   NOTE: You will only see your own profile if you do not have permission to add/edit other users.
2. User Roles - This tab allows you to see a list of existing User Roles
3. Search Bar - This allows you to query a search of existing User Roles
4. + New User Role - Allows you to create a new User Role

The Anatomy of User Roles

The top bar of the User Role includes:

1. User Role Name
2. Number of Members Assigned to the Role
3. Save Role as a Template
4. Load a Template for the User Role
5. Close the Role detail

There are also six tabs that make up a user role:

6. Role Info - Defines the role and it’s primary capabilities and limitations
7. View Access Rules - Defines what the role can view
8. Edit Access Rules - Defines what the role can edit
9. User Access Rules - Defines who else in the system can be seen by this role
10. Members - Lists who the role is applied to
11. Projection Room(V7) - Select/Unselect devices from the user role
12. History - Shows the history of role like when the role was created and actions taken on it.

Role Info

The Role Info Screen has five main parts:

1. User Role Name - The name of a User Role usually contains key words to make it easier for admins to distinguish the role while looking at the list. For example, a user role like Editorial Uploader for ‘The Great Movie’ may be called TGM - Editorial - Uploader so that the film abbreviation leads to the Role name. However, Roles can be titled however your Admins determine works best for your system.
2. Admin Settings - This section determines certain (but not all) permission choices for the role. * Each of these settings will be detailed below.
3. Role Restrictions - This section only applies to Standard Users who are able to add other users. In this section you will choose which roles the standard user will be able to choose from when creating a new user.
4. Production - This section determines which Productions the user has access to.
5. Watermarks - This section determines the look of the watermark for the User Role for Images, PDFs and for Videos.
    

Admin Settings

Within Admin Settings:

• Domain
• Package Share Types
• Package share download options
• User Access Level
• Default Package Share Type
• Authentication Type
• Redirect on Login
• MFA (Multi-Factor Authentication) Type
• Save Access Level
• App Customer Logo
• Watermark Strategy
• Categorization Type
• Dashboard Type
• Logout Time in minutes

Domain

In CORE the Domain is the highest level of a meta data hierarchy structure. For example, in a M&E structure Film or TV are Domains. Each Domain has a single meta data structure that applies to it, and that structure is the way users categorize (tag) files when they are added to the system. In the Admin Settings area, choosing a Domain determines the meta data tag structure that the user will have to choose from when they categorize files or browse in File Search.

Package Share Types

This determines which types of Packages the User will be able to send.

• Feedback (standard): Feedback (standard) package opens to a view of all files with the comment panel enabled. Everyone on this share type can collaborate. If simple viewer is on, recipients will launch into a simple file player with no extra clutter.
• Autoplay: Opens the recipient directly into the player with the first file open. Recipients are hidden by default and simple viewer is on by default.
• Approval: Opens to a view of all files with the approval panel enabled. Everyone on the share can collaborate, but each person can only see approvals based on their role. If simple viewer is on, recipients will launch into a simple file player with no extra clutter.
• Review Mode: Opens a real-time hosted review. Recipients can not see or access the files except when guided by the host (sender of the package).
• Direct Download: Opens a simple, web-based download page. This type of package is best for when recipients only need to download the files.
• None: Opens up a Package in view mode and User can't take action further on it.

Package share download options

The package share download options are the options the user role will see when sharing a package for download.

• Recipient Settings: This option means that the user/sender will default to the user permissions set up by the Administrators for the recipients they are sending the package to.
• Allow download without watermark: This option allows the user/sender to grant the recipients the permission to download the files without a watermark.
• Allow download with watermark: This option allows the user/sender to grant the recipients the permission to download files with a watermark. The watermark can be the one chosen in the user’s role or can be a custom watermark determined at the time of the share.

User Access Level

The user access level is the primary determinant of what permissions the User has in the system. In CORE, permission is the ability to view, download, or edit files or to perform other actions within the system. Choose between the following:

• Standard User: Standard users start with no permissions in the system. A Standard User can log in to CORE and view packages that are shared with them. All additional permissions are granted in the User Role they are assigned to or in Access Overrides.
• Admin: User with full permissions and all abilities in CORE. Can view, modify, and download any file in the system, regardless of other permissions. Can create projects, add users, user roles, domains, meta structures, and any other functions in the Admin panel.
• Live Rooms: When this access level is selected, a user will only have access to the LIVE Rooms feature. User role creators will still need to add MFA or Logout time in minutes, if needed. As the LIVE Rooms feature is a real-time collaboration tool, CORE's DAM access is not required. No other changes need to be made to a LIVE Rooms-only role.
• Coordinator Role: When this access level is selected, the role defaults to a certain combination of settings and restrictions that are meant for coordinator and assistant types who don't need to access files for themselves, but they are key to the distribution of files:
  • Inbox-only user
  • Package sharing and re-sharing capabilities in spite of original settings from sender
  • No ability to upload or download
  • Shares packages as View-only
  • Can see all system users 
  • Sees Secure-style watermark

Default Package Share Type

The Users package type default settings are designated here

Authentication Type

If your company has Active Directory integration enabled, this will allow you to configure Single Sign On. CORE supports SAML, Okta, and OneLogin and can support custom integrations with other providers.

Redirect on Login

Select which module the User will see when they first log in. Choose between Dashboard, File Search and Inbox.
NOTE: Not all systems will have the Dashboard option.

MFA (Multi-Factor Authentication) Type

If you would like to require the role to have another layer of security you can enable MFA here. If Google Authenticator is enabled the User must install the Google Authenticator app on their mobile device and enter a 6-digit code each time they log in.

Save Access Level

This option controls a User's download settings both for Files they search for in the system, as well as those sent to them in Packages when they are set to Recipient Settings. If Files are shared with a user in a Package set to Download or View Only, however, then that setting will override this user role setting.

• None: The user role can not download any Files from the system unless they are shared in a package set to be Downloadable.
• Proxy: The User can download the proxy of any File that they can view from the File Search page. They can also download the proxy of any File that was shared with them in a Package set to Recipient Settings.
• Source and Proxy: The user role can download the source of any File that they can view from the File Search page, or that was shared with them in a Package set to Recipient Settings. They can also download the proxy if they choose, and may download them without a watermark.

App Customer Logo

Clients can have their company's logos uploaded into CORE. This field enables admins to define which logo your users see in the top left corner of the screen when they use the system. This is a good option for different businesses owned by a parent company that are using one CORE system. 

Technical specs for the logos:

• Image needs to fit within a 200x80 px area or have 2.5:1 ratio for resizing
• File size: No larger that 1MB
• Image types: png, jpg, jpeg, eps
• File names should be clearly named for the business, because these are the names that will appear in your logo menu.

To have your logos added to your CORE environment, reach out to your technical account rep or email support@5thkind.com. 

Watermark Strategy

Controls how assets will be watermarked.

• Overlay: Add a watermark as a text overlay which can be disabled.
• Burn-in: Burn-in, or digitally “bake”, the watermark on top of the image, video, or document so the watermark shows up no matter if you’re viewing the file in a system player or downloading it.

Categorization Type

This controls the user’s categorization options.

• Quick Share & Categorize: Allows the user to categorize the asset or “Quick Share” without categorizing the file. (if a file is not categorized, it cannot be found via searching All Files)
• Categorize Only: Asset must be categorized before it is shared.
• Quick Share: User cannot categorize but can share without categorizing the asset.
• None: User cannot categorize or share the file. The asset must be categorized and/or shared by another user.

Dashboard Type

Controls how the Dashboard module will function. (Note: Not all CORE systems have Dashboard enabled)

• Package: The Dashboard displays a list of Productions contained in Packages that have been shared with you. In this mode, a Production will not appear on the Dashboard until someone has sent you a Package containing at least one File from it.
• Production: The Dashboard displays a list of Productions you've been assigned to.

Logout Time in minutes

This field dictates the amount of time a user has before they're prompted to login again. The default is 15 minutes.

• For executive users and users reviewing feature-length clips, we recommend 120-180 minutes or 2-3 hours, so their system doesn't timeout during their viewing experience.
• Some clients opt to make users, especially their power users, login by day and set times as long as 1200 minutes or 20 hours.

Admin Settings - Granular Permissions

These settings enable additional abilities for Standard Users. Note that Admin Users always have all of these permissions.

Admin

• Role Manager: Create new User Roles, and edit Roles that the User has been given access to through the Role Restrictions field. A user can never create another Role with higher permissions than they themselves have.
• Upload Manager: In Transfers, view and categorize uploads made by other Users.
• Queue Manager: View and re-prioritize jobs in the Processing Queues. (currently disabled)
• Download Manager: In Transfers, view downloads made by other Users.
• View Private Conversations: View all Comments on files that you have access to, even if they are marked Private.
• Change Watermark: Ability to change the watermark when downloading files. With this enabled, Users can change the watermark style, and also the User's name on the watermark.
• Status Manager: Update status fields on files the user has access to.
  • With Status Manager permissions, an Inbox-only user can update the statuses on the files they've been sent, event without edit capabilities for other metadata.

User

• Disable License Agreement: If your system has a License Agreement that Users must agree to before logging in, checking this setting will allow a User to bypass it.
• Create User by Email: Enables users on the role to add new users to CORE by adding an email during sharing. The email recipient user receives an email notification for the package and must create an account upon sign in. The invited user defaults to an Inbox-only, "created by email" user role and can be updated at any time. (7.0 update)
• Create Users: Create User accounts for others. With this permission, you can also edit Users you've created, as well as those which you're granted Edit access to through your User Access Rules. The Roles which are available to assign are those granted through the Role Restrictions field.
• Upload Assets: Gives Users the ability to upload files into CORE.
• Print: Gives Users the option in the interface to print images and documents.
• Box files access: Allows users to access Box files.
• Create Live Room: Enables users in role to Create Live Rooms.
• Small Thumbnails: When selected, users will see files with thumbnail sizes scaled down to a smaller image for increased content security

Package

• Package Manager - Packages shared with a Standard User who has this additional permission do not have any restrictions that a sender may have put on the package. The exception to this rule is expiration dates or views allowed for the package. The package manager:

  • Has the ability to batch package shares on the inbox
  • Can delete package shares
  • Can view package share information of recipients
  • Can view recipients If the Hide Users setting is flagged on The package manager cannot view other recipients inboxes (with Std User settings)

• Forensic Streaming Enabled - Forensic watermarking is only offered through a 3rd party integration and will require a license for users to enable this option. Forensic watermarking places an ‘invisible’ watermark on assets in order to track their location and provides the highest level of trackable security available for assets being shared outside of CORE. Forensic watermarking can work in conjunction with visible watermarks in the CORE system.

• Package Reports - Allows Users to run reports on package access, views, downloads etc.

• Mobile Downloads - Allows Users who are sent a package to download files within the CORE mobile app for offline viewing with no wifi access. (For example, viewing an asset while in airplane mode while traveling.)

• Approval Manager - Allows Users to see all of the approvals (thumbs up, thumbs down) for approval type packages.

• Stream Admin - Gives the ability to create LIVE Rooms, administer stream settings, and invite and manage LIVE Rooms users. 

Device

Select which device(s) the User may log in from. Choose from Desktop, Mobile, AppleTV, or any combination of the above.

Approval Statuses

Select which statuses users in the role have access to when sharing Approval Packages for Statuses. The system comes with a default set of Statuses that are customizable by the Admin.

Role Restrictions

This field appears if the Role has either Role Manager or Create Users permissions. If the User has the Role Manager permission, the Roles selected here will be available for them to view and modify in the User Roles section. If the User has the Create Users permission, the Roles selected here will be available for them to assign to other Users.

SSO Limitations on Role Management

Please note: With SSO accounts, adding users and user roles requires reauthorization which the SSO doesn't support. Therefore, only Admin user accounts created in CORE outside of the SSO can make any changes to Roles within CORE. CORE with SCIM provisioning enables IT teams to connect client users to CORE with the correct roles; however, those roles still need to be created in CORE via an Admin role outside of SSO.

An Admin user created via SSO cannot:

• Add or Delete  Users 
• Perform MFA Resets 
• Update User Roles
• Adjust and Clean Up Tag Structure 

To perform these functions, a non-SSO Admin account is required.

Productions

Select which Productions the User has access to. Productions selected here will be available in the User's dashboard and top selector dropdown and will be available to them when categorizing Files (if they are able to do so). Additionally, if the User has the Role Manager permission, the Productions selected here must be part of any File Access Rules they create (see below).

Add New Productions When Setting Up a User Role 

When an admin is in a User Profile or in a User Role, and are managing Productions at the multi-select area, you can now add a production right here. No need to stop, exit, and switch to the Tags admin area. Just do it here during the user role setup.

Watermarks

Set the style of watermarks that users in this role will receive by default when viewing or downloading files. You can set different watermark styles for images, pdfs, and videos. This setting may be overridden if the User has the Change Watermark permission or if someone sends them a Package with a custom watermark. Additionally, this setting may be overridden globally in certain cases by the Production Watermarks Admin section.

View Access Rules

File Access Rules govern what files a User can see, whether they can interact with them, and if so, how.

• View Access Rules control what Files a User can view and, optionally, what additional information about them they can view.
• Each User Role can have as many File Access Rules as needed.
  NOTE: To learn how to create a View Access Rule, see Create a New User Role: A Step-By-Step Guide

Access Rules

List of the rules you create within the User Role. A User Role can have multiple rules.

• View Access provides viewing access to files defined by the rules (see above) 
• Edit Access provides both viewing and editing access to the files and metadata defined by the rules.
• User Access grants the ability to see other users in CORE as defined by the rules

File Permissions

By checking the File Permissions boxes, permission can be granted to view additional info for the files you have access to view.

View History

View the history panel for the Files you have access to. See here for information about the History Panel.

View Access

View who else has access to the Files you have access to. See here for information about the Access Panel.

Email on Ingest

Users assigned to the role will receive an email notification whenever Files matching the Rule are ingested into CORE.

Metadata Fields

The fields shown here will match those in the Tag Structure for the selected Domain. Click on a field to add a conditional rule for that field.

Conditionals

Each Conditional is simply a filter. You can add as many conditionals to a Rule as you'd like. All Conditionals in a rule are ANDed together. Files that match the Rule will become available (or be hidden) if they satisfy all of the listed conditionals. For each Field, choose at least one Value to match.

Field Name - The field you are using to filter values.

Condition- Select either "Is", "Is Not." or “Is All”.

Value - The Value that a File must have in order to match. You can add multiple Values to each conditional. Click the X to remove a Value.

Add Value - Click to select existing Values from a dropdown, and add them to the Conditional.

Remove Conditional - Click the trash icon to Remove the entire Conditional.

Edit Access Rules

Edit Access Rules control what Files a User can edit. Files matching an Edit Access Rule will be both viewable and editable by Users assigned to the Role.

The anatomy of Edit Access Rules is the same as View Access Rules with one exception, it does not include Email on Ingest. That rule is applied only in View Access Rules.

Important: If you make overrides to the Edit Access Rules in this section, you will be overriding the Rules set up for the user in their assigned User Role.

User Access Rules

User Access Rules control which other Users in the system a User will be able to see and/or modify. The rule allows Users to view other users within selected Production, Company, Department, or Position.

Important: If you make overrides to the User Access Rules in this section, you will be overriding the Rules set up for the user in their assigned User Role.

Members

A list of Active and Inactive users who have been assigned to that User Role.

History

New with 7.0. The History tab is a historical activity log of all activity associated with the user role. It shows what action has been taken and when. 

The history is maintain for what activities are done by admins on the role .
It does not capture activity by users assigned to the role

1. Data Range - Insert start and end date range preferences to find User Role History. 

2. History Dropdown Filter - Further Filter your search to common look ups 

3. History details  - Chronological, historical User Role details