Episode ID roles

Users with a role like ROLE_EPISODE_<ID>_<ACTION> will have access to the episode with the given identifier, without this having to be explicitly stated in the ACL attached to the episode.

For example, ROLE_EPISODE_872dc4ec-ca8a-4e12-8dac-ce99784d6d29_READ will allow the user to get read access to episode 872dc4ec-ca8a-4e12-8dac-ce99784d6d29.

The <ACTION> will be capitalized, but special characters may not be converted to _, e.g. ANNOTATE-ADMIN.

Setup

When updating from an Opencast that did not have this feature, to make this work for the Admin UI and External API, the Elasticsearch Index needs to be updated with modified ACLs. You can achieve this by calling the /index/rebuild/AssetManager/ACL and /index/rebuild/Search endpoints. These endpoints will reindex the event ACLs in both the AssetManager index and the Search index.

In case you have custom actions configured, this will only work for the actions that were configured during the reindex of the Elasticsearch index. If you later add custom actions, you will have to reindex again.