Role-Based Visibility

Opencast supports a powerful mechanism that allows to provide users selective access to the administrative user interface. Using that mechanism, it is possible to configure what parts of the UI (and therefore functionality) are visible to a given user based on the user's roles. Hence, we call that mechanism role-based visibility.

This is no security feature and does not guarantee that users cannot access any of the functionality.

How To Use

The best practice to assign a larger set of roles to a user is to use Opencast's support for user groups. This way, you can define a group whose roles provide access to the parts of the UI you want to provide access to. Given such a group, you can just add users to that group and they will get all the roles of the group which includes roles that allow the users to access specific parts of the UI.

There is a set of so-called user interface roles, each of them providing access to a specific part of the administrative user interface. Those roles can be easily identified by their name prefix ROLE_UI.

Important ROLE_ADMIN implicitly provides full access to the user interface. When working with role-based visibility, users (and the groups they belong to) may not have ROLE_ADMIN therefore. Similarly, ROLE_CAPTURE_AGENT provides write access to events the user having the role would usually have no write access to. This is the role automatically attached to users used by capture agents. They need this special priviledge to ingest to events which another user has created. In general, it's not a good idea to re-use this role for regular users.

User Interface Roles

This section describes which roles permit access to what parts of the user interface. Note that role-based visibility is not just hiding graphical elements from users, it does also protect server-side resources from unauthorized access if necessary.

It is important to understand that the UI roles are not coupled, i.e. having a particular role does not imply any other permission than the one exactly provided by the role.

Example: Just having the role ROLE_UI_NAV_CAPTURE_VIEW won't display the navigation menu. This requires the role ROLE_UI_NAV, too.

The advantage of having independent roles is that it makes role-based visibility even more flexible, For example, it is possible to not use the navigation menu at all. The drawback of this approach is that it makes configuration more advanced. But configuring role-based visibility is not a daily tasks.

General Access

Important: ROLE_ADMIN_UI is required for accessing the admin ui in general in means of providing access to some often used resources

Role User Interface
ROLE_ADMIN_UI Allow user to access login page as well as commonly used resources

The navigation menu is the menu on the top-left that allows the user to navigate between subsections of the administrative user interface.

Role User Interface
ROLE_UI_NAV Display navigation menu
ROLE_UI_NAV_RECORDINGS_VIEW Display navigation menu entry Recordings
ROLE_UI_NAV_CAPTURE_VIEW Display navigation menu entry Capture
ROLE_UI_NAV_SYSTEMS_VIEW Display navigation menu entry Systems
ROLE_UI_NAV_ORGANIZATION_VIEW Display navigation menu entry Organization
ROLE_UI_NAV_CONFIGURATION_VIEW Display navigation menu entry Configuration
ROLE_UI_NAV_STATISTICS_VIEW Display navigation menu entry Statistics

If you want to provide access to the navigation menu, ROLE_UI_NAV is needed. Then, for each of the navigation menu entries, include the respective role if the menu entry should be accessible by the user.

Note that this really just controls the navigation menu and its menu entries. Not less, not more.

Statistics: Organization

Role User Interface
ROLE_UI_STATISTICS_ORGANIZATION_VIEW Display Organization page

Recordings: Events

Role User Interface
ROLE_UI_EVENTS_VIEW Display Events page
ROLE_UI_EVENTS_COUNTERS_VIEW Display the Counters on the Events page
ROLE_UI_EVENTS_CREATE Display Add Event button on Events page
ROLE_UI_EVENTS_DELETE Display Delete action in Events table
ROLE_UI_EVENTS_EDITOR_VIEW Display Playback/Editor action in Events table
ROLE_UI_EVENTS_DETAILS_VIEW Display Event Details action in Events table
ROLE_UI_TASKS_CREATE Display Actions on Events page

For the Playback/Editor tool, further access can be provided:

Role User Interface
ROLE_UI_EVENTS_EDITOR_EDIT Allow the user to actually edit videos

There are quite a number of roles to provide selective access to the tabs offered by the Event Details modal:

Role User Interface
ROLE_UI_EVENTS_DETAILS_METADATA_VIEW Display tab Metadata
ROLE_UI_EVENTS_DETAILS_ASSETS_VIEW Display tab Assets
ROLE_UI_EVENTS_DETAILS_PUBLICATIONS_VIEW Display tab Publications
ROLE_UI_EVENTS_DETAILS_WORKFLOWS_VIEW Display tab Workflows
ROLE_UI_EVENTS_DETAILS_SCHEDULING_VIEW Display tab Scheduling
ROLE_UI_EVENTS_DETAILS_ACL_VIEW Display tab Access Policy
ROLE_UI_EVENTS_DETAILS_COMMENTS_VIEW Display tab Comments
ROLE_UI_EVENTS_DETAILS_STATISTICS_VIEW Display tab Statistics

For the individual tabs, it is possible to further provide access:

Role User Interface
ROLE_UI_EVENTS_DETAILS_METADATA_EDIT Allow the user to edit Metadata
ROLE_UI_EVENTS_DETAILS_ACL_USER_ROLES_VIEW Display user roles in Access Policy
ROLE_UI_EVENTS_DETAILS_ACL_NONUSER_ROLES_VIEW Display non user roles in Access Policy
ROLE_UI_EVENTS_DETAILS_ACL_EDIT Allow the user to edit Access Policy
ROLE_UI_EVENTS_DETAILS_WORKFLOWS_EDIT Allow the user to edit Workflows
ROLE_UI_EVENTS_DETAILS_WORKFLOWS_DELETE Allow the user to delete Workflows
ROLE_UI_EVENTS_DETAILS_SCHEDULING_EDIT Allow the user to edit Scheduling
ROLE_UI_EVENTS_DETAILS_COMMENTS_CREATE Allow the user to create comments
ROLE_UI_EVENTS_DETAILS_COMMENTS_DELETE Allow the user to delete comments
ROLE_UI_EVENTS_DETAILS_COMMENTS_EDIT Allow the user to edit comments
ROLE_UI_EVENTS_DETAILS_COMMENTS_REPLY Allow the user to reply to comments
ROLE_UI_EVENTS_DETAILS_COMMENTS_RESOLVE Allow the user to resolve comments

Recordings: Series

Role User Interface
ROLE_UI_SERIES_VIEW Display Series page
ROLE_UI_SERIES_CREATE Display Add Series on Series page
ROLE_UI_SERIES_DELETE Display Delete action in Series table
ROLE_UI_SERIES_DETAILS_VIEW Display Series Details action in Series table

There are quite a number of roles to provide selective access to the tabs offered by the Series Details modal:

Role User Interface
ROLE_UI_SERIES_DETAILS_METADATA_VIEW Display tab Metadata
ROLE_UI_SERIES_DETAILS_ACL_VIEW Display tab Access Policy
ROLE_UI_SERIES_DETAILS_THEMES_VIEW Display tab Theme
ROLE_UI_SERIES_DETAILS_STATISTICS_VIEW Display tab Statistics

For the individual tabs, it is possible to further provide access:

Role User Interface
ROLE_UI_SERIES_DETAILS_METADATA_EDIT Allow the user to edit Metadata
ROLE_UI_SERIES_DETAILS_ACL_USER_ROLES_VIEW Display user roles in Access Policy
ROLE_UI_SERIES_DETAILS_ACL_NONUSER_ROLES_VIEW Display non user roles in Access Policy
ROLE_UI_SERIES_DETAILS_ACL_EDIT Allow the user to edit Access Policy
ROLE_UI_SERIES_DETAILS_THEMES_EDIT Allow the user to edit Theme

Capture: Locations

Role User Interface
ROLE_UI_LOCATIONS_VIEW Display Locations page
ROLE_UI_LOCATIONS_DELETE Display Delete action in Locations table
ROLE_UI_LOCATIONS_DETAILS_VIEW Display Location Details action in Locations table

There are quite a number of roles to provide selective access to the tabs offered by the Locations Details modal:

Role User Interface
ROLE_UI_LOCATIONS_DETAILS_CAPABILITIES_VIEW Display tab Capabilities
ROLE_UI_LOCATIONS_DETAILS_CONFIGURATION_VIEW Display tab Configuration
ROLE_UI_LOCATIONS_DETAILS_GENERAL_VIEW Display tab General

Systems: Jobs, Servers and Services

Role User Interface
ROLE_UI_JOBS_VIEW Display Jobs page
ROLE_UI_SERVERS_VIEW Display Servers page
ROLE_UI_SERVICES_VIEW Display Services page

On those pages, it is possible to further provide access:

Role User Interface
ROLE_UI_SERVERS_MAINTENANCE_EDIT Allow the user turn on/off server maintenance
ROLE_UI_SERVICES_STATUS_EDIT Allow the user to sanitize services

Organization: Users

Role User Interface
ROLE_UI_USERS_VIEW Display Users page
ROLE_UI_USERS_CREATE Display Add user on Users page
ROLE_UI_USERS_DELETE Display Delete action in Users table
ROLE_UI_USERS_EDIT Display User Details action in Users table

Organization: Groups

Role User Interface
ROLE_UI_GROUPS_VIEW Display Groups page
ROLE_UI_GROUPS_CREATE Display Add groups on Groups page
ROLE_UI_GROUPS_DELETE Display Delete action in Groups table
ROLE_UI_GROUPS_EDIT Display Group Details action in Groups table

Organization: Access Policies

Role User Interface
ROLE_UI_ACLS_VIEW Display Access Policies page
ROLE_UI_ACLS_CREATE Display Add access policy on Access Policies page
ROLE_UI_ACLS_DELETE Display Delete action in Access Policies table
ROLE_UI_ACLS_EDIT Display Group Details action in Access Policies table

Configuration: Themes

Role User Interface
ROLE_UI_THEMES_VIEW Display Themes page
ROLE_UI_THEMES_CREATE Display Add theme on Themes page
ROLE_UI_THEMES_DELETE Display Delete action in Themes table
ROLE_UI_THEMES_EDIT Display Theme Details action in Themes table