Welcome to the second of three articles devoted to authentication. In this article, we will look at a number of settings that can be used to refine certain aspects of your users' experience of the platform and automate certain functions.
We recommend that you have read the article dedicated to users and groups before reading this one.
First of all, make sure that your user account has the global permission entitled "Can edit site settings".
To access the authentication settings, open the administration menu and click on "Authentication > Authentication settings and services".
Table of contents
1/ AUTHENTICATION STATUS REPORT
2/ SETTINGS
Authentication status report
In this first tab you will find a summary of the authentication services activated, as well as an indication of the priority of the services. In the right-hand frame you will see the information services (services that retrieve information about the user, such as LDAP or SAML).
You will also find the link to the local authentication page (https://your_nudgis_url/login-local/), which allows you to connect without using external authentication services.
Settings
The first frame of this tab contains general parameters relating to authentication.
- Session expiration delay : After this time the user will have to reconnect to the site. The default value is 40h (144000 seconds).
- Session expires at browser close : Defines whether the user must log in again after closing and reopening the browser.
- Require authentication : forces authentication to browse the site. Activating this parameter renders permissions obsolete for unauthenticated users.
- Make thumbnails images public : Defines whether video and channel thumbnails are visible to non-authenticated users.
- Enable address fields : Enables postal address fields to be added to user account configuration.
- Email list for new accounts : In this field, add the email addresses that will be notified when a new user account is created on the platform (enter one address per line).
- Users update interval limit : Minimum time between two updates of user information. The information includes that returned by the LDAP service if the option is enabled, the addition of users to authentication groups, and the automatic assignment of users to groups.
- Store users in statistics : Defines whether users should be stored in statistics.
- Allow impersonate : If this option is enabled, accounts with permission to edit users and groups will be able to use the impersonation feature, which simulates what a user sees. This feature is mainly used for debugging purposes.
- Allow group admins to create users : This option is required so that group administrators can create users when they do not exist (Please refer to the previous article on authentication, and more specifically to chapter 2A "Local groups").
The second frame contains parameters relating to personal channels. Each of these channels is associated with a user account, which must have the "May have a personal channel" permission.
The first parameter defines the parent channel in which the users' personal channels will be stored.
The next two parameters relate to the permissions system. They enable the access permission to be set to "No" for both authenticated and non-authenticated users. The aim is to prevent accounts authorised to visit the parent channel from gaining access to other users' personal channels and their media.
You can then define whether channels should be set to "Unlisted" when they are created. Unlisted channels are not visible when browsing the site or in the search engine, except to users who have permission to edit them. Users with access permission only will need to know the link to view the channel.
Finally, the last option allows personal channels and their content to be deleted when the associated user is deleted.
The following section refers to the Nudgis API.
The master API key is used in particular by the Worker systems which are responsible for operations on the media (transcoding, slide detection, etc.) and by certain external applications. It is therefore not recommended to modify it. However, if it is compromised, you can generate a new one by clearing the field and then saving the changes. Don't forget that you will need to modify the configuration of the Workers and applications that use it.
You can restrict the use of the master API key to a list of IP addresses (one per line). If an unauthorised IP tries to use the key, an email will be sent to the site administrators (users with permission to edit the site settings).
If you decide to use IP restriction, remember to add the Workers IP addresses to the list. Otherwise many critical Nudgis functions will no longer be operational.
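A pre-save check for the IP restriction list, added here as an example (it is not Nudgis code). It assumes the field takes one single IP address per line, as described above, so ranges and hostnames are reported for review; the sample addresses are constructed.

```python
import ipaddress

# Constructed sample: text as it would be pasted into the IP restriction field
# (one entry per line), using documentation address ranges.
SAMPLE_FIELD = """192.0.2.10
192.0.2.11
198.51.100.0/24
192.0.2.10
2001:DB8::5
worker-3.example.org
"""
# Constructed sample: addresses your Workers and API clients connect from.
WORKER_IPS = ["192.0.2.10", "192.0.2.12", "2001:db8::5"]


def check_allowlist(field_text, required_ips):
    """Review an IP restriction list before saving it.

    Returns the usable addresses, the lines that are not a single IP
    address, repeated entries, and required addresses that are missing.
    """
    allowed, invalid, duplicates = [], [], []
    for lineno, raw in enumerate(field_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)  # rejects ranges and hostnames
        except ValueError:
            invalid.append((lineno, entry))
            continue
        if addr in allowed:
            duplicates.append((lineno, entry))
        else:
            allowed.append(addr)
    # Compare parsed objects so "2001:DB8::5" and "2001:db8::5" are equal.
    missing = [ip for ip in required_ips
               if ipaddress.ip_address(ip) not in allowed]
    return {
        "allowed": [str(a) for a in allowed],
        "invalid": invalid,
        "duplicates": duplicates,
        "missing": missing,
    }


if __name__ == "__main__":
    for key, value in check_allowlist(SAMPLE_FIELD, WORKER_IPS).items():
        print(f"{key}: {value}")
```

Any address listed under "missing" belongs to a Worker or application that would be refused, and would trigger the administrator email, once the restriction is saved.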
Finally, you can choose whether or not users can see their own API key.
Let's now take a look at the parameters relating to speakers.
- Send an email to speakers : When the media is ready to be played, the users registered as speakers will receive an email to inform them.
- Allow speakers edition (email) : Gives editing permission to users whose email address is entered in the "Speakers" field of the media.
- Allow speakers edition (id) : Gives editing permission to users whose speaker ID is entered in the "Speaker" field in the media.
- Give access rights to speakers : In addition to the two previous parameters, this also grants access rights to speakers.
- Behaviour when adding media with the "mscspeaker" chain target : The mscspeaker argument allows you to upload media to the speaker's personal channel without having to enter the channel id (for use with Miris Capture recorders or via the API). This option allows you to define the behaviour of Nudgis if the speaker does not exist in the user database. Three options are available :
  - 1/ Do nothing : The video will be placed in the default channel.
  - 2/ Create user account only : If no mechanism has been set up to give the user permission to own a personal channel on the fly, the video will be placed in the default channel.
  - 3/ Create user account and personal channel : The video will be placed in the personal channel of the created user.
- Set creator as a speaker : If this option is enabled, the user who created the media will be added to the list of speakers.
- Speaker email content : Enables you to modify the email sent to speakers when the video is ready to be played (see first item in this list).
- Users default storage quota : You can apply a default storage quota to users. This includes all the media in their personal channel as well as all the media where they are defined as a speaker.
- Reject media over quota : By default, if a user still has a margin on their quota, they will be able to add media even if their quota is exceeded once the media has been added. This option prevents this from happening.
- : This is the threshold to be reached before the user is warned that their quota is about to be reached.
- Users available storage required to record : Amount of available storage required for the user to be authorised to record with the WebStudio.
This is followed by two settings relating to the history of user actions. The first allows you to duplicate logs (which by default are only recorded in the database) in files.
The second defines the retention period for these logs. This option is particularly useful for compliance with regulations such as the GDPR.
And finally, the last feature on this page concerns the automatic deletion of inactive users. The deletion process runs every night and deletes all users who have not logged on to the platform for a certain period of time.
The first parameter allows you to activate or deactivate the functionality, while the second allows you to define the period after which users who have not logged in will be deleted.
Users can be notified by email that their account will be deleted, or you can restrict this notification to users belonging to certain groups. Use regular expressions in this field to define the groups concerned.
It is also possible to send a daily report of accounts about to be deleted to administrators. Define the delay between notifications and actual deletion in this last field.
Permissions Profiles
Let's move straight on to the last tab, which deals with automatic group assignment. We'll look at configuring the various authentication services in the next and final article in this triptych.
The group assignment functionality enables users to be automatically assigned to groups on the basis of their internal attributes ("username", "email", "first_name", "last_name", "speaker_id", "company", "position", "country") or external attributes (retrieved by services such as LDAP).
The format used to build the rules is YAML.
To create a new rule, click on "Add a rule" :
A superimposed window then opens, so let's take a look at what we can set here :
The first option allows you to activate or deactivate the rule. In the second field, select the group to which you wish to add the users affected by the rule.
The 'Unassign' option removes from the group users who do not comply with the rule and who have been added to the group by an automatic rule. You can force the condition to be case-sensitive using the following parameter.
Finally, the condition in YAML format defines the rule that will be applied. You should read the tooltip for the condition carefully, as it provides examples of how to use it, as well as a number of details on how the rules work.
Now that we've covered the authentication parameters, it's time to move on to configuring the various authentication services available in Nudgis.