Access to the content hosted on your platform is at the heart of how your architecture works, so it is vital to understand every aspect of it. In this first of two articles on the subject, we are going to take a look at the basics of how permissions work on your Nudgis platform.
Let's start by defining permissions: these are the access parameters that you grant to media or features for each of your users. They can be fine-tuned according to several filters: by user, by user group or by authentication group.
Whether you are an administrator or a user, understanding access permissions to channels and their content is fundamental to worry-free browsing. In Nudgis, permissions are both very simple and very tricky, because although there are a number of automated functions that allow you to easily manage the permissions of a large number of users, it is essential to understand the ins and outs, in order to retain total control over access to your content. Let's take a look at the basics.
The channel or media permissions tab
You can apply permissions directly from the channel or media edit page.
Then go to the 'Permissions' tab.
Here you can add users or groups and give them custom permissions:
Further down, you'll find the permissions granted to authentication groups. These allow you to give rights to users according to their authentication method.
User and group permissions
To access the permissions of a particular user or group, go to Menu > Administration > User and group management. At the end of the line for a user or group, click on the symbol representing a key.
A typical permissions page is divided into four parts:
- Global permissions define the rights that the user will have on the site (the right to create channels and media, configure certain services, parameters relating to the site such as the site title, etc.).
- Editing permissions define the rights that the user will have over the media for which they have editing rights.
- The permissions on the personal channel define the rights that the user will have on their own personal channel.
- Finally, the last section covers the rights applied to the user for the channels and media in the catalogue.
The "Ignore authentication group permissions" option at the top of the page is generally reserved for administrator accounts. It is not recommended for ordinary users.
It is also possible to use existing permissions profiles or create new ones that allow you to apply a wide range of custom permissions in just a few clicks.
Go to Administration > Authentication settings and services > Permission profiles.
Click on "Edit" on an existing profile or "Add a permissions profile", where you will find the sections seen in the previous chapter.
The "Profiles for : LTI roles" allows you to create profiles which will be applied automatically according to the role reported by the LTI protocol (the protocol used by most LMS such as Moodle).
To apply a profile to a user account or group, go to its permissions page and click on "Apply a profile":
Finally, select a profile and click on "Apply".
How permissions work and the concept of inheritance
Each permission is represented by a label, a permission status icon and one of three values: 'Yes', 'No' and 'Untouched'.
If the permission is set to "Untouched", it will be based solely on the inheritance system.
To change permissions manually, click on the "Edit" button in the top right-hand corner:
The following window will appear, where you can change the values for each item individually or all at once (using the drop-down menu in the box below).
To give a permission, it must therefore be explicitly changed to "Yes" or come from inheritance. A permission applied to an element will also be given to its sub-elements (inheritance principle).
A permission applied directly (not inherited) will be indicated in bold italics.
In the screenshot below, access to the Catalogue Root has been authorised manually.
The sub-channels have inherited this value.
You can see where a permission comes from by hovering over it with your cursor:
If a user inherits two contradictory values for the same item ("Yes" from group A and "No" from group B) then the "Yes" value will take priority.
The permissions page
Let's now look at how these rules are applied in practice.
In the example above, all the permissions have been set to "Yes" on the root of the catalogue, so the sub-elements have inherited these permissions (as you can see on the "Documentation" channel and its sub-elements).
If we now modify the permissions for the "Documentation EN" channel to deny access to the user, we get:
You can see that the "Documentation EN" channel and the video it contains will no longer be accessible to the user.
Let's now create a "Documentation" group with the following permissions (access has been specifically granted to the "Documentation EN" channel):
When we then add our user to this group, the permissions do not change:
This behaviour is due to the priority that specifically applied permissions have over inherited permissions: the user inherits the permissions of their group, but manually applied permissions take priority.
The "Example video" video, for its part, has inherited the values of its parent channel "Documentation EN".
If we now allow the user's group to have specific access to this video:
You can see that the video is now accessible to the user (the permissions for the "Documentation EN" channel remain unchanged):
To check, hover over one of the permissions in the video to see that they are indeed inherited from the "Documentation" group:
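The resolution rules walked through above, as an added example (not Nudgis code or part of the original article): a simplified Python model in which a value set on the user wins over group values on the same element, "Yes" wins between contradictory groups, and "Untouched" falls back to the parent element. The user name alice, the function names and the default of "No" when nothing is granted anywhere are assumptions made for the illustration.

```python
YES, NO, UNTOUCHED = "Yes", "No", "Untouched"

# Constructed catalogue mirroring the article's example (child -> parent).
PARENT = {
    "Documentation": "Catalogue Root",
    "Documentation EN": "Documentation",
    "Example video": "Documentation EN",
}

def resolve(item, user, groups, grants):
    """Return (value, origin) for `user` on `item`.

    `grants` maps (subject, item) -> YES or NO; a missing key is "Untouched".
    Assumed order: the user's own value, then group values, then the parent.
    """
    while item is not None:
        direct = grants.get((user, item), UNTOUCHED)
        if direct != UNTOUCHED:
            return direct, f"user {user} on {item}"
        # Contradictory group values on the same item: "Yes" takes priority.
        for wanted in (YES, NO):
            for group in groups:
                if grants.get((group, item)) == wanted:
                    return wanted, f"group {group} on {item}"
        item = PARENT.get(item)  # all "Untouched": inherit from the parent
    return NO, "nothing granted"  # a permission must be given explicitly

def walkthrough():
    """Replay the article's four steps for a hypothetical user 'alice'."""
    doc_group = ["Documentation"]
    grants = {("alice", "Catalogue Root"): YES}
    out = [resolve("Example video", "alice", [], grants)]
    grants[("alice", "Documentation EN")] = NO            # deny on the channel
    out.append(resolve("Example video", "alice", [], grants))
    grants[("Documentation", "Documentation EN")] = YES   # group grant, same channel
    out.append(resolve("Example video", "alice", doc_group, grants))
    grants[("Documentation", "Example video")] = YES      # group grant on the video
    out.append(resolve("Example video", "alice", doc_group, grants))
    return out

if __name__ == "__main__":
    for value, origin in walkthrough():
        print(f"Example video: {value:3} (from {origin})")
```

The origin string plays the role of the hover tooltip: it names the user or group and the element on which the effective value was set, which is the first thing to check when auditing why an account can or cannot reach a media item.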
Some Nudgis settings apply direct permissions to certain channels. Let's take a look at where to find them and the permissions they modify.
Personal channel settings
In the authentication settings (Menu > Administration > Authentication settings and services, Settings) the options 'Protect personal channels access' and 'Protect personal channels media access' will apply permissions to the channels and media in your catalogue.
These permissions are applied automatically by the system and are indicated as "personal (system)" when the permission is hovered over.
Permissions applied by LTI
The LTI standard allows Nudgis to give permissions to users according to their roles in the LMS. The associated permissions are applied by "lti (system)".
Similarly, LDAP synchronisation (and in particular the import of LDAP groups and the creation of the corresponding strings) is likely to create or modify permissions.
These will be indicated by the "LDAP synchroniser (system)" label.
During trimming, the child video recovers the rights of the parent video; these permissions are noted as "trimming (system)" when hovering over the permissions.
Permissions applied during deployment
When a Nudgis instance is deployed, certain permissions are applied by the installation script. These are indicated by the "msinstaller (system)" label on the permissions settings page.
You have reached the end of this article, and we hope the concept of permissions is now much clearer to you. But it is possible to go even further in controlling access to content on your platform. To find out more, read the other articles in the Nudgis section.
We invite you to continue reading on the subject of permissions with the article dedicated to LTI, and wish you a pleasant experience with our solutions!