Organisational structures within EdgeVis Server
EdgeVis Server offers a number of organisational structures to allow administrators to segment their servers into logical groupings and manage different operational needs.
Encoders
An encoder is an entity (either a hardware device or a software package) that can publish services within EdgeVis, including live TVI video streams, edge video recording, alarm triggers and location data.
Users
A user is an entity (including viewing clients or third-party integration tools) that accesses EdgeVis in order to consume a service from an encoder.
Server-wide administrators
A special type of user who has access to every domain, encoder and user within the system and, if granted the appropriate permissions, has the right to configure and manage the server.
Domains
All encoders and users must exist within a domain. A domain is a segmented area within EdgeVis Server where all encoders and users are only visible to other users within the domain. This allows server administrators to keep different customers/user communities separate (and hidden) from each other - a user within the domain can’t see a server-wide administrator or a user in another domain. It is possible to create multiple domains on the server.
When creating alarm rules, users can send notifications to any other user within the domain.
Groups
A group is a mechanism used to simplify role and permission management. For example, if there is a building with five encoders (providing video surveillance) and a number of security guards who must be provided access to those encoders, there are two ways to provide the security guards access:
Without groups, it is necessary to assign each security guard the appropriate viewing permissions to each encoder individually. When a new guard is hired, they too must be given five permissions (one to each encoder), and if a new encoder is added to the building it is necessary to find each security guard’s account and individually grant them permission to view the new encoder.
With groups, it becomes considerably simpler to manage, as a group is created to hold all the encoders and all the security guards. When adding a new security guard to the group they are granted one viewing permission, to the group, meaning they have access to all encoders within the group. When a new encoder is added to the group, all security guards are immediately granted the same level of access.
An encoder and user can be added to multiple groups – in the example above a security guard may have permission to access encoders across multiple buildings by being a member of multiple groups.
Roles and permissions
Introducing Role-based access control
EdgeVis Server uses Role-based Access Control (RBAC) to regulate users’ access to the server, groups and encoders. Rather than assign individual permissions to a user on a case-by-case basis, it is first necessary to create a Role that contains all the desired permissions for a user and assign that role to a user.
The permissions within EdgeVis Server fall into three different categories:
Server permissions
The ability to manage the server, including managing domains, server settings, backup/restore and role editing
Account management
The ability to create/edit/delete groups, encoders and users
Encoder usage
The ability to control how encoders are configured and used within viewing clients
Each category has several sub-categories, each of which contains many granular permissions. The following table outlines the different categories, sub-categories, and number of available permissions within each.
There are four built-in roles (that can’t be modified or deleted):
Server Administrator – all permissions available within the system
Domain Administrator – all permissions related to managing all actions within domains
Encoder Administrator – all permissions within the Encoder usage section
Viewer – all operator-level permissions within Encoder usage
It is also possible to create roles that contain any combination of permissions to match operational requirements.
Assigning roles to users and defining the role scope
Once a role has been created/selected for a user, the second decision an administrator must make is to decide the scope the user has access to. There are four possible scopes:
Server-wide – the top level of the server, above all domains. A user granted a role at the server level will have those permissions on any encoder/user/group in any domain in the system.
A specific domain – assigning a user a domain-wide role will grant them the appropriate permissions on any encoder/user/group in the specified domain.
A specific group of encoders – to limit a user to only using/administering a group of specific encoders
A specific encoder – to limit a user to only using/administering one specific encoder
For example, the following table describes the effects of assigning a user one of the built-in roles (Server Administrator, Domain Administrator, Encoder Administrator or Viewer) to each of the different scopes (Server-wide, a specific domain, and a specific group/encoder):
Creating a custom role
From the User roles page use the Create role menu option to create a new custom role. After entering a name and description the role details page is displayed.
This page lists a summary of the permissions granted to the role – by default any new role has no permissions assigned.
To assign permissions to a role (or to change an existing role’s permissions) use the Edit permissions menu option.
Tip: it is recommended to enter a meaningful description that describes the purpose of the role, to help administrators who assign roles to users – this avoids having to drill down into the role to determine the permissions assigned to a role.
There are over sixty individual permissions within EdgeVis Server – to help make permissions more manageable they are categorised into three areas (Server administration, Account management, Encoder usage), each of which contains a number of sub-categories.
Each category (and sub-category) has a master Enable/disable all to quickly toggle all permissions on or off, or use the Custom button to drill down into the permissions contained within the category.
At the lowest level, it is possible to enable individual permissions within each category. There are no restrictions on the combinations allowed - except for the Account management category, where the interface will force certain permissions to avoid creating invalid roles (e.g. to create a user account, it is required to have the edit user account permission).
Assigning a server-wide role to a user
When to use: There is a requirement to either provide a user the ability to configure/monitor the server or provide the user with a level of access to all domains, and groups/encoders/users within each domain.
Users with a server-wide role do not exist within any domain and can be viewed by selecting the Server Administrators button on the server home page.
This will display a list of Server Administrators, including the default Administrator account. To view an existing user’s details, including their assigned role, click on their name. To create a new user with a server-wide role use the Create user menu option and enter a name and password – this will then display the new user’s details.
The user’s detail page will display their communication preferences and the role(s) they have been assigned.
To add or change the roles, click the roles icon in the Server Wide Access section (which may indicate that no roles are currently applied).
This will open the Manage user roles page which will display the user’s existing roles.
The bottom section of the page lists all the roles available on the system, which can be assigned to the user by using the plus icon.
The middle section of the page lists the roles assigned to the user. To remove a role, use the delete icon.
To view the permissions a role will grant, click on the role’s icon. This will display a summary of the role, where it is possible to drill down into each role’s categories and the individual permissions within.
It is possible to assign multiple roles to a user, which creates an additive effect granting the user all the permissions contained within each role.
Assigning a user role to a specific domain
When to use: There is a requirement to provide a user, within a specific domain, a level of access (for example account management) to all groups/encoders/users within that domain.
From the domain’s homepage select the Users icon to display a list of users within the domain. To view an existing user’s details, including their assigned role(s), click on their name. To create a new user, use the Create user menu option and enter a name and password – this will then display the new user’s details.
The user’s detail page will display their communication preferences and the role(s) they have been assigned.
To add or change any domain-wide role, click the roles icon in the Domain Wide Access section (which may indicate that no roles are currently applied).
This will open the Manage user roles page which will display the user’s existing roles.
The bottom section of the page lists all the roles available on the system, which can be assigned to the user by using the plus icon.
The middle section of the page lists the roles assigned to the user. To remove a role, use the delete icon.
To view the permissions a role will grant, click on the role’s icon. This will display a summary of the role, where it is possible to drill down into each role’s categories and the individual permissions within.
It is possible to assign multiple roles to a user, which creates an additive effect granting the user all the permissions contained within each role.
Assigning a user role to a specific group
When to use: There is a requirement to provide a user a level of encoder access to a specific group of encoders within a specific domain.
Note: This is the preferred method of assigning roles and permissions for users who predominately configure or view video from encoders, as it limits access to only the encoders contained within the group.
Step 1 - If necessary, create the user and encoder accounts for the encoders/users.
Step 2 - From the domain’s homepage select the Groups icon to display a list of groups within the domain. Either select an existing group, or use the Create group menu option and enter a name and description – this will then display the new group’s details.
The group’s detail page will display any existing encoders and users in the group.
Use the In this group list box to toggle between showing encoders and users in the group.
Step 3 – Use the Add encoder to group menu option to select the desired encoder accounts to add to the group.
Step 4 – Use the Add user to group menu option and select the first user.
This will then display the Manage user roles page which allows for the selection of the user’s role. To view the permissions a role will grant, click on the role’s icon.
The bottom section of the page lists all the roles available on the system, which can be assigned to the user by using the plus icon.
The middle section of the page lists the roles assigned to the user (this should be empty to start with). To remove a role, use the delete icon.
Note: Only permissions applicable to Encoder usage will be granted to the user, as the scope has been limited to a group. For example, granting the user the Administrator role will allow the user to administer the encoders within the group, but will not allow the user to administer the user accounts in the domain or provide any server-wide permissions.
It is possible to assign multiple roles to a user, which creates an additive effect granting the user all the permissions (applicable to encoders) contained within each role.
Repeat Step 4 to add each user to the group. The role granted will be applied to every encoder in the group.
Assigning a user role to a specific encoder
When to use: There is a requirement to provide a user a level of encoder access to an individual encoder within a specific domain.
Note: While it is possible to provide access to individual encoders it is the least flexible method of managing roles. Using groups to manage roles allows for easier ongoing management of users and encoders.
Step 1 - From the domain’s homepage select the Encoders icon to display a list of encoders within the domain. Either select an existing encoder, or use the Create encoder menu option and enter a name and password – this will then display the new encoder’s details.
The encoder’s detail page will display a number of configuration icons within the Encoder configuration section, varying by encoder model and online/offline status.
Step 2 – Use the Directly configured access icon to display the list of groups and users who have access to the encoder.
Step 3 – Use the Add user to encoder menu option to select the existing user to grant access. (The user must already exist – if not return to the domain home page and create a new user first.)
Step 4 – Selecting a user will then display the Manage user roles page which allows for the selection of the user’s role. To view the permissions a role will grant, click on the role’s icon.
The bottom section of the page lists all the roles available on the system, which can be assigned to the user by using the plus icon.
The middle section of the page lists the roles assigned to the user (this should be empty to start with). To remove a role, use the delete icon.
Note: Only permissions applicable to Encoder usage will be granted to the user, as the scope has been limited to an encoder. For example, granting the user the Administrator role will allow the user to administer the encoder, but will not allow the user to administer the user accounts in the domain or provide any server-wide permissions.
It is possible to assign multiple roles to a user, which creates an additive effect granting the user all the permissions (applicable to encoders) contained within each role.
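The scope and additive-role rules from the four sections above, as an added Python model (not EdgeVis Server code or its API). The role names, permission names, encoders and assignments are constructed for illustration; the model applies only the restriction the page states, that group and encoder scopes grant Encoder usage permissions only.

```python
from dataclasses import dataclass

# The three permission categories named on the page.
SERVER, ACCOUNT, ENCODER = "Server permissions", "Account management", "Encoder usage"

# Constructed custom roles; the individual permission names are hypothetical.
ROLES = {
    "site-admin": {(SERVER, "edit_settings"), (ACCOUNT, "edit_user"),
                   (ENCODER, "configure"), (ENCODER, "view_live")},
    "account-manager": {(ACCOUNT, "edit_user"), (ENCODER, "view_live")},
    "guard": {(ENCODER, "view_live")},
    "ptz-operator": {(ENCODER, "move_camera")},
}

# Constructed inventory: encoder -> domain, and group -> member encoders.
ENCODER_DOMAIN = {"lobby-cam": "CustomerA", "dock-cam": "CustomerA", "gate-cam": "CustomerB"}
GROUPS = {"building-1": {"lobby-cam", "dock-cam"}}

@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    scope: str        # "server", "domain", "group" or "encoder"
    target: str = ""  # domain, group or encoder name; unused for "server"

def applies(a, encoder):
    """Does this assignment's scope cover the given encoder?"""
    if a.scope == "server":
        return True
    if a.scope == "domain":
        return ENCODER_DOMAIN[encoder] == a.target
    if a.scope == "group":
        return encoder in GROUPS.get(a.target, set())
    return a.scope == "encoder" and a.target == encoder

def effective_permissions(user, encoder, assignments):
    """Union of every applicable role (additive), filtered by scope."""
    perms = set()
    for a in assignments:
        if a.user != user or not applies(a, encoder):
            continue
        granted = ROLES[a.role]
        if a.scope in ("group", "encoder"):
            # Group/encoder scope: only Encoder usage permissions are granted.
            granted = {p for p in granted if p[0] == ENCODER}
        perms |= granted
    return perms

ASSIGNMENTS = [  # constructed sample assignments
    Assignment("alice", "site-admin", "group", "building-1"),
    Assignment("bob", "guard", "group", "building-1"),
    Assignment("bob", "ptz-operator", "encoder", "lobby-cam"),
    Assignment("carol", "account-manager", "domain", "CustomerA"),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for enc in sorted(ENCODER_DOMAIN):
            print(user, enc, sorted(effective_permissions(user, enc, ASSIGNMENTS)))
```

Running the same resolution over an exported list of assignments is a quick way to review who ends up with configure-level access to an encoder through more than one role.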
Domains
All encoders and users must exist within a domain. A domain is a segmented area within EdgeVis Server where all encoders and users are only visible to other users within the domain. This allows Server Administrators to keep different customers/user communities separate (and hidden) from each other - a user within the domain can’t see a Server Administrator or a user in another domain. It is possible to create multiple domains on the server.
There are some rules around domains and users:
A user with a Server-wide role will be able to see all domains (and encoders and users within). On logging in they will be taken to the server’s home page, which lists all domains on the server. Selecting a domain will take the user to the domain homepage where they can view the groups, users and encoders within.
A user who has a role within a domain will only be able to see the encoders and users within the domain. On logging in they will be taken directly to the domain’s home page.
If segregation of users is not required it is possible to create only one domain, in which to keep all encoders and users.
Managing domains
A Server Administrator (with the appropriate permission) can create domains, edit the domain’s description or delete an existing domain.
To create a domain
From the server home page click the Domains icon, then use the Create domain icon to create the domain. It is recommended to enter a meaningful description, as this will be displayed throughout the portal to help users disambiguate different domains.
To edit the domain’s description
From the server home page click the Domains icon, then select the desired domain. This will display the domain’s homepage. Click the Edit domain option to enter a new description for the domain.
To delete a domain
From the server home page click the Domains icon, then select the desired domain. This will display the domain’s homepage. Click the Delete domain option to delete the domain.
This will also delete all groups, encoder and user accounts contained within.
Export/import of domains
A Server Administrator (with the appropriate permission) can create a backup of the groups, encoders and users within a domain. This backup can either be re-imported to the same server, or imported onto a different server.
To export, on the domain’s homepage click the Export domain icon. This will create a backup (stored locally on the server) that can be restored at a later date (or manually moved to another server and imported there). Backups are stored in the EdgeVis Server installation folder in the ‘bin\backup’ folder.
Note: For security reasons a domain export only saves the encoder, group and user accounts and not the roles and permissions used within the domain. Only performing a full server backup will save all roles and permissions.
To import a previously saved domain, enter the Domains page from the server home page and then select the Import domain icon. This will list all previously exported domains on the server.
Note: It is only possible to import a domain if there are no items on the server with the same name.
Moving encoder and user accounts between domains
Any encoder or user account (within a domain) can be moved to a different domain by a Server Administrator with the appropriate role (e.g. Administrator).
From within the existing domain open the details page for the desired encoder or user account. Select the Move domain menu option on the right. This will display a list of domains that the account can be moved to.
Moving an account will delete all existing group memberships, alarm rules, and assigned roles/user access.
Promoting a domain user to a Server-wide Administrator
It is possible to promote an existing domain-level user to a server-wide administrator using the Move Domain feature described above. When selecting Move Domain the list of available domains includes an Administrators item – select this option to move the selected user from the current domain to the Server-wide Administrators.
Sharing encoders and users across domains
While an encoder or user can only be a member of one domain, it is possible to allow users in other domains to share access to selected encoders within a different domain, or to allow users from another domain to access encoders. A user with server-wide access and full user-account permissions (create, edit and delete) is required to perform this action.
To grant access to an encoder from another domain:
Step 1 – Sharing an encoder requires a group to be created in the target domain. Either create a new group or select an existing group as the destination of the encoder(s).
Step 2 – Use the Add encoder to group menu option. This will display all encoders within the target domain.
Step 3 – Use the From domain list box to select the domain containing the desired encoder. The page will now list the encoders available in the target domain.
Step 4 – Select the desired encoder. This will then be added to the group and should be listed in the encoder list.
To signify that the encoder is from another domain the encoder will show a sub-heading with the name of the original domain.
Note: Users in the group will be granted the same level of access to the imported encoder that they have to non-imported encoders. This may expose other information about the encoder or the name of other users in the original domain (e.g. users who are assigned to receive notifications for an alarm rule).
To grant access to a user from another domain:
Repeat the above steps, but using the Add user to group menu option in Step 2.