Access control with Streaming Manager for Enterprise

The most important feature of any Streaming Manager for Enterprise (SME) account is the set of options available to you for securing your content. This is done either on a channel by channel basis, or by setting security for an SME landing page for your content. Security for your entire account can be set from Integration & Apps > Security settings.

You have 2 main choices for how to secure your content: 2 step email verification or SSO.

2 step email verification

If you choose 2 step email verification, you will need to determine which individual email addresses or email domains can have access to any given channel. First, go to your Streaming Manager for Enterprise dashboard and click on Channels in the left hand column. Then click on the name of the channel you wish to set access permissions for, and click on Access Control.

If you wish to make your player only available through an embed on your own website, click 'Turn off' for Channel page. This will prevent your channel page from being accessed directly, and will also remove the channel from your SME Portal page.

To set email permissions for the channel, click 'Settings' for Secure Content. This will open the Secure content settings tab for this particular channel.

On this page, you can set which individual email addresses should have access to your channel page, which email domains should have access, or a combination of both. In this particular case, mary@ustream.tv has been granted access to the channel. We can also see that one domain has access: in this case, @advanced-sales.com. This means that mary@ustream.tv will be able to access the channel, as will anyone with an @advanced-sales.com email address.

In order to add emails or domains, simply click the 'add' button on the appropriate tab and enter the information. Be sure to click 'Save' after making any changes.

When a potential viewer attempts to go to the link of your individual channel, or your Portal page, they will first be asked to enter an email address.

If an email is entered that does not meet the criteria set for access, the user will be denied. In the case of jeff@yahoo.com, the address has not been whitelisted as an individual email address and @yahoo.com has not been whitelisted as a domain, so access is denied.

If the email meets the criteria set, the viewer will receive confirmation that an email has been sent to their email address. 

The email will allow them to either open the channel directly in a new browser tab, or to copy the code in the email into the browser tab that is already open. Note that the code sent to the viewer does not expire. The same code will be resent if the viewer does not use this code and requests a new one. 

After an email has been verified, the user will have access for 12 hours before the login expires. If the user checks the "Remember me" option, access is granted for up to 7 days before the login expires.

SSO authentication

SSO (Single Sign On) authentication allows you to use a 3rd party identity provider to control access to your Streaming Manager for Enterprise content. Information on how to set up SSO for your Streaming Manager for Enterprise account can be found here.

SSO authentication is set up for your entire account, but each individual channel can be set to accept anyone from the domain authorized by the SSO, selected users, or nobody. Selecting between 2 step authentication and SSO is done from the Integration & Apps > Security Settings tab:

In this example, we have set Google Apps as our SSO provider. Once the SSO is put in place, you can control access channel by channel. To set access to a channel, open the Channels > Access Control tab.

On the access control tab, you have the ability to set access to nobody in your organization, anyone with the correct email address (anyone who is authenticated by the SSO), or specific email addresses within the organization.

In this example, we will give Jill access to the Sales team channel.

If Jill enters the direct URL for the channel page to access the content, the page will first require her to pass the SSO check (in the case of a service provider initiated SSO). She will see this:

Since she is the only user we have given access to, another email address, even if eligible for access via the SSO, would not have access to the page:

Granular access and the Streaming Manager for Enterprise (SME) page

Granular access will also determine how different users see and experience your SME Portal page. A user who has access to channel A but not channel B will only see channel A available on your Portal. Channel B would be hidden from them.

For example, we can see two Channels in this SME account: the sales team channel, and the support team channel.

Jeff is on the sales team, and Mary is on the support team. We want them both to access content through our Portal page, but not to have access to the other team's content.

In this case, we can add jeff@ustream.tv in the individual access for the sales channel and mary@ustream.tv for the support channel. When each user goes to access the portal, they will only see those channels that they have access to.
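
The allowlist rule from the 2 step email verification section and the per-user Portal filtering described above, modeled as an added example (not code from the product or from this article). Exact, case-insensitive matching of addresses and whole domains is an assumption, as are the names `Channel`, `allows`, `portal_view` and the sample allowlists.

```python
from __future__ import annotations
from dataclasses import dataclass, field


def split_email(email: str) -> tuple[str, str]:
    """Return (normalized address, domain); raise ValueError if malformed."""
    addr = email.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return addr, domain


@dataclass
class Channel:
    """Hypothetical model of one channel's Secure content settings."""
    name: str
    emails: set[str] = field(default_factory=set)   # individual addresses
    domains: set[str] = field(default_factory=set)  # e.g. "@advanced-sales.com"

    def __post_init__(self) -> None:
        # Normalize once so "Mary@Ustream.tv" and "@Advanced-Sales.com" compare equal.
        self.emails = {split_email(e)[0] for e in self.emails}
        self.domains = {d.strip().lower().lstrip("@") for d in self.domains}

    def allows(self, email: str) -> bool:
        try:
            addr, domain = split_email(email)
        except ValueError:
            return False  # malformed input is denied, never matched loosely
        # Assumed rule: the whole domain must match, so a subdomain or a
        # look-alike such as "advanced-sales.com.example.net" is denied.
        return addr in self.emails or domain in self.domains


def portal_view(channels: list[Channel], email: str) -> list[str]:
    """Channels a verified viewer would see listed on the Portal page."""
    return [c.name for c in channels if c.allows(email)]


# Constructed sample data reusing the article's addresses.
SALES = Channel("Sales team", emails={"jeff@ustream.tv"})
SUPPORT = Channel("Support team", emails={"mary@ustream.tv"},
                  domains={"@advanced-sales.com"})

if __name__ == "__main__":
    for who in ("jeff@ustream.tv", "mary@ustream.tv", "jeff@yahoo.com"):
        print(who, "->", portal_view([SALES, SUPPORT], who))
```
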

Jeff's view:

Mary's view:
