
Access Control


Uwe


Hello,

First, I would like to thank Daria, who clarified my misunderstanding regarding the access control.

My questions as a result of my first tests:
Daminion writes the tag XMP:owners to the file. What happens to the files that do not support XMP, e.g. all "unknown formats", txt, open office formats etc.? For these formats the access control works without the XMP:owners tag. So why do all other files need to be updated?

Regarding performance: About 135000 files should be assigned to a newly created access control group. The job has been running for 15 hours and only 55000 files are assigned. Additionally I see many error messages in the log file errors.txt. You'll get the file by Skype.

Regards, Uwe


Additional remark: from my point of view the tag XMP:owners doesn't make sense as long as the CSV export doesn't also write the owners information to the output file for files of the "unknown formats".

Regarding the entries in the file errors.txt:
2020-07-26 11:57:23,595 [STP SmartThreadPool Thread #296] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280417 filePath: '\\xxxx\Foto\01_Foto\2020\2020_05\2020_05_29\20200529_140020-000.png' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated
This file was updated - there is the tag XMP:owners in the metadata of the file

2020-07-26 11:57:07,249 [STP SmartThreadPool Thread #296] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280261 filePath: '\\xxxx\Foto\01_Foto\2020\2020_05\2020_05_31\20200531_151953-000.ARW' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated
This file wasn't updated BUT its XMP sidecar file was - in the XMP sidecar file is the tag XMP:owners - my Admin Panel settings: Write tags to sidecar XMP files (except DNG format)
This seems to happen also with e.g. MOV, MP4, MTS, all RAW format files with XMP sidecar files. There are entries for CR2 files not updated. What I don't understand: not all CR2 files have an entry in the errors.txt.

 

Topic Import new files:
New files are imported by using an Import Folder defined in the Admin Panel and are automatically moved to the upload folder also defined in the Admin Panel. This leads to the situation that the newly imported file is assigned to the Access Control entry "Anybody". That means e.g. a user assigned to "Access Control Group A" can see this file even if this file will be assigned later to the "Access Control Group B". The reason is that all users (role Editor) are automatically members of "Anybody".
Am I right, is my observation correct or am I wrong?

 

Edited by Uwe
check result of the file errors.txt/Import new files
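A triage sketch for the errors.txt entries discussed in the post above, as an added example that is not part of the original thread or of Daminion. It parses lines in the quoted layout and separates formats the post names as sidecar-written (where the sidecar, not the file, should be checked for XMP:owners) from formats with embedded metadata; the sample log, the `SIDECAR_EXTS` set and the function names are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample: the first two entries follow the post, the rest are invented.
SAMPLE = r"""
2020-07-26 11:57:23,595 [STP SmartThreadPool Thread #296] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280417 filePath: '\\xxxx\Foto\01_Foto\2020\2020_05\2020_05_29\20200529_140020-000.png' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated
2020-07-26 11:57:07,249 [STP SmartThreadPool Thread #296] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280261 filePath: '\\xxxx\Foto\01_Foto\2020\2020_05\2020_05_31\20200531_151953-000.ARW' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated
2020-07-26 11:58:02,110 [STP SmartThreadPool Thread #301] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280300 filePath: '\\xxxx\Foto\sample\IMG_0001.CR2' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated
2020-07-26 11:58:03,420 [STP SmartThreadPool Thread #301] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280301 filePath: '\\xxxx\Foto\sample\clip.MP4' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated
2020-07-26 11:58:05,000 [Main] INFO  Constructed.Unrelated.Logger [(null)] - heartbeat
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) \[[^\]]*\] - "
    r"mediaItemId: (?P<item>\d+) filePath: '(?P<path>[^']*)' "
    r"exception: (?P<exc>[\w.]+): Message: (?P<msg>.*)$"
)

# Assumption: extensions the post reports as written via XMP sidecar files.
SIDECAR_EXTS = {".arw", ".cr2", ".mov", ".mp4", ".mts"}


def parse(text):
    """Yield one dict per synchronization error line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def triage(text):
    """Return (errors per extension, item ids to verify in the sidecar,
    item ids to verify in the file itself)."""
    by_ext, check_sidecar, check_file = Counter(), [], []
    for rec in parse(text):
        ext = PureWindowsPath(rec["path"]).suffix.lower()
        by_ext[ext] += 1
        target = check_sidecar if ext in SIDECAR_EXTS else check_file
        target.append(int(rec["item"]))
    return by_ext, check_sidecar, check_file


if __name__ == "__main__":
    counts, sidecar_ids, file_ids = triage(SAMPLE)
    print(dict(counts), sidecar_ids, file_ids)
```
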

Hi Uwe, 

 

Quote

What happens to the files that do not support XMP, e.g. all "unknown formats", txt, open office formats etc.? For these formats the access control works without the XMP:owners tag. So why do all other files need to be updated?

The same thing happens to these files as with all other tags. These tags just stay in Daminion and are not written into the file's metadata. We do write the AC tag into the files for supported formats to preserve the access control status if the file is imported into another catalog with the intention to hack the access permissions (e.g. an editor wants to give access to another editor without bothering the admin). I agree that this behavior may be inconsistent depending on the file type, but I am not sure that this will be changed any time soon.

Quote

New files are imported by using an Import Folder defined in the Admin Panel and are automatically moved to the upload folder also defined in the Admin Panel. This leads to the situation that the newly imported file is assigned to the Access Control entry "Anybody". That means e.g. a user assigned to "Access Control Group A" can see this file even if this file will be assigned later to the "Access Control Group B". The reason is that all users (role Editor) are automatically members of "Anybody".
Am I right, is my observation correct or am I wrong?

If an editor is a part of AC group A but not of group B, and the file is assigned to group B, the editor from group A will not be able to see it because the file is not in Public anymore.

 

 

Kind regards

Daria


2 hours ago, Daria Kotilainen said:

Hi Uwe, 

 

The same thing happens to these files as with all other tags. These tags just stay in Daminion and are not written into the file's metadata. We do write the AC tag into the files for supported formats to preserve the access control status if the file is imported into another catalog with the intention to hack the access permissions (e.g. an editor wants to give access to another editor without bothering the admin). I agree that this behavior may be inconsistent depending on the file type, but I am not sure that this will be changed any time soon.

If an editor is a part of AC group A but not of group B, and the file is assigned to group B, the editor from group A will not be able to see it because the file is not in Public anymore.

 

 

Kind regards

Daria

Yes, that's true, but as long as the item is still in the upload folder and not assigned to group B, it can be seen by anybody and is not protected.


  • 2 weeks later...

Update 11.8.2020 build 2208:

An item is part of AC group A and AC group B.

The folder in which the item is stored belongs only to members of AC group A.

But the item can be seen by members of AC group B. The items should be displayed only if both conditions are true: AC group B and folder security for AC group B.

Regards, Uwe

 


Hello Uwe, 

 

Access control on folders level and Access control on files level are two different security protocols. AC on files level allows you to give access to certain files from a "locked" folder without the necessity to move files to another folder with different AC settings. The behavior you observe is correct. 

 

Kind regards

daria
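An audit sketch for the two exposures raised in this thread, as an added example that is not part of the original posts and does not use any Daminion API. It works on a constructed catalog export and flags items still assigned to "Anybody" in the upload folder, and items whose file-level groups include groups the folder's own access control does not list; the record layout, folder names and function names are assumptions.

```python
from dataclasses import dataclass

ANYBODY = "Anybody"  # default access control entry named in the thread


@dataclass(frozen=True)
class Item:
    item_id: int
    folder: str
    file_groups: frozenset  # file-level access control groups


def audit(items, folder_acl, upload_folder):
    """Return (item_id, finding, groups) tuples.

    folder_acl maps a folder to the groups allowed at folder level;
    a folder missing from the map is treated as unrestricted.
    """
    findings = []
    for it in items:
        # Exposure 1: imported but not yet assigned to a group.
        if it.folder == upload_folder and ANYBODY in it.file_groups:
            findings.append((it.item_id, "public-in-upload", [ANYBODY]))
            continue
        # Exposure 2: file-level groups evaluated independently of the
        # folder lock, as confirmed in the reply above.
        allowed = folder_acl.get(it.folder)
        if allowed is not None:
            extra = sorted(it.file_groups - allowed)
            if extra:
                findings.append((it.item_id, "file-wider-than-folder", extra))
    return findings


# Constructed sample data.
FOLDER_ACL = {"Projects/A": frozenset({"Group A"})}
ITEMS = [
    Item(1, "Upload", frozenset({ANYBODY})),
    Item(2, "Projects/A", frozenset({"Group A", "Group B"})),
    Item(3, "Projects/A", frozenset({"Group A"})),
]

if __name__ == "__main__":
    for finding in audit(ITEMS, FOLDER_ACL, "Upload"):
        print(finding)
```
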
