Uwe Posted July 25, 2020 Report Share Posted July 25, 2020 Hello, first I would like to thank Daria, who clarified my misunderstanding regarding the access control. My questions as a result of my first tests: Daminion writes the tag XMP:owners to the file. What happens to the files that do not support XMP, e.g. all "unknown formats", txt, open office formats etc.? For these formats the access control works without the XMP:owners tag. So why do all other files need to be updated? Regarding performance: About 135000 files should be assigned to a newly created access control group. The job is still running since 15 hours and only 55000 files are assigned. Additionally I see many error messages in the log file errors.txt. You'll get the file by Skype. Regards, Uwe Quote Link to comment Share on other sites More sharing options...
Uwe Posted July 25, 2020 Author Report Share Posted July 25, 2020 (edited) Additional remark: from my point of view the tag XMP:owners doesn't make sense as long as the CSV export doesn't write also the owners information in the output file of files of the "unknown formats". regarding the entries in the file errors.txt: 2020-07-26 11:57:23,595 [STP SmartThreadPool Thread #296] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280417 filePath: '\\xxxx\Foto\01_Foto\2020\2020_05\2020_05_29\20200529_140020-000.png' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated This file was updated - there is the tag XMP:owners in the metadata of the file 2020-07-26 11:57:07,249 [STP SmartThreadPool Thread #296] ERROR PicaJet.Daminion.Service.Utils.SynchronizeMediaItemCommand [(null)] - mediaItemId: 280261 filePath: '\\xxxx\Foto\01_Foto\2020\2020_05\2020_05_31\20200531_151953-000.ARW' exception: PicaJet.Daminion.Common.PicaJetException: Message: File didn't updated This file wasn't updated BUT its XMP sidecar file was - in the XMP sidecar file is the tag XMP:owners - my Admin Panel settings: Write tags to sidecar XMP files (except DNG format) This seems to happen also with e.g. MOV, MP4, MTS, all RAW format files with XMP sidecar files. There are entries for CR2 files not updated. What I don't understand: not all CR2 files have an entry in the errors.txt. Topic Import new files: New files are imported by using an Import Folder defined in the Admin Panel and are automatically moved to the upload folder also defined in the Admin Panel. This leads to the situation that the new imported file is assigned to the Access Control entry "Anybody". That means e.g. user assigned to "Access Control Group A" can see this file even if this file will be assigned later to the "Access Control Group B". The reason is that all user (role Editor) are automatically member of "Anybody". Am I right, is my observation correct or am I wrong? Edited July 26, 2020 by Uwe check result of the file errors.txt/Import new files Quote Link to comment Share on other sites More sharing options...
Daria Kotilainen Posted July 27, 2020 Report Share Posted July 27, 2020 Hi Uwe, Quote What happens to the files that do not support XMP, e.g. all "unknown formats", txt, open office formats etc.? For these formats the access control works without the XMP:owners tag. So why do all other files need to be updated? To these files, happens the same thing as with all other tags. These tags just stay in Daminion and are not written into the file's metadata. We do write the AC tag into the files for supported formats to preserve the access control status if the files is imported into another catalog with the intention to hack the access permissions (e.g editor want to give access to another editor without bothering the admin). I agree that this behavior may be inconsistent depending on the files type, but not sure that this will be changed any time soon. Quote New files are imported by using an Import Folder defined in the Admin Panel and are automatically moved to the upload folder also defined in the Admin Panel. This leads to the situation that the new imported file is assigned to the Access Control entry "Anybody". That means e.g. user assigned to "Access Control Group A" can see this file even if this file will be assigned later to the "Access Control Group B". The reason is that all user (role Editor) are automatically member of "Anybody".Am I right, is my observation correct or am I wrong? If an editor is a part of AC group A but not of a group B, and the files is assign to the group B, the editor from the group A will no be able to see it because the file is not in Public anymore. Kind regards Daria Quote Link to comment Share on other sites More sharing options...
Uwe Posted July 27, 2020 Author Report Share Posted July 27, 2020 2 hours ago, Daria Kotilainen said: Hi Uwe, To these files, happens the same thing as with all other tags. These tags just stay in Daminion and are not written into the file's metadata. We do write the AC tag into the files for supported formats to preserve the access control status if the files is imported into another catalog with the intention to hack the access permissions (e.g editor want to give access to another editor without bothering the admin). I agree that this behavior may be inconsistent depending on the files type, but not sure that this will be changed any time soon. If an editor is a part of AC group A but not of a group B, and the files is assign to the group B, the editor from the group A will no be able to see it because the file is not in Public anymore. Kind regards Daria Yes that's true but as long as the item is still in the upload folder and not assigned to group B it can be seen by anybody and not protected. Quote Link to comment Share on other sites More sharing options...
Daria Kotilainen Posted July 27, 2020 Report Share Posted July 27, 2020 We are going to release a new version with AC on folder levels, then you can apply AC of the Upload folder. This may be a solution Kind regards Daria Quote Link to comment Share on other sites More sharing options...
Uwe Posted July 27, 2020 Author Report Share Posted July 27, 2020 thank you Daria, that sounds good Quote Link to comment Share on other sites More sharing options...
Uwe Posted August 8, 2020 Author Report Share Posted August 8, 2020 Hello, I made a first test of the new function Folder - "Security". This fixes the security hole, I descibed above. Thanks. Regards, Uwe Quote Link to comment Share on other sites More sharing options...
Daria Kotilainen Posted August 9, 2020 Report Share Posted August 9, 2020 thank you Uwe, glad to hear this! Daria Quote Link to comment Share on other sites More sharing options...
Uwe Posted August 11, 2020 Author Report Share Posted August 11, 2020 Update 11.8.2020 build 2208: An item is part of AC group A and AC group B. The folder in which the item is stored belongs only to members of AC group A. But the item can bee seen by members of AC group B. Only if both conditions are true: AC group B and folder security for AC group B the items should be displayed. Regards, Uwe Quote Link to comment Share on other sites More sharing options...
Daria Kotilainen Posted August 12, 2020 Report Share Posted August 12, 2020 Hello Uwe, Access control on folders level and Access control on files level are two different security protocols. AC on files level allows you to give access to certain files from a "locked" folder without the necessity to move files to another folder with different AC settings. The behavior you observe is correct. Kind regards daria Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.