K2 SANs and media access security – Grass Valley K2 System Guide v.7.2 User Manual

K2 System Guide

07 April 2010

Chapter 7 Administering and maintaining the K2 system

The way in which the K2 FTP interface applies media access security is explained in
this section.

The K2 FTP interface uses the credential information for the current FTP session
logon and checks it against the access control list for a K2 bin. This is the access
control list that you set up through the Organize Bins dialog box in AppCenter. Any
media access related operations such as get, put, dir, rename and delete are checked
against the FTP session’s logon credentials to access the media. For example, if an
FTP session is denied access to List Bin Contents for bin A, then the session cannot
initiate a dir operation on bin A to list the contents of the bin. Furthermore, the session
cannot transfer clips into bin A using the put operation.

For the purpose of compatibility with FTP access conventions, accounts for user movie or
user mxfmovie are provided on the K2 system. These accounts are automatically set
up when you install K2 software version 3.2 or higher. Do not restrict access for these
accounts. If your security policy requires restricting access to these accounts, contact
Grass Valley Support.

On a K2 SAN, authentication takes place on the K2 Media Server. Setting up FTP
security for specific local users and groups is not supported on a K2 SAN, with the
exception of the local movie and mxfmovie accounts. However, you can set up FTP
security for domain users and groups.

K2 SANs and media access security

This section applies to media access security, not FTP security. Refer to the preceding
section for information about FTP security.

On a K2 SAN, the users and groups referenced by media access security features are
the users and groups on the connected K2 clients, not the K2 Media Server. To
simplify account setup and maintenance, you can use domain users and groups rather
than local users and groups.

If you use local users and groups, to support media access security you must have
those same exact local accounts set up on each K2 client and K2 Media Server within
the K2 SAN. However, you don’t need to set up security via AppCenter on each K2
client. When you modify permissions on a shared storage bin from one K2 client, then
permissions are enforced similarly on all of the K2 clients in the K2 SAN.
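
The account requirements in this section and in the preceding FTP section can be checked offline before permissions are changed. The following is an added example, not part of the K2 documentation or software: it assumes you have already exported the local user and group names from each machine, and the host names, account names and the DOMAIN\name convention for domain principals are constructed for illustration.

```python
# Added example: audits a constructed account inventory for a K2 SAN.
COMPAT_ACCOUNTS = {"movie", "mxfmovie"}  # compatibility FTP accounts named in the guide


def is_local(principal):
    # Assumption: domain principals are written DOMAIN\name; anything else is local.
    return "\\" not in principal


def audit_san_accounts(hosts, acl_principals):
    """Check local-account consistency across a K2 SAN.

    hosts: {hostname: local user/group names found on that K2 client or Media Server}
    acl_principals: users/groups referenced by bin access control lists
    Returns {"missing": [(host, account, kind)], "ftp_unsupported": [account]}.
    """
    # Windows account names are case-insensitive, so compare lowercased.
    inventory = {h: {n.lower() for n in names} for h, names in hosts.items()}
    local_required = {p.lower() for p in acl_principals if is_local(p)}

    missing = []
    for host, names in inventory.items():
        # Local accounts used for media access security must exist on every machine.
        for account in local_required - names:
            missing.append((host, account, "local ACL principal"))
        # The compatibility accounts are expected on every K2 system.
        for account in COMPAT_ACCOUNTS - names:
            missing.append((host, account, "compatibility account"))

    # On a K2 SAN, FTP security is not supported for local users and groups
    # other than movie and mxfmovie; these principals need domain equivalents.
    ftp_unsupported = sorted(local_required - COMPAT_ACCOUNTS)
    return {"missing": sorted(missing), "ftp_unsupported": ftp_unsupported}


# Constructed sample data (hypothetical hosts and accounts).
SAMPLE_HOSTS = {
    "k2-server-1": ["movie", "mxfmovie", "Editors"],
    "k2-client-1": ["movie", "mxfmovie", "Editors", "ingest1"],
    "k2-client-2": ["movie", "editors"],
}
SAMPLE_ACL = ["Editors", "ingest1", "STUDIO\\Producers"]

if __name__ == "__main__":
    report = audit_san_accounts(SAMPLE_HOSTS, SAMPLE_ACL)
    for host, account, kind in report["missing"]:
        print(f"{host}: missing {kind} '{account}'")
    for account in report["ftp_unsupported"]:
        print(f"'{account}' is local: FTP security for it is not supported on a K2 SAN")
```

Domain principals such as the constructed STUDIO\Producers entry are skipped by the per-machine check because they do not need to be duplicated locally.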

Protocol control of channels and media access security

Protocol security restricts a channel in its access to the media in a bin, regardless of
what user is currently logged on to AppCenter. This is different from the other types
of media access security, in which the security restricts the user (as currently logged
on to AppCenter) in their access to the media in a bin, regardless of what channel is
being used.

Nevertheless, permissions for protocol channels are still derived from user accounts.
In AppCenter’s Configuration Manager, on the Security tab you can associate a user
account with a channel of protocol control. Based on that association, when a protocol
controls the channel, AppCenter checks the credential information for the associated
user account against the access control list for a K2 bin. This is the access control list
that you set up through the Organize Bins dialog box in AppCenter. In this way,
AppCenter determines whether to allow or deny that channel’s operations on the
media in the bin.
