Kaltura Applications - Support for Groups
Groups may be used to manage entitlements and category assignments for a large number of users in Kaltura applications.
What is a Group?
A group is a single manageable entity that represents a collection of users. Technically, a group is a unique type of user that can have individual users as part of it.
Groups can be assigned to a category/channel just like users can.
After a group is assigned to a category, all the individual users in the group inherit the permission of the group in the category. For example, if the group is assigned as contributor, then all users will be contributors as well.
Why Use Groups?
- You most probably already manage groups in the Identity Provider (SAML/SSO/LDAP/AD) and may want to use the same virtual groups in Kaltura applications (MediaSpace for example).
- In case you have (or expect to have) more than 5000 individual users assigned to a category (technical limitation).
You can create groups and add users to them by either:
- Managing Groups from the MediaSpace or KAF Admin Console.
- Using the KMS automatic SAML group sync - This method is based on the user's metadata with a specific custom data schema per customer that adds users to groups dynamically according to SAML response on login. See Kaltura SAML Group Sync Administrator's Guide
- Using a CSV - See How to Create and Manage Groups Using a CSV File.
- Running an external periodic script on customer servers in sync with their IdP - This method will create new groups and add/remove users from groups. This script uses Kaltura APIs (groupUser) and can be written by the customer or delivered by Kaltura Professional Services. Kaltura already has a general AD script in place for use and can create additional module for other methods.
Support exists in KMS and KMC for assigning groups to channels/categories.
Groups - Email Notifications
- Groups support email address notifications. Admins may add the email address or keep it empty. This feature allows for email notifications to be sent to a distribution list.
- Groups can be set as the owner of media.
- An individual user can be both directly assigned to a category/channel and via a group.
- If an individual user is directly assigned to a category/channel and via a group, the permission of the direct assignment will overrule the group inheritance (even if it is lower permission).
- In case the user is a member of 2 groups and the 2 groups are assigned to a category, the higher permission of the user will be counted in this category.
- A user can be in up to 1024 groups.
- No more than 5000 users can be assigned to a category.
- There is no limit to the number of users inside a group.
- In KMS – members of a channel will not include the users in the group breakdown, but only direct users and groups.
- Analytics are displayed for an individual user (and not the group).
- Known Limitation - a group name cannot be identical to a userID in the group.
How to Create and Manage Groups from the Application Admin Page
Please see the article Managing Groups from the MediaSpace or KAF Admin Console.
Using a CSV file is an available method to create groups, however, the UI to Manage Groups available in the managment console is a much simpler way to create and manage groups. You can create and manage groups using the End-Users CSV file. You will need to modify and upload the End-Users CSV file. You will later be able to add groups to channels based on the CSV file you created and uploaded to the KMC or KMS and your admin configuration. See Configuring the Channelmembers Module to Add Groups to Channels.
A sample End-Users CSV file is available for download from the Upload tab in the KMC.
Groups first need to be created and KMS roles must be assigned. This is a one time process that needs to happen before any groups can be associated with channels. Any role can be defined since user specific roles override the group role.
- In the KMC, modify and upload the end_user csv. See How to add users to KMS using the Bulk Upload Option.
You can download a sample CSV file using the Upload tab in the KMC to add groups. For every group that is created, a user must be added to that group.
- Add the group column titled "group".
- Add a single user or different users to all groups in separate lines. This additional column is used to create all groups in the backend. Do not use spaces in group names.
- Upload the CSV to the KMC or to the KMC.
- Modify and use the End_Users CSV file and enter the group names you created in Step 2 in the userId column.
- Create a column for your KMS instance. Set the column title name to "metadata::KMS_USERSCHEMA1_[your_MediaSpace_instance_id]::role", where the instance id is your MediaSpace instance id, found in the Application module in the MediaSpace Mangement Console configured by your system admin.
- Enter permission levels for each group.
The format of the CSV file with the column title should look like the following:
Other columns are not mandatory to create the goups.
- Upload the modified CSV file to the KMC or to KMS as described in How to add users to KMS using the Bulk Upload Option.
After groups are created and added, you can view the current groups and users within them through the testme console and Kaltura APIs.
Use the following services:
To view groups: User→list filter by (type = group). See https://developer.kaltura.com/api-docs/#/user.list.
To view users within a group: GroupUser→list filter by user id or group id. See https://developer.kaltura.com/console/#/groupUser.list.
Adding Additional Users to Groups
Modify and use the end_user_with_group csv as in step 1.
Every addition to the group should be in a separate line.
To remove users from groups, add '-' to the group name in the column. ex: -group1
For example, the configuration presented here renders the following options in the MediaSpace application:
To edit or add members or groups to a channel/galleries
- Select My Channels and then click on a channel/gallery.
- Click on the Pencil icon to edit.
If you are the channel/gallery manager or owner, you are able to add members/groups to the channel/gallery.
- Select the Members tab.
- Select the Default Permission Level and click Save.
- Click Add Member to add a user or group to the channel/gallery.
- In the Add Member window, under Enter user or group name, start typing a user or group name and select a member or group to add.
- In the Set permission field, select the member's or group’s permission from the drop down menu.
Allows a user to…
View channel content only.
View channel content and add media to the channel.
View channel content, add media to the channel, and moderate channel content.
View channel content, add media to the channel, moderate channel content, and manage the channel (delegate managerial rights to additional users).
- Click Add to add the selected member or group with the specified permission to the channel/gallery.
- Click Save to apply your changes.
Syncing SAML Groups with Kaltura
The Samlgroupsync Module utilizes the SAML attributes to allow mapping of user groups to MediaSpace’s and KAF's groups. The Samlgroupsync module may be used to automatically manage groups via SAML, and can only be enabled when the SAML module is turned on. Group management was previously done via CSV/API and can now be configured through this module. Your SAML integration must be ready and available for group functionality to work properly.
Admins may configure SAML attribute's information to line up with KMS/KAF using the following options:
- Use attribute's value as group name
- Map attribute's value to a group name
You will need to login to KMS/KAF for the changes to take effect. For more information see the Kaltura SAMLGroup Sync Administrator's Guide.