Groups may be used to manage entitlements and category assignments for a large number of users in Kaltura applications.
What is a group?
A group is a single manageable entity that represents a collection of users. Technically, a group is a unique type of user that can have individual users as part of it.
Groups can be assigned to a category/channel just like users can.
After a group is assigned to a category, all the individual users in the group inherit the permission of the group in the category. For example, if the group is assigned as contributor, then all users will be contributors as well.
Why use groups?
- You most probably already manage groups in the Identity Provider (SAML/SSO/LDAP/AD) and may want to use the same virtual groups in Kaltura applications (MediaSpace for example).
- In case you have (or expect to have) more than 5000 individual users assigned to a category (technical limitation).
How are groups created?
You can create groups and add users to them by either:
- Managing Groups from the MediaSpace or KAF Admin Console.
- Using the KMS automatic SAML group sync - This method is based on the user's metadata, with a specific custom data schema per customer, and adds users to groups dynamically according to the SAML response on login. See Kaltura SAML Group Sync Administrator's Guide.
- Using a CSV - See How to Create and Manage Groups Using a CSV File.
- Running an external periodic script on customer servers in sync with their IdP - This method will create new groups and add/remove users from groups. This script uses Kaltura APIs (groupUser) and can be written by the customer or delivered by Kaltura Professional Services. Kaltura already has a general AD script in place for use and can create additional modules for other methods.
Support exists in KMS and KMC for assigning groups to channels/categories.
Group email notifications
- Groups support email address notifications. Admins may add the email address or keep it empty. This feature allows for email notifications to be sent to a distribution list.
- Groups can be set as the owner of media.
Additional information
- An individual user can be both directly assigned to a category/channel and via a group.
- If an individual user is directly assigned to a category/channel and via a group, the permission of the direct assignment will overrule the group inheritance (even if it is lower permission).
- In case the user is a member of 2 groups and the 2 groups are assigned to a category, the higher permission of the user will be counted in this category.
- A user can be in up to 1024 groups.
- No more than 5000 users can be assigned to a category.
- There is no limit to the number of users inside a group. (But please note that when creating a group of users in the admin console, no more than 3,000 users can be added at one time.)
- In KMS, the members list of a channel shows only direct users and groups; it does not break a group down into its individual users.
- Analytics are displayed for an individual user (and not the group).
- Known Limitation - a group name cannot be identical to a userID in the group.
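The precedence rules above, written out as an added example (not Kaltura code) that can be used in an access review to see which users hold a permission different from what their groups grant. The `Perm` ordering, the function names and the sample data are assumptions made for this illustration.

```python
from enum import IntEnum

class Perm(IntEnum):
    # Assumed ordering, lowest to highest, following the channel permission
    # options this page lists (Member, Contributor, Moderator, Manager).
    MEMBER = 1
    CONTRIBUTOR = 2
    MODERATOR = 3
    MANAGER = 4

def effective_permission(user, direct, group_perms, memberships):
    """Resolve one user's permission in one category.

    direct:      {user_id: Perm}   users assigned directly to the category
    group_perms: {group_id: Perm}  groups assigned to the category
    memberships: {user_id: {group_id, ...}}
    Returns (Perm, source), or (None, None) if the user has no entitlement.
    """
    inherited = [(group_perms[g], g) for g in memberships.get(user, ()) if g in group_perms]
    if user in direct:
        # A direct assignment overrules group inheritance, even when it is lower.
        return direct[user], "direct"
    if inherited:
        # Member of several assigned groups: the higher permission counts.
        perm, group = max(inherited)
        return perm, "group:" + group
    return None, None

def overridden_users(direct, group_perms, memberships):
    """List users whose direct assignment differs from what their groups grant."""
    findings = []
    for user in sorted(direct):
        granted = [group_perms[g] for g in memberships.get(user, ()) if g in group_perms]
        if granted and max(granted) != direct[user]:
            kind = "elevated" if direct[user] > max(granted) else "reduced"
            findings.append((user, kind, direct[user].name, max(granted).name))
    return findings

# Constructed sample data (not from a real Kaltura account).
DIRECT = {"alice": Perm.MEMBER, "dave": Perm.MANAGER}
GROUP_PERMS = {"faculty": Perm.MODERATOR, "students": Perm.CONTRIBUTOR}
MEMBERSHIPS = {"alice": {"faculty"}, "bob": {"faculty", "students"},
               "carol": {"alumni"}, "dave": {"students"}}

if __name__ == "__main__":
    for u in sorted(MEMBERSHIPS):
        print(u, effective_permission(u, DIRECT, GROUP_PERMS, MEMBERSHIPS))
    print(overridden_users(DIRECT, GROUP_PERMS, MEMBERSHIPS))
```

The "elevated" findings are the ones to look at first in a review: those users keep their access even after being removed from every group.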
Create and manage groups
Via KMS / KAF admin console
Please see the article Managing Groups from the MediaSpace or KAF Admin Console.
Via KMC
You can create and manage groups using the End-Users CSV file. You will need to modify and upload the End-Users CSV file. You will later be able to add groups to channels based on the CSV file you created and uploaded to the KMC or KMS and your admin configuration. See Configuring the Channelmembers Module to Add Groups to Channels.
After creating the groups you may assign user roles. This is a one-time process that needs to happen before groups can be associated with channels. You can define any user role, since specific user roles override the group role. A role must be configured so that MediaSpace can recognize and show groups.
See Group Support in Kaltura Applications and Kaltura Groups FAQ
A sample End-Users CSV file is available for download when you click the +Create button in the KMC main menu.
Groups first need to be created and KMS roles must be assigned. This is a one-time process that needs to happen before any groups can be associated with channels. Any role can be defined, since user-specific roles override the group role.
To modify the End-Users CSV File and create groups:
- In the KMC, modify and upload the end-user csv. See How to add users to KMS using the Bulk Upload Option.
You can download a sample CSV file by clicking the +Create button in the KMC main menu, and selecting 'Download CSV/XML Samples' under the Bulk Upload option. For every group that is created, a user must be added to that group.
- Add the group column titled "group".
- Add a single user or different users to all groups in separate lines. This additional column is used to create all groups in the backend. Do not use spaces in group names.
- Upload the CSV to the KMC or to KMS.
- Modify and use the End_Users CSV file and enter the group names you created in Step 2 in the userId column.
- Create a column for your KMS instance. Set the column title name to "metadata::KMS_USERSCHEMA1_[your_MediaSpace_instance_id]::role", where the instance id is your MediaSpace instance id, found in the Application module in the MediaSpace Management Console configured by your system admin.
- Enter permission levels for each group.
The format of the CSV file with the column title should look like the following:
Other columns are not mandatory to create the groups.
- Upload the modified CSV file to the KMC or to KMS as described in How to add users to KMS using the Bulk Upload Option.
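A pre-upload check for the group rows of the CSV, as an added example that is not part of Kaltura's tooling. It enforces the constraints stated on this page (no spaces in group names, a group name must not equal a userId in it, every group row needs a user, at most 1024 groups per user). The one-membership-per-row layout with "userId" and "group" columns is an assumption, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

MAX_GROUPS_PER_USER = 1024  # per-user limit stated on this page

def lint_group_csv(text):
    """Return a list of problems found in the group rows of an End-Users CSV.

    Assumed layout (not shown on the page): one membership per row, the user
    in a "userId" column and the group in the "group" column.
    """
    reader = csv.DictReader(io.StringIO(text))
    fields = reader.fieldnames or []
    if "userId" not in fields or "group" not in fields:
        return ['header must contain "userId" and "group" columns']
    problems = []
    groups_of = defaultdict(set)
    for row in reader:
        line_no = reader.line_num
        user = (row["userId"] or "").strip()
        group = row["group"] or ""
        if not group:
            continue  # a plain user row with no group membership
        if " " in group:
            problems.append(f"line {line_no}: group name {group!r} contains a space")
        if not user:
            problems.append(f"line {line_no}: group {group!r} has no user on its row")
        elif user == group:
            problems.append(f"line {line_no}: group name equals userId {user!r}")
        else:
            groups_of[user].add(group)
    for user, groups in sorted(groups_of.items()):
        if len(groups) > MAX_GROUPS_PER_USER:
            problems.append(f"user {user!r} is in {len(groups)} groups (limit {MAX_GROUPS_PER_USER})")
    return problems

# Constructed sample input; every value is made up for this example.
SAMPLE = """userId,group
alice,faculty
bob,Media Team
studio,studio
,orphans
carol,
"""

if __name__ == "__main__":
    print("\n".join(lint_group_csv(SAMPLE)))
```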
After groups have been created and added, you can view the current groups and users within them through the testme console and Kaltura APIs.
Use the following services:
To view groups: User→list filter by (type = group). See https://developer.kaltura.com/api-docs/#/user.list.
To view users within a group: GroupUser→list filter by user id or group id. See https://developer.kaltura.com/console/#/groupUser.list.
Add groups to channels
Administrators should enable the Channelmembers module to allow entitled users to modify channels. Set the fields as follows:
For example, the configuration presented here renders the following options for adding a group in MediaSpace:
- Select My Channels
- Click on a channel/gallery.
- Click on the Pencil icon to edit.
If you are the channel/gallery manager or owner, you are able to add members/groups to the channel/gallery.
If you have the basic UI, select the Members tab. Your page will look like the example below:
If you have the Theming UI, select the Users tab. Your page will look like the example below:
- Click Add Member or Add Users (depending on what version you have) to add a group to the channel/gallery.
- In the Add Member / Add User window, start typing a group name and select the group to add.
- Select permissions - select the group’s permission from the options:
- Member - Can view channel content only
- Contributor - Can view channel content and add media to the channel.
- Moderator - Can view channel content, add media to the channel, and moderate channel content.
- Manager - Can view channel content, add media to the channel, moderate channel content, and manage the channel (delegate managerial rights to additional users).
- Click Add to add the group with the specified permission to the channel/gallery.
Syncing SAML groups with Kaltura
The Samlgroupsync Module utilizes the SAML attributes to allow mapping of user groups to MediaSpace’s and KAF's groups. The Samlgroupsync module may be used to automatically manage groups via SAML, and can only be enabled when the SAML module is turned on. Group management was previously done via CSV/API and can now be configured through this module. Your SAML integration must be ready and available for group functionality to work properly.
Admins may configure SAML attribute's information to line up with KMS/KAF using the following options:
- Use attribute's value as group name
- Map attribute's value to a group name
You will need to log in to KMS/KAF for the changes to take effect. For more information see the Kaltura SAMLGroup Sync Administrator's Guide.