Managing Content Entitlement

Kaltura’s Entitlement Model

Kaltura’s entitlement model relies on the extension of Kaltura’s categories.  Categories may hold entitlement settings as well as specific end-user permissions. These entitlement settings and end-user permissions are inherited by media entries associated with these types of categories.

The entitlement model provides a direct association between end-users and the collection of media items they are entitled to access, and enables a simple and efficient way to add entitlement controls to both flat and hierarchical application/website navigation layout.

Kaltura provides a built-in infrastructure for controlling and managing end-user entitlements to content. This infrastructure includes the required attributes and permission controls as well as the server utilities for enforcing those controls.

Using Kaltura’s entitlement services, end-user facing applications such as Kaltura MediaSpace can be extended to add the following capabilities:

  • Groups’ media channels - Provides the ability to set media channels that limit access and contribution of content to members of a specific group of users.
  • Granular control over user permissions to content - Provides the ability to define different privacy and permission levels for accessing and managing content in media channels.
  • Personalized global search engine - Provides the ability for users to easily search and find relevant content from the entire set of media they are entitled to access.

Category’s Entitlements Tab

Entitlement settings may be set on categories in different ways, for example, from the application, via the CSV or through a Kaltura API. The Category’s Entitlements tab in the KMC is where content entitlement settings are managed by account administrators. The Entitlements tab only appears in KMC accounts that are set with the entitlement feature and in categories that were set to have entitlement settings for an application. 

The Entitlement Settings are added to categories as part of the MediaSpace installation. For other purposes entitlement settings can be added to categories from the Integration Settings page under the Settings tab. See Adding Entitlement to Categories for more information.

The following sections describe the different setting options available in the Entitlements tab and their impact on end-user entitlements in applications such as MediaSpace.

Entitlement's Workflow

  1. Create a category. See Adding/Editing a Specific Category.
  2. Add Entitlements to categories. See Adding Entitlement to Categories.
  3. Go to the Content tab and select the Categories tab.
  4. Click on a category or select Edit from the Actions drop down menu.
  5. Select the Entitlements tab.
  6. Set the Entitlement Settings.

Entitlement Terminology

Privacy Context Label 

The Privacy Context is a free text label that indicates to which application the entitlement settings apply, for example, “MediaSpace”. For more information see Adding Entitlement to Categories .

Content Privacy 

The Content Privacy defines the visibility of content associated with a category, including its related metadata.  The Content Privacy setting is applied to:

  • Who has access to content published in channel pages
  • Which content will be available to the user in the application global search results
  • Who can access to a single media item in the application.

The Content Privacy options are:

  • No Restriction – Content in the category is visible to everyone with access to the application page it is published in.   In MediaSpace - this option is mostly relevant for setting Media Galleries that are open on the web and can be accessible by everyone, including anonymous viewers.  
  • Requires Authentication – Content in the category is visible only to authenticated end-users – In MediaSpace this option is mostly relevant for setting Media Galleries or Open/Restricted Media Channels that are available to all authenticated users (users of the company/Institution, customers with login etc.) User authentication is made by MediaSpace against the customer Identity Management system, or with using Kaltura’s authentication services. In both cases, the authenticated user ID is then passed to the Kaltura server through the application session. 
  • Private – Content in this category is visible only to users with specific permission to access this category's content and to the owner of the content.  In MediaSpace this option is mostly relevant for setting Private Media Channels - available only to a group of users.

With any content privacy option the owner of the content is entitled to access and manage his content

Category Listing

The Category Listing option defines who can see the category's name and metadata in MediaSpace.  The Category Listing options are:

  • No Restriction - With this option, the category name and metadata is visible to everyone with access to the application page it is listed in.   In MediaSpace - this option is used for having MediaSpace Galleries always listed in the top menus and side navigation layout and for having MediaSpace open or restricted channels included in the Channels listing page. 
  • Private – With this option, the category name and metadata are visible only to users with permission to access the category and its content. In MediaSpace this option is used for having private channels visible only to group members. 

Content Publish Permissions - Contribution Policy 

The Contribution Policy option defines which end-users can add content to this category through applications. The applicative permission to publish in MediaSpace’s shared Galleries is set from the MediaSpace Application Role of the user. See the Kaltura MediaSpace Setup Guide for more information. The category contribution policy adds the ability to have this type of authorization for publishing content in specific galleries/channels.  

The Category Contribution Policy options are:

  • No Restriction – With this option, any end-user authorized to publish content in MediaSpace can publish content in the gallery/channel associated with this category. In MediaSpace this option is used in shared galleries to which every user with a MediaSpace Admin Application Role can add content to, and in Open Channels to which all MediaSpace users with content can add their content to.  
  • Private - With this option, only end-users with specific permission to add content to this category can add content to it. In MediaSpace this option is used in Restricted/Private Channels.

Moderate Content

Moderate Content - (Moderation is configured through MediaSpace.) Media will not appear in the page until approved by the category manager/moderator.

End-User Permissions

When any one of the Category Entitlement Options is set to Private, the respective access level is based on specific end-user permissions.  User permissions to a category and content associated with it are set through 4 permission levels: Member, Contributor, Moderator, and Manager.  The basic access permissions listed below are enforced by the Kaltura server. In MediaSpace the permission levels are used to control the availability of the relevant UI controls and user flows, for example, Channel Settings, Channel’s moderation panel, Publish Module and others. 


The settings of end-user permissions are set from the KMC, in Bulk Process via a CSV formatted schema, or via Kaltura APIs. Use the Default Permission Level field to set the default permission level.  The permissions may be changed by selecting the Manage Users field and editing the permission level. 

In MediaSpace:  Channel Managers can set their channel’s groups members and may assign different permission levels to members of their group.

The content owner has always full access and editing permissions to his own content. He is also able to remove his content from any category, regardless of the category’s settings. 

Tip: the category end-user permissions may also be used by applications when the category is not set as private – for granting category specific applicative permissions to specific users.  In MediaSpace: users that is not set to with an Admin Application Role can still be granted with permission to publish content in specific galleries.  In this case the category’s contribution policy is set to No Restriction while ability to publish content in the respective gallery is granted by the application to all MediaSpace Admin users, but also to a few specific users that are set as contributors in the category.

End-User Permission Attributes

  • Status – indication to the state of the user permission set to the category. This attribute may be used for supporting different applicative flows.
    • Active – Access permission is active and enforced
    • Deactivated – Access permission is not active anymore. (can be activated again)
  • Update Method - indication on how a specific end-user permission is updated, this may be used for supporting automatic processes for setting permissions to channels from groups managed in on organizational information systems, while being able to set manual overrides to specific end-user permissions.
    • Automatic - user permission is updated via an automatic process (either via a CSV formatted schema or an API based integration). User permission level may be updated by the automatic process.
    • Manual – user permission is updated manually only and will not be updated by an automatic process.

Setting the Entitlement Settings

Perform the tasks in the workflow to configure the KMC with Entitlement Settings.

To edit Entitlement Settings of a category 
  1. Select the Content menu and then select the Categories tab.
  2. Click on a category. The Edit Category window is displayed.
  3. Select the Entitlements tab.
  4. Edit the Entitlement Settings options, Informative tooltips are available for each one of the options.
  5. Set the Content Privacy. See How to determine content privacy in the KMC.
  6. Select the Category Listing. See What are the category's listing options in the KMC and KMS?
  7. Select the Content Publish permissions (also known as Contribution Policy). See How to define the contribution policy in the KMC and KMS.
  8. Moderate Content. Enable this field to support the moderation of content prior to publishing in the channel. (Moderation is configured through Kaltura MediaSpace.)
  9. Select the Default Permission Level. See What are specific end-user permissions in the KMC and KMS 
  10. Click Change Owner to Change the owner.
  11. Click Manage Users to manage end-user permissions.
  12. Click Save.

Change Owner

Use this option to change the category owner. 

  • Enter the new category owner’s name and click Apply.

Managing Categories’ End-User Permissions

To manage categories’ end-user permissions
  1. Set the Entitlement Settings.
  2. Select the Content menu and then select the Categories tab.
  3. Click on a category. The Edit Category window is displayed.
  4. Select the Entitlements tab. The Entitlements screen is displayed.
  5. Scroll down and click Manage Users.
  6. Select Add Users or perform Bulk actions on multiple users.
  7. Select the Permission Level. See Specific End-Users Permissions.
  8. Select the Update Method. See End User Permission Attributes
  9. Select Add Users to add additional users. See Add End Users to Entitlements.
  10. Click Save.

Add End Users to Entitlements

To add end users to entitlements
  1. Enter the User’s Names.
  2. Select the Permission Level.
  3. Select the Update Method and Click Add Users.

Add Users from a Parent Category

If you want to add users to a category that has users associated to its parent category, the following radio buttons are displayed.

Select whether to:

  • Select End-user permissions for this category
  • Inherit users from parent category.

Bulk Actions for Managing Categories End-User Permissions

To perform bulk actions on end-user permissions
  1. Check the box or multiple boxes next to the user name and select More Actions.
  2. Select one of the following options  
  • Active – activates the specific end user permissions for the category
  • Set permission levels - overrides the permission level of all selected end-users
  • Update - Set to manual or automatic update. See End-User Permission Attributes.
  • Delete Users- deletes the selected end-users from the category.
  • Click Close.

Visibility of Content Associated with Multiple Categories

For content associated with more than one category, the privacy and visibility of this content via global search or a direct link to the video page, is determined based on the category with the lowest restriction level the content is associated with (within the application category tree).  


In a MediaSpace based media portal:

  • A video that is published in a few private channels but also in at least one public gallery (Content Privacy = No Restriction) will be visible to everyone with access to the portal.  Access to this video in this case is available to all from the public gallery page itself, via the portal’s Global Search or via a direct link to the MediaSpace page of this video.    
  • A video that is published in a few private channels but also in at least one organizational shared gallery (Content Privacy = Requires Authentication), will be visible to all members of the organization (following login to the portal) from the organizational shared gallery page itself, but also via the portal’s Global Search or via a direct link to the MediaSpace page of this video. This content will not be available to anonymous viewers with a direct link to the MediaSpace page of this video - a login page will be prompted in this case.  

  • A video that is published in a few private channels but is also set in Kaltura categories managed in the KMC account that are not integrated with the media portal (for example, categories integrated with Kaltura extensions to CMS/LMS, categories set by the account KMC administrator for different purposes, etc.). Access to the video via the Media Portal is determined only by the entitlements settings of the categories the Media Portal is integrated with. This is controlled by the application specific “privacy content” label set to these categories.

  • A video that uploaded by an end-user but was not published in any gallery or channel in MediaSpace (private media), could only be accessed by the content owner.

Visibility of Content Outside of the Application

When the entitlement feature is enabled for the account, an internal enforcement level is also set and managed by Kaltura. The options for entitlement enforcement are:

  • Entitlement enforcement is enabled by default.

    When entitlement enforcement is enabled for the account - access to content under categories with entitlement is only possible via applications that implement entitlement and are integrated with these categories. This is the recommended setting in MediaSpace accounts for the highest level of content security.

Embed codes that are grabbed by authorized users from within the MediaSpace application bypass the entitlement enforcement for the specific entry. Thus, the entry will become publicly available within the grabbed player outside of MediaSpace.

  • Entitlement enforcement is disabled by default and enabled by the application.

    When entitlement enforcement is disabled for account - access to content under categories with entitlement is possible via any application, including player embed codes that are grabbed from the KMC. With this option the application itself activate the entitlement enforcement so entitlement rules are kept within the application but all content in categories the application is integrated with can be accessed via other applications as well. This is the default setting for Kaltura trial accounts.

Contact Kaltura to change the entitlement enforcement level for your account.

In This Article
Was this article helpful?
Thank you for your feedback!