Overview
This document will guide you through the steps to create and configure additional MCommunity groups as needed to make it easier to manage users.
Assumptions:
- Shibboleth and MCommunity configuration has been set up in your Mediaspace site and tested by the MiVideo support team.
- You have been added as an Owner of the “MiVideo SupportGroupsMaster” account for your Mediaspace by the MiVideo support team (in MCommunity, click My Groups and look for your MiVideo group in the list).
- You are familiar with https://mcommunity.umich.edu.
About MiVideo Support Groups Master
This is a special MCommunity group that acts as the connection between Shibboleth (U-M Level 1 authentication) and your Mediaspace site. Your site’s MCommunity accounts must be added as members of this account (steps to follow). NEVER DELETE THIS ACCOUNT.
Understanding Mediaspace Roles
A Mediaspace role is assigned to a user at login. When using Shibboleth authentication with MCommunity groups, the role assignment is automated. A user must be a member of only ONE associated MCommunity group.
- The typical configuration assigns the viewerOnly role to logged in users who are not members of a designated MCommunity group.
- In most cases the only roles mapped to MCommunity groups are unmoderatedAdminRole and privateOnlyRole.
The MiVideo support team has likely already added you to an MCommunity group mapped to the unmoderatedAdminRole.
In most cases you will add users to an MCommunity group mapped to either the unmoderatedAdminRole or privateOnlyRole, but here are all the Mediaspace roles and their capabilities:
- anonymousRole
- The non-logged-in user; they can view public content but not interact with the site (upload, comment, create playlists).
- viewerRole
- Can browse public galleries
- Is not authorized to upload/create/publish content
- Does not have a My Media page
- Can be a channel member, but cannot contribute content to channels
- privateOnlyRole
- Can upload content (My Media)
- Cannot publish to galleries
- Can add/publish media to channels if given appropriate channel permissions (contributor or manager).
- adminRole
- Can upload content (My Media)
- Can publish their own content to gallery categories
- Can add/publish media to channels if given appropriate channel permissions (contributor or manager).
- unmoderatedAdminRole
- Same as adminRole plus bypass content moderation settings (when moderation is enabled)
Creating MCommunity Group(s) for User Management
Naming Convention
You should follow the established naming convention for your Mediaspace’s MCommunity Master Group.
The group name is usually MiVideo {Mediaspace identifier} {Mediaspace Role}.
For example the Staging Mediaspace (https://staging.mivideo.it.umich.edu) groups are:
- MiVideo Staging SupportGroupsMaster
- MiVideo Staging unmoderatedAdminRole
- MiVideo Staging privateOnlyRole
TIP: You can create multiple MCommunity groups all mapped to the same Mediaspace role, but users should only be members of one group. Some customers may find this is a useful way to manage large numbers of MCommunity users.
Create a Group & Add to Mediaspace
- Go to https://mcommunity.umich.edu and log in.
- Click My Groups
- Scroll the list and find your MiVideo SupportGroupsMaster account and make note of the Mediaspace identifier between “MiVideo” and “SupportGroupsMaster”
- Back at the top of the page, click Create Group
- Enter the group name following the naming convention (e.g. MiVideo Staging privateOnlyRole).
TIP: Check your spelling. You cannot rename your groups. If you make a mistake you have to delete the group and start over.
- Create an email address for your group following your naming convention (e.g. [email protected])
- Enter a description to help you remember what function this group serves (e.g. “staging.mivideo.it.umich.edu mcommunity integration”). You can be as detailed as desired to remind you of the group’s purpose in your Mediaspace.
- Click Continue
- Complete the form with these settings:
- Only owners can add members (default)
- Membership view - members only
- Messages can be sent to the group by - anyone (default)
- Click Continue to add owner(s) and member(s)
IMPORTANT: Do NOT add yourself as a member UNLESS this is the role you should have when logging in to Mediaspace. Members should only belong to one MCommunity group.
- Your uniqname is automatically added as a group owner. If there are others who will manage the users in this group, add their uniqname(s) below yours.
- Add members to the members text box (you must add at least one uniqname).
- Click Finish and wait for confirmation (it can take a few minutes).
- At the top of the group page, copy the group email address (NOT the request email address) so you can easily add it to the SupportGroupsMaster group.
- Click My Groups at the top of the page and click your MiVideo SupportGroupsMaster group (e.g. MiVideo Staging SupportGroupsMaster)
- Click the Members Tab
- Click Add Members
- Paste the copied email address into the Add Members box, then click Save Changes.
- You should now see your new group listed as a sub-account. Highlight this sub-account group name and copy it (not its URL) so you can easily add it to your Mediaspace SAML module.
- Log in to your Mediaspace admin and click the SAML module (one of the last menu items on the left).
- Scroll down to the roleAttributes section. You may see the unmoderatedAdminRole config that was created by the MiVideo team.
- Click Add “roleAttributes” at the bottom right of this section.
- Paste the copied group name into the Name field
- Copy/paste the attribute text from the unmoderatedAdminRole entry, or copy/paste it from here: urn:oid:2.16.840.1.113719.1.1.4.1.25
TIP: This value is the same for all groups you add. It is the Shibboleth field that holds each user’s MCommunity group information.
- Choose the appropriate role from the drop-down list (probably privateOnlyRole).
- Click Save at the bottom of the page.
- Repeat steps 1-24 for each MCommunity group you want to associate with a Mediaspace role.
- Test the configuration:
- Have a group member log in to the front end
- In the admin, click the Manage Users button and look for the group member in the list and verify they received the proper role.
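A pre-flight check for the rules in this procedure, as an added example (not MiVideo or Kaltura code): it flags a group whose name and drop-down role disagree, a mapped group missing from SupportGroupsMaster, and a user who belongs to more than one mapped group. It assumes you have copied the roleAttributes entries and each group's member list into Python dictionaries by hand; the uniqnames and the "MiVideo Staging Faculty" group are constructed sample data.

```python
# Roles from this page that a group can be mapped to in the SAML module.
KNOWN_ROLES = {"viewerRole", "privateOnlyRole", "adminRole", "unmoderatedAdminRole"}

def audit(role_attributes, memberships, master_members):
    """Return (kind, subject, detail) findings for a roleAttributes setup.

    role_attributes: {group name: role chosen in the drop-down}
    memberships:     {group name: set of uniqnames}
    master_members:  group names listed as members of SupportGroupsMaster
    """
    findings, groups_of = [], {}
    for group, role in sorted(role_attributes.items()):
        suffix = (group.split() or [""])[-1]
        if role not in KNOWN_ROLES:
            findings.append(("unknown-role", group, role))
        elif suffix in KNOWN_ROLES and suffix != role:
            # Name follows the convention but the drop-down choice disagrees.
            findings.append(("role-mismatch", group, f"mapped to {role}"))
        if group not in master_members:
            findings.append(("not-in-master", group, "add it to SupportGroupsMaster"))
        for user in memberships.get(group, ()):
            groups_of.setdefault(user, []).append(group)
    # The page requires each user to be a member of only one mapped group.
    for user, groups in sorted(groups_of.items()):
        if len(groups) > 1:
            findings.append(("multi-group", user, ", ".join(groups)))
    return findings

# Constructed sample data (hypothetical uniqnames and "Faculty" group).
ROLE_ATTRIBUTES = {
    "MiVideo Staging unmoderatedAdminRole": "unmoderatedAdminRole",
    "MiVideo Staging privateOnlyRole": "unmoderatedAdminRole",  # wrong drop-down choice
    "MiVideo Staging Faculty": "privateOnlyRole",               # never added to master
}
MEMBERSHIPS = {
    "MiVideo Staging unmoderatedAdminRole": {"alice", "bob"},
    "MiVideo Staging privateOnlyRole": {"bob", "carol"},
    "MiVideo Staging Faculty": {"dave"},
}
MASTER_MEMBERS = {"MiVideo Staging unmoderatedAdminRole", "MiVideo Staging privateOnlyRole"}

if __name__ == "__main__":
    for finding in audit(ROLE_ATTRIBUTES, MEMBERSHIPS, MASTER_MEMBERS):
        print(*finding, sep=" | ")
```

An empty result means the three checks passed; the login test in the last step is still what confirms the role a user actually receives.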