User Roles

User Roles control what permissions Core users have and what assets they can see and interact with in the system. Each User is assigned to one Role but there can be overrides added to a User’s individual Profile that make special allowances for that user outside of the Role they are assigned to.

User Role Elements

After clicking on the Users module in the left navigation panel choose User Roles in the top panel. Here you can browse and search User Roles that you have access to as well as view and manage existing User Roles and create new User Roles.

1. Users Tab - You will find this tab in the Left Navigation panel
   NOTE: You will only see your own profile if you do not have permission to add/edit other users.
2. User Roles - This tab allows you to see a list of existing User Roles
3. Search Bar - This allows you to query a search of existing User Roles
4. + New User Role - Allows you to create a new User Role

---

The Anatomy of User Roles

The top bar of the User Role includes:

1. User Role Name
2. Number of Members Assigned to the Role
3. Save Role as a Template
4. Load a Template for the User Role
5. Close the Role detail

There are also six tabs that make up a user role:

6. Role Info - Defines the role and it’s primary capabilities and limitations
7. View Access Rules - Defines what the role can view
8. Edit Access Rules - Defines what the role can edit
9. User Access Rules - Defines who else in the system can be seen by this role
10. Members - Lists who the role is applied to
11. Screener - Defines what Screener devices the role has access to

Role Info

The Role Info Screen has five main parts:

1. User Role Name - The name of a User Role usually contains key words to make it easier for admins to distinguish the role while looking at the list. For example, a user role like Editorial Uploader for ‘The Great Movie’ may be called TGM - Editorial - Uploader so that the film abbreviation leads to the Role name. However, Roles can be titled however your Admins determine works best for your system.
2. Admin Settings - This section determines certain (but not all) permission choices for the role. * Each of these settings will be detailed below.
3. Role Restrictions - This section only applies to Standard Users who are able to add other users. In this section you will choose which roles the standard user will be able to choose from when creating a new user.
4. Production - This section determines which Productions the user has access to.
5. Watermarks - This section determines the look of the watermark for the User Role for Images, PDFs and for Videos.

Admin Settings

Domain

In CORE the Domain is the highest level of a meta data hierarchy structure. For example, in a M&E structure Film or TV are Domains. Each Domain has a single meta data structure that applies to it, and that structure is the way users categorize (tag) files when they are added to the system. In the Admin Settings area, choosing a Domain determines the meta data tag structure that the user will have to choose from when they categorize files or browse in File Search.

Package Share Types

This determines which types of Packages the User will be able to send.

• Feedback (standard): Feedback (standard) package opens to a view of all files with the comment panel enabled. Everyone on this share type can collaborate. If simple viewer is on, recipients will launch into a simple file player with no extra clutter.
• Dailies: Opens the recipient directly into the player with the first file open. Recipients are hidden by default and simple viewer is on by default.
• Approval: Opens to a view of all files with the approval panel enabled. Everyone on the share can collaborate, but each person can only see approvals based on their role. If simple viewer is on, recipients will launch into a simple file player with no extra clutter.
• Sync Review: Opens a real-time hosted review. Recipients can not see or access the files except when guided by the host (sender of the package).
• Download: Opens a simple, web-based download page. This type of package is best for when recipients only need to download the files.

Package share download options

The package share download options are the options the user role will see when sharing a package for download.

• Recipient Settings: This option means that the user/sender will default to the user permissions set up by the Administrators for the recipients they are sending the package to.
• Allow download without watermark: This option allows the user/sender to grant the recipients the permission to download the files without a watermark.
• Allow download with watermark: This option allows the user/sender to grant the recipients the permission to download files with a watermark. The watermark can be the one chosen in the user’s role or can be a custom watermark determined at the time of the share.

User Access Level

The user access level is the primary determinant of what permissions the User has in the system. In CORE, a permission is the ability to view, download, or edit files, or to perform other actions within the system. Choose between the following:

• Standard User: Standard users start with no permissions in the system. A Standard User can log in to CORE and view packages that are shared with them. All additional permissions are granted in the User Role they are assigned to or in Access Overrides.
• Admin: User with full permissions and all abilities in CORE. Can view, modify, and download any file in the system, regardless of other permissions. Can create projects, add users, user roles, domains, meta structures and any other functions in the Admin panel.

Authentication Type

If your company has Active Directory integration enabled, this will allow you to configure Single Sign On. CORE supports SAML, Okta, and OneLogin and can support custom integrations with other providers.

Redirect on Login

Select which module the User will see when they first log in. Choose between Dashboard, File Search and Inbox.
NOTE: Not all systems will have the Dashboard option.

MFA (Multi-Factor Authentication) Type

If you would like to require the role to have another layer of security you can enable MFA here. If Google Authenticator is enabled the User must install the Google Authenticator app on their mobile device and enter a 6-digit code each time they log in.

Save Access Level

This option controls a User's download settings both for Files they search for in the system, as well as those sent to them in Packages when they are set to Recipient Settings. If Files are shared with a user in a Package set to Download or View Only, however, then that setting will override this user role setting.

• None: The user role can not download any Files from the system unless they are shared in a package set to be Downloadable.
• Proxy: The User can download the proxy of any File that they can view from the File Search page. They can also download the proxy of any File that was shared with them in a Package set to Recipient Settings.
• Source and Proxy: The user role can download the source of any File that they can view from the File Search page, or that was shared with them in a Package set to Recipient Settings. They can also download the proxy if they choose, and may download them without a watermark.

Watermark Strategy

Controls how assets will be watermarked.

• Overlay: Add watermark as a text overlay which can be disabled.
• Burn-in: Burn-in, or digitally “bake”, the watermark on top of the image, video, or document so the watermark shows up no matter if you’re viewing the file in a system player or downloading it.

Categorization Type

This controls the user’s categorization options.

• Quick Share & Categorize: Allows the user to categorize the asset or “Quick Share” without categorizing the file. (if a file is not categorized, it cannot be found via searching All Files)
• Categorize Only: Asset must be categorized before it is shared.
• Quick Share: User cannot categorize but can share without categorizing the asset.
• None: User cannot categorize or share the file. The asset must be categorized and/or shared by another user.

Dashboard Type

Controls how the Dashboard module will function. (Note: Not all CORE systems have Dashboard enabled)

• Package: The Dashboard displays a list of Productions contained in Packages that have been shared with you. In this mode, a Production will not appear on the Dashboard until someone has sent you a Package containing at least one File from it.
• Production: The Dashboard displays a list of Productions you've been assigned to.

---

Admin Settings - Granular Permissions

These settings enable additional abilities for Standard Users. Note that Admin Users always have all of these permissions.

Admin

• Role Manager: Create new User Roles, and edit Roles that the User has been given access to through the Role Restrictions field. A user can never create another Role with higher permissions than they themselves have.
• Upload Manager: View and categorize uploads made by other Users.
• Queue Manager: View and re-prioritize jobs in the Processing Queues. (currently disabled)
• Download Manager: View list of downloads made by other Users.
• View Private Conversations: View all Comments on files that you have access to, even if they are marked Private.
• Change Watermark: Ability to change the watermark when downloading files. With this enabled, Users can change the watermark style, and also the User's name on the watermark.

User

• Disable License Agreement: If your system has a License Agreement that Users must agree to before logging in, checking this setting will allow a User to bypass it.
• Create Users: Create User accounts for others. With this permission, you can also edit Users you've created, as well as those which you're granted Edit access to through your User Access Rules. The Roles which are available to assign are those granted through the Role Restrictions field.
• Upload Assets: Gives Users the ability to upload files into CORE.
• Print: Gives Users the option in the interface to print images and documents.
• Box files access: Allows users to access Box files.

Package

• Package Manager - Packages shared with a Standard User who has this additional permission do not have any restrictions that a sender may have put on the package. The exception to this rule is expiration dates or views allowed for the package. The package manager:

  • Has the ability to batch package shares on the inbox
  • Can delete package shares
  • Can view package share information of recipients
  • Can view recipients If the Hide Users setting is flagged on The package manager cannot view other recipients inboxes (with Std User settings)

• Forensic Streaming Enabled - Forensic watermarking is only offered through a 3rd party integration and will require a license for users to enable this option. Forensic watermarking places an ‘invisible’ watermark on assets in order to track their location and provides the highest level of trackable security available for assets being shared outside of CORE. Forensic watermarking can work in conjunction with visible watermarks in the CORE system.

• Package Reports - Allows Users to run reports on package access, views, downloads etc.

• Mobile Downloads - Allows Users who are sent a package to download files within the CORE mobile app for offline viewing with no wifi access. (For example, viewing an asset while in airplane mode while travelling.)

• Approval Manager - Allows Users to see all of the approvals (thumbs up, thumbs down) for approval type packages.

Device

Select which device(s) the User may log in from. Choose from Desktop, Mobile, AppleTV, or any combination of the above.

---

Role Restrictions

This field appears if the Role has either Role Manager or Create Users permissions. If the User has the Role Manager permission, the Roles selected here will be available for them to view and modify in the User Roles section. If the User has the Create Users permission, the Roles selected here will be available for them to assign to other Users.

Productions

Select which Productions the User has access to. Productions selected here will be available in the User's dashboard and top selector dropdown, and will be available to them when categorizing Files (if they are able to do so). Additionally, if the User has the Role Manager permission, the Productions selected here must be part of any File Access Rules they create (see below).

Watermarks

Set the style of watermarks that users in this role will receive by default when viewing or downloading files. You can set different watermark styles for images, pdfs, and videos. This setting may be overridden if the User has the Change Watermark permission, or if someone sends them a Package with a custom watermark. Additionally, this setting may be overridden globally in certain cases by the Production Watermarks Admin section.

View Access Rules

File Access Rules govern what files a User can see, whether they can interact with them, and if so, how.

• View Access Rules control what Files a User can view, and optionally, what additional information about them they can view.
• Each User Role can have as many File Access Rules as needed.
  NOTE: To learn how to create a View Access Rule see Create a New User Role: A Step-By-Step Guide

Access Rules

List of the rules you create within the User Role. A User Role can have multiple rules.

File Permissions

By checking the File Permissions boxes, permission can be granted to view additional info for the files you have access to view.

View History

View the history panel for the Files you have access to. See here for information about the History Panel.

View Access

View who else has access to the Files you have access to. See here for information about the Access Panel.

Email on Ingest

Users assigned to the role will receive an email notification whenever Files matching the Rule are ingested into CORE.

Metadata Fields

The fields shown here will match those in the Tag Structure for the selected Domain. Click on a field to add a conditional rule for that field.

Conditionals

Each Conditional is simply a filter. You can add as many conditionals to a Rule as you'd like. All Conditionals in a rule are ANDed together. Files that match the Rule will become available (or be hidden) if they satisfy all of the listed conditionals. For each Field, choose at least one Value to match.

Field Name

The field you are using to filter values.

Condition

Select either "Is", "Is Not." or “Is All”.

Value

The Value that a File must have in order to match. You can add multiple Values to each conditional. Click the X to remove a Value.

Add Value

Click to select existing Values from a dropdown, and add them to the Conditional.

Remove Conditional

Click the trash icon to Remove the entire Conditional.

Edit Access Rules

Edit Access Rules control what Files a User can edit. Files matching an Edit Access Rule will be both viewable and editable by Users assigned to the Role. The anatomy of Edit Access Rules is the same as View Access Rules with one exception, it does not include Email on Ingest. That rule is applied only in View Access Rules.
Important: If you make overrides to the Edit Access Rules in this section you will be overriding the Rules set up for the user in their assigned User Role.

User Access Rules

User Access Rules control which other Users in the system a User will be able to see and/or modify. The rule allows Users to view other users within selected Production, Company, Department or Position.
Important: If you make overrides to the User Access Rules in this section you will be overriding the Rules set up for the user in their assigned User Role.

Members

A list of Active and Inactive users who have been assigned to that User Role.

Screener

A selectable list of devices to which the given User Role can broadcast Screeners via the Projection Room App.

Before Creating New User Roles

Creating a new User Role is the first step to setting up users for a production. Find below a few tips and insight to help you better plan and prepare for User Role creation in CORE.

Naming Conventions Tips

Use a convention that can be applied across projects. For instance:

• Start each Role with the name of a project, business group or workflow that is most appropriate for your needs.

• Use numbers for easy identification of role type or complexity. For instance, if you know that every project has seven roles, scale them from 01 to 07 with 01 being the most basic user with limited access and 07 as your Admin.

• Use keywords that indicate the role type, such as Inbox Only, Upload, Download, Distribution, etc.

• Examples:

  • PROJECT A_01_Inbox Only
  • PROJECT B_01m_Inbox_Mobile Only
  • BUSINESS GRP_03_Upload-Download
  • BUSINESS GRP_05_Package Mgr_Distro
  • SYSTEM_07_Admin

Craft User Role Templates

Create a template for each role type you’ve identified.

Go to Create User Role Templates for more specific instructions.

Create a New User Role: A Step-By-Step Guide

Creating a User Role is done in multiple parts:

• Step 1: You must first create the basic user role in the Role Info tab
• Step 2: If any, add Viewer Access Rules
• Step 3: If any, add Edit Access Rules
• Step 4: Finally, you create User Access Rules Some users will also manage your company’s Projection Room App. In that case, there is a Step 5.

To create a new User Role:

1. Navigate to the Users module
2. Click User Roles.
3. Click New User Role
4. Add basic User Role info in the Role Info tab
5. Click the Save Changes button to save your User Role. Important step! :)

Add Basic User Role Info (Step 1)

1. Start by entering the User Role name.
   

CORE Tip: Create a standardized naming convention for your User Roles based on the general user types you will need for each of your projects or divisions. This way you can save roles as a template, and reuse them by simply changing the name of the User Role to the current project, etc. Make the names descriptive enough so you know what they include, or maintain a chart of your different role types that you create.

Your base role is created. You can now personalize the permissions and access based on the needs of the specific role. See examples below for steps to create specific user roles such as Department Admin, Viewer and Uploader.

Example 1: Department Admin

The Department Admin will have the basic Permissions of a Standard User with additional access added to allow them to have Admin permissions for a specific department and production only.

Step 1: Create a new role and assign the new Role a name by entering it under User Role Name. For our department admin, we will name the role NoobAdventures_07_Editorial_ADMIN.

1. Click on the Users tab on the left panel.
2. Click User Roles.
3. Click + User Role.

Step 2: Assign the specific settings in Role info. In our example, the Editorial Admin:

1. Has access to the TV Domain.
2. Can share all package types.
3. Can share packages to be downloaded with a watermark or without a watermark if the specific user has that permission based on their role.
4. Since our Editorial Admin will not be an Admin for the entire CORE app, we will assign The User Access Level as Standard User. (We will add additional access later by adding Access Rules to the role.)
5. Users with this role will have the ability to Create Users and Upload Assets for the department and production they have access to (we will specify which Department and Production our Editorial Admin has access to later).
6. Users under this role will be able to view Package Reports.
7. This role allows its users to access CORE from the mobile and AppleTV apps in addition to the Desktop version.
8. In the Roles Restriction section, you control what roles you can choose when you create new users. In our example below, the Editorial Admin can create new users with the Asset Uploader or Asset Viewer roles.

9. Under Production, we can assign which Productions the Users in this role have access to. In this example, the Editorial Admin will only have access to Noob Adventures production. Click on any additional productions to add more.

10. Under the Watermark section, assign the watermark style that the Editorial Admin will see when they view video, image or PDF document. In our example, we chose the standard watermark styles.

Step 3: Create an Access Rule that gives the NoobAdventures_07_Editorial_ADMIN access to the Editorial Department only.

1. To ensure the Editorial Admin only has access to the Editorial Department, we need to create an Access Rule. To do so click: a. View Access Rules
   b. Click on +Add Rule, name the rule (in this case NoobAdven_view) c. Choose your Tag Type (Example TV Domain) d. Choose Department under the Structure e. Choose Conditional value, in this case, we want the Editorial Admin to have access to View Editorial Dept. Click the IS option and then choose Editorial in the pull down showing all the Departments available. f. Select the checkbox for the View History Panel. If checkbox is selected, allows members of this role to have access to the asset history panel in the asset viewer. Asset history panel lists all the history/activity on an asset - who has uploaded, downloaded, viewed, edited, reprocessed, etc. this asset. g. Select the checkbox for the View Access Panel. If checkbox is selected, allows members of this role to have access to the File Access panel in the asset viewer. The File Access panel lists all of the Users who have access to an asset. h. Click on the Save Changes button to save your rule. NOTE: We are not selecting Email on Ingest checkbox for our Editorial Admin rule example here. But the Email on Ingest option, if checked, will send email notifications to members of this role every time an asset matching the access rule parameters is ingested into CORE. Step 4: We also want our Editorial Admin to have the permission to not just view assets but also edit them, as well. We need to create an Access Rule that allows the NoobAdventures_07_Editorial_ADMIN to edit assets in the Editorial Department only.

   To ensure the Editorial Admin has permission to only edit assets for the Editorial Department, we need to create an Edit Access Rule. To do so, click: a. View Access Rules
   b. Click on +Add Rule, name the rule (in this case NoobAdven_edit)
   c. Choose your Tag Type (Example TV domain)
   3. Choose Department under the Structur
   4. Choose Conditional value, in this case, we want the Editorial Admin to edit assets only in the Editorial Dept. Click the IS option and then choose Editorial in the pull down showing all the Departments available.
   5. Click on the Save Changes button to save your rule.
   

Example 2: Viewer Role

The Viewer Role gives users permission to view assets within a particular production (no uploading, downloading or sharing options).

Step 1: Create a new role and assign the new Role a name by entering it under User Role Name. For our viewer role, we will call it KungFuThis!_01_Viewer.

1. Click on the Users tab on the left panel.
2. Click User Roles.
3. Click + User Role.

Step 2: Assign the specific settings in Role info. In our example, the KungFuThis!_01_Viewer:

4. Has access to the Film Domain.
5. Can share all package types.
6. We will set the Package share download options to Recipient Settings. That way the package can be shared with a watermark or without a watermark if the specific user has that permission based on their role.
7. Our KungFuThis!_01_Viewer should not have any Admin permissions so we will assign the User Access Level as Standard User.
8. The KungFuThis!_01_Viewer should not have the ability to download any assets, so we will choose None under Save Access level.
9. The users with this role will not be responsible for Categorizing or sharing assets, so we choose None for Categorization Type.
10. The only additional permission we want to give this viewer role is the ability to also view assets on all devices: AppleTV, Mobile (iOS), and Desktop. Under Device, choose All to accomplish this.
11. Our KungFuThis!_01_Viewer should only have access to see other users in Kung Fu This! production. We will choose Kung Fu This! under Production.

12. Under the watermarks section, assign the watermark style that the KungFuThis!_01_Viewer will see. In our example, we will assign the Secure watermark to be shown for images, ScriptStyle for PDFs and Low Center Light for video.

Step 3: Create an Access Rule that gives the Air Prod - Viewer access to only the Air project.

To ensure that the KungFuThis!_01_Viewer only has access to the Kung Fu This! project we need to create an Access Rule. To do so click: a. View Access Rules b. Click on +Add Rule, name the rule (in this case KungFu_viewer) c. Choose your Tag Type (Example Film as the Domain) d. Choose Production under the Structure e. Choose Conditional value, in this case, we want the viewer to see the Kung Fu This!. Click the IS option and then choose Production Kung Fu This! in the pull down menu. f. Click on the Save Changes button to save your rule.

Example 3: Uploader Role

The Uploader Role gives users permission to upload and share assets within a particular production (no downloading options).

Step 1: Create a new role and assign the new Role a name by entering it under User Role Name. For our production uploader, we will name the role KungFuThis!_02_Uploader.

1. Click on the Users tab on the left panel.
2. Click User Roles.
3. Click + NewUser Role

Step 2: Assign the specific settings in Role info. In our example, the KungFuThis!_02_Uploader:

4. Has access to the Film Domain.
5. Can share all package types.
6. We will set the Package share download options to Recipient Settings. That way the package can be shared with a watermark or without a watermark based on the recipient’s permission.
7. Our KungFuThis!_02_Uploader:should not have Admin permissions so we will assign the User Access Level as Standard User.
8. The KungFuThis!_02_Uploader should not have the ability to download any assets, so we will choose None under Save Access level.
9. The users with this role will not be responsible for Categorizing or sharing assets, so we choose None for Categorization Type.
10. The KungFuThis!_02_Uploader should have the ability to upload assets, so we will check the Upload Assets box in the User section to allow this permission.
11. The Uploader role only needs to access the Desktop so we will choose that option.
12. Our KungFuThis!_02_Uploader should only have access to see other users in the Kung Fu This! Project. We will choose Kung Fu This! under Production.

13. Under the watermarks section, assign the watermark style that the KungFuThis!_02_Uploader will see. In our example, we will assign the Secure watermark to be shown for images, ScriptStyle for PDFs and Low Center Light for video.

9. Under the watermarks section, assign the watermark style that the Air - Uploader will see. In our example, we will assign the Secure watermark to be shown for images, ScriptStyle for PDFs and Low Center Light for video.

Step 3: Create an Access Rule that gives the KungFuThis!_02_Uploader access to the Kung Fu This! project only.

To ensure that the Air - Uploader only has access to the Air project, we need to create an Access Rule. To do so click: a. View Access Rules
b. Click on +Add Rule
c. Choose your Tag Type (Example Film Domain)
d. Choose Production under Structure
e. Choose Conditional value, in this case, we want the KungFuThis!_02_Uploader to have access to the Kung Fu This! production. Click the IS option and then Kung Fu This! from the pull down menu.

To create more specificity, limitations, or access, add rules to your role. Add and manage rules following the instructions in the below sections:

1. View Access Rules
2. Edit Access Rules
3. User Access Rules