Market7

Security’s getting tighter in here

Below this paragraph you’re looking at a significant advance in our securing content and information about production that’s run discreetly through video.Market7. The first modules in the application to feature access controls were collaborative script and resource management — in both of these people can be explicitly invited or excluded from access based on permission levels granted either to them personally & directly, or more indirectly through association of privilege with their roles. Roles in this context sort of act like tags. Thing is that until recently roles could be openly changed by anyone. So, if I’m locked out of a script I want to see, but I suspect the “crew” role (or of course some other one) does have access, then I can just expand my roles to include “crew”, and I’m in. We’re about to expand content security considerations to other parts of our service, so it’s become time to close the roles loophole, now done.

The above image is a project-owner’s perspective. This is the only person in a project who may determine which people in a project may assign roles. The red padlock towards upper-right indicates that some users are restricted from role assignment, and that button is only visible to the project owner who may press it to modify. When there are no restrictions set for any team member on role-setting, which is the default condition when a new project starts, the button is green instead of red, and reveals an open padlock. Then there’s the nearby floating rectangle containing text — it’s our new (& more on-screen persistent during mouse-over) style of text/information-revealing (aka tooltip). Looks nice, right? This message tells the project-owner about their being allowed to modify roles themselves, also indicated by the little, green, open padlock above the Team module’s Roles column, right by the pointer. When someone who’s denied role modification privileges by the project-owner looks at the Team module, the lock over that column is red and closed, the person can not add or modify (but CAN see) roles, and the tooltip includes identification & contact information for project-owner along with advice to contact that person for modification request.