Dalet Flex allows you to share a pre-signed URL with external users to allow them to download a specific asset. Secure sharing with third-party users extends the ability to share Flex assets with external reviewers and stakeholders to manage external contributions and collaborations seamlessly and speed up delivery to customers.
This workflow shares Flex assets with external users by creating third-party users in Dalet Flex with a specific set of permissions for assets, collections, workspaces and review sessions. Secure Share with third-party users also allows external users direct access to FlexMOVE to deliver content securely to Dalet Flex without the need for full access to the system.
An external user who receives a secured share link has direct single click access to an asset in FlexMAM, a review session on an asset or FlexMOVE for a designated amount of time, after which access is automatically denied. By default, an external user can use the link multiple times until it expires. Once created, third-party users remain in the system, but they cannot reuse expired links.
NOTE: Set the Consul KV key flex/shared/featureToggles/disableThirdPartyTokenReuse=true to limit each link to a single use.
Secure sharing links can be generated via workflow action plugins, API or scripting SDK.
To support Secure Share, Dalet Flex:
Creates and manages third-party user roles with configurable permissions - Third-Party Access Role Type, Third-Party Access Account metadata, Third-Party User Type
Uses JEF Permission action plugins to automate creating links and sharing with external users, manage ACL permissions, disable users
Displays visual indicators and real time updates and visibility of sharing status in FlexMAM and FlexREVIEW
Allows direct, authenticated access to shared sessions or assets for external users with secure links
Allows external content contribution through FlexMOVE
Monitors shared links in FlexADMIN for compliance and security
Enabling Secure Share in Dalet Flex
The following objects and configurations are required in Dalet Flex to enable Secure Share. These objects can be created in Flex Core or from API/SDK.
Create a Role of type Third-Party Access
Third-Party users should not have access to all Flex Apps and should not have all the permissions of a standard Flex user. To simplify managing the allowable permissions of Third-Party users, you create a Role of Role Type Third-Party Access. Create Third-Party Roles in Flex CORE in Access > Roles.
Third-Party Access type supports a restricted list of whitelisted permissions. Permissions that are not on the whitelist cannot be assigned to this role and are disabled.
For example, FlexMAM, FlexMOVE and FlexREVIEW may be the basic apps that are assigned to a third-party user and Functionality/Object permissions might be configured to create two different roles, a “Read” role and a “Write” role.
Configure Account Metadata related to Third-Party access
Set account metadata related to external sharing in Flex CORE in Access > Accounts > Metadata. This information can only be set for tenant accounts. It cannot be set for the master account or for any sub-accounts.
In the Allowable Roles fields, set which roles can be specified for third-party users. You can add multiple Allowable Roles, but only roles of type Third-Party Access can be assigned as Allowable Roles.
Set a Default Role that will be used if no role is explicitly specified when a third-party user is created/refreshed.
In the Maximum Expiration field, set the maximum amount of time (in minutes) the secure link is valid for.
In the Default Expiration field, set the default expiration period (in minutes) for the secure link if no expiration period is explicitly specified when a third-party user is created/refreshed.
Create a User of type Third-Party
Assigning a role of type Third-Party Access to a user creates a Third-Party User and gives external users access to assets in Dalet Flex. Third-Party Users can be created manually in Flex CORE or on the fly as part of a workflow.
Create a new user of type Third-Party in Flex CORE in Access > Users.
The user must have:
Valid email, firstName, lastName – if name is not provided, email is copied to the name field
Valid Allowable Role for the given account – if no role is provided and the account metadata specifies a default role, the default role is assigned
NOTE: A Third-Party User does not have an assigned password and cannot be added to a Group.
A Third-Party User can also be created using API.
You do not have to create third-party users in advance. When an action to generate a Third-Party Access token is triggered, Dalet Flex checks if the user the link is being sent to already exists in the system and if the user does not exist it creates it using the details supplied in the action.
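The role and expiry rules from the account metadata, written as a pre-flight check that a workflow author could run on a share request before triggering the action. This is an added example, not Dalet code: the AccountMetadata and ShareRequest classes, the role names and the sample values are assumptions constructed for illustration. The page does not say whether Flex rejects or clamps an expiry above the maximum, so the check only reports it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AccountMetadata:              # hypothetical mirror of the account metadata fields
    allowable_roles: set
    default_role: Optional[str]
    max_expiration_min: int
    default_expiration_min: int

@dataclass
class ShareRequest:                 # hypothetical request shape, not a Flex API object
    email: str
    first_name: str = ""
    last_name: str = ""
    role: Optional[str] = None
    expiry_min: Optional[int] = None

def resolve_share(req, meta, role_types):
    """Return (resolved values, list of rule violations) for one share request."""
    errors = []
    if "@" not in req.email:        # crude syntax check, enough for a pre-flight
        errors.append("valid email is required")
    role = req.role or meta.default_role          # Default Role when none is given
    if role is None:
        errors.append("no role given and no Default Role configured")
    elif role not in meta.allowable_roles:
        errors.append(f"role {role!r} is not an Allowable Role for this account")
    elif role_types.get(role) != "Third-Party Access":
        errors.append(f"role {role!r} is not of type Third-Party Access")
    # Default Expiration applies when the request carries no explicit period.
    expiry = req.expiry_min if req.expiry_min is not None else meta.default_expiration_min
    if expiry <= 0:
        errors.append("expiry must be a positive number of minutes")
    elif expiry > meta.max_expiration_min:
        errors.append(f"expiry {expiry} min exceeds Maximum Expiration {meta.max_expiration_min} min")
    resolved = {
        "email": req.email,
        # Email is copied to the name when none is given (both fields: assumption).
        "firstName": req.first_name or req.email,
        "lastName": req.last_name or req.email,
        "role": role,
        "expiryMinutes": expiry,
    }
    return resolved, errors

# Constructed sample data: two third-party roles, 24 h maximum, 60 min default.
META = AccountMetadata({"TP-Read", "TP-Write"}, "TP-Read", 1440, 60)
ROLE_TYPES = {"TP-Read": "Third-Party Access", "TP-Write": "Third-Party Access", "Editor": "Standard"}
```

A request with no role and no expiry resolves to the default role and the default expiration; a request that names a standard role or a week-long expiry comes back with one violation per broken rule.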
Create Permission actions to use for Secure Share
The end-to-end Secure Share workflow uses several plugins of the Permission plugin type. These plugins automate creating links and sharing them with external users, manage ACL permissions and disable users.
NOTE: The Generate Third-Party Access action generates a secure link but does not give access to assets. Access to assets MUST be given by adding ACLs to Users. You cannot add a third-party user to a Group.
| Use this plugin... | To... |
| --- | --- |
| Add ACL | Set ACL (Read Only/Read-Write) permissions for a list of Users. NOTE: This plugin only adds an ACL to a single User; add a script action to the workflow to assign the ACL to multiple users. |
| Disable User(s) | Disable a set of users specified by UserId/Email address. The users can no longer log into the system and use the shared link. |
| Grant Third-Party Access | Generate a secure link and send the link in a mail to the given user(s). This action checks if the given user(s) exists as a Third-Party user. If the user does not exist, the action creates a new Third-Party User. Once there is a valid Third-Party user (new/existing), the action generates a secure link and sends the link to the user(s). |
| Remove ACL | Remove a list of Users from ACL permissions for a specific asset. |
| Remove all ACLs | Remove all ACLs for a list of Users from all assets. |
Configuring a Grant Third-Party Access action
Use the Grant Third-Party Access action to create third-party users if they do not already exist and generate a secure link to share with this user.
1. Add mandatory Third-Party User Information to create a Third-Party User that does not exist: Email address, First name, Last name. If no name is provided, email is copied to the name field when the user is created. This field supports Expressions.
OR
Create Third-Party User Info in JSON format
2. Select the Message Template that is used to send the secure link (mandatory).
3. Select the Role to assign to a new user. If no role is configured, the Default Third-Party Role is assigned.
4. Set the syntax that will be used for the URL of the secure shared link. Use a fully qualified prefix, or use / to have the account host name prepended to the link (mandatory).
5. Set the token expiry time in minutes. If no duration is provided the Maximum Expiration value configured in the account metadata is used.
6. Set whether all third-party access tokens that already exist in the system for the specified user(s) are revoked before generating new tokens (mandatory).
Configuring an Add ACL action
The Grant Third Party Access action does not give external users permission to view/edit assets in Dalet Flex; this is done by assigning ACL permissions. The Add ACL action is run in the context of an asset(s).
1. Select the Users to add to ACL. You can add multiple users if required.
2. Set the ACL to add READ_ONLY/READ_WRITE.
3. The User field supports Expressions and can use the workflow variable thirdPartyUserIds that contains information about users.
NOTE: When the workflow variable thirdPartyUserIds returns a single userId, it is propagated to the Add ACL (Permission) action successfully. If the variable returns a list, a Groovy script action must be used to add ACLs for assets to users.
Use the Disable User(s) action to disable external third-party users and remove their access to assets in Dalet Flex.
Set the User IDs of the users to disable. This field supports Expressions and can use the workflow variable thirdPartyUserIds that contains information about users to disable, for example [#{variables.thirdPartyUserIds}].
OR
Set the email addresses of the users to disable.
You can also Disable users in FlexADMIN.
Identifying Shared Assets in Dalet Flex
Users can easily identify shared items in FlexMAM and FlexREVIEW.
In FlexMAM:
(1) A shared badge on the icon
(2) Filter assets using the Is Externally Shared column
(3) For assets, collections and UDOs, the user the link is shared with is displayed in the External sub-tab of the Access tab in the Summary panel
(4) Click on a row to show the details of the Share
In FlexREVIEW:
(1) A shared badge on the icon
(2) A Users Assigned tab in the Summary panel to display who the review session has been assigned to
(3) Indication of the assigned user type
In FlexADMIN:
(1) Third-party User screen displays a list of all third-party users
(2) Status of access tokens shared with a user: Active, Expired, Inactive
(3) Disable the user to remove access from all assets
Working with Secure Share
There are different ways to generate secure sharing links. You can create end-to-end workflows and wizards to trigger workflows. This section includes some examples of workflows and wizards that can be used to generate secure links to view assets in FlexMAM, perform reviews in FlexREVIEW and upload media with FlexMOVE.
Sample end-to-end workflow to create an asset and generate a secure shared link to the asset
To enrich your content, you may want to allow external users access to specific assets in Dalet Flex. This is an example of a workflow that creates an asset and sends a secure link to an asset to external users.

| Step | This node | Does this |
| --- | --- | --- |
| 1 | Create object | Creates an asset in FlexMAM |
| 2 | GrantThirdPartyAccess | Creates new Third-Party Users, generates secure links, emails the links to the users |
| 3 | Wait for Grant TPA | Script action to wait until the links are created |
| 4 | Add ACL to multiple users | Script action that retrieves a list of thirdPartyUserIds from workflow variables and assigns ACL READ_WRITE permissions for the asset created in Step 1 for each user. |
| 5 | Wait Add ACL | Script action to wait while ACL permissions are updated for all users |
In FlexMAM, the asset has a shared flag and the users that have received the secure link are displayed in the External tab of the Access tab of the asset.
Click on one of the External users to see details of who shared the asset and who it was shared with.
The user who received the mail with the link can click multiple times and can work with the asset based on the assigned READ_ONLY or READ_WRITE ACL permissions. The shared link is valid for the time configured in the account metadata. You can run a Disable User(s) action on these users at any time to disable the share.
This sample Wizard can be used to trigger a workflow to generate a secure shared link on an existing asset.
Sample workflow to generate a secure shared link to a Review session
External users may need to review content that is created in Dalet Flex. This is an example of a workflow that generates a secure link for an external user to access and perform a review session on an asset in Dalet Flex.

| Step | This node | Does this |
| --- | --- | --- |
| 1 | GrantThirdPartyAccess | Creates a new Third-Party User, generates a secure link to a review session and emails the link to the user |
| 2 | Add ACL | A Permission action that retrieves a thirdPartyUserId from workflow variables and assigns ACL READ_WRITE for the asset in context. |
| 3 | Start Review Session | Creates a review session for the asset in context. |
A sample configuration of a Grant Third Party Access action that creates/activates a third-party user, generates a secure token to access a review session and mails it to the user.
The link is sent in an email using the Message Template configured in the action.
Once the workflow is completed, a review session is created. The user who receives the link can open the session in FlexREVIEW, where the asset is displayed with a shared flag, and can see which sessions are assigned to them in the Users Assigned tab in the Summary Panel. An external user who has READ_WRITE ACL permissions for the asset can Start the review, edit metadata, add annotations and custom timeline markers, and Finish the review session.
This sample Wizard contains the details required to create a third-party user and can be used to trigger a workflow to generate a secure link to a review session.
Generate a secure link to FlexMOVE to upload media
It is useful to receive content from external sources, such as journalists or production houses without allowing users full access to the system. The link to FlexMOVE can be generated using a standalone workflow that includes a Grant Third-Party Access action, such as the one shown here.
This action creates Third-Party users if they do not yet exist in the system and creates a link and token to access FlexMOVE. The link is valid for a given time and once it expires, a new link must be generated and sent to the external user to deliver more content. Once created, third-party users remain in the system, but they cannot reuse expired links.
In FlexMAM, a standalone wizard can be used to supply the information required to generate the secure link: Multiple emails can be supplied. If no workspace is selected, the default workspace for the account is used provided it has been assigned to the third-party user. If no workspace (default or otherwise) is assigned, the Upload button in FlexMOVE is disabled.
Using External User Roles and role-based permissions, you can provide precise control over what external users can do within the shared inbox while maintaining security and operational efficiency.
External User Links for specific Inboxes in FlexMOVE can also be created through API and Scripting SDK.