Pipeline security

In a large number of studios, we need to ensure that assets, footage (etc.) are only being worked on and visible to the assigned artist. Currently, anyone can access a Prism pipeline folder and see not only anything they are working on, but everything else related to the project. We are currently using Kitsu along with Prism which is having some hit-and-miss... mostly miss when it comes to this.

The goal is that there is a system (Kitsu) in which we generate the tasks and assign the artists to the tasks. Prism then downloads the tasks from Kitsu for the respective artist. This is currently there, however as mentioned, everyone can see the state of the project and not just their tasks. The Kitsu user's login should restrict what they can view to only those assigned tasks in Prism, though they could be able to take the state manager output which are published for their respective tasks / are exposed to.

For any VFX company having security vetting by MPAA (et al), these levels of security have to be in place, to a point where the user cannot directly browse the file server; everything they need to complete the task should be accessible only via the pipeline tool or project manager.

Please share your thoughts

Pete

Interesting topic, thanks for bringing it up.

It would be simple to add an option to Prism that only specific shots and assets are displayed. Prism doesn't have a way to assign a task to an artist though. So adding it to the Kitsu or Shotgun plugins might be a good way.

It wouldn't change anything from a security perspective though. All shots are still available on the server and if there are no permissions set on your server, every artist could theoretically start to delete any shot in the file browser.

Normally artists don't run Prism as admin/sudo so Prism cannot simply set read and write permissions on folders on the server. Some separate IT tool might be needed to manage permissions of the project folder.

Another idea would be to have the project folder not on a local server, but in the cloud. Then the artist couldn't use a file browser to access files and only what Prism displays could be accessed by an artist. It seems to be possible to combine MPAA with a cloud workflow: https://aws.amazon.com/compliance/mpaa/

Happy to hear your thoughts on what kind of implementation you think would make the most sense in Prism,

Richard

As we run everything on the local Isilon storage, setting folder permissions via Active Directory isn't an issue. We can give permissions for a program to access certain folders so that's fine.

Implementation, at first thought:

Removal of browse to folder in the file versions (have it as an option in the project's admin settings)

Three (initially) levels of hierarchy - Manager, supervisor, artist. Manager has current level (i.e. all), supervisor same but without file browsing, artist can only see the shot and asset(s) they are assigned to.

Separate tab for project references (log sheets, images, videos) relative to the project, scene or shot / asset

Using Active Directory login to set name and parameters for access rights, linked to an encrypted file in a master Prism folder (on the storage) which would house all of the access rights for the user, defined by the Manager.

Thanks,

Pete

Active Directory looks like a good solution indeed. I haven't used it yet, but if it's available for enough users I could imagine implementing it into Prism.

Creating different permission roles in Prism is something I wanted to look into very soon. If the Kitsu plugin makes use of these roles it would work very nicely. It would be good to have an alternative way to assign shots though, which doesn't rely on 3rd party tools. The permissions and assignments would be stored in an encrypted file of course.

Implementing Active Directory could be a next step after that.

nice..!