I support a few systems that implement similar granular permissions logic. When content managers want to use the system, they must have permissions to do so.
Yesterday, a “content manager” of our security cameras software system called me and said
“James, I am trying to export a piece of video from one of the cameras, but cannot.”
There was an incident on our campus, and someone wanted to export a 90 second clip from the previous week. Good. That is why we keep 30 days of video from most of the cameras in our system. I was able to access the camera, find the video and export it for him. Great.
But, remember a good rule is to empower your users, give them the ability to do what they need in the system. They should not have to rely on you. Let them do their jobs. Great. Except, here comes the conundrum. With systems and permissions, the more liberal you are with them, the more holes you open in your system. In theory, it's much better to have fewer accounts with lots of permissions. It's like opening a hole in your firewall. You prefer not to do it. The default position is no. Permissions are granted on a need basis. When we do grant permission, it is only to the area of need, to the chagrin of simple and easy.
That is the balance you try to strike:
1 – Empower your users, give them permission to do their job – you do not do it for them – you are not a bottleneck.
2 – A granular minimalist approach. No super admin for you.
I solved this issue by adding a very granular permission to a group where the user was a member. I then asked him to log in and try to export the video piece again. This solution was a little bit of 1 and 2; perhaps that is the blend to strive for.
Steps in Genetec Config tool to grant permissions to export video:
- Log in to the desktop config client
- Find and select the user group where the accounts live
- Drill into Privileges | Actions | Cameras | View live video | Export video
- Select allow.
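To see how far a group grant like this reaches, here is an added example (not from the original post, and not Genetec's API or data format) that models group-based privileges in Python and lists every account that gains the privilege. The group names, account names, and the default-deny and deny-overrides-allow semantics are assumptions made for illustration.

```python
# Added illustration: a toy model, not Genetec's API.
# Assumed semantics: default deny; a user inherits every grant of the groups
# they belong to; an explicit per-user deny overrides any group allow.

EXPORT = "Actions/Cameras/View live video/Export video"  # path from the steps above

# Constructed sample data (hypothetical group and account names).
GROUPS = {
    "Front Desk Monitors": {"members": {"pat", "lee", "sam"},
                            "allow": {"Actions/Cameras/View live video"}},
    "Camera Admins": {"members": {"james"},
                      "allow": {"Actions/Cameras/View live video", EXPORT}},
}
USER_DENY = {"sam": {EXPORT}}  # explicit deny set on one account


def is_allowed(user, privilege, groups=GROUPS, user_deny=USER_DENY):
    """Default deny; explicit user deny wins; otherwise any group allow grants."""
    if privilege in user_deny.get(user, set()):
        return False
    return any(user in g["members"] and privilege in g["allow"]
               for g in groups.values())


def holders(privilege, groups=GROUPS, user_deny=USER_DENY):
    """Every account that effectively holds the privilege."""
    users = set().union(*(g["members"] for g in groups.values()))
    return {u for u in users if is_allowed(u, privilege, groups, user_deny)}


def grant_to_group(group, privilege, groups=GROUPS):
    """Return a copy of the group table with the privilege added to one group."""
    new = {name: {"members": set(g["members"]), "allow": set(g["allow"])}
           for name, g in groups.items()}
    new[group]["allow"].add(privilege)
    return new


def newly_granted(group, privilege, groups=GROUPS, user_deny=USER_DENY):
    """Accounts that would gain the privilege if it were added to the group."""
    before = holders(privilege, groups, user_deny)
    after = holders(privilege, grant_to_group(group, privilege, groups), user_deny)
    return after - before


if __name__ == "__main__":
    # One member asked for the right, but every member not denied receives it.
    print(sorted(newly_granted("Front Desk Monitors", EXPORT)))
```

Running the comparison before making the change shows whether the group is the right scope for the grant or whether a smaller group is needed.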
I'm sorry, a little mundane. Today I was asked to update some contact information on a secure part of our website. These are the steps, for now.
- convert the provided Word document to pdf, remove spaces from file name
- log in to wflboces – open the District Wide Safety plan – then the sub page for the emergency contact info – this is a password protected page
- In edit mode, click on the files link, then update the appropriate file, by uploading the new one. This will change the reference at the bottom of the page – where link is placed
- Manually update the link at the top of the page to reflect file name update, since the bottom is not visible enough.
It took me a little while to work through this process. It is all changing soon, as we migrate to a new web platform.
Around April or May, perform these steps.
- Open frmBooking form, change the hard-coded year; look in the vBeginID_AfterUpdate() function.
- Open the tblSchoolWeeks table and correct a couple of records: the newly generated calendar weeks, specifically where the application generates a couple of incorrect holiday weeks – because of the odd process that my customer does not follow correctly. The past couple of years, I have simply renumbered the weeks (2) that are not supposed to be there (the correct holiday weeks), to the weeks that are.
- Open form subFrmCheckin – look in the Form_load event, update the hard-coded date
- A new school year id has been generated and needs to be updated in a couple places.
- Open frm_districts_building_kits_dates – open the query (rec source) for the unbound list box – change the schoolyearid.
- qryBooking2013-14 – leave the name, change the schoolyearid
You may also have to correct kit cost – that seems to use the older year price. If this happens, follow these steps to correct kit booking cost issue
- open the kits table – ensure cost is up to date
- open the booking table to verify that bookings for the new year are in there
- create a new query and use an update statement to correct cost that is wrong
- pull up the kits table, show just id and cost columns, hide the other columns
- next to the kits table – position the query window – so it's easy to see both and scroll down the kits table. Last year I also printed the kit booking records so I could see which kits actually needed to update.
Perform these steps each April, until one of us retires.
Constraints: Using only MS Access 2003, not the much newer version of 2010 or 2013. Opening in a newer version corrupts the db.
- copy the current year billing db from network home space to local folder called /old billing
- rename the db in network home space to following year
- kill the old shortcut on the desktop pointing to the previously named db
- create a new shortcut – browsing to the newly named db in network home space
- open the DB
- remove records from the transactions table
- update the date on the main form
- update the other form, not report, form – a form that loads when clicking on the Reports button – semantics! Anyway, change the dates on the unbound form controls.
For a while, I have been trying to figure out how to give my account permission to reboot a server remotely. These servers are running Windows 7. The workstations are responsible for providing IP address and a connecting port for cameras. Sometimes the cameras come off line, usually because Windows did an update and something did not come back on line.
Today, when we discovered some of the cameras down, I worked with a new network technician to resolve the issue. He taught me this nice command line beauty:
shutdown -r
It took a minute – but, sure enough, I was logged out of my session and the server was rebooted, with a parameter to restart.
I guess as long as my account that I am remoting in with is of type admin, I can get to that command line and run any of the Windows commands, like this one.
Now, when cameras are off line, I too can consume the low hanging fruit on the tree that usually corrects the problem, a restart of the server. I do hear my colleague saying in my mind's ear, “some of these problems need me to be there to diagnose with a reboot not solving the issue”. But, today, like most days, the reboot of the server brought the cameras back online in the network.
We are finally getting serious about upgrading our main website for our BOCES organization. If you know what a BOCES is, you know there are a lot of considerations that go into the decision about who to upgrade to.
We are currently using a SchoolWorld solution, that belongs to Blackboard. We are considering upgrading to the SchoolWires solution, also from Blackboard. We are also looking into a company called Logisoft. They would be the anti-establishment candidate, during this political season. We can call Logisoft – BernieSoft – feel the Burn.
My view is how will the existing content port over to a new system? How will that be done, who will do it, what kind of migration does it look like, how long would it take, what would be our role? My colleague, Shannon, who is the public information officer, looks at it like what other things does the service offer? Calendar syncing, sub-site options, mobile options, easy to use, training for the site users, admin interfaces for our content champions?
As a BOCES, we have several other entities that exist within our organization, like two tech centers, one each in Williamson and Stanley NY. Also, spec. education buildings in 4 different locations and a couple others. All of which are part of the BOCES system.
The view from the seats looks like “how many of our sub-sites could be housed in the main site?” In other words, do the special education buildings really need their own site? Let's bring them into the fold, under the umbrella of the main BOCES site. Create a sub space for them. That would seem a better solution, as we are paying fewer renewal fees for DNSs and streamlining the process.
A problem with bringing the ed. centers under the umbrella would be sharing say a calendar or some other module that is already being used by the BOCES site.
I am going to make a comparative chart that highlights certain items from each vendor. That is also the view from the admin. level people at BOCES. They want to know the summary data, total cost, fees, support, license etc. Not as much in the way of detail.
One of the things we are doing is getting temp. admin accounts from both vendors, so we can look at that side of the site…although as I think about that, it will not be what makes the decision – that will be things on the front end – usage related things – that has more people interested. I think, not sure. The people who are admins are not really concerned about the interface or how to do things, they are more concerned with what can it do and how easy it is, intuitive.
Today, I discovered one of our districts, ironically, our local high school, where the BOCES is located, is using one of the two options we are considering, Blackboard SchoolWires. It's a good chance for me to look around a little more closely to see how different the service is from the old one, the Blackboard SchoolWorld option. Additionally, there is another BOCES in our state that has upgraded to Blackboard SchoolWires, Nassau BOCES. Another good place to look around a little.
I did notice in both the Newark and Nassau Wires sites that they are using the Calendar module. There are feeds available to allow you to sync up devices like your phone or Google calendar to the websites. In other words, the Wires site is the provider of the calendar data. A feed is created for consumer apps, like your phone or some other 3rd party consumer. That is probably not big news for many, but I do not use the calendar much, but others seem to….
Both Wires sites have a calendar presence on their home pages.
And how to look at them differently. Too much philosophy lately, has me looking at this stuff different too. As it should.
The server(s). Three of them in the web cameras system ecosphere. I like this view, good and global.
The server is part of a process that includes software, people, hardware and communication. When the software hiccups, meaning the people logging into it on a daily basis to monitor entrance ways cannot log in or access, it generates a big reaction. A priority 1 for our helpdesk. The helpdesk is another part of the system.
Philosophical view? James should never be the sole person responsible for getting things done when the system goes down. The critical information, whatever that is, needs to be shared and understood by the people in the system. Makes sense.
A more pragmatic view is when the system is down, we need to communicate that with the right people as quickly as possible so we can get the system back on line.
The system is responsible for creating 30 days worth of video footage for about 90 cameras on three different campuses. That is a good global view of the system. Three servers are responsible for archiving or keeping that footage around and accessible if necessary. After 30 days, the space is recycled. There are two dedicated archive servers in the system with hard drives of over a terabyte; lots of storage is needed for camera video. A picture of the storage capacity of one of the archive servers. Four drives, complete with a recovery drive. Their space should remain consistent – meaning the storage requirement for the cameras for 30 days would not change unless more cameras were added or a high resolution option.
The Genetec software is also installed on the archive servers, not sure why, perhaps to assist in the management of the recorded video footage…? not sure. There is no configuration data associated with the software, I just loaded it up and it is empty.
The main server that does contain configuration information also uses Genetec software to assign cameras IP addresses so they can be visible via the Internet. The main server also has a large capacity hard drive and archives video too.
One of the things I tried to do last week in the system, was change the behavior of my remoting credentials, so my password would not change every 45 days or so. I reset the passwords and shared the information with others in the system and would like for that not to change automatically.
Additionally, I wanted to have the same permissions and behaviors for each of the accounts associated with each server. Namely, the ability to restart the server remotely. Although, from a systematic or operational view, the last couple of times the main server hiccuped from either a Windows update or something, our technician had to physically go to the site and reboot the server. A remote session or a reboot would not solve the issue. A service had to be reset or bad drive sectors needed correcting via a chkdsk command, for example.
While researching this, I discovered a neat Windows command that allowed me to access properties of my account on the server. Depending on the version of Windows on the server (Windows 7 or Windows Server 2008), the command was a little different, and the way the account was implemented was a little different, from server to server. One used groups, the others did not.
So I am wanting two things – really one, a better understanding of what my account can do and why – philosophical. Pragmatically speaking, I need to change the account password reset property and the permission.
The Windows command to access the user account properties is:
Another factor in the system that caused confusion was the arrival of the servers 18 months ago and not getting registered via another system. Consequently, people in this system would be confounded about details of the server, locations etc. I have pieced that information together over the past year and shared it with others in the system. I also made an inquiry – action diagram in an attempt to provide direction in the system when certain things happen.