With an Enterprise account with SSO enabled on Vimeo, you have the ability to share your content with specific departments or groups within your team. This unlocks the ability for a more customized approach to organizing video content within larger organizations and satisfies the needs of specific departments.
Using groups from your Identity Provider (IdP; such as Okta, OneLogin, Google, etc.) allows you to restrict access to video content to specific groups, personalize video content for specific departments, and regulate the ability to manage content within specific departments to few individuals. Vimeo will identify your groups and keep your groups and group membership information up to date using your IdP either with SAML metadata or with SCIM.
What is SAML?
- SAML (Security Assertion Markup Language) is an XML-based standardized protocol that confirms the identity of a user to external applications and services. It is traditionally used when implementing SSO.
What is SCIM?
- SCIM (System for Cross-domain Identity Management), is an industry-standard for automating the exchange of user identity information between identity domains or IT systems.
What’s the difference?
- The main difference between using SAML and SCIM revolves around when user information on your Vimeo team is updated:
- SAML: Group membership for a specific user becomes available on Vimeo only after that user has logged in to Vimeo. Changes to group membership information is only updated after the user has logged out and re logged-in to Vimeo.
- SCIM: Group membership for a specific user becomes available on Vimeo instantly as soon as SCIM is set up (even before the user has logged in). Group membership information is updated instantly when information is changed on IdP.
SCIM is the preferred method to manage information on a larger scale. With SCIM, you will also have the ability to provision and de-provision user accounts automatically. Learn more about configuring SCIM for Vimeo here.
Note: If you’re an existing Vimeo Enterprise customer and want to set up SSO and/or SCIM, please contact your account manager.
If your organization is using SAML:
In order to pass group membership information using SAML metadata, you need to add a custom SAML attribute named “groups” that contains a comma-separated list of groups a specific user is a member of; this image shows Okta settings, but this step applies to all Identity Providers (IdPs) using SAML.
Sharing Folders with Groups
Once you have groups created in your IdP via either of the above methods, you can also see them in Vimeo and give those groups permission to access specific folders and subfolders with either “Contributor” or “Viewer” access. Folders can include multiple groups with different access permissions. Like individuals, groups can be given access to a folder by either the Owner, Admins, or a Contributor with “Folder admin” access.
To add a group to a folder, go to the video manager, select the folder, and click Share in the upper right corner.
Search the group name and select what level of permissions you’d like the group to have:
- If a group is given Viewer access on a folder, all users in the group will be given Viewer permissions, which allows them to watch and comment on videos in that folder.
- If a group is given Contributor access on a folder, individuals who are Viewers at the account level will still only have Viewer permissions, while users who are Contributors at the account level will be Contributors and can adjust settings for videos in that folder.
After you’ve chosen the group permission, click Invite.
Note: Unlike for individuals, an email will not be sent when giving access to a group. Members of the group will have access immediately and do not need to respond to an invite.
Once you invite the group to a folder, it will appear within the Share modal alongside its permissions.
When a team member logs into the home page, they can see the folders that any groups they are in have access to, along with other folders they have access to via individual permissions and folders shared to the "All" group, which is created by default.
Group Permissions vs. Individual Permissions
If a user is added to a folder through a group but is also added to a folder as an individual, their permissions will behave as follows:
- If an individual user is a Viewer at the account level, they can only be added as a Viewer individually and they will only have Viewer access, even if a Group they are in is given “Contributor” access to a folder.
- If a user is a Contributor at the account level, and added as an individual as well as in a group, then the higher permission between the individual role and group permissions will win out:=
- If an account Contributor is added with a Group with Viewer permissions but individually as a Contributor, they will have Contributor permissions on that folder and all subfolders.
- If an account Contributor is added with a Group with Viewer permissions but individually as a Folder admin, they will have Folder admin permissions on that folder and all subfolders.
- If an account Contributor is added with a Group with Contributor permissions but individually as a Viewer, they will have Contributor permissions on that folder and all subfolders.
- Team Owners and Admins will automatically have Admin access to each folder; being added through a Group will not affect their permissions.
If a Group is added to a folder, all of the subfolders within that folder will inherit the same Group permissions. You can always give higher permissions in a subfolder than in the parent folder, but you cannot lower or remove permissions in a subfolder that are inherited from the parent folder.
As a Team Account Owner or Administrator, you can also revoke a group's permission from a folder. This also is true from an IdP standpoint. If a group assigned to a folder has been removed from the IdP, the users in that group lose access to a folder as soon as IdP is synced up with Vimeo, unless they had also been added individually.
If a team member uses the search bar in the video library or homepage, they will only see content to which they have view or edit permissions in the results. Videos and folders are hidden from search results if the team member does not have access to the folder they live in.