A step towards customers: meet the new system of user rights in Watcher
September 23, 2019
The main customers of Flussonic Watcher are Internet service providers (ISP), who deal with subscriber requests to install video surveillance cameras, provide video recording in the cloud archive, and give users access to these cameras via the Internet. Such services are used by many small businesses that do not want to spend money on the purchase, installation and administration of their own servers for video surveillance. In addition, there is always the question of access of different users to certain surveillance cameras. Here is an example of the task with which subscribers come to ISPs: The owner of a small business, for example, a pharmacy, decides to install cameras inside the office to monitor the work of employees and prevent theft. He wants to do it via the Internet without installing special equipment.
For 7 years, our software Flussonic Watcher helps customers to organize access to video from IP cameras and to recorded video archives via the Internet by using a browser or mobile phone. The system is deployed in data centers of ISPs. Subscribers of Telecom operators have already purchased Internet service for their apartments, houses, and offices, and are paying a subscription fee for it. So ISPs can use the same communication channel when selling video surveillance services – the Internet. Because existing subscribers already pay for the Internet, the cost of video surveillance services becomes very pleasant. Subscribers of ISP services, who install cameras at home, in the summer houses, in the office, and connect them to the Internet, can now at any time watch video from the cameras, record it and receive notifications about what is happening in the field of camera view (for example, movement).
ISPs have thousands of subscribers, and Watcher aims to provide convenience of work with cameras and users and allow to manage access rights of users to different cameras.
How it was before in Watcher
Previously, Watcher was based on combining an arbitrary number of users and cameras into one logical group. It worked like this: all users in the group were given access to all the cameras in the group. The group was assigned an administrator who could manage the list of cameras and the list of users in the group, but the administrator was not able to assign different rights to users within the group due to the nature of the permission system.
At first it seemed the best solution for us, but over time it became clear that it was not. Let’s continue with the example of a pharmacy that wants to install cameras. The pharmacy turned to our client – an ISP, and they mounted the cameras and gave the pharmacy access to the video surveillance service deployed on Flussonic Watcher. All employees had access to all the cameras of this pharmacy. It seemed convenient but then the business owner wanted to limit access to the camera in his office – the staff was not supposed to view the owner’s camera. There was no simple solution in Watcher. It was possible to set up two groups: one combining all employees with all cameras except the camera in the owner’s office, and the other combining only the owner (director) with all cameras.
It would seem that a solution was found, but then the business owner opened a branch in another city, appointed a director there, and hired employees. The situation is similar. Branch employees must not see what is happening in the director’s office, but the business owner must see all the cameras. Again, two additional groups were created. Then another issue came up. The business owner decided to install an additional camera. Instead of adding the camera to the system in one click, the ISP staff had to add it 4 times to all groups related to this pharmacy.
At first we did not notice the difficulties experienced by our customers working with groups, but one day our client – an ISP who used Watcher and administered the video surveillance system of that pharmacy, opened a ticket, where he asked us how to properly charge a subscriber who haв so many groups in which almost all the cameras intersected.
For a long time we did not know how to answer our client to make his life easier, and eventually we decided to start the answer with the words “We are going to do everything differently and according to your needs…”. It became clear that groups would not allow the system to develop the way we wanted, and we decided to come up with a replacement.
What we did next
Having done a lot of experiments with the architecture of the access rights system in Watcher, we found a solution that was given to our customers in Watcher 19.08.
Since the principle of groups has long served us faithfully, the first thing we tried was to develop this principle into something more. But the word had to be dropped — we decided that users would not appreciate the idea of “grouping groups into subgroups, creating hierarchical groups.”
In our company, we have imposed a ban on the word “group” with the penalties for employees. Having gorged the pizza several times on the proceeds from fines, and starting to feel the lack of money in our pockets, we understood the shortcomings of overeating and the prospects for further starvation. This way, fines and pizza encouraged us to hurry up with finding a new solution to replace groups.
The initial idea of using hierarchical groups did not last long. It was very difficult to implement and it was very difficult to convey to the focus group of our clients from among those who experienced difficulties with the previous structure. The essence of hierarchical groups was that not only cameras and users could, as before, be added to the same group, but also that other groups could be added inside a group, and those subgroups would also consist of cameras and users. The same cameras and users could be present in groups on different levels of hierarchy. However, the solution did not make clear:
1. How to differentiate rights to control cameras and to view video from them within one group of users. 2. How to properly inherit rights in situations where one user in a higher-level group may have fewer rights than in a lower-level group. 3. How to read a subscriber’s statistics. This is important because an ISP bills the subscriber based on the root level group.
Classical CCTV systems allows managing lists of cameras and access rights in the form of hierarchical trees. But we needed one more business entity with which to divide subscribers within one Watcher and provide comfort in billing and billing integration. And that entity was the Organization within Watcher. Organizations and hierarchical trees of cameras perfectly complemented each other and fully solved all problems arising for subscribers:
• giving users different rights to different cameras
• organization of billing services and payments
• controlling a large number of cameras.
The new architecture applied to our client
So, we updated Watcher at our client (an ISP), and their subscriber – the pharmacy – had received a new system of rights, which worked like this: the pharmacy became an Organization for our client. We removed four established groups for the pharmacy and now administrators at our client’s worked with a single Organization. Many billing problems were solved. The Organization was assigned a single administrator, who headed the account for the use of the services. This administrator was the owner of the pharmacy. It can also manage the list of cameras, users and distribute access rights.
The next important problem that the new architecture solved was the convenience of working with a large number of cameras. Cameras were ordered into separate Folders. Thus, cameras installed in one branch were merged into one folder, and cameras installed in another branch were merged into another folder. Subfolders were created in each folder so that private cameras of both Directors could be added there. Employees have access to some folders, and Directors to all folders at once. The entire list of cameras has been transformed into a clear hierarchical structure consisting of folders and cameras placed in them. The navigation among folders was easier than in a long list of cameras
Also, the access rights of employees of branches of the pharmacy were changed. The administrator can assign the following rights to each pharmacy employee in the Organization:
- Camera control
- User management
- Viewing Organization statistics.
Access rights can also be configured for the appropriate camera folders. Everyone had access to shared folders, and only Directors had access to private folders with cameras.
So the system successfully worked for our client for some time. When the pharmacy wanted to add a new camera, it was easy. The administrator added the camera to the required folder, and the access rights to this camera were assigned by the system automatically based on the rights that the administrator initially assigned to users to the appropriate folders.
Here’s how it looked through the eyes of the subscriber:
The camera list is now organized into folders and subfolders within your Organization.
Here are the rights you can configure for users in relation to each folder with cameras:
- Viewing live (live broadcast from the camera) - Viewing live and archive - Viewing live and archive, managing PTZ devices.
These rights correspond to icons that you can activate with one click on the user setting page:
The Director is given full access to all cameras from the root folder Cameras.
And the Employee user only has access to cameras from the Public Cameras folder:
As you can see, the organization Pharmacy has a root folder Cameras. All the cameras of the organization are added to Cameras or distributed further to the appropriate subfolders. The organization Pharmacy is the subscriber’s space in Watcher, and the subscriber pays a subscription fee to the ISP for the placement of cameras in this space and for access to them. The subscriber can add users in the Organization and give them access to various folders with cameras. If the subscriber grants a user access to the root folder, the access is automatically extended to all folders located lower in the hierarchy. If a user should not have access to all cameras, the subscriber will select a folder and give access to it.
We have done a lot of work to implement a flexible system of access rights to cameras in Watcher. Now our customers and partners – ISPs can easily provide cloud video surveillance services to both organizations and individuals.
For example, the girl Alina can install cameras at home to monitor children and in the country to ensure the safety of property. In the same way as the owner of the pharmacy, Alina can add cameras to folders (Apartment and Cottage) and give access to these folders to her relatives and neighbors of the cottage.
Our new architecture allows you to address a variety of business cases that arise when providing cloud video surveillance services. We invite You to try the new architecture on your case, having ordered a trial on our website: https://flussonic.ru