With an Enterprise account with SSO enabled on Vimeo, you can grant access to your content to specific departments or groups within your team. This allows a more customized approach to organizing video content within larger organizations and meets the needs of specific departments.
Using groups from your Identity Provider (IdP; such as Okta, OneLogin, Google, etc.) allows you to restrict access to content, personalize content to particular departments, and grant the ability to manage content to certain individuals. Vimeo will identify your groups and keep your groups and group membership information up to date using your IdP either with SAML metadata or with SCIM.
In this article:
- What is SAML?
- What is SCIM?
- If your organization is using SAML
- Groups tab
- Group Permissions vs. Individual Permissions
What is SAML?
- SAML (Security Assertion Markup Language) is an XML-based standardized protocol that confirms the identity of a user to external applications and services. It is traditionally used when implementing SSO.
What is SCIM?
- SCIM (System for Cross-domain Identity Management) is an industry standard for automating the exchange of user identity information between identity domains or IT systems.
What’s the difference?
- The main difference between using SAML and SCIM revolves around when user information on your Vimeo team is updated:
- SAML: Group membership for a specific user becomes available on Vimeo only after that user has logged in to Vimeo. Changes to group membership information are only updated after the user has logged out and re-logged in to Vimeo.
- SCIM: Group membership for a specific user becomes available on Vimeo instantly as soon as SCIM is set up (even before the user has logged in). Group membership information is updated instantly when information is changed in the IdP.
SCIM is the preferred method to manage information on a larger scale. With SCIM, you will also have the ability to provision and de-provision user accounts automatically. Learn more about configuring SCIM for Vimeo here.
Note: If you’re an existing Vimeo Enterprise customer and want to set up SSO and/or SCIM, please contact your account manager.
If your organization is using SAML
To pass group membership information using SAML metadata, you need to add a custom SAML attribute named “groups” that contains a comma-separated list of the groups a specific user is a member of. The image shows Okta settings, but this step applies to all Identity Providers (IdPs) using SAML.
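To confirm what your IdP actually sends, the following added example (not Vimeo's code) reads the “groups” attribute from an assertion and splits the comma-separated value. The sample assertion is constructed, trimming whitespace and dropping duplicates are assumptions of this check, and signature validation is out of scope.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the AttributeStatement part of an assertion.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Marketing, Video-Editors,Marketing</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def groups_from_assertion(xml_text):
    """Return the ordered, de-duplicated group names in the "groups" attribute.

    Raises ValueError when the attribute is absent, so a broken IdP mapping
    is noticed instead of silently producing a user with no groups.
    Intended for inspecting assertions captured from your own IdP.
    """
    root = ET.fromstring(xml_text)
    attr = root.find(".//saml:Attribute[@Name='groups']", NS)
    if attr is None:
        raise ValueError('assertion has no "groups" attribute')
    names = []
    for value in attr.findall("saml:AttributeValue", NS):
        for name in (value.text or "").split(","):
            name = name.strip()  # assumption: surrounding whitespace is not significant
            if name and name not in names:
                names.append(name)
    return names
```

In a comma-separated list, a group name that itself contains a comma cannot be told apart from two groups, so check group naming in the IdP before relying on this attribute.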
Groups tab
All Enterprise SSO group members will have access to the Groups tab on their Vimeo account. The Groups tab, which is present in the left navigation tab, lists all the groups and group members synced onto your account:
- You can access and search any groups and group members by name.
- You can click on any of the groups and view all the members in that group.
- You can sort groups by Name.
- You can access the Show Groups tab for each member from the ellipsis tab on the team management page to view all the group memberships of that individual.
💡 Tip: To learn more about sharing folders with groups, see Sharing folders with Groups.
Group Permissions vs. Individual Permissions
If a user is added to a folder through a group but is also added to a folder as an individual, their permissions will behave as follows:
- If an individual user is a Viewer at the account level, they can only be added as a Viewer individually and they will only have Viewer access, even if a Group they are in is given “Contributor” access to a folder.
- If a user is a Contributor at the account level and added as an individual as well as in a group, then the higher permission between the individual role and group permissions will win out:
  - If an account Contributor is added with a Group with Viewer permissions but individually as a Contributor, they will have Contributor permissions on that folder and all subfolders.
  - If an account Contributor is added to a Group with Viewer permissions but individually as a folder admin, they will have folder admin permissions for that folder and all subfolders.
  - If an account Contributor is added to a Group with Contributor permissions but individually as a Viewer, they will have Contributor permissions on that folder and all subfolders.
- Team Owners and Admins will automatically have Admin access to each folder; being added through a Group will not affect their permissions.
If a Group is added to a folder, all of the subfolders within that folder will inherit the same Group permissions. You can always give higher permissions in a subfolder than in the parent folder, but you cannot lower or remove permissions in a subfolder that are inherited from the parent folder.
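The precedence and inheritance rules above, modelled as a small function for access reviews. This is an added example, not Vimeo's code: the role ordering, the `GRANTS` data structure and all folder and group names are assumptions made for illustration.

```python
# Assumed ordering of folder roles, lowest to highest (illustration only).
RANK = {"viewer": 1, "contributor": 2, "admin": 3}

# Constructed sample: grants on a parent folder and one subfolder.
# "user" is the individual grant for the user being evaluated.
GRANTS = {
    "Marketing": {"user": None, "groups": {"mkt-team": "viewer"}},
    "Marketing/Launch": {"user": "contributor", "groups": {}},
}

def effective_permission(account_role, user_groups, folder_path, grants):
    """Return the user's effective role on the last folder in folder_path, or None.

    account_role: "owner", "admin", "contributor" or "viewer" (team-level role)
    user_groups:  set of IdP group names the user belongs to
    folder_path:  folder keys from the top-level folder down to the target
    grants:       {folder: {"user": role or None, "groups": {group: role}}}
    """
    # Team Owners and Admins always have Admin access; grants do not change it.
    if account_role in ("owner", "admin"):
        return "admin"

    best = None
    # Parent grants are inherited and a subfolder can only raise them, so the
    # effective role is the highest grant found anywhere along the path.
    for folder in folder_path:
        entry = grants.get(folder, {})
        candidates = [entry.get("user")]
        candidates += [role for group, role in entry.get("groups", {}).items()
                       if group in user_groups]
        for role in candidates:
            if role and (best is None or RANK[role] > RANK[best]):
                best = role

    # An account-level Viewer never exceeds Viewer, whatever a group grants.
    if best is not None and account_role == "viewer":
        return "viewer"
    return best  # None means no access to this folder
```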
As a Team Account Owner or Administrator, you can also revoke a group's permission from a folder. This is also true from an IdP standpoint: if a group assigned to a folder has been removed from the IdP, the users in that group lose access to the folder as soon as the IdP is synced with Vimeo, unless they had also been added individually.
If a team member uses the search bar in the video library or homepage, they will only see content to which they have view or edit permissions in the results. Videos and folders are hidden from search results if the team member does not have access to the folder they live in.