Permissions with shared storage (NAS/SAN)

Several Zoom services depend on shared storage provided by a NAS or SAN in order to process files across multiple machines or Zoom services. The permissions (read/write/delete) on files and folders on these shared storage devices need to be set up so that the requirements listed below are met for the various Zoom deployment configurations:

Terminology

Term | Description
Direct Ingested Asset
  • Actual asset is stored in Zoom DB including metadata
  • Supports Versioning, De-duplication for edits such as project files, images, documents
  • Requires checkout to client’s working copy folder for edits & linking
External Asset
  • Large files that do not change much, such as raw videos, rendered image sequences, final exports for delivery
  • Stored on an external storage volume
  • Instead of the actual asset, a proxy is directly ingested/stored in Zoom MAM database
  • Metadata is applied to the proxy for search
  • Links to the actual external asset can be made via drag-n-drop from Asset Browser
High-Res Videos
  • Treated as an external asset
  • Videos from Camera Cards
  • Footage recorded in studios
  • Stock footage downloaded from a content provider or a website
Low-Res Proxy
  • MP4/H.264 encoding of the High-Res Videos
  • Compressed to 1-10% 
  • Same dimensions as the original video
  • Stored in Zoom database as a proxy for the High-Res videos on an external volume
Mid-Res File
  • Often an Apple ProRes 422 LT or 422 encoding of the High-Res videos used for post-production edit workflows
  • If High-Res file is already encoded as ProRes 422 LT or 422 it is not encoded again
  • Also referred to as a mezzanine proxy
Protected SAN (PSAN) or External Asset Volume
  • Volume on a NAS or a SAN reserved for external assets
  • VideoFX setup: Only certain Zoom services & customer admins can write into it, users don’t have write access
  • VideoLX setup: Users and Zoom services have full read/write access
User SAN (USAN)
  • Only used with VideoFX deployment
  • Volume on NAS/SAN reserved for editors/users
  • Users and Zoom have write access to this volume
User Working Copy
  • Parent folder under which user stores and edits their own project files
  • VideoFX: User working copy folders can also reside on a user specific folder on the USAN
  • Zoom checkout app can store the .zm folder in a configured folder on the USAN instead of $HOME on the local disk

Zoom VideoLX deployment

| Service Name | Storage | Permissions required | Explanation |
|---|---|---|---|
| Zoom Database Service | External asset volume | None | Zoom Database server doesn’t need to access external assets directly |
| | Database volume | Read, Write, Delete | In order to manage direct ingested assets. If interacting with an Archive Job Hub, ensure both processes have read/write/delete access to files created by them |
| Zoom Preview Service | External asset volume | Read | May need to transcode or transfer out external assets |
| Zoom Transcode Service | External asset volume | Read | Generating low-res proxies that are checked in to the Zoom database |
| | External asset volume | Write | Only if writing mid-res proxies to the external asset volume. This is rare with a VideoLX setup. |
| Zoom Archive Job Hub | External asset volume | Read, Write, Delete | All 3 permissions are needed in order to move external assets to an offline archive tier |
| | Database volume | Read, Write, Delete | All 3 permissions are needed in order to move direct ingested assets to an offline archive tier |
| Check-in app (desktop or embedded in web clients) | External asset volume | Read, Write, Delete | To copy external media, sometimes also called “high-res” files, the check-in app needs to write into the external volume. After the check-in app modifies the files, the permissions need to work with any of the above services that need to access the external media. Best practice is to arrange shared groups, such as LDAP/AD, that can override individual user permissions on external files. This topic requires an experienced storage admin well versed in shared storage permissions such as Windows ACLs, POSIX permissions, etc. |
| | Source folder | Read (7.4+); Write (7.3 or older) | Folder from which external content is ingested into Zoom by check-in app |
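
The shared-group best practice above can be checked on a POSIX-mounted external asset volume with an audit like the following. This is an added example, not code from Zoom or from the original page; the function names and the shared group id passed in are hypothetical, and only POSIX mode bits are evaluated (Windows ACLs and POSIX ACL entries are not read).

```python
import os
import stat

# Needs on the external asset volume per the VideoLX table above. "w" stands
# for write and delete: on POSIX, delete is write on the parent directory.
VIDEOLX_EXTERNAL_VOLUME = {
    "Zoom Preview Service": "r",
    "Zoom Transcode Service": "r",
    "Zoom Archive Job Hub": "rw",
    "Check-in app": "rw",
}
# Strictest requirement across all services sharing the volume.
DEFAULT_NEED = "".join(sorted(set("".join(VIDEOLX_EXTERNAL_VOLUME.values()))))

def check_entry(mode, gid, shared_gid, need=DEFAULT_NEED):
    """Return problems for one file or directory, judged by group bits only."""
    problems = []
    if gid != shared_gid:
        problems.append("not owned by shared group")
    if "r" in need and not mode & stat.S_IRGRP:
        problems.append("group cannot read")
    if "w" in need and not mode & stat.S_IWGRP:
        problems.append("group cannot write")
    if stat.S_ISDIR(mode):
        if not mode & stat.S_IXGRP:
            problems.append("group cannot traverse directory")
        if not mode & stat.S_ISGID:
            problems.append("setgid missing: new files will not inherit the group")
        if "w" in need and mode & stat.S_ISVTX:
            problems.append("sticky bit: group members cannot delete others' files")
    return problems

def audit_volume(root, shared_gid, need=DEFAULT_NEED):
    """Walk root; return {path: [problems]} for entries failing check_entry."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in [""] + filenames:  # "" audits the directory itself
            path = os.path.join(dirpath, name) if name else dirpath
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            problems = check_entry(st.st_mode, st.st_gid, shared_gid, need)
            if problems:
                findings[path] = problems
    return findings
```

Files written by the check-in app with an owner-only mode show up as "group cannot read", which is the case where the other services in the table lose access.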

Zoom VideoFX deployment

| Service Name | Storage | Permissions required | Explanation |
|---|---|---|---|
| Zoom Database Service | External asset volume | None | Zoom Database server doesn’t need to access external assets directly |
| | Database volume | Read, Write, Delete | In order to manage direct ingested assets. If interacting with an Archive Job Hub, ensure both processes have read/write/delete access to files created by them |
| Zoom Preview Service | External asset volume | Read | May need to transcode or transfer out external assets |
| Zoom Ingest Service | External asset volume | Read, Write, Delete | Copying external assets into the external asset volume (PSAN) from USAN staging or user’s working copies on USAN |
| | USAN staging | Read, Write, Delete | Ingest server will handshake with the check-in app using the transient staging area in order to copy files into the external asset volume or PSAN |
| | USAN | Read, Write, Delete | If using a USAN for storing user’s working copy files, then the ingest service will need full access |
| 3rd party Hardware Transcoder | External asset volume | Read, Write, Delete | External transcoders like Telestream Vantage need full access to write proxy files |
| Zoom Archive Job Hub | External asset volume | Read, Write, Delete | All 3 permissions are needed in order to move external assets to an offline archive tier |
| | Database volume | Read, Write, Delete | All 3 permissions are needed in order to move direct ingested assets to an offline archive tier |
| Check-in app (desktop or embedded in web clients) | External asset volume | Read | Since the ingest server will write into the PSAN, the check-in app doesn’t require write access; for linking with external assets, just read access is needed |
| | USAN staging | Read, Write, Delete | If the user’s working copy is not already on the USAN, the check-in app needs to write into a transient storage area on the USAN that is also accessible by the Ingest server. |
| | Source folder | Read (7.4+); Write (7.3 or older) | Folder from which external content is ingested into Zoom by check-in app |
| | USAN | Read, Write, Delete | Each user needs read/write/delete access to only their USAN working copy area. Best practice is to allow only the owner access, to keep other users out. The ingest server will need read, write, delete access to each user’s USAN. |

Data Migration app

| Service Name | Storage | Permissions required | Explanation |
|---|---|---|---|
| Data Migration desktop app | External asset volume | Read, Write, Delete | To copy external media, sometimes also called “high-res” files, the app needs to write into the external volume during migration even if VideoFX is deployed. |
| | Source folder | Read (7.4+); Write (7.3 or older) | Folder from which external content is ingested into Zoom by data migration app |