ID: 13285

Print Friendly, PDF & Email

Permissions with shared storage (NAS/SAN)

Several Zoom services depend on shared storage provided by a NAS or SAN in order to process files across multiple machines or Zoom services. The permissions (read/write/delete) on files or folders on these shared storage devices need to be setup to ensure requirements listed below are met for various deployment configurations for Zoom:

Term Description
Direct Ingested Asset
  • Actual asset is stored in Zoom DB including metadata
  • Supports Versioning, De-duplication for edits such as project files, images, documents
  • Requires checkout to client’s working copy folder for edits & linking
External Asset
  • Large files that are do not change much such as raw videos, rendered image sequences, final exports for delivery
  • Stored on an external storage volume
  • Instead of the actual asset, a proxy is directly ingested/stored in Zoom MAM database
  • Metadata is applied to the proxy for search
  • Links to the actual external asset can be made via drag-n-drop from Asset Browser
Hi-Res Videos
  • Treated as an external asset
  • Videos from Camera Cards
  • Footages recorded in studios
  • Stock footage downloaded from a content provider or a website
Low-Res Proxy
  • MP4/H.264 encoding of the Hi-Res Videos
  • Compressed to 1-10% 
  • Same dimensions as the original video
  • Stored in Zoom database as a proxy for the Hi-Res videos on an external volume
Mid-Res File
  • Often an Apple ProRes 422 LT or 422 encoding of the Hi-Res videos used for post-production edit workflows
  • If Hi-Res file is already encoded as ProRes 422 LT or 422 it is not encoded again
  • Also referred to as a mezzanine proxy
Protected SAN (PSAN) or External Asset Volume
  • Volume on a NAS or a SAN reserved for external assets
  • VideoFX setup: Only certain Zoom services & customer admins can write into it, users don’t have write access
  • VideoLX setup: Users and Zoom services have full read/write access
User SAN (USAN)
  • Only used with VideoFX deployment
  • Volume on NAS/SAN reserved for editors/users
  • Users and Zoom have write access to this volume
User Working Copy
  • Parent folder under which user stores and edits their own project files
  • VideoFX: User working copy folders can also reside on a user specific folder on the USAN
  • Zoom checkout app can store the .zm folder  on a configured folder on the USAN instead of $HOME on the local disk

 

 

Service Name Storage Permissions required Explanation
Zoom Database Service External asset volume None Zoom Database server doesn’t need to access external assets directly
  Database volume Read, Write, Delete In order to manage direct ingested assets. If interacting with an Archive Job Hub, ensure both processes have read/write/delete access to files created by them
Zoom Preview Service External asset volume Read May need to transcode or transfer out external assets
Zoom Transcode Service External asset volume Read Generating low-res proxies that are checked-in the Zoom database
  External asset volume Write Iff writing mid-res proxies to the external asset volume. This is rare with a VideoLX setup.
Zoom Archive Job Hub External asset volume Read, Write, Delete In order to move external assets to an offline archive tier will need all 3 permissions
  Database volume Read, Write, Delete In order to move direct ingested assets to an offline archive tier will need all 3 permissions
Check-in app (desktop or embedded in web clients) External asset volume Read, Write, Delete

To copy external media also sometimes called “hi-res” files, the check-in app needs to write into the external volume. 

After the check-in app modifies the files, the permissions need to work with any of the above services that need to access the external media. Best practice is to arrange shared groups, such as LDAP/AD, that can over-ride individual user permissions on external files. This topic requires an experience storage admin well versed with shared storage permissions such as Windows ACL, POSIX permissions etc.

  Source folder

Read (7.4+)
Write (7.3 or older)

Folder from which external content is ingested into Zoom by check-in app

 

 

Service Name Storage Permissions required Explanation
Zoom Database Service External asset volume None Zoom Database server doesn’t need to access external assets directly
  Database volume Read, Write, Delete In order to manage direct ingested assets. If interacting with an Archive Job Hub, ensure both processes have read/write/delete access to files created by them
Zoom Preview Service External asset volume Read May need to transcode or transfer out external assets
Zoom Ingest Service External asset volume Read, Write, Delete Copying external assets into the external asset volume (PSAN) from USAN staging or user’s working copies on USAN
  USAN staging Read, Write, Delete Ingest server will handshake with Check-in app using the transient staging area in order to copy files into the external asset volume or PSAN
  USAN Read, Write, Delete If using a USAN for storing user’s working copy files, then ingest service will need full access
3rd party Hardware Transcoder External asset volume Read, Write, Delete  External transcoder like Telestream Vantage need full access to write proxy files
Zoom Archive Job Hub External asset volume Read, Write, Delete In order to move external assets to an offline archive tier will need all 3 permissions
  Database volume Read, Write, Delete In order to move direct ingested assets to an offline archive tier will need all 3 permissions
Check-in app (desktop or embedded in web clients) External asset volume Read

Since ingest server will write into the PSAN, the check-in app doesn’t require write access, for linking with external assets just read access is needed

  USAN staging Read, Write, Delete

If user’s working copy is not already on the USAN, the check-in app needs to write into a transient storage on the USAN that is also accessible by the Ingest server.

  Source folder

Read (7.4+)
Write (7.3 or older)

Folder from which external content is ingested into Zoom by check-in app
  USAN

Read, Write, Delete

Each user needs read/write/delete access to only their USAN working copy area. Best practice to only allow owner to have access to keep others users out. Ingest server will need to have read, write, delete access to each user’s USAN.

 

 

Service Name Storage Permissions required Explanation
Data Migration desktop app External asset volume Read, Write, Delete

To copy external media also sometimes called “hi-res” files, the app needs to write into the external volume during migration even if VideoFX is deployed. 

  Source folder

Read (7.4+)
Write (7.3 or older)

Folder from which external content is ingested into Zoom by data migration app