User Management
Control Access Securely
SignageStudio provides comprehensive user management with role-based access control. Define who can view, create, or manage content, and control access to specific screens, groups, or features across your organization.
User Management Overview
Access Control Model
┌─────────────────────────────────────────────────────────────────┐
│                    ACCESS CONTROL HIERARCHY                     │
│                                                                 │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │                       ORGANIZATION                       │   │
│  │                 (Account-wide settings)                  │   │
│  └──────────────────────────────────────────────────────────┘   │
│                                │                                │
│               ┌────────────────┼────────────────┐               │
│               ▼                ▼                ▼               │
│        ┌─────────────┐  ┌─────────────┐  ┌─────────────┐        │
│        │    TEAMS    │  │    TEAMS    │  │    TEAMS    │        │
│        │  Marketing  │  │   Retail    │  │  Corporate  │        │
│        └─────────────┘  └─────────────┘  └─────────────┘        │
│               │                │                │               │
│               ▼                ▼                ▼               │
│        ┌─────────────┐  ┌─────────────┐  ┌─────────────┐        │
│        │    USERS    │  │    USERS    │  │    USERS    │        │
│        │  + Roles    │  │  + Roles    │  │  + Roles    │        │
│        │  + Screens  │  │  + Screens  │  │  + Screens  │        │
│        └─────────────┘  └─────────────┘  └─────────────┘        │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
Key Concepts
| Concept | Description |
|---|---|
| User | Individual account with login credentials |
| Role | Set of permissions (Admin, Editor, Viewer) |
| Team | Group of users with shared access |
| Scope | Resources user can access (screens, content) |
| Permission | Specific action user can perform |
User Roles
Built-in Roles
| Role | Description | Typical User |
|---|---|---|
| Owner | Full account control | Account holder |
| Administrator | Full management access | IT, managers |
| Content Manager | Create and publish content | Marketing, comms |
| Editor | Create content, limited publish | Designers |
| Operator | Monitor screens, limited edit | Store managers |
| Viewer | View-only access | Stakeholders |
Role Permissions Matrix
| Permission | Owner | Admin | Manager | Editor | Operator | Viewer |
|---|---|---|---|---|---|---|
| Users | | | | | | |
| Create users | ✓ | ✓ | ○ | | | |
| Edit users | ✓ | ✓ | ○ | | | |
| Delete users | ✓ | ✓ | | | | |
| Content | | | | | | |
| Create scenes | ✓ | ✓ | ✓ | ✓ | | |
| Edit scenes | ✓ | ✓ | ✓ | ✓ | | |
| Delete scenes | ✓ | ✓ | ✓ | | | |
| Publish content | ✓ | ✓ | ✓ | ○ | | |
| Screens | | | | | | |
| Add screens | ✓ | ✓ | ✓ | | | |
| Edit screens | ✓ | ✓ | ✓ | ✓ | | |
| Delete screens | ✓ | ✓ | | | | |
| Remote control | ✓ | ✓ | ✓ | ✓ | | |
| View status | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Settings | | | | | | |
| Account settings | ✓ | ✓ | | | | |
| Billing | ✓ | ○ | | | | |
| API keys | ✓ | ✓ | | | | |
| Reports | | | | | | |
| View reports | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
| Export reports | ✓ | ✓ | ✓ | | | |
✓ = Full access | ○ = Limited access | (blank) = No access
Custom Roles
Create custom roles with specific permissions:
- Go to Settings → Roles → Create Role
- Name the role
- Select permissions
- Set scope restrictions
- Save and assign to users
Managing Users
Adding Users
- Navigate to Settings → Users → Add User
- Enter user details:
| Field | Required | Description |
|---|---|---|
| Email | Yes | Login email address |
| Name | Yes | Display name |
| Role | Yes | Permission level |
| Teams | No | Team membership |
| Screens | No | Specific screen access |
- User receives invitation email
- User sets password and logs in
Bulk User Import
Import multiple users via CSV:
email,name,role,teams
john@company.com,John Smith,Content Manager,"Marketing,Retail"
jane@company.com,Jane Doe,Editor,Marketing
bob@company.com,Bob Wilson,Operator,Retail
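A pre-upload check for the CSV layout above, as an added example (not SignageStudio code): it validates each row against the built-in role names from this page and flags rows that would grant Owner or Administrator, or whose email falls outside an allow-listed domain. The function name, the allowed-domain parameter and the last two sample rows are assumptions made for illustration.

```python
import csv
import io
import re

# Built-in role names from the roles table on this page (custom roles excluded).
BUILT_IN_ROLES = {"Owner", "Administrator", "Content Manager",
                  "Editor", "Operator", "Viewer"}
# The matrix gives these two roles user deletion, account settings and API keys.
PRIVILEGED_ROLES = {"Owner", "Administrator"}
EXPECTED_HEADER = ["email", "name", "role", "teams"]
EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

# Constructed sample: the page's three rows plus two deliberately bad ones.
SAMPLE_CSV = """\
email,name,role,teams
john@company.com,John Smith,Content Manager,"Marketing,Retail"
jane@company.com,Jane Doe,Editor,Marketing
bob@company.com,Bob Wilson,Operator,Retail
eve@example.net,Eve Temp,Administrator,Retail
JANE@company.com,Jane D,Admin,Marketing
"""

def review_import(csv_text, allowed_domains):
    """Return (errors, warnings) for a bulk-import file before upload."""
    errors, warnings, seen = [], [], set()
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, None)
    if header != EXPECTED_HEADER:
        return [f"unexpected header: {header}"], warnings
    for line_no, row in enumerate(reader, start=2):
        if len(row) != 4:
            errors.append(f"line {line_no}: expected 4 fields, got {len(row)}")
            continue
        email, name, role, _teams = (field.strip() for field in row)
        key = email.lower()  # treat addresses as case-insensitive
        if not EMAIL_RE.match(email):
            errors.append(f"line {line_no}: invalid email {email!r}")
        elif key.rsplit("@", 1)[1] not in allowed_domains:
            warnings.append(f"line {line_no}: {email} is outside the allowed domains")
        if key in seen:
            errors.append(f"line {line_no}: duplicate email {email}")
        seen.add(key)
        if not name:
            errors.append(f"line {line_no}: name is required")
        if role not in BUILT_IN_ROLES:
            errors.append(f"line {line_no}: unknown role {role!r}")
        elif role in PRIVILEGED_ROLES:
            warnings.append(f"line {line_no}: {email} would receive {role}")
    return errors, warnings
```

Errors should block the upload; warnings are rows to confirm with whoever approved the access request.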
User Status
| Status | Description |
|---|---|
| Active | Can log in and use system |
| Pending | Invited, hasn't accepted |
| Suspended | Temporarily disabled |
| Deactivated | Permanently disabled |
Teams and Groups
Creating Teams
Organize users into teams for easier management:
┌─────────────────────────────────────────────────────────────────┐
│                       TEAM CONFIGURATION                        │
│                                                                 │
│  Team Name: Marketing                                           │
│                                                                 │
│  Members:                                                       │
│  ├── Sarah Johnson (Manager)                                    │
│  ├── Mike Chen (Editor)                                         │
│  └── Lisa Brown (Editor)                                        │
│                                                                 │
│  Screen Access:                                                 │
│  ├── Lobby Displays (View, Edit, Publish)                       │
│  ├── Window Displays (View, Edit, Publish)                      │
│  └── Conference Rooms (View only)                               │
│                                                                 │
│  Content Folders:                                               │
│  ├── /Marketing (Full access)                                   │
│  └── /Brand Assets (Read only)                                  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
Team Permissions
| Setting | Options |
|---|---|
| Screen groups | Which screens team can access |
| Content folders | Which folders team can use |
| Campaign types | What campaigns team can create |
| Reports | Which reports team can view |
Content Access Control
Folder Permissions
Control access to content folders:
| Permission | Description |
|---|---|
| View | See folder contents |
| Upload | Add new content |
| Edit | Modify existing content |
| Delete | Remove content |
| Share | Grant access to others |
Content Approval Workflow
Enable approval for content publishing:
┌─────────────────────────────────────────────────────────────────┐
│                    CONTENT APPROVAL WORKFLOW                    │
│                                                                 │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────┐   │
│  │  Create  │ ─► │  Submit  │ ─► │  Review  │ ─► │ Publish  │   │
│  │          │    │   for    │    │    by    │    │    to    │   │
│  │ (Editor) │    │ Approval │    │ (Manager)│    │ Screens  │   │
│  └──────────┘    └──────────┘    └──────────┘    └──────────┘   │
│                                       │                         │
│                                       ▼                         │
│                                  ┌──────────┐                   │
│                                  │  Reject  │                   │
│                                  │   with   │                   │
│                                  │ comments │                   │
│                                  └──────────┘                   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
Approval Settings
| Setting | Options |
|---|---|
| Require approval | All content, or by content type |
| Approvers | Specific users or role |
| Notification | Email when pending approval |
| Auto-approve | Certain users exempt |
| Expiration | Auto-reject after X days |
Single Sign-On (SSO)
Supported Protocols
| Protocol | Description |
|---|---|
| SAML 2.0 | Enterprise standard |
| OAuth 2.0 | Modern authorization |
| OpenID Connect | Identity layer on OAuth |
| Active Directory | Windows AD integration |
| LDAP | Directory services |
SAML Configuration
┌─────────────────────────────────────────────────────────────────┐
│                     SAML SSO CONFIGURATION                      │
│                                                                 │
│  Identity Provider:                                             │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Entity ID:   https://idp.company.com/saml2               │   │
│  │ SSO URL:     https://idp.company.com/saml2/sso           │   │
│  │ Certificate: [Upload IdP Certificate]                    │   │
│  └──────────────────────────────────────────────────────────┘   │
│                                                                 │
│  Service Provider (SignageStudio):                              │
│  ┌──────────────────────────────────────────────────────────┐   │
│  │ Entity ID:   https://signage.me/saml/your-company        │   │
│  │ ACS URL:     https://signage.me/saml/your-company/acs    │   │
│  │ Metadata:    [Download SP Metadata]                      │   │
│  └──────────────────────────────────────────────────────────┘   │
│                                                                 │
│  Attribute Mapping:                                             │
│  ├── email     → user.email                                     │
│  ├── firstName → user.firstName                                 │
│  ├── lastName  → user.lastName                                  │
│  └── groups    → user.groups                                    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
SSO Providers
| Provider | Integration |
|---|---|
| Okta | Full support, app in catalog |
| Azure AD | Full support |
| Google Workspace | Full support |
| OneLogin | Full support |
| Ping Identity | Full support |
| Custom SAML | Manual configuration |
Just-in-Time Provisioning
Automatically create users on first SSO login:
| Setting | Description |
|---|---|
| Enable JIT | Create users automatically |
| Default role | Role for new users |
| Default team | Team assignment |
| Attribute mapping | Map IdP attributes |
Security Settings
Password Policy
| Setting | Options |
|---|---|
| Minimum length | 8-32 characters |
| Complexity | Require uppercase, numbers, symbols |
| Expiration | 30, 60, 90, never |
| History | Prevent reuse of last N passwords |
| Lockout | After N failed attempts |
Multi-Factor Authentication
| MFA Method | Support |
|---|---|
| Authenticator app | Google, Microsoft, Authy |
| SMS | Text message codes |
| Email verification | |
| Hardware key | YubiKey, FIDO2 |
Session Management
| Setting | Description |
|---|---|
| Session timeout | Auto-logout after inactivity |
| Concurrent sessions | Allow multiple logins |
| Remember device | Skip MFA on trusted devices |
| Force re-auth | For sensitive actions |
Audit Logging
Logged Activities
| Category | Events Logged |
|---|---|
| Authentication | Login, logout, failed attempts |
| User management | Create, edit, delete users |
| Content | Create, edit, delete, publish |
| Screens | Add, remove, control commands |
| Settings | Configuration changes |
Audit Log Example
┌─────────────────────────────────────────────────────────────────┐
│                            AUDIT LOG                            │
│                                                                 │
│  Time      User          Action              Details            │
│  ─────────────────────────────────────────────────────────────  │
│  10:45:23  john@co.com   Login success       IP: 192.168.1.1    │
│  10:47:12  john@co.com   Scene created       "New Promo"        │
│  10:52:08  john@co.com   Campaign published  "March Sales"      │
│  11:03:45  jane@co.com   Login failed        Bad password       │
│  11:04:02  jane@co.com   Login failed        Bad password       │
│  11:04:15  jane@co.com   Account locked      3 failures         │
│  11:15:00  admin@co.com  User unlocked       jane@co.com        │
│  11:16:22  jane@co.com   Login success       IP: 192.168.1.2    │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
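Detection logic over the event sequence in the log above, as an added example rather than a SignageStudio feature: it reports accounts where a lockout was followed by an admin unlock and a successful login within a short window, a chain worth confirming with the account owner. The line-based export layout (one event per line, columns separated by two or more spaces, a single day) and all function names are assumptions; the sample lines are constructed from the display above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the audit log shown above. Assumption:
# an export has one event per line, columns separated by 2+ spaces, one day.
SAMPLE_LOG = """\
10:45:23  john@co.com   Login success   IP: 192.168.1.1
11:03:45  jane@co.com   Login failed    Bad password
11:04:02  jane@co.com   Login failed    Bad password
11:04:15  jane@co.com   Account locked  3 failures
11:15:00  admin@co.com  User unlocked   jane@co.com
11:16:22  jane@co.com   Login success   IP: 192.168.1.2
"""

def parse_event(line):
    """Split one log line into (time, user, action, details), or None."""
    parts = re.split(r"\s{2,}", line.strip(), maxsplit=3)
    try:
        when = datetime.strptime(parts[0], "%H:%M:%S")
    except ValueError:
        return None  # header, separator or blank line
    return (when, *(parts[1:] + [""] * 3)[:3])

def unlock_then_login(log_text, window_minutes=15):
    """Report lockout -> admin unlock -> successful login chains per account."""
    window = timedelta(minutes=window_minutes)
    failures, locked, unlocked, findings = {}, set(), {}, []
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        when, user, action, details = event
        if action == "Login failed":
            failures[user] = failures.get(user, 0) + 1
        elif action == "Account locked":
            locked.add(user)
        elif action == "User unlocked" and details in locked:
            unlocked[details] = (when, user)  # details names the account
        elif action == "Login success":
            if user in unlocked and when - unlocked[user][0] <= window:
                unlock_time, admin = unlocked[user]
                findings.append({
                    "user": user, "unlocked_by": admin, "source": details,
                    "failed_before": failures.get(user, 0),
                    "seconds_after_unlock": int((when - unlock_time).total_seconds()),
                })
            failures.pop(user, None)  # a success resets the per-account state
            unlocked.pop(user, None)
            locked.discard(user)
    return findings
```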
Log Retention
| Plan | Retention |
|---|---|
| Free | 7 days |
| Pro | 90 days |
| Enterprise | 1 year + export |
Best Practices
Security Recommendations
| Practice | Benefit |
|---|---|
| Use SSO | Centralized authentication |
| Enable MFA | Additional security layer |
| Least privilege | Minimal required permissions |
| Regular review | Audit user access quarterly |
| Offboarding process | Remove access promptly |
Organization Tips
| Tip | Implementation |
|---|---|
| Name conventions | Consistent user/team naming |
| Document roles | Clear role definitions |
| Team structure | Mirror org chart |
| Access requests | Formal request process |
| Training | Onboard new users properly |
Next Steps
- Platform Overview - SignageStudio features
- Getting Started - Initial setup
- Security Best Practices - Security hardening
- API Reference - User management API
User Management documentation maintained by MediaSignage. For enterprise features, contact sales@digitalsignage.com