Assigning permissions

The role of each user account controls what that user can do with their company's Shutterstock account. Each customer has one or more of these roles:

  • browse-only: The user can browse and search media, view and edit collections, and download media that has already been licensed and is available for redownload. The user cannot license media. Users that have this role cannot have any other role.
  • subscription-debitor-license: The user can license and download media.
  • subscription-debitor-comp: The user can download media by using comps. This role is meaningful only if your account allows comp downloads.

Users with the browse-only role cannot have any other role. Users can have both the subscription-debitor-license and the subscription-debitor-comp roles if they need to be able to download both comps and licensed media.

Prerequisites

Before you can assign a role to a user, you must ensure that the user has an organization or that your account has a default organization. See Assigning organizations.

Assigning roles to users

To assign roles to users or change users' roles, add the roles as a custom attribute in the SAML assertion that your identity provider (IdP) sends to Shutterstock. This attribute is named roles and includes one or more value tags with the roles for the user. Check your identity provider's documentation for information about how to configure the SAML assertion.

The attribute looks like this example, which assigns the user both the subscription-debitor-license and the subscription-debitor-comp roles:

<saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">subscription-debitor-comp
  </saml2:AttributeValue>
  <saml2:AttributeValue
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">subscription-debitor-license
  </saml2:AttributeValue>
</saml2:Attribute>

To verify that your SAML assertion is set up correctly, compare it with the example in Next steps.

Now when the user accesses Shutterstock, that user is assigned to the specified roles. To change users' roles, send different roles in the SAML assertion the next time that the user logs in.

Assigning roles (Okta)

Here are instructions for setting up role provisioning if you are using Okta:

  1. In the Okta SAML 2.0 application that represents Shutterstock, add a custom attribute with these fields:

    • Display name: A meaningful name for the attribute, such as "Role"
    • Type: string array
    • Name: roles
    • External namespace: TODO ???
  2. Add these enumerated values for the attribute:

    • Browse only
      • Display name: Browse
      • Value: browse-only
    • Subscription Debitor (Comp)
      • Display name: Subscription Debitor (Comp)
      • Value: subscription-debitor-comp
    • Subscription Debitor (License)
      • Display name: Subscription Debitor (License)
      • Value: subscription-debitor-license
  3. Set the attribute to be a required field.

  4. Set the Group Priority for the attribute to Combine values across groups.

  5. In the application, create a group for the four possible role combinations. For example, you can structure the groups like this:

    • Group 1: Shutterstock_browseOnlyUsers
    • Group 2: Shutterstock_LicenseOnlyUsers
    • Group 3: Shutterstock_compOnlyUsers
    • Group 4: Shutterstock_compLicenseUsers
  6. Assign the Shutterstock application to each group and set the correct role combination to each group. In the previous example, the Shutterstock_LicenseOnlyUsers group has the Subscription Debitor (License) attribute value, and the Shutterstock_compLicenseUsers group has both the Subscription Debitor (Comp) and Subscription Debitor (License) attribute values.

Changing roles

To change the role that a user has, send the new role or roles in the SAML assertion. For example, to remove a user's permission to license media, set their role to browse-only.

Verifying a user's role

To see what roles a user is assigned, log in to shutterstock.com as that user, expand the user's information at the top right-hand corner of the page, and click Team. The Permission field shows whether the user can license images, download comps, or only search and browse media.

Wir haben mehr als 475 Mio. Assets auf Shutterstock.com (Stand: 30. November 2023).

© 2003-2024 Shutterstock Inc.