We provide multiple mechanisms for controlling your media: who can access it and how it is accessed.
Roles
All access to the APIs and the GUI is governed by Roles enabled on Groups (legacy) or Teams. You can define exactly what each Group (legacy) or Team is allowed to do, and this is enforced both in the web GUI and in the APIs that the GUI and third parties use. The exception is a few Roles that exist only to show or hide GUI functions.
ACLs
All content and collections of content are controlled by Access Control Lists (ACLs) that define exactly which users and Groups (legacy) or Teams may access which assets, and with what level of access. For instance, one Group (legacy) or Team might be allowed only READ access to assets, whilst another is allowed to READ, WRITE and/or DELETE only the assets that they have uploaded.
External Sharing
Users with the Role to share out content can define what is shared, how long it is shared for and what access the external user has. At any time you can Administrate Shares to remove a share or see how many times it has been accessed.
External Sharing can be disabled for Iconik with Admin Settings.
For additional control over external sharing, Iconik Shield provides Magic Links Email Allowlisting, which allows administrators to specify which email addresses or domains are permitted to authenticate via magic links when accessing shared content.
Support Access
You can enable and disable Iconik’s support access to your Iconik account in Admin Settings. This gives us access when needed to identify problems, and gives you the knowledge that we can’t access your content when we don’t need to.
Please note that by turning this on we will be able to view your assets and associated metadata to help diagnose problems.
API
For API requests, we support using App-ID and Token pairs. These are discussed in the API documentation.
Iconik Shield
Iconik Shield is an Iconik Enterprise feature that provides the following security features when enabled:
- IP Allow List - Restricts access by using an allow list of IP addresses or CIDR prefixes from which users are allowed to connect. The filtering can be applied either for every user, or for certain Groups (legacy) or Teams, so you can define that only users in a Group (legacy) or Team can access from a certain network. The Allow List works both with the GUI frontend and for access using the API.
- User Audit Log Streaming - Allows you to consume Iconik's audit log as a stream via Amazon AWS SQS or Google Cloud Pub/Sub, so you can forward it to your own SIEM system for near real-time monitoring.
- Magic Links Email Allowlisting - Allows administrators to specify which email addresses or domains are permitted to authenticate via magic links when accessing shared content, controlling who can verify their identity and access shares externally.
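
An IP Allow List of the kind described above can be reviewed before it is enforced, to catch malformed prefixes, overly broad ranges and an administrator locking themselves out. The following Python example is added here and is not Iconik's code or configuration format; the policy structure, the matching semantics (every-user entries plus the user's Team entries) and the breadth thresholds are assumptions.

```python
import ipaddress

# Constructed sample policy. The structure is assumed for this example:
# "*" applies to every user, any other key is a Team name.
SAMPLE_POLICY = {
    "*": ["203.0.113.0/24", "2001:db8:10::/48"],
    "editors": ["198.51.100.17"],
    "contractors": ["0.0.0.0/0", "192.0.2.9/24"],
}

def is_allowed(policy, source_ip, teams):
    """Assumed semantics: allow if the address matches an entry scoped to
    every user ("*") or to one of the user's Teams."""
    addr = ipaddress.ip_address(source_ip)
    for scope in ("*", *teams):
        for entry in policy.get(scope, []):
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                continue  # malformed entries never match; lint() reports them
            if addr.version == net.version and addr in net:
                return True
    return False

def lint(policy, admin_ip, admin_teams, min_v4=16, min_v6=32):
    """Return findings to resolve before the list is enforced.
    min_v4/min_v6 are assumed thresholds for 'too broad', not product limits."""
    findings = []
    for scope, entries in policy.items():
        for entry in entries:
            try:
                net = ipaddress.ip_network(entry, strict=True)
            except ValueError:
                # strict=True also rejects prefixes with host bits set
                findings.append(f"{scope}: {entry} is not a valid address or prefix")
                continue
            limit = min_v4 if net.version == 4 else min_v6
            if net.prefixlen < limit:
                findings.append(f"{scope}: {entry} is broader than /{limit}")
    if not is_allowed(policy, admin_ip, admin_teams):
        findings.append(f"admin address {admin_ip} is not covered (lockout risk)")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_POLICY, "198.51.100.17", ["editors"]):
        print(finding)
```

Because the Allow List applies to API access as well as the GUI, run the same check against the egress addresses of any integrations that call the API.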