Controlling Viewer Access with Roles

In this topic, you will learn how to present content to viewers based on their assigned roles. You will manage roles in your external VMS and the Brightcove Beacon CMS.


This feature, Secure Experiences, ensures that content is only viewable by viewers whose role matches the role set on the content.

Roles allow you to filter content and experience elements for groups of specific viewers. You can expose content for viewers within a group and hide it from all other viewers.

Content types can be shown or hidden based on the viewer's role. In Beacon Studio, you can create roles and assign them to the following content types:

  • Movies
  • Series, Seasons, and Episodes
  • Channels and Live events
  • Playlists and Pages


The following is needed for Secure Experiences:

  • An external Viewer Management System (VMS)
  • OpenID Connect (OIDC) authentication enabled for your account

To associate viewers with roles, you will use your external VMS. These user role definitions will be connected to Brightcove Beacon using OIDC tokens

During viewer authentication with a Beacon app using OIDC, a token is passed to Beacon with the viewer's role(s).

OIDC is an authentication protocol used to verify the identity of a user to a client service. For details about using OIDC, see the OIDC Authentication Configuration and Testing document.


The following workflows are associated with Secure Experiences:

Viewer workflow

Your app viewers will experience the following:

  1. Viewers will exist in your external Viewer Management System (VMS) and may have one or more roles assigned to them.

  2. During viewer authentication with OIDC, a token is passed to Brightcove Beacon with the viewer's role(s).
  3. Viewers have access to assets/pages that match any of the viewer's roles.
Viewer workflow diagram

Admin workflow

You or your admin person will perform the following tasks:

  1. Assign roles to viewers in your external VMS (or sets up rules to assign roles)
  2. Connect external VMS to Brightcove Beacon

  3. Add the roles to Brightcove Beacon (these roles must match what is defined in your VMS)
  4. Assign roles to assets/pages
Admin workflow diagram

Assigning roles to viewers

You will use your external Viewer Management System (VMS) to assign viewers with specific roles. For example, you might want your employees and partners to have access to the latest training videos, but not your prospects and customers.

Contact your Customer Success Manager to connect your VMS to the Brightcove Beacon CMS.

Adding a role

You will add roles in the Brightcove Beacon CMS.

  1. Return to the Brightcove Beacon CMS and click Gear icon.

    Top navigation
  2. In the left navigation, select Roles.

    Roles navigation
  3. Click Add new role.

  4. In the Create New Role dialog, enter a name for the role and click Save.

    New role dialog
  5. To edit an existing role, click it's corresponding role ID.

  6. In the Edit role dialog, update the role name and click Update.

    Edit role dialog

Assigning roles to content

The following content types can be shown or hidden based on the viewer's role:

  • Movies
  • Series, Seasons, and Episodes
  • Channels and Live Events
  • Playlists and Pages

You will use the Brightcove Beacon CMS to assign roles to your content. These content types use a similar field for entering roles.

Let's walk through the steps for adding roles to a series.

  1. In the top navigation, select Programs. In the left navigation, select Series.

    Programs/series navigation
  2. In the Edit series screen, select Rights & Scheduling.

    Rights & Scheduling
  3. Click Select/Unselect All Roles to select all available roles.

    Select all roles
  4. Or, click inside the Asset roles input area and select a role from the list of available roles.

    Select a role
  5. You can assign roles to other content types in the Rights & Scheduling tab. The other content types include movies, series, seasons, episodes, channels, live events, playlists, and pages.

Understanding the viewer experience

The viewer will only see content in the Beacon app if their user account is has any of the roles associated with the content.

  1. In the Beacon app, I have logged in as jdoktor. Notice the movies that display in the playlist for the BCLS page include Mom and Fawn.

    BCLS playlist page
  2. Let's see why this video appears for this user while logged in. In the Beacon CMS, the Mom and Fawn movie has a Asset role of docs_admin.

    Beacon cms for movie
  3. Next, let's look at the roles for this app user.

    1. In the top navigation, select Commerce.
    2. In the left navigation, select App Users.
    3. Select the app user ID.

    Notice the roles assigned to this user:

    • docs_admin
    • docs_reviewer
    App user roles
  4. Since the user has a role associated with the asset, then the user can view this asset.
  5. Now, let's log into the Beacon app as a different user. Notice that this user does not see the Mom and Fawn movie in the playlist.

    BCLS playlist page
  6. If we look at the roles for this app user, we see that docs_admin is not included in their roles.

    App user2 roles
  7. Remember, if an asset has no Asset roles, then all users can see that asset.