Playback permissions
Session Recording administrators and their playback permissions
Session Recording administrators are Citrix Cloud administrators assigned a permission to access the Session Recording service. For an overview of Session Recording administrators and their playback permissions, see the following table:
Type of Session Recording administrator | Playback permission | Remarks |
---|---|---|
Citrix Cloud administrator assigned full access | Can play all recordings | Shows as a full admin on the Playback Permissions page of the Session Recording service |
Citrix Cloud administrator assigned the Cloud Administrator, All role | Can play all recordings | Shows as a full admin on the Playback Permissions page of the Session Recording service |
Citrix Cloud administrator assigned the Session Recording-FullAdmin, All role | Can play all recordings | Shows as a full admin on the Playback Permissions page of the Session Recording service |
Citrix Cloud administrator assigned the Session Recording-PrivilegedPlayerAdmin, All role | Can play all recordings | Shows as a privileged player on the Playback Permissions page of the Session Recording service |
Citrix Cloud administrator assigned only the Session Recording-ReadOnlyAdmin, All role | Can play all recordings except restricted recordings by default, or can play only recordings that originate from users and groups, published applications and desktops, and delivery groups and VDAs you specify. | Shows as a full admin on the Playback Permissions page of the Session Recording service by default, or shows as a read-only admin on the Playback Permissions page of the Session Recording service when you specify the scope. |
-
For information about restricted recordings, see Place access restrictions on recordings.
-
Citrix Cloud administrators assigned only the Session Recording-ReadOnlyAdmin, All role are called Session Recording read-only administrators later in this article. For more information, see Types of Session Recording administrators. You can limit playback permissions so that Session Recording read-only administrators can play only specific recordings from a target site.
Limit the playback permission of a Session Recording read-only administrator
To limit the playback permission of a Session Recording read-only administrator, complete the following steps:
-
Select Configuration > Playback Permissions from the left navigation of the Session Recording service.
Note:
-
The Playback Permissions menu in the left navigation of the Session Recording service is invisible for the administrators that are added through Azure AD groups. It is also invisible for Session Recording read-only administrators.
-
All Session Recording administrators are listed on the Playback Permissions page.
-
- Select a target site.
- Target an administrator on the Playback Permissions page. To make the administrator a Session Recording read-only administrator, complete the following steps:
- Go to the Identity and Access Management > Administrators tab of the Citrix Cloud console.
-
Locate the target administrator, click the ellipsis button, and select Edit access.
-
Select Custom access.
- Click the angle bracket to expand all roles.
-
Clear the check marks next to Cloud Administrator, All, Session Recording-FullAdmin, All, and Session Recording-PrivilegedPlayerAdmin,All. Select the check mark next to Session Recording-ReadOnlyAdmin, All.
-
Click Save.
-
Return to and refresh the Playback Permissions page of the Session Recording service. The Citrix Cloud administrator you edited shows as a Session Recording read-only administrator.
-
Click the Edit icon in the row of the Session Recording read-only administrator.
Tip:
A Session Recording read-only administrator can have full permission to play all recordings, limited permission to play only specific recordings, or no permission to play any recordings. Unless otherwise specified, a Session Recording read-only administrator has full permission to play all recordings.
-
To limit the recordings that the Session Recording read-only administrator can play, choose Limited on the Edit Playback Permission page. The Scope section appears on the Edit Playback Permission page.
-
Click Configure to specify the scope of recordings that the Session Recording read-only administrator can play. Playback is allowed if a recording meets any of the following criteria.
-
Users and user groups. Sets that the Session Recording read-only administrator can replay only the sessions that are opened by specific users and user groups. Both Azure Active Directory (Azure AD) and Active Directory identity types are supported.
Note:
-
The Azure AD identity support for configuring playback permissions is available with Session Recording server 2402 and later. It is a preview feature. Preview features might not be fully localized and are recommended for use in non‑production environments. Citrix Technical Support doesn’t support issues found with preview features.
-
The corresponding identity type is displayed only when the site is connected to AD or Azure AD through Citrix Cloud’s Identity and Access Management (IAM). You can check it on the Authentication tab of Citrix Cloud’s IAM.
-
- Published applications and desktops. Sets that the Session Recording read-only administrator can replay only specific application and desktop sessions.
- Delivery groups and VDA machines. Sets that the Session Recording read-only administrator can replay only the sessions of specific delivery groups and VDAs.
Your settings might not show on the Playback Permissions page. The issue occurs after you upgrade to Session Recording 2204 or the initial release of Session Recording 2203 LTSR. As a workaround, run the following script in SQL Server Management Studio (SSMS) that corresponds to your Session Recording database:
ALTER procedure [dbo].[EnumPlayerUserDeliveryGroupPoliciesOnCloud] as begin set nocount on select 3 as RoleType, a.ID as RoleAccountID, h.principleName as PrincipleName, a.IsEnabled as IsEnabled, e.name as PolicyType, d.DeliveryGroupID as AccountMemberAccountID, g.Name as AccountMemberName from PlayerUserCloudAccountRoleConfigure a, PlayerUserPolicyConfigSetMember b, PlayerUserPolicyDeliveryGroupSetMember d, PlayerUserPolicyType e, DeliveryGroup g, PlayerUserCloudAccount h where e.id=5 and b.PlayerUserPolicyTypeID = e.ID and a.PlayerUserPolicyConfigSetID = b.PlayerUserPolicyConfigSetID and b.PolicySetID = d.PlayerUserPolicyDeliveryGroupSetID and g.ID=d.DeliveryGroupID and h.ID=a.CloudAccountID end <!--NeedCopy-->
[SRT-8028]
-