Security

Best practices for securing your Nomad Media API integration.

Tag-Based Access Control

Nomad Media supports restricting security groups to specific tags, enabling fine-grained access control where users can only see assets tagged with their permitted tags.

Requirement: Nomad Media Fall 2024 Release or later. Security must be enabled system-wide.

Setup Steps

1. Assign tags to a security group

In the Admin Console, navigate to your security group and assign the tags you want to restrict access to. Administrator permission is not required — assign the minimum permissions needed for the use case.

2. Assign the restricted security group to users

Assign the new restricted security group to all users who should have restricted access.

Note: If you created a new security group, refresh the server cache, log out, clear your browser cache, and log back in to see it as an available dropdown option for users.

3. Assign assets to the restricted tag

Assign the tag to assets and to all parent folders of those assets. Do not include the top-level Content folder. You do not need to assign the restricted security group directly to assets.

Troubleshooting: If users see no folders after this setup, they may need the "Everyone" security group assigned in addition to the restricted group. "Everyone" is a core security group required by Nomad Media.

API Security Best Practices

  • Use bearer tokens, not credentials, in API calls. Never pass raw usernames or passwords in API requests after the initial login.
  • Rotate tokens using the refresh flow. Tokens expire (default: 1 hour). Use the refresh token endpoint to get new tokens without re-authenticating.
  • Store credentials in AWS Secrets Manager. For Lambda integrations, never hardcode credentials in code. Use Secrets Manager and retrieve credentials at runtime.
  • Use individual IAM accounts. Never use shared IAM credentials across users or Lambda functions. This maintains accountability and enables credential rotation per user.
  • Restrict IAM permissions to the minimum required. Follow the principle of least privilege for all IAM policies.
  • Enable CloudTrail and CloudWatch logging. Ensure all API activity is auditable. See Architecture for logging details.
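The first three practices above, as an added example (not Nomad Media's own client code): a Lambda-side helper that pulls the Nomad username/password from Secrets Manager at runtime, spends the password exactly once on the initial login, and then serves a bearer token that is refreshed before it expires. The login and refresh HTTP calls are represented by injectable callables and the secret id and JSON shape are assumptions, since the page names no endpoints.

```python
import json
import time
from typing import Any, Callable, Dict, Tuple

# Shape of one login/refresh result: (access_token, refresh_token, ttl_seconds).
TokenTriple = Tuple[str, str, float]


def load_nomad_credentials(secret_id: str, client: Any = None) -> Dict[str, str]:
    """Fetch the Nomad username/password JSON from Secrets Manager at runtime.

    `client` is a boto3 Secrets Manager client. It is created lazily so the
    secret is never baked into the deployment package, and tests can inject
    a fake. The secret is assumed to hold {"username": ..., "password": ...}.
    """
    if client is None:
        import boto3  # lazy import: only needed inside the real Lambda
        client = boto3.client("secretsmanager")
    resp = client.get_secret_value(SecretId=secret_id)
    return json.loads(resp["SecretString"])


class TokenSession:
    """Bearer-token holder that refreshes before expiry.

    login_fn(username, password) and refresh_fn(refresh_token) stand in for the
    Nomad login and refresh endpoints (assumed callables, not the real API).
    The raw password is used exactly once, at the initial login, and is not
    retained; every later request carries only the bearer token.
    """

    def __init__(self, creds: Dict[str, str],
                 login_fn: Callable[[str, str], TokenTriple],
                 refresh_fn: Callable[[str], TokenTriple],
                 skew: float = 60.0, clock: Callable[[], float] = time.time):
        self._refresh_fn, self._skew, self._clock = refresh_fn, skew, clock
        self._store(login_fn(creds["username"], creds["password"]))

    def _store(self, triple: TokenTriple) -> None:
        self._access, self._refresh, ttl = triple
        self._expires_at = self._clock() + ttl

    def auth_header(self) -> Dict[str, str]:
        """Return the Authorization header, refreshing if the token is within
        `skew` seconds of expiry (the page's default TTL is 1 hour)."""
        if self._clock() >= self._expires_at - self._skew:
            self._store(self._refresh_fn(self._refresh))
        return {"Authorization": f"Bearer {self._access}"}
```

Attach `session.auth_header()` to every request; if the refresh call itself fails because the refresh token has also expired, fall back to a fresh `load_nomad_credentials` plus login rather than caching the password.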