Skip to main content
Skip table of contents

Content Usage Rules for OTT for MDRM eCommerce

1. Overview

SSP supports declaration and enforcement of content usage rules that define how content shall be used by the client device, for instance regarding output control.

For OTT content, usage rules can be defined in two different ways in SSP:

  1. The preferred method and the most generic is to use Usage Rules Profiles.

    1. It consists in referencing a Usage Rules ProfileId .

    2. It can apply to live channels defined in IMS or to Content authorization tokens.

    3. SSP comes with four default profile values that can be customized and additional profiles can be defined.

    4. If no usage rules profiles are specified in IMS or in the Content authorization tokens or in the authorization callback mode, then SSP will automatically apply the Default profile of the DRM.

  2. The second method (23.48) Content Usage Rules for OTT for MDRM eCommerce#Generic Usage Rules is deprecated but still supported by SSP. It is supported only in Content authorization tokens and consists in declaring the usage rules in a generic format (see details in Content Authorization token definition)

2. Default Usage Rules Profiles per DRM

For OTT contents, SSP supports Usage Rule Profiles (aka UR Profiles). A UR Profile is a set of DRM specific values for the content usage rules defined below and tagged with an identifier. For convenience, a profile identifier can then be used to replace the list of rules in the IMS API as well as in Content authorization tokens.

SSP is delivered with the default set of four content usage rules profiles.

To use one of those profiles, simply use the profile identifier above ("Test" / "SD" / "HD" / "UHD") in the channel definition in IMS or in the Content Authorization token.

  • Profile "Test" should only be used for integration purposes.

  • New profiles can be added into the system.

For all the parameters highlighted, the DRM is proactively validating the value against the challenge data coming from the request.

2.1. Widevine

Usage rules

Profile "Test"

Profile "SD"

Profile "HD"

Profile "UHD"

Profile "default"
(default system values)

Comments

Widevine    

minimumSecurityLevel

5

3

3

1

3

Value compared with the device security level defined by Widevine.

In case the security level is not accessible in the license request, SSP will consider the device security level to be 5. This could happen with test devices.

This value can be set to 0 to prevent acquisition of Widevine licenses.

Possible values :

  • 0 (Reject license requests)

  • 1 (Hardware security level)

  • 3 (Software security level)

  • 5 (Not accessible)

policySecurityLevel

1

1

1

4

1

Value set in the license and used by the DRM client.

EME format (from 1 to 5).

Possible values :

  • 1 (SOFTWARE SECURE CRYPTO)

  • 2 (SOFTWARE SECURE DECODE)

  • 3 (HARDWARE SECURE CRYPTO)

  • 4 (HARDWARE SECURE DECODE)

  • 5 (HARDWARE SECURE ALL)

When dealing with L1 Browser requests, an automatic conversion takes place to align the security level between the Widevine policy and PlayReady security levels :

  • 1-3 (Widevine) => 150 (PlayReady)

  • 4 (Widevine) => 2000 (PlayReady)

  • 5 (Widevine) => 3000 (PlayReady)

hdcp

0

0

1

5

5

Possible values :

  • 0 (HDCP_NONE)

  • 1 (HDCP_V1)

  • 2 (HDCP_V2)

  • 3 (HDCP_V2_1)

  • 4 (HDCP_V2_2)

  • 5 (HDCP_V2_3)

disableAnalogOutput

FALSE

FALSE

TRUE

TRUE

TRUE

Indicates if the analog output has to be disabled.

In case the analog output has to be disabled, if the device doesn’t have the ability to do it then the request will be proactively rejected.

For devices with an analog output, the ability to disable it indicates whether the content can be disabled/restricted on the analog interface via the license’s key control block.

  • If “True” - Analog output is present and output can be disabled/restricted.

  • If “False” - Analog output is present and output cannot be disabled/restricted.

  • If “Unknown” - Analog output is either not present or cannot be determined

Possible values :

  • TRUE

  • FALSE

overrideDeviceRevocation

TRUE

FALSE

FALSE

FALSE

FALSE

If true, a license is generated even if the device is revoked.

Permanently revoked devices cannot be overriden.

If the device is revoked and the override is disabled then the licence will be rejected.

Possible values :

  • TRUE

  • FALSE

allowUnverifiedPlatform

TRUE

FALSE

FALSE

FALSE

FALSE

Indicates if unverified platforms are allowed.

A license request will fail if VMP status is unverified or tampered for a desktop browser.

The Verified Media Path (VMP) feature is implemented for desktop browser platforms.

Set this field to 'true' to allow license request to succeed when VMP status is unverified.

Related status :

PLATFORM_UNVERIFIED

requireL3SecureStorage

FALSE

FALSE

FALSE

FALSE

FALSE

Used to require a secure storage on software verified platforms.

The device platform status was verified at the software level and the device has secure storage which is required for license storage persistence.

Applicable for desktop browsers only.

Related status : PLATFORM_SECURE_STORAGE_SOFTWARE_VERIFIED

maxDeviceVulnerabilityLevel

-

-

-

-

-

Optional

Describes how secure a device is, over time. It determines if a device is exposed to vulnerabilities.

If unset, the UR is not applied.

Default value per profile will be set in future releases.

Only applicable to SDK mode.

Possible values :

  • NONE

  • LOW

  • MEDIUM

  • HIGH

  • CRITICAL

allowUnspecifiedDeviceVulnerabilityLevel

-

-

-

-

-

Optional

Allow devices which vulnerability level is unspecified.

Default for all profiles : TRUE

Default value per profile will be set in future releases.

Only applicable to SDK mode.

Possible values :

  • TRUE

  • FALSE

cgmsFlag

CGMS_NONE

COPY_NEVER

CGMS_NONE

CGMS_NONE

CGMS_NONE

Value set in the license and used by the DRM client.

Indicates whether CGMS is required.

Possible values :

  • CGMS_NONE

  • COPY_FREE

  • COPY_ONCE

  • COPY_NEVER

2.2. PlayReady

Usage rules

Profile "Test"

Profile "SD"

Profile "HD"

Profile "UHD"

Profile "default"
(default system values)

Comments

PlayReady

minimumSecurityLevel

150

2000

2000

3000

2000

This value can be set to 5000 to prevent acquisition of PlayReady licenses.

hdcpType

-

-

0

1

1

Value set in the license and used by the DRM client.

Optional

Minimum HDCP protection.

To be set in the license, the parameter “uncompressedDigitalVideoOutputProtection” must be higher than 271.

Possible values :

  • Empty (HDCP type not set in the license)

  • 0 (HDCP not engaged - The content protection mechanism is not active)

  • 1 (HDCP engaged - The content protection mechanism is active)

digitalVideoOnly

FALSE

FALSE

TRUE

TRUE

TRUE

Value set in the license and used by the DRM client.

PlayReady products may only pass the video portion of decrypted A/V content to Digital Video Outputs.

Possible values :

  • TRUE

  • FALSE

agcAndColorStrip

0

0

0

0

0

Value set in the license and used by the DRM client.

Only applicable if the parameter “digitalVideoOnly” is set to FALSE.

Possible values :

  • 0 (AGC and Color Strip OFF)

  • 1 (AGC ON and Color Strip OFF)

  • 2 (AGC OFF and Color Strip ON)

  • 3 (AGC ON and Color Strip ON)

minimumAnalogTelevision

100

200

300

300

300

Value set in the license and used by the DRM client.

If a PlayReady product asses the video portion of decrypted A/V Content to Analog Television Outputs, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 150

  • 200

  • 300

uncompressedDigitalVideoOutputProtection

100

100

300

300

300

Value set in the license and used by the DRM client.

If a PlayReady product passes the video portion of uncompressed decrypted A/V Content, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 250

  • 270

  • 300

compressedDigitalVideoOutputProtection

500

500

500

500

500

If a PlayReady product passes the video portion of compressed decrypted A/V Content, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 400

  • 500

uncompressedDigitalAudioOutputProtection

100

100

300

300

300

Value set in the license and used by the DRM client.

If a PlayReady product passes the audio portion of uncompressed decrypted A/V Content, the PlayReady product must follow restrictions.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 150

  • 200

  • 250

  • 300

compressedDigitalAudioOutputProtection

100

100

300

300

300

Value set in the license and used by the DRM client.

If a PlayReady product passes the audio portion of compressed decrypted A/V Content, the PlayReady product must follow restrictions as specified.

Minimum value.

Check the PlayReady compliance rules for more details.

Possible values :

  • 100

  • 150

  • 200

  • 250

  • 300

dtcpExport

FALSE

FALSE

FALSE

FALSE

FALSE

Value set in the license and used by the DRM client.

Digital Transmission Content Protection, designed to protect audio and video content as it's transmitted between devices.

A PlayReady product may export decrypted PlayReady A/V Content to DTCP.

Applicable only for offline licenses.

Possible values :

  • TRUE

  • FALSE

2.3. FairPlay

Usage rules

Profile "Test"

Profile "SD"

Profile "HD"

Profile "UHD"

Profile "default"
(default system values)

Comments

FairPlay

airPlayAllowed

TRUE

TRUE

TRUE

FALSE

FALSE

Determines if AirPlay can be activated.

Possible values :

  • TRUE

  • FALSE

digitalAvAdapter

TRUE

TRUE

TRUE

TRUE

TRUE

Determines if digital AV Adapter are allowed.

Possible values :

  • TRUE

  • FALSE

hdcpStrictEnforcement

FALSE

FALSE

TRUE

TRUE

TRUE

Value compared with the hdcp enforcement flag coming from the SPC message.

Mismatches lead to device hdcp protection errors (error code 4044).

Possible values :

  • TRUE

  • FALSE

hdcpLevel

0xEF72894CA7895B78

0xEF72894CA7895B78

0x40791AC78BD5C571

0x285A0863BBA8E1D3

0x285A0863BBA8E1D3

Value set in the license and used by the DRM client.

If the hdcp is not sctrictly enforced, the hdcp level cannot be set to Type 0 or 1.

Possible values :

  • 0xEF72894CA7895B78 (HDCP not required)

  • 0x40791AC78BD5C571 (HDCP Type 0 is required)

  • 0x285A0863BBA8E1D3 (HDCP Type 1 is required)

3. URP usage

3.1. With Content Authorization Tokens

SSP Content Authorization tokens can include a UR profile identifier both at ContentRights level as well as at Track level (field "usageRulesProfileId" in the ContentAuthZ token definition)

When using UR profile with tokens, the following rules will apply:

  • If an SSP Content authorization token refer to a UR profile that does not exist, the respective license request will be rejected.

  • Profiles and rules are mutually exclusive: a given Content AuthZ token can contain either a UR profile identifier or an explicit list of usage rules, but not both (otherwise the license request will be rejected).

  • If the token does not contain neither a profile identifier nor explicit usage rules, then default values are applied for each usage rule. The list of default values is detailed above.


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close