Ideally, security in the Media Suite (MS) would work like this: everybody is allowed to use the Media Suite, but to view content or use the workspace you need to be logged in. Optionally, the workspace can also be used by everyone. In that case we may need to facilitate the creation of user accounts (separate from the federated login) or store session data.
For this we need to create, per collection/dataset, a list of which parts of it (content and/or metadata) are 'open' and which are restricted (possibly to a certain user group only). Based on such a list we can shield off the restricted content/metadata and leave the rest open.
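
One way such a per-collection list and the shielding step could look, as an added sketch that is not Media Suite code. The collection ids, group names, the `POLICY` layout and the `allowed`/`shield` helpers are all assumptions made for illustration; anything not listed is treated as restricted.

```python
# Added example: collection ids, group names and record fields are constructed.
from dataclasses import dataclass

OPEN = "open"    # visible to anonymous visitors
LOGIN = "login"  # visible to any logged-in user
# Any other rule is a frozenset of group names that may see the part.

# One entry per collection/dataset: the access rule for each part.
POLICY = {
    "open-archive": {"metadata": OPEN, "content": LOGIN},
    "press-photos": {"metadata": OPEN, "content": frozenset({"researchers"})},
    "oral-history": {"metadata": LOGIN, "content": frozenset({"project-x"})},
}


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


def allowed(collection, part, user=None):
    """Return True if `user` (None means anonymous) may see `part`."""
    rule = POLICY.get(collection, {}).get(part)
    if rule is None:
        return False  # unlisted collection or part: fail closed
    if rule == OPEN:
        return True
    if user is None:
        return False  # everything below requires a login
    if rule == LOGIN:
        return True
    # Group-restricted: the user must share at least one group with the rule.
    return isinstance(rule, frozenset) and bool(rule & user.groups)


def shield(collection, record, user=None):
    """Return a copy of `record` holding only the parts the user may see."""
    return {part: value for part, value in record.items()
            if allowed(collection, part, user)}


if __name__ == "__main__":
    rec = {"metadata": {"title": "Interview 12"}, "content": "stream-url"}
    print(shield("press-photos", rec))                    # anonymous
    print(shield("press-photos", rec, User("ann", frozenset({"researchers"}))))
```

Running the shielding on the server side, before a record leaves the API, keeps restricted parts out of responses even when a client skips its own checks.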