Page Comparison

This section covers Authentication and Authorization of NMS Prime with v2.4 and newer.

You can find more information on how to create, edit and delete Users (Authentication), as well as Roles, and Abilities (Authorization).

Authentication

To manage Users, you need to have the ability to update the User model. If you have this permission, the option "Global User Settings" should be available when you click on your name in the top right corner.

In this View, an overview over all Users is displayed and creating, updating and deleting Users is possible like anywhere else in the NMS Prime system.

For GUI Login use your login name and password and for API login use the defined email address and your password.

Authorization

To manage Roles and Abilities, you need to have the ability to update the Role model. If you have this permission, the option "User Roles" should be available when you click on your name in the top right corner.

You will be redirected to the standard Interface for managing, where you can create, edit and delete Roles (see Base MVC). The 3 columns will show the name, the rank and the description of the role. The rank is an indicator of how much "power" a role has

The Admin role should ALWAYS have the highest rank (101).

Roles

If you click on a Role inside the table of the index page, you will be redirected to the edit page. Like with every other entity, you will see 3 sections - the Role properties, the Logging information and the abilities side panel.

The Logging information gives Information who changed this Role recently. It is only visible if you click the Logging tab in the upper right.

In Role properties, you can set name, title, description and rank for the role, as well as users who should have this role.

Clicking onto save, will save only the changes you made to the role properties. If you have unsaved changes inside the ability panel, they will be reset.

Assigning the Admin Role to an existing User without the GUI

If you want to quickly set the role of an user to "admin", we prepared a console command to automate this task.

Just execute the command and fill in the login name of the user you want to "promote".

php artisan auth:admin [ login name ]

php artisan auth:nms
php artisan auth:admin [ your login name ]
php artisan tinker

$user = App\User::where('login_name','[your login name]')->first();
$user->password = Hash::make('[your new password]');
$user->save();
quit # or ctrl+c

php artisan tinker

$user = App\User::where('login_name','[your login name]')->first();
$user->roles()->detach() # this removes all roles from the user
quit # or ctrl+c

Abilities

Abilities determine which permissions the Users with the desired role have. They are roughly divided into two groups. First, custom abilities, which contain special abilities to speed up the set up process or set permissions, for non-entity related properties. The second group are abilities that are bound to a database model.

This panel uses AJAX Requests to be more interactive and update Permissions without a Page reload. If you change something inside the panel, the Changes will affect the User Interface immediately. The Changes are temporary, but if you click on "Save", the changes for that entity will persist. There are "Save" buttons for Modules (which save all changes made for that module) and if a single entity is changed it will display its own "Save" button.

It is possible that a User has many roles. The Abilities are applied together additive, but forbidding an ability has always a higher priority as seen in the diagram.

Custom Abilities

The Custom Abilities tab contains abilities to make setting up authorization a lot easier or to grant special abilities. If you are unsure, you can hover over the question mark to get more information on what this ability does.

All Abilities

The first Ability ("all abilities") is a super set and determines if you allow or forbid abilities by checking them. This is indicated by a red or green badge. If "All Abilities" is checked, all abilities are allowed, except those that are checked. (All authorization requests are allowed) If "All Abilities" is not checked, only the checked abilities are allowed.

View Everything

This is another super-set, which allows the role to view every page. Additional adjustments can be made.

Use API and See Income Chart

These two are special abilities, that are independent from all other abilities. They allow to use the API or show the Income chart on the dashboard.

Download Settlement Runs, View Analysis Pages of Modems and CMTS

These Abilities extend the respective Model permissions.

Model Abilities

The Model Abilities shows every entity of NMS Prime that can be changed. They are grouped into groups, with respect to their module origin.

Already without expanding you can use the quick settings to set abilities for all entities within that group. The available permissions are:

• Manage: Allows or forbids every action with the entity. This includes viewing, creating, updating and deleting as well as any custom ability for this entity (i.e. download for Settlement Runs)
• View: Allows to view entities
• Create: Allows or forbids to create entities
• Update: Allows or forbids to update entities
• Delete: Allows or forbids to delete entities

If you want more granularity, you can expand the groups to make changes to individual entities.

php artisan auth:nms
php artisan auth:admin [ your login name ]