If you have v2.3 or lower installed, consider upgrading to the current version of NMS Prime.
There were some changes in the Authentication and Authorization system. Please see the Upgrade Guide v2.4 for more information.
This section covers Authentication and Authorization of NMS Prime with v2.4 and newer.
You can find more information on how to create, edit and delete Users (Authentication), as well as Roles, and Abilities (Authorization).
Authentication
To manage Users, you need to have the ability to update the User model. If you have this permission, the option "Global User Settings" should be available when you click on your name in the top right corner.
This View displays an overview of all Users. Creating, updating and deleting Users works like anywhere else in the NMS Prime system.
For GUI login, use your login name and password; for API login, use the defined email address and your password.
Use high Password strength
If you create or edit a User, please set a Password that is at least 10 characters long and contains the following:
- lower-case letters
- upper-case letters
- numbers
- special characters (@, #, ~, ä, ß, etc.)
Authorization
To manage Roles and Abilities, you need to have the ability to update the Role model. If you have this permission, the option "User Roles" should be available when you click on your name in the top right corner.
You will be redirected to the standard Interface for managing, where you can create, edit and delete Roles. The 3 columns show the name, the rank and the description of the role. The rank is an indicator of how much "power" a role has.
The Admin role should ALWAYS have the highest rank (101).
Ranks
The rank of a role determines the ability to edit other users. You can assign values from 0 to 100 (higher is better). If a user has more than one role, the highest rank is used.
If the ability to update users is set, the rank is also checked. Permission is granted only if the rank of the editor is higher. Furthermore, when creating or updating users, only roles with equal or lower rank can be assigned.
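The rank rules above can be modelled in a few lines to reason about who may edit whom and which roles an editor may hand out. This is an added example, not NMS Prime's own code; the class and function names, the sample roles and users, and the rank 0 for a user without roles are assumptions.

```python
from dataclasses import dataclass, field

ADMIN_RANK = 101  # per the page, Admin always holds the highest rank


@dataclass(frozen=True)
class Role:
    name: str
    rank: int
    update_users: bool = False  # stands in for the "update User" ability


@dataclass
class User:
    login: str
    roles: list = field(default_factory=list)

    @property
    def rank(self) -> int:
        # With several roles the highest rank counts; no role -> 0 (assumption).
        return max((r.rank for r in self.roles), default=0)


def may_edit(editor: User, target: User) -> bool:
    # The ability must be set AND the editor's rank must be strictly higher.
    return any(r.update_users for r in editor.roles) and editor.rank > target.rank


def may_assign(editor: User, target: User, new_roles: list) -> bool:
    # Only roles with equal or lower rank than the editor's may be handed out.
    return may_edit(editor, target) and all(r.rank <= editor.rank for r in new_roles)


def out_of_range(roles: list) -> list:
    # Non-admin roles must stay within 0..100 so Admin (101) remains on top.
    return [r.name for r in roles if r.name != "admin" and not 0 <= r.rank <= 100]


# Constructed sample data, not taken from a real installation.
ADMIN = Role("admin", ADMIN_RANK, update_users=True)
SUPPORT = Role("support", 50, update_users=True)
VIEWER = Role("viewer", 10)
alice = User("alice", [ADMIN])
bob = User("bob", [SUPPORT])
carol = User("carol", [VIEWER, SUPPORT])  # effective rank 50
dave = User("dave", [VIEWER])

if __name__ == "__main__":
    for editor, target, roles in [(bob, dave, [SUPPORT]), (bob, dave, [ADMIN]),
                                  (bob, carol, [VIEWER]), (dave, bob, [VIEWER])]:
        verdict = "allow" if may_assign(editor, target, roles) else "deny"
        print(f"{editor.login} -> {target.login} {[r.name for r in roles]}: {verdict}")
```

In this model an editor can raise another user to the editor's own rank, after which the editor can no longer edit that user, because the rank comparison for editing is strict.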
Roles
If you click on a Role inside the table of the index page, you will be redirected to the edit page. Like with every other entity, you will see 3 sections - the Role properties, the Logging information and the abilities side panel.
The Logging information shows who recently changed this Role. It is only visible if you click the Logging tab in the upper right.
In Role properties, you can set name, title, description and rank for the role, as well as users who should have this role.
Clicking Save saves only the changes you made to the role properties. If you have unsaved changes inside the ability panel, they will be reset.
Assigning the Admin Role to an existing User without the GUI
For a fresh system, or when you want to quickly make a User "admin", we prepared a console command to automate this task.
Just execute the command and fill in the login name of the user you want to "promote".
Please make sure the chosen User is logged out during the process.
php artisan auth:admin [ login name ]
Troubleshooting Authentication
Abilities
Abilities determine which permissions the Users with the desired role have. They are roughly divided into two groups. The first group is custom abilities, which contain special abilities to speed up the setup process or to set permissions for non-entity-related properties. The second group is abilities that are bound to a database model.
Custom Abilities
Model Abilities
Troubleshooting Authorization