
If you have v2.3 or lower installed, consider upgrading to the current version of NMS Prime.

There were some changes in the Authentication and Authorization system. Please see the Upgrade Guide v2.4 for more information.

This section covers Authentication and Authorization of NMS Prime with v2.4 and newer.

You can find more information on how to create, edit and delete Users (Authentication), as well as Roles and Abilities (Authorization).

Authentication

To manage Users, you need to have the ability to update the User model. If you have this permission, the option "Global User Settings" should be available when you click on your name in the top right corner.

In this view, an overview of all Users is displayed, and you can create, update and delete Users like anywhere else in the NMS Prime system.

For GUI login, use your login name and password; for API login, use the defined email address and your password.


Use high Password strength

If you create or edit a User, please set a Password that is at least 10 characters long and meets the following criteria:

  • lower-case letters
  • upper-case letters
  • Numbers
  • Special Characters (@, #, ~, ä, ß, etc.)

Authorization

To manage Roles and Abilities, you need to have the ability to update the Role model. If you have this permission, the option "User Roles" should be available when you click on your name in the top right corner.

     


You will be redirected to the standard management interface, where you can create, edit and delete Roles (see Base MVC). The 3 columns show the name, the rank and the description of the role. The rank is an indicator of how much "power" a role has.

The Admin role should ALWAYS have the highest rank (101).


Ranks

The rank of a role determines the ability to edit other users. You can assign values from 0 to 100 (higher is better). If a user has more than one role, the highest rank is used.

If the ability to update users is set, the rank is also checked. Permission is granted only if the rank of the editor is higher. Furthermore, when creating or updating users, only roles with equal or lower rank can be assigned.
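The rank rules above, modelled as an added example (this is not NMS Prime's own code). The class and function names, the sample roles and users, and the rank 0 for a user without roles are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

ADMIN_RANK = 101  # the page gives the Admin role rank 101

@dataclass(frozen=True)
class Role:
    name: str
    rank: int

@dataclass
class User:
    login: str
    roles: list = field(default_factory=list)
    can_update_users: bool = False  # stands in for the "update User" ability

def effective_rank(user):
    """Highest rank among the user's roles (0 for no roles is an assumption)."""
    return max((role.rank for role in user.roles), default=0)

def may_edit(editor, target):
    """The update ability is required AND the editor's rank must be strictly higher."""
    return editor.can_update_users and effective_rank(editor) > effective_rank(target)

def assignable_roles(editor, all_roles):
    """Only roles with a rank equal to or lower than the editor's may be handed out."""
    limit = effective_rank(editor)
    return [role for role in all_roles if role.rank <= limit]

def update_roles(editor, target, new_roles):
    """Apply a role change only if both rank rules hold; report whether it was applied."""
    if not may_edit(editor, target):
        return False
    if any(role not in assignable_roles(editor, new_roles) for role in new_roles):
        return False
    target.roles = list(new_roles)
    return True

if __name__ == "__main__":
    # Constructed sample roles and users.
    admin, support, guest = Role("admin", ADMIN_RANK), Role("support", 50), Role("guest", 10)
    alice = User("alice", [support, guest], can_update_users=True)
    bob = User("bob", [guest])
    print(effective_rank(alice), may_edit(alice, bob))                # 50 True
    print(update_roles(alice, bob, [admin]))                          # False
    print(update_roles(alice, bob, [support]), may_edit(alice, bob))  # True False
```

The last line shows a consequence of the two rules taken together: an editor can raise another user to the editor's own rank and then no longer edit that user.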

Roles

If you click on a Role inside the table of the index page, you will be redirected to the edit page. Like with every other entity, you will see 3 sections: the Role properties, the Logging information and the abilities side panel.

The Logging information shows who changed this Role recently. It is only visible if you click the Logging tab in the upper right.

In Role properties, you can set name, title, description and rank for the role, as well as users who should have this role.

Clicking "Save" saves only the changes you made to the role properties. If you have unsaved changes inside the ability panel, they will be reset.


     

Assigning the Admin Role to an existing User without the GUI

Please make sure the chosen User is logged out during the process.


For a fresh system, or when you want to quickly make a User "admin", we prepared a console command to automate this task.

Just execute the command and fill in the login name of the user you want to "promote".

Make an existing User Admin
php artisan auth:admin [ login name ]

Troubleshooting Authentication


If you get "No Permission" errors or can't access the "Global User Settings" or "User Role" setting...
Please log out and log in again. If the error persists, log out and run the command again.
If you promoted the wrong user...
Unfortunately, you have to go into the GUI to resolve this. Make sure to remove the admin role from that user and assign the desired roles.

Abilities

Abilities determine which permissions the Users with the desired role have. They are roughly divided into two groups. The first group is custom abilities, which contain special abilities to speed up the setup process or to set permissions for properties that are not related to an entity. The second group is abilities that are bound to a database model.

This panel uses AJAX requests to be more interactive and to update permissions without a page reload. If you change something inside the panel, the changes affect the user interface immediately. The changes are temporary, but if you click on "Save", the changes for that entity will persist. There are "Save" buttons for Modules (which save all changes made for that module), and if a single entity is changed, it displays its own "Save" button.

Custom Abilities

The Custom Abilities tab contains abilities to make setting up authorization a lot easier or to grant special abilities. The first ability ("All Abilities") is a superset and determines whether you allow or forbid abilities by checking them. This is indicated by a red or green badge. If you are unsure, you can hover over the question mark to get more information on what this ability does.

All Abilities



If "All Abilities" is checked, all abilities are allowed, except those that are checked.

If "All Abilities" is not checked, only the checked abilities are allowed.

If you change "All Abilities" and click "Save", all Entities are saved with the corresponding properties.
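How the "All Abilities" switch inverts the meaning of the check boxes, as an added example for reviewing roles (this is not NMS Prime's own code). The ability labels, the role data and the function names are hypothetical, and toggle_impact assumes the check boxes stay as they are when only "All Abilities" is flipped.

```python
# Hypothetical ability labels; the real ones are listed in the abilities panel.
KNOWN = {"view User", "update User", "view Role", "update Role", "view Modem"}
# The page ties user and role management to these two update abilities.
SENSITIVE = {"update User", "update Role"}

def effective_abilities(all_abilities, checked, known=KNOWN):
    """Resolve a role's check boxes into the set of abilities it really allows."""
    checked = set(checked) & set(known)
    if all_abilities:
        return set(known) - checked   # "All Abilities" on: checked boxes are forbidden
    return checked                    # "All Abilities" off: checked boxes are allowed

def toggle_impact(all_abilities, checked, known=KNOWN):
    """Abilities gained and lost if only "All Abilities" flips (boxes unchanged)."""
    before = effective_abilities(all_abilities, checked, known)
    after = effective_abilities(not all_abilities, checked, known)
    return {"gained": sorted(after - before), "lost": sorted(before - after)}

def roles_granting(roles, sensitive=SENSITIVE, known=KNOWN):
    """Map each role name to the sensitive abilities it effectively allows."""
    report = {}
    for name, cfg in roles.items():
        hits = effective_abilities(cfg["all_abilities"], cfg["checked"], known) & set(sensitive)
        if hits:
            report[name] = sorted(hits)
    return report

# Constructed sample roles, as they might be read off the panel.
ROLES = {
    "admin":    {"all_abilities": True,  "checked": set()},
    "support":  {"all_abilities": True,  "checked": {"update Role"}},
    "helpdesk": {"all_abilities": False, "checked": {"view User", "update User"}},
    "guest":    {"all_abilities": False, "checked": {"view Modem"}},
}

if __name__ == "__main__":
    print(roles_granting(ROLES))
    print(toggle_impact(False, {"view Modem"}))
```

In the sample data, the "support" role has a single box checked yet still allows "update User", because with "All Abilities" on every unchecked ability is granted.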




Model Abilities



Troubleshooting Authorization


If the user was logged in...
Make sure to log out and log in again to avoid errors and unwanted behavior.
If you promoted the wrong user...
Unfortunately, you have to go into the GUI to resolve this. Make sure to remove the admin role from that user and assign the desired roles.