Authentication and Authorization
- Christian Schramm
- Torsten Schmidt
- Robin Sachse
This section covers Authentication and Authorization in NMS Prime v2.4 and newer.
It explains how to create, edit and delete Users (Authentication), as well as Roles and Abilities (Authorization).
Authentication
To manage Users, you need to have the ability to update the User model. If you have this permission, the option "Global User Settings" should be available when you click on your name in the top right corner.
In this View, an overview of all Users is displayed, and Users can be created, updated and deleted like anywhere else in the NMS Prime system.
For GUI login, use your login name and password; for API login, use the defined email address and your password.
Use high Password strength
If you create or edit a User, please set a Password that is at least 8 characters long and contains:
- lower-case letters
- upper-case letters
- numbers
Authorization
To manage Roles and Abilities, you need to have the ability to update the Role model. If you have this permission, the option "User Roles" should be available when you click on your name in the top right corner.
You will be redirected to the standard management interface, where you can create, edit and delete Roles (see Base MVC). The 3 columns show the name, the rank and the description of the role. The rank is an indicator of how much "power" a role has.
The Admin role should ALWAYS have the highest rank (101).
Ranks
The rank of a role determines the ability to edit other users. You can assign values from 0 to 100 (higher is better). If a user has more than one role, the highest rank is used.
If the ability to update users is set, the rank is also checked. Permission is granted only if the editor's rank is higher than that of the user being edited. Furthermore, when creating or updating users, only roles with equal or lower rank can be assigned.
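The rank rules above, modelled as an added example (Python, not NMS Prime's own code). The role names, the ranks other than 101, the `can_update_users` flag and the rank 0 default for a user without roles are assumptions made for illustration.

```python
from dataclasses import dataclass

ADMIN_RANK = 101  # the page reserves 101 for Admin; 0..100 are assignable


@dataclass(frozen=True)
class Role:
    name: str
    rank: int
    can_update_users: bool = False  # stands in for the "update User" ability


def effective_rank(roles):
    """With several roles, the highest rank is the one that counts."""
    # Assumption: a user without any role is treated as rank 0.
    return max((r.rank for r in roles), default=0)


def can_edit_user(editor_roles, target_roles):
    """Needs the update-User ability AND a strictly higher rank."""
    if not any(r.can_update_users for r in editor_roles):
        return False
    return effective_rank(editor_roles) > effective_rank(target_roles)


def assignable_roles(editor_roles, all_roles):
    """Roles of equal or lower rank than the editor's may be assigned."""
    limit = effective_rank(editor_roles)
    return [r.name for r in all_roles if r.rank <= limit]


# Constructed sample roles; names and ranks are illustrative only.
admin = Role("admin", ADMIN_RANK, can_update_users=True)
lead = Role("support-lead", 60, can_update_users=True)
support = Role("support", 40)
technician = Role("technician", 60)
ALL_ROLES = [admin, lead, support, technician]

if __name__ == "__main__":
    print(can_edit_user([lead], [support]))       # lower-rank target
    print(can_edit_user([lead], [technician]))    # equal-rank target
    print(assignable_roles([lead], ALL_ROLES))
```

Note the asymmetry: an equal rank blocks editing a user but still permits assigning that role. With Admin at 101 and assignable ranks capped at 100, no other role passes either check against Admin.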
Roles
If you click on a Role inside the table of the index page, you will be redirected to the edit page. Like with every other entity, you will see 3 sections: the Role properties, the Logging information and the abilities side panel.
The Logging information shows who changed this Role recently. It is only visible if you click the Logging tab in the upper right.
In Role properties, you can set name, title, description and rank for the role, as well as users who should have this role.
Clicking "Save" saves only the changes you made to the role properties. If you have unsaved changes inside the ability panel, they will be reset.
Assigning the Admin Role to an existing User without the GUI
Please make sure the chosen User is logged out during the process.
If you want to quickly set the role of a user to "admin", we have prepared a console command to automate this task.
Just execute the command and fill in the login name of the user you want to "promote".
php artisan auth:admin [ login name ]
Abilities
Abilities determine which permissions the Users with the desired role have. They are roughly divided into two groups. The first group is custom abilities: special abilities that speed up the setup process or set permissions for properties not related to an entity. The second group is abilities that are bound to a database model.
This panel uses AJAX requests to be more interactive and to update Permissions without a page reload. If you change something inside the panel, the changes affect the User Interface immediately. The changes are temporary, but if you click on "Save", the changes for that entity will persist. There are "Save" buttons for Modules (which save all changes made for that module), and if a single entity is changed, it displays its own "Save" button.
A User can have many roles. Their Abilities are applied additively, but forbidding an ability always has higher priority, as seen in the diagram.
Custom Abilities
The Custom Abilities tab contains abilities to make setting up authorization a lot easier or to grant special abilities. If you are unsure, you can hover over the question mark to get more information on what this ability does.
All Abilities
The first Ability ("All Abilities") is a superset and determines whether checking abilities allows or forbids them. This is indicated by a red or green badge. If "All Abilities" is checked, all abilities are allowed except those that are checked (all authorization requests are allowed). If "All Abilities" is not checked, only the checked abilities are allowed.
All Abilities
If you change "All Abilities" and hit "Save", all Entities are saved with the corresponding properties. The default behavior is that all Abilities that are checked will become forbidden Abilities. Use this feature with caution. If you are unsure, remove all Abilities before you change the "All Abilities" property.
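How the "All Abilities" switch, the additive combination of roles and the priority of forbids interact, as an added example (Python, not NMS Prime's own code). The role names and ability strings are constructed, and reading a checked box under "All Abilities" as the only explicit forbid is an assumption drawn from the text above.

```python
from dataclasses import dataclass, field


@dataclass
class PanelRole:
    name: str
    all_abilities: bool = False                  # the "All Abilities" checkbox
    checked: set = field(default_factory=set)    # abilities ticked in the panel

    def allows(self, ability):
        # All Abilities on: everything is allowed except the checked ones.
        # All Abilities off: only the checked ones are allowed.
        if self.all_abilities:
            return ability not in self.checked
        return ability in self.checked

    def forbids(self, ability):
        # Assumption: only an ability checked while All Abilities is on is an
        # explicit forbid; an unchecked box otherwise means "not granted".
        return self.all_abilities and ability in self.checked


def is_allowed(roles, ability):
    """Roles add up, but a forbid in any one role beats every allow."""
    if any(r.forbids(ability) for r in roles):
        return False
    return any(r.allows(ability) for r in roles)


def flip_all_abilities(role):
    """Same checkboxes, inverted meaning: the case the page warns about."""
    return PanelRole(role.name, not role.all_abilities, set(role.checked))


# Constructed roles and ability names, for illustration only.
viewer = PanelRole("viewer", False, {"view Modem"})
operator = PanelRole("operator", True, {"delete Modem"})
cleanup = PanelRole("cleanup", False, {"delete Modem"})

if __name__ == "__main__":
    print(is_allowed([cleanup, viewer], "delete Modem"))    # additive grant
    print(is_allowed([cleanup, operator], "delete Modem"))  # forbid wins
    flipped = flip_all_abilities(viewer)
    print(is_allowed([flipped], "view Modem"), is_allowed([flipped], "delete Modem"))
```

Flipping the switch on the constructed `viewer` role turns a view-only role into one that may do everything except view Modems, which is why clearing the checkboxes first is the safe order.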
View Everything
This is another super-set, which allows the role to view every page. Additional adjustments can be made.
Use API and See Income Chart
These two are special abilities that are independent of all other abilities. They allow using the API or showing the Income chart on the dashboard.
Download Settlement Runs, View Analysis Pages of Modems and CMTS
These Abilities extend the respective Model permissions.
Model Abilities
The Model Abilities tab shows every entity of NMS Prime that can be changed. The entities are grouped by the module they originate from.
Even without expanding a group, you can use the quick settings to set abilities for all entities within that group. The available permissions are:
- Manage: Allows or forbids every action with the entity. This includes viewing, creating, updating and deleting as well as any custom ability for this entity (e.g. download for Settlement Runs).
- View: Allows viewing entities
- Create: Allows or forbids creating entities
- Update: Allows or forbids updating entities
- Delete: Allows or forbids deleting entities
If you want more granularity, you can expand the groups to make changes to individual entities.