====== The user administration panel ======

{{tools:useradmin.png|}}

This is where a NAV administrator can control NAV user accounts, group memberships and access privileges.

===== Account list =====

The main view of the user administration panel shows the account list. Each user has a login (username) and a real name. If the user is authenticated externally via [[ldapauthentication|LDAP]], the external column will indicate this. The final column lists the number of groups the user belongs to.

  * To edit the settings for an account, click on the username in question.
  * To create a new account, press "Create new account".

:!: A fresh NAV installation will only have one account: admin, with membership of the NAV administrator group. The admin user has its password set to admin. This should be changed at your first login.

===== Creating a new account (using Account Details) =====

**Note:** The procedure is the same for editing the values of an existing account; the same buttons are used.

  * The new user must be given a unique login and a password that is confirmed.
  * For existing users you can change their password here. For LDAP-bound users, the password may not be changed.

Next you may:

  * Delete the account.
  * Add the user to one or more organizations, or remove the user from one or more organizations. The organizations are picked from the list you create in [[seedessentials#organization|the organization section of Edit Database]]. Please note that organizational membership of a NAV user has **no effect** in terms of privileges or such (this is on the road map, way up ahead).
  * Add the user to one or more groups (use the Add button), or remove the user from one or more groups (with the Remove button). Each group has a set of privileges, described further below. The user will get the union of the privileges of the groups he joins.

**Note:** A new user will be given implicit membership of the groups "authenticated users" and "anonymous users". If you do not change the group membership, that will be his or her set of rights. This also goes for users created with LDAP.

===== Group List =====

NAV comes with the following predefined groups (with the predefined privileges explained below):

^ Group ^ Description ^ Comment ^
^ Anonymous users | Unauthenticated users (not logged in) | Everyone is an implicit member. Gives access to the home page, the traffic map, viewing (but not composing) messages and maintenance |
^ Authenticated users | Any authenticated user (logged in) | New users are implicit members. Gives, in addition, access to everything **except** the typical admin stuff: user admin, seed database, module delete, composing messages and maintenance setup |
^ NAV Administrators | Full access to everything | This access is implicit; no privileges need to be defined for NAV Administrators. As a member you have access to everything in the web interface. |
^ SMS | Allowed to receive SMS alerts | |

  * To create new groups, simply follow the "Create new group" link.
  * To modify an existing group, click on the group.

In both cases you proceed to the "Group Details" tab.

===== Group Details =====

Use this to create new groups or edit existing ones. Each group must have:

  * A unique and preferably intuitive name.
  * A description that explains what membership of this group authorizes.

The actual definition of the group is shown in the Privileges section.

  * To grant new privileges to the group, select the privilege type and then enter your target. If you misspell the target, revoke the privilege and create a new one (a privilege cannot be edited). You can add as many privileges as you like to a group.

===== Understanding privileges =====

The privilege system of NAV is built so that it can be expanded with new privilege types in the future. Currently only two privileges are supported, and the second one has a very specific scope:

^ Privilege ^ Explanation ^
^ web_access | Controls what part of the web system a user has access to. Based on regular expression matching against actual NAV URLs. |
^ alert_by | Takes only one valid target: 'sms'. A user is not allowed to receive SMS messages from NAV unless he has the "alert_by for sms" on his privilege list. |

**Note:** Confusingly, a third privilege can be chosen: report_access. Since this privilege has no implementation, we will remove the option in a later NAV version (and reintroduce it when/if we actually implement support).

To see examples of how you can use the web_access privilege, take a look at the definitions of the predefined group "Authenticated users". A [[http://www.amk.ca/python/howto/regex/|HOWTO on regexp]] is also provided as a link under "Grant privileges".

:!: If your initial NAV installation was earlier than 3.3, your "Authenticated users" group may have a different setting (which you may well have modified yourself). Consider using this default NAV 3.3 regular expression:

  ^/(preferences|status|navAdmin|report|browse|stats|cricket|machinetracker|ipinfo|l2trace|logger|alertprofiles|devicemanagemt/$)/?
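
To check what a web_access target actually grants before saving it to a group, the sketch below models the rules described on this page: union of group privileges, implicit full access for NAV Administrators, and alert_by for sms. It is an added example, not NAV's own code. It assumes the target is applied with Python's ''re.match'' against the URL path; the group table and the sample paths are constructed for illustration.

```python
import re

# Default NAV 3.3 pattern for "Authenticated users", copied verbatim from the page.
AUTHENTICATED = (r"^/(preferences|status|navAdmin|report|browse|stats|cricket|"
                 r"machinetracker|ipinfo|l2trace|logger|alertprofiles|"
                 r"devicemanagemt/$)/?")

# Constructed group table: group name -> set of (privilege type, target).
GROUPS = {
    "Authenticated users": {("web_access", AUTHENTICATED)},
    "SMS": {("alert_by", "sms")},
}
ADMIN_GROUP = "NAV Administrators"  # implicit full access, no privileges defined

def privileges(memberships):
    """Union of the privileges of every group the account belongs to."""
    return set().union(*(GROUPS.get(g, set()) for g in memberships))

def may_access(memberships, path):
    """True if the account may open this URL path (assumes re.match semantics)."""
    if ADMIN_GROUP in memberships:
        return True
    return any(kind == "web_access" and re.match(target, path) is not None
               for kind, target in privileges(memberships))

def may_receive_sms(memberships):
    """SMS alerts require the alert_by privilege with target 'sms'."""
    return ("alert_by", "sms") in privileges(memberships)

def audit(pattern, paths):
    """Return the paths a web_access pattern grants, for review before saving it."""
    return [p for p in paths if re.match(pattern, p)]

# Constructed sample paths, not taken from a real NAV installation.
SAMPLE_PATHS = ["/report/", "/report/netbox", "/reportx", "/devicemanagemt/",
                "/devicemanagemt/history", "/useradmin/", "/"]

if __name__ == "__main__":
    granted = audit(AUTHENTICATED, SAMPLE_PATHS)
    for p in SAMPLE_PATHS:
        print(p, "->", "granted" if p in granted else "denied")
```

Under these assumptions the pattern is anchored at the start only, so an alternative such as ''report'' grants every path that begins with ''/report'', while the alternative ending in ''/$'' grants only that exact path. Running candidate patterns through ''audit'' with a list of your own installation's URLs shows such differences before the privilege is granted.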