This shows you the differences between two versions of the page.
useradminpanel [2007/10/01 08:46] faltin |
useradminpanel [2007/10/07 06:16] faltin |
||
---|---|---|---|
Line 2: | Line 2: | ||
{{tools:useradmin.png|}} This is where NAV administrator can control NAV user accounts, group memberships and access privileges. | {{tools:useradmin.png|}} This is where NAV administrator can control NAV user accounts, group memberships and access privileges. | ||
+ | |||
+ | |||
===== Account list ===== | ===== Account list ===== | ||
The main view of the user administration panel shows the account list. Each user has a login (username) and a real name. If the | The main view of the user administration panel shows the account list. Each user has a login (username) and a real name. If the | ||
- | source of the user is based on [[ldapauthentication|LDAP]], the external column will indicate this. | + | user is authenticated externally via [[ldapauthentication|LDAP]], the external column will indicate this. The final column lists the number of groups the user belongs to. |
+ | |||
+ | * To edit the settings for an account, click on the username in question. | ||
+ | * To create a new account, press "Create new account" | ||
:!: A fresh NAV installation will only have one account; admin with membership to the NAV administrator group. User admin has password set to admin. This should be changed at your first login. | :!: A fresh NAV installation will only have one account; admin with membership to the NAV administrator group. User admin has password set to admin. This should be changed at your first login. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Creating a new account (using Account Details) ===== | ||
+ | |||
+ | **Note:** The procedure is the same for editing the values of an existing account, the same buttons to tweek. | ||
+ | |||
+ | * The new user must be given a unique login and password that confirms. | ||
+ | * For existing users you can change their password here. For LDAP bound users, password may not be changed. | ||
+ | |||
+ | Next you may: | ||
+ | |||
+ | * Delete the account | ||
+ | |||
+ | * Add the user to one or more organizations. In turn remove the user from one or more organizations. The organizations are picked from the list you create in [[seedessentials#organization|the organization section of Edit Database]]. Please note that organizational membership of a NAV user has **no effect** in terms of privileges or such (this is on the road map, way up ahead). | ||
+ | |||
+ | * Add the user to one or more groups (use the Add button). In turn remove the user from one or more groups (with the Remove button). Each group has a set of privileges, more below. The user will get the union of privileges of the groups he joins. | ||
+ | |||
+ | **Note:** A new user will be given implicit membership to the groups "authenticated users" and "anonymous users". If you do not tweak on group membership, that will be his/hers set of rights. This also goes for users created with LDAP. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Group List ===== | ||
+ | |||
+ | NAV comes with the following predefined groups (with the explained predifined privileges): | ||
+ | |||
+ | ^ Group ^Description ^ Comment | | ||
+ | ^ Anonymous users |Unauthenticated users (not logged in) |Everyone are implicit members. Gives access to the home page, the traffic map, viewing (but not composing) messages and maintenance | | ||
+ | ^Authenticated users |Any authenticated user (logged in) |New users are implicit members. Gives in addition access to everything **except** the typical admin stuff: user admin, seed database, module delete, composing messages and maintenance setup | | ||
+ | ^NAV Administrators |Full access to everything | This access is implicit, no privileges need to be defined for NAV Administrators. As a member you have access to everything in the web interface. | | ||
+ | ^ SMS |Allowed to receive SMS alerts | | | ||
+ | |||
+ | * To create new groups, simply follow the "Create new group" link. | ||
+ | * To modify an existing group, click on the group. | ||
+ | In both cases you proceed to the "Group Details" tab | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Group Details ===== | ||
+ | |||
+ | Use this to create new groups or edit existing. Each group must have: | ||
+ | |||
+ | * A unique and preferably intuitive name. | ||
+ | * A description that explains what group membership this group authorizes. | ||
+ | |||
+ | The actual definition of the group is shown in the Privileges section. | ||
+ | |||
+ | * To grant new privileges to the group, select the privilege type and then enter your target. If you misspelled your target or something, revoke it and create a new one (you can not edit a privilege). You can add as many privileges as you like to a group. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Understanding privileges ===== | ||
+ | |||
+ | The privileges system of NAV is generally built so that we in the future can expand to new privilege types. | ||
+ | Currently only two privileges are supported and the second one has a very specific scope: | ||
+ | |||
+ | ^Privilege ^Explanation | | ||
+ | ^web_access | Controls what part of the web system a user has access to. Based on regular expression matching against actual NAV URLs. | | ||
+ | ^alert_by | Takes only one valid target: 'sms'. A user is not allowed to receive sms messages from NAV unless he has the "alert_by for sms" on his privilege list. | | ||
+ | |||
+ | **Note:** Confusingly a third privilege is possible to choose; report_access. Since this privilege has no implementation, we will remove the option in a later NAV version (and reintroduce it when/if we actually implement support). | ||
+ | |||
+ | To see examples of how you can use the web_access privilege, take a look at the definitions of the predefined group | ||
+ | "Authenticated users". A [[http://www.amk.ca/python/howto/regex/|HOWTO on regexp]] is also provided as a link under "Grant privileges" | ||
+ | |||
+ | :!: If your initial NAV installation was earlier than 3.3 your "Authenticated users" group may have a different | ||
+ | setting (which you may well have modified yourself). Consider using this default NAV 3.3 reg exp: | ||
+ | |||
+ | <code> | ||
+ | ^/(preferences|status|navAdmin|report|browse|stats|cricket|machinetracker|ipinfo|l2trace|logger|alertprofiles|devicemanagemt/$)/? | ||
+ | </code> | ||
+ | |||
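Review bot: In the default regexp added at the end of "Understanding privileges", the last alternative is spelled "devicemanagemt", which looks like a misspelling of "devicemanagement". Please check it against the actual NAV URL, because an administrator who pastes this pattern as written would get a rule that silently never matches that tool. It would also help to say in the text that the "/$" inside the parentheses applies only to that last alternative, while every other name is anchored by "^" at the start but not at the end. Readers who adapt the pattern should know that an entry such as "report" grants every URL that begins with "/report", not just that one page.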