This shows you the differences between two versions of the page.
useradminpanel [2007/10/01 10:31] faltin |
useradminpanel [2007/10/07 06:05] faltin |
||
---|---|---|---|
Line 2: | Line 2: | ||
{{tools:useradmin.png|}} This is where NAV administrator can control NAV user accounts, group memberships and access privileges. | {{tools:useradmin.png|}} This is where NAV administrator can control NAV user accounts, group memberships and access privileges. | ||
+ | |||
Line 7: | Line 8: | ||
The main view of the user administration panel shows the account list. Each user has a login (username) and a real name. If the | The main view of the user administration panel shows the account list. Each user has a login (username) and a real name. If the | ||
- | source of the user is based on [[ldapauthentication|LDAP]], the external column will indicate this. The final column listes the number of groups the user belongs to. | + | user is authenticated externally via [[ldapauthentication|LDAP]], the external column will indicate this. The final column lists the number of groups the user belongs to. |
* To edit the settings for an account, click on the username in question. | * To edit the settings for an account, click on the username in question. | ||
Line 17: | Line 18: | ||
- | ===== Creating a new account (suing Account Details) ===== | + | |
+ | |||
+ | |||
+ | ===== Creating a new account (using Account Details) ===== | ||
**Note:** The procedure is the same for editing the values of an existing account, the same buttons to tweek. | **Note:** The procedure is the same for editing the values of an existing account, the same buttons to tweek. | ||
- | The new user must be given a unique login and password that confirms. Next you may: | + | * The new user must be given a unique login and password that confirms. |
+ | * For existing users you can change their password here. For LDAP bound users, password may not be changed. | ||
+ | |||
+ | Next you may: | ||
* Delete the account | * Delete the account | ||
- | * Add the user to one or more organizations. In turn remove the user from one or more organizations. The organizations are picked from the list you create in [[seedessentials#organization|the organization section of Edit Database]]. Please note that organizational membership of a NAV user has no effect in terms of privileges or such (this is on the road map, way up ahead). | + | * Add the user to one or more organizations. In turn remove the user from one or more organizations. The organizations are picked from the list you create in [[seedessentials#organization|the organization section of Edit Database]]. Please note that organizational membership of a NAV user has **no effect** in terms of privileges or such (this is on the road map, way up ahead). |
* Add the user to one or more groups (use the Add button). In turn remove the user from one or more groups (with the Remove button). Each group has a set of privileges, more below. The user will get the union of privileges of the groups he joins. | * Add the user to one or more groups (use the Add button). In turn remove the user from one or more groups (with the Remove button). Each group has a set of privileges, more below. The user will get the union of privileges of the groups he joins. | ||
- | **Note:** In NAV 3.3 a new user will be given implicit membership to the groups "authenticated users" and "anonymous users". If you do not tweak on group membership, that will be his/hers set of rights. This also goes for users created with LDAP. | + | **Note:** A new user will be given implicit membership to the groups "authenticated users" and "anonymous users". If you do not tweak on group membership, that will be his/hers set of rights. This also goes for users created with LDAP. |
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
===== Group List ===== | ===== Group List ===== | ||
- | NAV comes with the following predefined groups: | + | NAV comes with the following predefined groups (with the explained predifined privileges): |
^ Group ^Description ^ Comment | | ^ Group ^Description ^ Comment | | ||
- | ^ Anonymous users |Unauthenticated users (not logged in) |Everyone are implicit members | | + | ^ Anonymous users |Unauthenticated users (not logged in) |Everyone are implicit members. Gives access to the home page, the traffic map, viewing (but not composing) messages and maintenance | |
- | ^Authenticated users |Any authenticated user (logged in) |New users are implicit members | | + | ^Authenticated users |Any authenticated user (logged in) |New users are implicit members. Gives in addition access to everything **except** the typical admin stuff: user admin, seed database, module delete, composing messages and maintenance setup | |
- | ^NAV Administrators |Full access to everything | | | + | ^NAV Administrators |Full access to everything | This access is implicit, no privileges need to be defined for NAV Administrators | |
^ SMS |Allowed to receive SMS alerts | | | ^ SMS |Allowed to receive SMS alerts | | | ||
* To create new groups, simply follow the "Create new group" link. | * To create new groups, simply follow the "Create new group" link. | ||
- | * To modify an existing group, click on the group. | + | * To modify an existing group, click on the group. |
+ | In both cases you proceed to the "Group Details" tab | ||
+ | |||
+ | |||
+ | ===== Group Details ===== | ||
+ | |||
+ | Use this to create new groups or edit existing. Each group must have | ||
+ | |||
+ | * A unique and preferably intuitive name | ||
+ | * A description that explains what group membership this group authorizes | ||
+ | |||
+ | The actual definition of the group is shown in the Privileges section | ||
+ | |||
+ | * To grant new privileges to the group, select the privilege type and then enter your target. If you misspelled your target or something, revoke it and create a new one. You can add as many privileges as you like to a group. | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== Understanding privileges ===== | ||
+ | |||
+ | The privileges system of NAV is generally built so that we in the future can expand to new privilege types. | ||
+ | Currently only two privileges are supported and the second one has a very specific scope: | ||
+ | |||
+ | ^Privilege ^Explanation | | ||
+ | ^web_access | Controls what part of the web system a user has access to. Based on regular expression matching against actual NAV URLs. | | ||
+ | ^alert_by | Takes only one valid target: 'sms'. A user is not allowed to receive sms messages from NAV unless he has the "alert_by for sms" on his privilege list. | | ||
+ | |||
+ | To see examples of how you can use the web_access privilege, take a look at the definitions of the predefined group | ||
+ | "Authenticated users". A [[http://www.amk.ca/python/howto/regex/|HOWTO on regexp]] is also provided as a link under "Grant privileges" | ||
+ | |||
+ | :!: If your initial NAV installation was earlier than 3.3 your "Authenticated users" group may have a different | ||
+ | setting (which you may well have modified yourself). Consider using this default NAV 3.3 reg exp: | ||
+ | <code> | ||
+ | ^/(preferences|status|navAdmin|report|browse|stats|cricket|machinetracker|ipinfo|l2trace|logger|alertprofiles|devicemanagemt/$)/? | ||
+ | </code> | ||
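Review bot: In the suggested default regexp at the end of this hunk, the last alternative is written `devicemanagemt/$`, which looks like a misspelling of the device management path. If the real NAV URL is spelled differently, that alternative never matches and the "Authenticated users" group is not granted the page it was meant to cover, so please check the spelling against the actual URL before publishing this as the recommended default. Note also that only this last alternative carries an end anchor: the rest of the group is matched as `^/(...)/?`, which is a prefix match, so `report` also matches any path that merely begins with `/report`. If the intent is to grant whole tool directories and nothing else, closing the group with `(/|$)` would state that explicitly. Separately, the implicit-membership note in this hunk drops "In NAV 3.3" while the warning above the regexp still distinguishes installations earlier than 3.3; it would help to say which versions the implicit membership applies to.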