Comment: extended the authorisation documentation

...


This adds the user testuser for the purpose of Authentication. Now the application also needs to be told about the users' Authorisation.

...

User names and case

User names in many systems are not case sensitive, so NMIS handles usernames in lower case. When adding users to Users.nmis, ensure that the name is all in LOWER CASE.

Spaces in User Names

At great expense to Opmantek, support for usernames with spaces has been added; this is in the next release, to be numbered 8.3.14G or higher.

Authorisation in NMIS

NMIS 8 uses the concepts "Privileges", "Access Policy" and "Groups" to determine what resources or actions a particular user should have access to.

  • The Groups setting for a user lists all the node groups this user may see (there is also the wildcard "all" with obvious meaning). Every node in NMIS belongs to exactly one group, but a user can be associated with any number of groups. Please note that group visibility checks are performed independently of the other authorisation mechanisms.
  • The Privilege setting describes, on a very high level, the operations this user should be able to perform; these also control the visibility of certain parts of the NMIS GUI. A user account has exactly one privilege. Each privilege has a (free-form) name.
  • Each privilege is translated into a single numeric access level. As a user account has exactly one privilege, it also has exactly one access level.
    By default NMIS uses level numbers 0 to 5.
  • Particular operations and views are associated with Access Policy elements, and these list what access levels are considered sufficient for granting access.

This infrastructure is configured using three configuration files:

  1. Users.nmis defines the existing users and their privileges. In the GUI this is accessible in the System menu, under System Configuration -> Users.
  2. PrivMap.nmis defines the mapping from textual privilege to numeric access level. In the GUI you'll find that under System -> System Configuration -> Privilege Map.
  3. Access.nmis defines which numeric access levels shall have access to what operations and views. The GUI presents this under System -> System Configuration -> Access Policy.
    Access levels are treated independently. If a user belongs to level 3 for example, then that does not imply anything about his or her access to level 4 or level 2 operations. 
    Please note that the GUI for this lists the access levels by their privilege name (inverse mapping via PrivMap), whereas the underlying configuration file uses the numeric levels exclusively.
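
The following sketch is an added example, not NMIS code, showing how the three pieces combine into an access decision. The dictionaries are constructed stand-ins and do not reproduce the on-disk format of Users.nmis, PrivMap.nmis or Access.nmis; the privilege names, policy element names, node names and group names are all hypothetical.

```python
# Added illustration; the data below is constructed and is NOT the on-disk
# format of Users.nmis, PrivMap.nmis or Access.nmis.
USERS = {  # user name -> one privilege plus the node groups the user may see
    "testuser": {"privilege": "operator", "groups": ["Branches"]},
    "nocadmin": {"privilege": "administrator", "groups": ["all"]},
}
PRIVMAP = {"administrator": 0, "operator": 3, "guest": 5}  # privilege -> level
ACCESS = {  # policy element -> access levels considered sufficient
    "view_node": {0, 3, 5},
    "edit_config": {0},
    "level4_report": {4},  # neither level 3 nor level 0 is implied by level 4
}
NODE_GROUP = {"router1": "Branches", "core1": "DataCenter"}  # one group per node


def access_level(user):
    """Return the single numeric level for a user, or None if unmapped."""
    entry = USERS.get(user.lower())  # user names are handled in lower case
    if entry is None:
        return None
    return PRIVMAP.get(entry["privilege"])


def may_perform(user, element):
    """Policy check: exact level membership, never a >= or <= comparison."""
    level = access_level(user)
    return level is not None and level in ACCESS.get(element, set())


def may_see_node(user, node):
    """Group visibility, checked independently of the access level."""
    entry = USERS.get(user.lower())
    if entry is None or node not in NODE_GROUP:
        return False
    return "all" in entry["groups"] or NODE_GROUP[node] in entry["groups"]


def audit():
    """List entries that would break lookups: mixed case, unmapped privilege."""
    findings = []
    for name, entry in USERS.items():
        if name != name.lower():
            findings.append((name, "user name is not lower case"))
        if entry["privilege"] not in PRIVMAP:
            findings.append((name, "privilege has no access level"))
    return findings
```

Because levels are matched by membership rather than by ordering, granting a new level access to an operation means listing it explicitly for that policy element.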

Setting up a User's Authorisations

Log in to the NMIS Portal as an administration user; the normal URL is http://nmisserver/cgi-nmis8/nmiscgi.pl

Using the menu, access "System -> System Configuration -> Users" and select "add" from the top right. Then complete the form, specifying the User which matches the user added using htpasswd, and specify Privilege and Groups, using "all" if all groups are permitted; multiple groups can be selected.
