Skip to main content

mDIS User Management

mDIS User Management

System administration task.
More system administration
List of 3rd-Party Code dependencies
Roles on "developer" page.

Users and Roles

This page describes how to manage mDIS users and mDIS roles.

These are tasks that are usually performed rarely. Actually, for many DIS customers, the creation of a few generic users is a one-off task. Often, this happens only once, during the setup and configuration of the mDIS system.

mDIS can always use its own, small, internal user database; alternatively, it can be connected to an LDAP server. User management needs to be carried out by mDIS users who have been granted specific roles.

User Management GUI

This section describes user management tasks performed after logging into mDIS with your browser.

Creating a New User

and Assignment of User Credentials

mDIS credentials are based on Role-Based Access Controlopen in new window (RBAC).

mDIS Administrators perform the registration of a new mDIS user by means of a special-purpose web form, url-path /user/admin/create.

Unlike those webpages and forms that work with science data, this page does not use the mDIS REST API. Instead, the user management pages use the widget sets and the APIs of the Yii framework directly.

However, adding users is a task performed rarely. It must be implemented in a secure manner, so we decided to rely on built-in features of Yii's RBAC capabilities directly. These are provided by a 3rd party code dependency,

2amigos/yii2-usuario | 1.5.1 | Highly customizable and extensible user management-

Password Assignment

The user's password is initially assigned by the mDIS administrator, or, if the new user is physically present with the mDIS Admin at registration time, entered by the new user personally.

TBC

At this time, the mDIS user cannot change the password at a later time.

Email sent at registration time does not inform the user about privileges that he can do. (Role Assignment happens AFTER the email is sent.)

User administration should also happen via the REST API.

Login to the mDIS

If you have sufficient access rights, then you can access the user management GUI using the menu entry "Settings," visible inside the sidebar, the "drawer." After clicking on the user management page (the blue tile in the figure below), you can edit users, groups, and their respective roles. You can also assign specific permissions to these roles.

tiles

mDIS Roles and Permissions

A role represents the function a user has inside the mDIS.

In the tab "Roles," you can see the set of roles already present with their names and descriptions.
You can create as many more roles as you need using the menu button "Create." You can edit or delete a role using the icons in the right column of the table.

roles

Next to the name and description, every role can have children. You can add other roles, meaning the role inherits the permissions of these other roles. Additionally, you can add explicit permissions (view or edit) for the forms.

Some permission assignments are updated automatically. The role viewer has view access to all forms; the role operator has edit access to all forms. Every time a form is created, updated, or deleted, these permissions are updated.

Some roles have some implicit permissions:

  • Only members of role _administrator_ have access to the user management.
  • Members of role developer have access to the template manager.

These role names have been chosen to be backwards-compatible with "Legacy DIS," a desktop app.

Users

mDIS Users should be assigned to the roles mentioned above.

Users can log in to the mDIS application using their username and password. Preferably, every user should have his own account.
In the tab "Users," you can see the list of users. As usual, you can sort the table by clicking on the headers. You can see the username, the email address, and the time of last login into the system.
You can block a user, so he cannot log in anymore. With a click on the pencil, you can edit the properties of a user.

users

Not shown as a figure here, but easy to get to after clicking on the pencil icon 📝 on the right of the screenshot:

  • You can edit the email address, username, and password using the tab "Account details."
  • In the tab "Assignments," you can see and edit his roles (see below) and permissions.
  • When you click on an empty area in the input field "items," you get a list of all roles and permissions. Permissions can be set for every single data-entry form, if necessary.

Pro Tip:

If you have several users with the same permissions, you should create a new Role, assign the permissions to that role, and then assign only that one role to these users, without assigning any specific permissions to users. This is more flexible and easier to maintain.

The "My Account" tile

In the section above, "Login to the mDIS", there was a third tile, "My Account."

Here users can set their own email addresses and passwords.

Roles and Permissions

Standard Role Hierarchy

  • _administrator_ - described at the top of this page - can manage user permissions, tables, and forms
  • developer - can edit forms and tables, create new forms
  • operator - can edit data, cannot change form and table design
  • viewer - read-only access to full tables
  • under construction guest - an even less privileged user who can see only subsets of the data. This can only see datasets labeled as "published," but cannot see data labeled as "embargoed" or "under moratorium" (although this data is physically stored in the same tables).

administrator Roles and Permissions

The role _administrator_ is the most powerful role in mDIS. The administrator role, as well as the developer role (see below), can define new tables and columns.

And with regard to user management, administrator is the only role that can do the following:

  • the administrator role can define new frontend users and roles
  • the administrator role can assign access permissions and privileges to roles
  • the administrator role can assign users to roles
  • the administrator role can define file access permissions roles relevant to the upload area

Role 'developer'

A user having the predefined Role developer can interact with mDIS as defined in the PHP dektriumopen in new window Role-Based-Access-Control (RBAC) User Management library.
The name developer of this role was chosen for backward compatibility with Legacy DIS.
This role implies a user can design forms and customize an mDIS production system; however, with less privileges than an mDIS Sysadmin (_administrator_ role). An mDIS developer role, as defined in the MySQL your_mDISdb.auth_assignment table, cannot create new users or change the permissions of other users.
This role also cannot modify tables/models (e.g., add columns).
This role therefore has less privileges than an mDIS Sysadmin (_administrator_ role). An mDIS developer role, as defined in the MySQL your_mDISdb.auth_assignment table, cannot create new users or change the permissions of other users. This role also cannot modify tables/models (e.g., add columns).

Backend / OS Layer

Unix Users and Groups

Linux-centric explanation

This explanation is a bit brief and Linux/Debian-centric. Sorry about that.

With regard to the PHP/Webserver/Operating System layer, there is no predefined 'administrator' role. There are, however, the operating system users root (on Unix-based systems) and administrator on Windows-based systems. In VirtualBox, we often use mdis or vagrant. You choose that name at the time of first installation. These OS users have a role equivalent to the sysadmin _administrator_ role in the frontend. They have the sudo role. As "Sudoers"open in new window, they can (must) do everything inside the host OS and the guest OS, in particular:

  • installation tasks on the host system and within the VirtualBox guest
  • seamless rebuilds of predefined forms and tables from within the VirtualBox ('yii migration' tasks)
  • can upload anything and set OS-related file access permissions relevant to the upload directories

However, managing Linux users and their access rights is a complex topic that we do not have the space to describe here.

For a deeper dive, see also the developer page.

Even more System Administration

OS-Updates, Email...

See extra document

The document describes optional special-purpose tasks related to working inside mDIS (OS updates, sending email, ...)

List of 3rd-Party Code dependencies

A unified list of references is given at the bottom of the for-developers page.