IRIS
Intelligent Roadway Information System
User Roles
Select View ➔ System ➔ Users and Roles menu item
IRIS contains a set of user accounts which are allowed to access the system. Each account must be assigned to a specific role. During login, the user account is checked for validity. For a successful login, the user and role must both be enabled. If the user has a distinguished name (dn), then authentication is performed using LDAP. Otherwise, the supplied password is checked against the stored password hash for the account.
Resources
iris/api/useriris/api/user/{name}
| Access | Minimal |
|---|---|
| Read Only | name |
| 💡 Plan | enabled |
| 🔧 Configure | full_name, role |
Domains
A network domain uses CIDR to restrict the IP addresses from which a user can connect to IRIS. To log in, a user must be assigned to a matching enabled domain.
Roles
A role defines the set of capabilities associated with a user
account (any other capabilities will not be available). The default roles
are administrator and operator. The administrator role has
capabilities which allow unfettered access to the system.
Other roles can be created to allow different capability sets, as needed.
WARNING: if the administrator role or admin user are disabled, the ability to make further changes will be lost immediately.
Role Resources
iris/api/roleiris/api/role/{name}
| Access | Minimal |
|---|---|
| Read Only | name |
| 💡 Plan | enabled |
Capabilities
A capability is a set of privileges which can be associated with roles. It grants all necessary privileges to perform a specific task.
There are typically 3 capabilities for each device type:
_tab— Grant view privileges_control— Grant control privileges_admin— Grant administration privileges
Capabilities can be disabled, preventing all users from having access to them.
For example, if a system does not contain any LCS devices, the lcs_tab
capability could be disabled, preventing that tab from appearing in the user
interface for all users.
WARNING: the base_admin capability can grant access for all IRIS
functions.
(NOTE: capabilities are being phased out in favor of permissions)
Privileges
A privilege grants read or write access to one type of object. There are 5 fields required to fully specify a privilege.
| Field | Description |
|---|---|
| Type | Object type selected from a list of available types |
| Object | A regular expression to match object names. |
| Group | Used to divide objects into related groups. This is an experimental feature intended to replace the object field. NOTE: Write access only. |
| Attribute | Write access to a specific attribute of an object type can be specified with this field. |
| Write | When this checkbox is checked, write access is granted. Otherwise, the privilege grants read access. To be granted write access, a role must also have read access to the object type. |
(NOTE: privileges are being phased out in favor of permissions)
Events
Whenever certain client events occur, a time-stamped record is added to the
client_event table:
- CONNECT
- DISCONNECT
- AUTHENTICATE
- FAIL AUTHENTICATION
- FAIL DOMAIN
- CHANGE PASSWORD
These records are purged automatically when older than the value of the
client_event_purge_days system attribute.