IRIS
Intelligent Roadway Information System
User Roles
Select View ➔ System ➔ Users and Roles menu item
IRIS contains a set of user accounts which are allowed to access the system. Each account must be assigned to a specific role. During login, the user account is checked for validity. For a successful login, the user and role must both be enabled. If the user has a distinguished name (dn), then authentication is performed using LDAP. Otherwise, the supplied password is checked against the stored password hash for the account.
API Resources
iris/api/user
iris/api/user/{name}
| Access       | Minimal         |
|--------------|-----------------|
| Read Only    | name            |
| 💡 Manage    | enabled         |
| 🔧 Configure | full_name, role |
Domains
A network domain uses CIDR to restrict the IP addresses from which a user can connect to IRIS. To log in, a user must be assigned to a matching enabled domain.
Roles
A role defines the set of capabilities associated with a user account (any other capabilities will not be available). The default roles are `administrator` and `operator`. The `administrator` role has capabilities which allow unfettered access to the system. Other roles can be created to allow different capability sets, as needed.
WARNING: if the administrator role or admin user are disabled, the ability to make further changes will be lost immediately.
API Resources
iris/api/role
iris/api/role/{name}
| Access    | Minimal |
|-----------|---------|
| Read Only | name    |
| 💡 Manage | enabled |
Capabilities
A capability is a set of privileges which can be associated with roles. It grants all necessary privileges to perform a specific task.
There are typically 3 capabilities for each device type:
- `_tab` — Grant view privileges
- `_control` — Grant control privileges
- `_admin` — Grant administration privileges
Capabilities can be disabled, preventing all users from having access to them.
For example, if a system does not contain any LCS devices, the `lcs_tab` capability could be disabled, preventing that tab from appearing in the user interface for all users.
WARNING: the `base_admin` capability can grant access for all IRIS functions.
(NOTE: capabilities are being phased out in favor of permissions)
Privileges
A privilege grants read or write access to one type of object. There are 5 fields required to fully specify a privilege.
| Field     | Description |
|-----------|-------------|
| Type      | Object type selected from a list of available types |
| Object    | A regular expression to match object names. |
| Group     | Used to divide objects into related groups. NOTE: Write access only. |
| Attribute | Write access to a specific attribute of an object type can be specified with this field. |
| Write     | When this checkbox is checked, write access is granted. Otherwise, the privilege grants read access. To be granted write access, a role must also have read access to the object type. |
(NOTE: privileges are being phased out in favor of permissions)
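The login rules (user and role both enabled, client address inside an enabled assigned domain) and the read/write privilege rule above, modelled in Python as an added example; this is not IRIS code, and all users, roles, domains and privileges are constructed. It treats the Object field as a full-match regular expression and omits the Group and Attribute fields.

```python
import ipaddress
import re

# Constructed sample data (hypothetical, not from a real IRIS database).
DOMAINS = {"hq": ("10.20.0.0/16", True), "vpn": ("192.168.5.0/24", False)}
ROLES = {"operator": True, "retired": False}          # name -> enabled
USERS = {                                              # name -> (role, enabled, domains)
    "alice": ("operator", True, ["hq", "vpn"]),
    "bob": ("retired", True, ["hq"]),
    "carol": ("operator", False, ["hq"]),
}
# Privileges: (role, object type, object-name regex, write flag)
PRIVILEGES = [
    ("operator", "dms", ".*", False),
    ("operator", "dms", "V94.*", True),
    ("operator", "camera", ".*", False),
]


def login_allowed(user: str, src_ip: str) -> bool:
    """User and role must both be enabled, and the client address must
    fall inside an enabled domain assigned to the user."""
    if user not in USERS:
        return False
    role, enabled, domains = USERS[user]
    if not enabled or not ROLES.get(role, False):
        return False
    addr = ipaddress.ip_address(src_ip)
    for name in domains:
        cidr, dom_enabled = DOMAINS[name]
        if dom_enabled and addr in ipaddress.ip_network(cidr):
            return True
    return False


def has_access(role: str, obj_type: str, obj_name: str, write: bool) -> bool:
    """Read needs a read privilege for the type whose regex matches the
    object name; write additionally needs a matching write privilege."""
    def matches(priv, want_write):
        r, t, pattern, w = priv
        return (r == role and t == obj_type and w == want_write
                and re.fullmatch(pattern, obj_name) is not None)

    can_read = any(matches(p, False) for p in PRIVILEGES)
    if not write:
        return can_read
    # Write is only granted when read access to the type is also held.
    return can_read and any(matches(p, True) for p in PRIVILEGES)
```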
Events
Whenever certain client events occur, a time-stamped record is added to the `client_event` table:
- CONNECT
- DISCONNECT
- AUTHENTICATE
- FAIL AUTHENTICATION
- FAIL DOMAIN
- CHANGE PASSWORD
These records are purged automatically when older than the value of the `client_event_purge_days` system attribute.