Intelligent Roadway Information System
View ➔ System ➔ Users and Roles menu item
IRIS contains a set of user accounts which are allowed to access the system. Each account must be assigned to a specific role. During login, the user account is checked for validity. For a successful login, the user and role must both be enabled. If the user has a distinguished name (dn), then authentication is performed using LDAP. Otherwise, the supplied password is checked against the stored password hash for the account.
| 🔧 Configure | full_name, role |
A network domain uses CIDR to restrict the IP addresses from which a user can connect to IRIS. To log in, a user must be assigned to a matching enabled domain.
A role defines the set of capabilities associated with a user account (any other capabilities will not be available). The default administrator role has capabilities which allow unfettered access to the system. Other roles can be created to allow different capability sets, as needed.
WARNING: if the administrator role or admin user are disabled, the ability to make further changes will be lost immediately.
A capability is a set of privileges which can be associated with roles. It grants all necessary privileges to perform a specific task.
There are typically 3 capabilities for each device type:
- `_tab`: Grant view privileges
- `_control`: Grant control privileges
- `_admin`: Grant administration privileges
Capabilities can be disabled, preventing all users from having access to them.
For example, if a system does not contain any LCS devices, the capability could be disabled, preventing that tab from appearing in the user interface for all users.
base_admin capability can grant access for all IRIS
(NOTE: capabilities are being phased out in favor of permissions)
A privilege grants read or write access to one type of object. There are 5 fields required to fully specify a privilege.
| Field | Description |
|-------|-------------|
| Type | Object type selected from a list of available types |
| Object | A regular expression to match object names. |
| Group | Used to divide objects into related groups. This is an experimental feature intended to replace the object field. NOTE: Write access only. |
| Attribute | Write access to a specific attribute of an object type can be specified with this field. |
| Write | When this checkbox is checked, write access is granted. Otherwise, the privilege grants read access. To be granted write access, a role must also have read access to the object type. |
(NOTE: privileges are being phased out in favor of permissions)
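The privilege rules above (object-name regex, attribute-limited writes, and write requiring read on the object type) and the domain rule from the network domain section, as an added Python model that is not IRIS code; the field defaults, the sample privileges, the object and attribute names, and the reading that an empty attribute means any attribute are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Privilege:
    """One privilege: read or write access to one object type (fields as on this page)."""
    type: str            # object type, e.g. "dms"
    obj: str = ".*"      # regular expression matched against object names
    attr: str = ""       # write access limited to this attribute; "" = any (assumption)
    write: bool = False  # checked box = write access, otherwise read access


def _applies(p: Privilege, obj_type: str, obj_name: str) -> bool:
    return p.type == obj_type and re.fullmatch(p.obj, obj_name) is not None


def has_read(privs, obj_type, obj_name):
    return any(not p.write and _applies(p, obj_type, obj_name) for p in privs)


def has_write(privs, obj_type, obj_name, attr):
    # A write privilege is only effective when the role also has read access
    # to the object type; here that is checked against the same object name.
    if not has_read(privs, obj_type, obj_name):
        return False
    return any(p.write and _applies(p, obj_type, obj_name) and p.attr in ("", attr)
               for p in privs)


def domain_allows(domains, client_ip):
    """domains: (cidr, enabled) pairs; a user needs a matching *enabled* domain."""
    ip = ipaddress.ip_address(client_ip)
    return any(enabled and ip in ipaddress.ip_network(cidr, strict=False)
               for cidr, enabled in domains)


# Constructed sample role: read every DMS, change only msg_user on "V94*" signs,
# and a camera write privilege that is ineffective because no camera read exists.
SAMPLE_PRIVS = [
    Privilege("dms"),
    Privilege("dms", obj=r"V94.*", attr="msg_user", write=True),
    Privilege("camera", write=True),
]
SAMPLE_DOMAINS = [("10.0.0.0/8", True), ("192.168.1.0/24", False)]

if __name__ == "__main__":
    print(has_write(SAMPLE_PRIVS, "dms", "V94E01", "msg_user"))   # True
    print(has_write(SAMPLE_PRIVS, "camera", "C123", "publish"))   # False
    print(domain_allows(SAMPLE_DOMAINS, "192.168.1.5"))           # False
```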
Whenever certain client events occur, a time-stamped record is added to the
- FAIL AUTHENTICATION
- FAIL DOMAIN
- CHANGE PASSWORD
These records are purged automatically when older than the value of the client_event_purge_days system attribute.