Intelligent Roadway Information System

User Roles

Select View ➔ System ➔ Users and Roles menu item

IRIS contains a set of user accounts which are allowed to access the system. Each account must be assigned to a specific role. During login, the user account is checked for validity. For a successful login, the user and role must both be enabled. If the user has a distinguished name (dn), then authentication is performed using LDAP. Otherwise, the supplied password is checked against the stored password hash for the account.

API Resources 🕵️
  • iris/api/user_id
  • iris/api/user_id/{name}
Access Primary Secondary
👁️ View name
💡 Manage enabled
🔧 Configure full_name, role dn


A network domain uses CIDR to restrict the IP addresses from which a user can connect to IRIS. To log in, a user must be assigned to a matching enabled domain.


A role defines the set of capabilities associated with a user account (any other capabilities will not be available). The default roles are administrator and operator. The administrator role has capabilities which allow unfettered access to the system. Other roles can be created to allow different capability sets, as needed.

WARNING: if the administrator role or admin user are disabled, the ability to make further changes will be lost immediately.

API Resources 🕵️
  • iris/api/role
  • iris/api/role/{name}
Access Primary
👁️ View name
💡 Manage enabled


A capability is a set of privileges which can be associated with roles. It grants all necessary privileges to perform a specific task.

There are typically 3 capabilities for each device type:

Capabilities can be disabled, preventing all users from having access to them. For example, if a system does not contain any LCS devices, the lcs_tab capability could be disabled, preventing that tab from appearing in the user interface for all users.

WARNING: the base_admin capability can grant access for all IRIS functions.

(NOTE: capabilities are being phased out in favor of permissions)


A privilege grants read or write access to one type of object. There are 5 fields required to fully specify a privilege.

Field Description
Type Object type selected from a list of available types
Object A regular expression to match object names.
Group Used to divide objects into related groups. NOTE: Write access only.
Attribute Write access to a specific attribute of an object type can be specified with this field.
Write When this checkbox is checked, write access is granted. Otherwise, the privilege grants read access. To be granted write access, a role must also have read access to the object type.

(NOTE: privileges are being phased out in favor of permissions)


Whenever certain client events occur, a time-stamped record is added to the client_event table:

These records are purged automatically when older than the value of the client_event_purge_days system attribute.