13. Managing users

User roles in DynFi control what users are allowed to do.

13.1. Admin role

Each DynFi instance can contain many user roles and has the admin role. The admin role is always present and cannot be deleted or renamed. Users assigned to the admin role can perform any kind of action in DynFi; only custom device groups can limit the devices they can access (see Device groups for more details).

13.2. Custom role(s)

Custom user roles can be added in DynFi when needed. To create a new user group, the user needs to have the proper privilege. A new group needs a unique name.

Each user role can have many privileges; at least one privilege is required for each role.

When one user is assigned to many roles, the permissions are additive. This means that each role is a set of permissions and the user is granted the sum of all permissions. DynFi does not support subtractive/negative permissions.

Note

Be careful when assigning users to roles that have the permission “Change any password” enabled: users assigned to such a role can change the passwords of other users and effectively gain control of their accounts.

13.3. Assigning users to roles

Users can be assigned to many roles, including the admin role; each account requires at least one role at all times. Roles can be assigned when the user account is created or later in the edit user form. Logged-in users cannot grant other users roles that are not assigned to their own account. Therefore it might be important to keep at least one user in the system with the role admin.

13.4. Device Groups vs. User Roles

Please see Device groups vs. user roles.

13.5. Managing user roles

To start managing user roles (which requires proper privileges), the user needs to select the “people” icon on the right side of the top menu and then select the “Manage roles” submenu, as shown below:

Figure: Opening user roles management

13.6. Resetting user accounts

The easiest approach to resetting a user account is to ask another user who has sufficient privileges, e.g. one assigned to the admin role and the ALL device group.

However, it might happen that the password of the user account(s) with the admin role and the ALL device group is forgotten, or that such account(s) have been “degraded” somehow. DynFi provides a fallback mechanism available through the CLI (Command Line Interface). Before proceeding with the procedure, it is important to know the login or e-mail address of the user account to reset and the location of the DynFi JAR file.

Note

If DynFi has been installed using the official APT repository (as described in Installing DynFi on Ubuntu), then the DynFi JAR file can be found in the directory /usr/share/dynfi/lib.

13.6.1. Resetting user’s password in CLI

To reset a user’s password in the CLI, run the following command:

java -jar /path/to/dynfi-version.jar resetPassword --user username [--config /path/to/custom/dynfi.config] [--password newPassword]

The --user parameter requires the user’s unique login or e-mail address. Additionally, the path to a custom config file can be provided (if the default file is meant to be skipped) using the --config parameter. By default the new password is read in interactive mode. To skip that (although it is not recommended), it is possible to use the “batch” mode and provide the new password using the --password parameter. When using the --password parameter, please make sure the password is not saved in your CLI history.
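
One way to check a shell history file for passwords left behind by the “batch” mode described above. This is an added example, not part of DynFi or its documentation: the function names scan_history and demo, the sample history lines and the handling of a --password=value spelling are assumptions.

```shell
#!/bin/sh
# Added example, not DynFi code: find shell-history entries where a DynFi
# resetPassword command carried the new password on the command line.

# scan_history FILE
# Prints "FILE:LINE: command" for each hit, with the password redacted.
# Returns 0 if hits were found, 1 if none, 2 if FILE cannot be read.
scan_history() {
    [ -r "$1" ] || return 2
    awk -v f="$1" '
        # "--password value" is the form shown in the DynFi docs; the
        # "--password=value" spelling is matched too (assumption).
        /resetPassword/ && /--password[ \t=]/ {
            line = $0
            # zsh extended history stores ": <epoch>:<duration>;command"
            sub(/^: [0-9]+:[0-9]+;/, "", line)
            # Redact to end of line: a quoted value may contain spaces.
            sub(/--password[ \t=].*$/, "--password <redacted>", line)
            printf "%s:%d: %s\n", f, NR, line
            hits++
        }
        END { exit (hits > 0 ? 0 : 1) }
    ' "$1"
}

# demo: run the scan over constructed sample history lines (not real data).
demo() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
cd /usr/share/dynfi/lib
java -jar /path/to/dynfi-version.jar resetPassword --user alice
java -jar /path/to/dynfi-version.jar resetPassword --user bob --password Example-1
: 1700000000:0;java -jar /path/to/dynfi-version.jar resetPassword --user carol --password "two words"
java -jar /path/to/dynfi-version.jar resetPrivileges --user alice
EOF
    rc=0
    scan_history "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: script --demo, or script /path/to/history/file
case "${1:-}" in
    --demo) demo ;;
    "") ;;
    *) scan_history "$1" ;;
esac
```

A password that the scan reports has been written to disk in clear text, so reset it again in interactive mode and remove the entry from the history file.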

13.6.2. Resetting user’s roles and device groups in CLI

To assign the user’s account to the admin group and permit managing the ALL device group in the CLI, run the following command:

java -jar /path/to/dynfi-version.jar resetPrivileges --user username [--config /path/to/custom/dynfi.config]

The --user parameter requires the user’s unique login or e-mail address. Additionally, the path to a custom config file can be provided (if the default file is meant to be skipped) using the --config parameter.