.. _users:

**************************************
User Management
**************************************


.. rubric:: In this chapter:

.. contents::
   :local:

.. _predefined-roles:

Predefined Roles
=================================

FindFace Security provides the following predefined roles:

* Administrator has rights to :ref:`manage cameras <cameras>`, events, FindFace Security users, the :ref:`dossier database <guests>`, and full access to all other functions.

  .. important::
     Whatever the role, the first administrator (Super Administrator) cannot be deprived of its rights.

* Operator can create dossiers manually, receive and acknowledge events, and search for faces on the event list. The other data is available read-only. The :ref:`batch dossier creation <bulk-upload>` is unavailable.
* User has a right to receive and acknowledge events, and to search for faces on the event list. The other data is available read-only.

You can change the predefined roles privileges, as well as create various custom roles.

.. _create-role:

Create Custom Role
================================

To create a custom role, do the following:

#. Navigate to the :guilabel:`Preferences` tab. Click :guilabel:`Roles`.
#. Click :guilabel:`+`.

    |create_role_en|

     .. |create_role_en| image:: /_static/create_role_en.png
        :scale: 50%

     .. |create_role_ru| image:: /_static/create_role_ru.png
        :scale: 50%


#. On the :guilabel:`Information` tab, specify the role name.

     |role_information_en|

     .. |role_information_en| image:: /_static/role_information_en.png
        :scale: 60%

     .. |role_information_ru| image:: /_static/role_information_ru.png
        :scale: 60%

#. Click :guilabel:`Save`. You will see additional tabs appear next to the :guilabel:`Information` tab. You can use these tabs to assign the role privileges for specific watch lists (the :guilabel:`Watch Lists` tab) and camera groups (:guilabel:`Camera Groups`), as well as for entire system functions and entities (:guilabel:`Permissions`). 

   .. note::
      For example, if you set ``None`` for a certain camera group on the :guilabel:`Camera Groups` tab, users with this role won't be able to work with **this** very group of cameras. Setting ``None`` for ``cameragroup`` on the :guilabel:`Permissions` tab will prevent users from viewing and working with **all** camera groups.

   .. note::
      The right for an event consists of the rights for a corresponding camera and watch list. To see unmatched events, you only need the rights for a camera.

   The full list of the FindFace Security entities is as follows:
  
   * ``dossierlist``: :ref:`watch list <guests>`
   * ``dossier``: :ref:`dossier <guests>`
   * ``dossierface``: :ref:`photo in a dossier <guests>`
   * ``cameragroup``: :ref:`camera group <cameras>`
   * ``camera``: :ref:`camera <cameras>`
   * ``listevent``: :ref:`event list <events>`
   * ``eventepisode``: :ref:`episodes <episodes>`
   * ``uploadlist``: list of photos in :ref:`batch upload <batch-upload>` 
   * ``upload``: item (photo) in batch photo upload
   * ``user``: :ref:`user <users>`
   * ``webhook``: :ref:`webhook <webhooks>`
   * ``videoarchive``: :ref:`face identification in offline video <offline-video>`
   * ``counter``: :ref:`counters picking statistics on faces and silhouettes <counters>`
   * ``person``: :ref:`person gallery <persons>`

   You can also enable and disable rights for the following functionality:

   * ``configure_sova``: configuration of Sova integration 
   * ``configure_genetec``: configuration of :ref:`Genetec integration <genetec>` 
   * ``configure_ntls``: configuration of the ``findface-ntls`` :ref:`license server <licensing-principles>`
   * ``batchupload_dossier``: :ref:`batch photo upload <batch-upload>`
   * ``view_runtimesetting``: viewing the FindFace Security :ref:`general preferences <settings>`
   * ``change_runtimesetting``: changing the FindFace Security general preferences


     |role_permissions_en|

     .. |role_permissions_en| image:: /_static/role_permissions_en.png
        :scale: 60%

     .. |role_permissions_ru| image:: /_static/role_permissions_ru.png
        :scale: 60%


Primary and Additional User Privileges
========================================

You assign privileges to a user by using roles:

* :guilabel:`Primary role`: main user role, mandatory for assignment. You can assign only one primary role to a user. 
* :guilabel:`Role`: additional user role, optional for assignment. You can assign several roles to one user. The rights associated with the additional roles will be added to the primary privileges. 

All users belonging to a particular primary role automatically get access to camera groups (and cameras within the group) and watch lists (and dossiers assigned to the watchlist) created by a user with the same primary role, subject to the privileges defined by their additional role(s). 

.. seealso::
   :ref:`create-user`


.. _create-user:  

Create User
===============================

To create a user, do the following:

#. Navigate to the :guilabel:`Preferences` tab. Click :guilabel:`Users`.
#. Click :guilabel:`+`.

    |create_user_en|

     .. |create_user_en| image:: /_static/create_user_en.png
        :scale: 50%

     .. |create_user_ru| image:: /_static/create_user_ru.png
        :scale: 50%

#. Specify such user data as name, login and password. If necessary, add a comment.
#. From the :guilabel:`Roles` drop-down menu, select one or several user roles. Set one of them as the :guilabel:`Primary role`.

     |user_en|
 
     .. |user_en| image:: /_static/user_en.png
        :scale: 60%

     .. |user_ru| image:: /_static/user_ru.png
        :scale: 60%


#. Check :guilabel:`Active`.
#. Click :guilabel:`Create`.


Deactivate or Delete User
=========================================

In order to deactivate a user, uncheck :guilabel:`Active` on the user list (:menuselection:`Preferences -> Users`).

To delete a user from FindFace Security, click on the user login on the list. Click :guilabel:`Delete`.

 
Enable Administrator Privileges for System Plugins
======================================================= 

The FindFace Security package incorporates an extensive set of system plugins that provide the following functionality:

* partner integrations,
* management of distributed dossier database,
* log-in through a crypto certificate.

You have to manually enable the system plugins via the ``findface-security`` configuration file. 

By default, the Administrator role is granted no privileges for any of the plugins. To assign relevant privileges to Administrator, do the following:

#. Enable a system plugin in the ``findface-security`` configuration file.
#. Re-migrate the main database architecture from FindFace Security to :program:`PostgreSQL`. 

   .. code::

      sudo findface-security migrate

#. Re-create user groups in the main database.

   .. code::

      sudo findface-security create_groups

#. Restart the ``findface-security`` service.

   .. code::

      sudo systemctl restart findface-security.service