.. _users:

**************************************
Role and User Management
**************************************

.. rubric:: In this chapter:

.. contents::
   :local:

.. _predefined-roles:

Predefined Roles
=================================

FindFace CIBR provides the following predefined roles:

* Administrator is granted full access to the FindFace CIBR functionality, as well as to the integrative and administrative tools.

  .. important:: Whatever the role, the first administrator (Super Administrator) cannot be deprived of its rights.

* Operator is granted full access to the FindFace CIBR functionality.
* User is granted rights to modify their profile and manage cases. The other functions are available read-only.

You can change the privileges of the predefined roles, as well as create various custom roles.

.. _create-role:

Create Custom Role in UI
================================

To create a custom role in the web interface, do the following:

#. Navigate to :guilabel:`Settings` -> :guilabel:`Roles`.
#. Click :guilabel:`+ Add new role`.

   |role_create_en|

   .. |role_create_en| image:: /_static/role_create_en.png
      :scale: 70%

   .. |role_create_ru| image:: /_static/role_create_ru.png
      :scale: 70%

#. On the :guilabel:`Information` tab, specify the role name. Save the role.

   |role_information_en|

   .. |role_information_en| image:: /_static/role_information_en.png
      :scale: 70%

   .. |role_information_ru| image:: /_static/role_information_ru.png
      :scale: 70%

#. After saving the role, you will see the following tabs appear next to the :guilabel:`Information` tab:

   |role_watchlists_en|

   .. |role_watchlists_en| image:: /_static/role_watchlists_en.png
      :scale: 65%

   .. |role_watchlists_ru| image:: /_static/role_watchlists_ru.png
      :scale: 65%

   * :guilabel:`Watch Lists`: role privileges for specific watch lists
   * :guilabel:`Permissions`: role privileges for entire system functions and entities

   Set the role privileges according to your needs.
   Note that there is a distinction between role privileges for a specific watch list and a system entity with the name ``watchlist``. For example, if you set ``Off`` for a certain watch list on the :guilabel:`Watch lists` tab, users with this role won't be able to work with **this** very watch list. Deselecting all checkboxes for the ``watchlist`` entity on the :guilabel:`Permissions` tab will prevent users from viewing and working with **all** watch lists.

   The full list of the FindFace CIBR entities which are used in the current version is as follows:

   * ``all_own_sessions``: all :ref:`sessions ` of the current user on different devices

     .. note:: If relevant permissions for this entity are set, users will be able to view (``view``) and close (``delete``) all their sessions on different devices. Otherwise, users will only be allowed to view and close their session on the current device. Working with sessions takes place on the :guilabel:`Sessions` tab (:guilabel:`Settings`).

   * ``case``: case file
   * ``dailysearchevent``: daily search
   * ``deviceblacklistrecord``: :ref:`blocklist `
   * ``faceobject``: face photo in a :ref:`record `
   * ``group``: :ref:`roles `
   * ``humancard``: :ref:`record of an individual `
   * ``remotemonitoringrecord``: :ref:`remote monitoring `
   * ``report``: :ref:`report `
   * ``searchrequest``: remote search
   * ``upload``: item (photo) in batch photo upload
   * ``uploadlist``: list of photos in batch upload
   * ``user``: :ref:`user `
   * ``videoarchive``: object identification in video files
   * ``watchlist``: :ref:`watch list `

   You can also enable and disable rights for the following functionality:

   * ``batchupload_cards``: :ref:`bulk record upload `
   * ``change_runtimesetting``: changing the FindFace CIBR general settings
   * ``view_auditlog``: viewing and working with the :ref:`audit logs `
   * ``configure_ntls``: configuration of the ``findface-ntls`` :ref:`license server `
   * ``view_runtimesetting``: viewing the FindFace CIBR :ref:`general settings `

#. Save the changes.

Primary and Additional User Privileges
========================================

You can assign privileges to a user by using roles:

* :guilabel:`Primary role`: main user role, mandatory for assignment. You can assign only one primary role to a user.
* An additional user role, optional for assignment. You can assign several roles to one user. The rights associated with the additional roles will be added to the primary privileges.

All users belonging to a particular primary role automatically get access to video archives within the group and watch lists (and records in the watch list) created by a user with the same primary role, subject to the privileges defined by their additional role(s).

.. seealso::

   :ref:`create-user`

.. _create-user:

Create User Account Manually
===============================

To create a user account manually, do the following:

#. Navigate to :guilabel:`Settings` -> :guilabel:`Users`.
#. Click :guilabel:`+ Add new user`.

   |create_user_en|

   .. |create_user_en| image:: /_static/create_user_en.png
      :scale: 60%

   .. |create_user_ru| image:: /_static/create_user_ru.png
      :scale: 60%

#. On the :guilabel:`Information` tab, specify user data such as name, login, and password. If necessary, add a comment.

   .. note:: When setting a password, mind the password requirements:

      * at least 8 characters long
      * not only numerals
      * not within the list of 20000 commonly used passwords
      * not similar to other user attributes
      * only Latin letters, numerals, and special characters are allowed

#. From the :guilabel:`Roles` drop-down menu, select one or several user roles. Set one of them as the :guilabel:`Primary role`.
#. On the :guilabel:`Photos` tab, attach the user's photo(s).
#. Save the user account.

   |user_en|

   .. |user_en| image:: /_static/user_en.png
      :scale: 65%

   .. |user_ru| image:: /_static/user_ru.png
      :scale: 65%

.. _create-role-console:

Work with Roles and Users via Console
=========================================

If the :ref:`predefined roles ` have been removed from the system, use the following command to create them:

.. code::

   sudo docker exec -it findface-cibr-findface-multi-identity-provider-1 /opt/findface-security/bin/python3 /tigre_prototype/manage.py create_groups

To create a user with Super Administrator rights (``superuser``), execute the following command. Note that ``password`` is a required argument:

.. code::

   sudo docker exec -it findface-cibr-findface-multi-identity-provider-1 /opt/findface-security/bin/python3 /tigre_prototype/manage.py create_default_user --password <password>

Deactivate or Delete Users
=========================================

To deactivate a user, move the :guilabel:`Active` slider to the inactive position on the user list (:guilabel:`Settings` -> :guilabel:`Users`).

To deactivate multiple users, select them on the user list and then click :guilabel:`Deactivate selected`.

|delete_user_en|

.. |delete_user_en| image:: /_static/delete_user_en.png
   :scale: 70%

.. |delete_user_ru| image:: /_static/delete_user_ru.png
   :scale: 70%

To delete users from FindFace CIBR, select them on the user list and then click :guilabel:`Delete selected`.
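
The password requirements from the note under *Create User Account Manually* can be checked for a whole batch of accounts before they are entered. The Python code below is an added example, not FindFace CIBR code. The common-password set, the 0.7 similarity limit with its substring test, the reading of "special characters" as ASCII punctuation, and the account fields are assumptions, so the product's own validation may differ in borderline cases.

```python
import string
from difflib import SequenceMatcher

# Constructed stand-in for the 20000-entry list of common passwords (assumption).
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}
# Latin letters, numerals and special characters, read here as ASCII punctuation.
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation)


def similar(password, value, limit=0.7):
    """True if password contains or resembles the attribute (assumed 0.7 limit)."""
    a, b = password.lower(), value.lower()
    return len(b) >= 3 and (
        b in a or SequenceMatcher(None, a, b).ratio() >= limit)


def check_password(password, attributes, common=COMMON_PASSWORDS):
    """Return the list of documented requirements the password violates."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if password.isdigit():
        problems.append("only numerals")
    if password.lower() in common:
        problems.append("commonly used password")
    if any(similar(password, v) for v in attributes if v):
        problems.append("similar to a user attribute")
    if not set(password) <= ALLOWED:
        problems.append("characters outside Latin letters, numerals, specials")
    return problems


def precheck_accounts(accounts):
    """Map login -> violations for every account that would be rejected."""
    report = {}
    for acc in accounts:
        found = check_password(acc["password"], [acc["login"], acc["name"]])
        if found:
            report[acc["login"]] = found
    return report


SAMPLE_ACCOUNTS = [  # constructed accounts for a provisioning dry run
    {"login": "j.doe", "name": "John Doe", "password": "j.doe2024"},
    {"login": "operator7", "name": "Ann Lee", "password": "12345678"},
    {"login": "analyst", "name": "Max Roe", "password": "Пароль-2024!"},
    {"login": "auditor", "name": "Sam Fox", "password": "t9#Vq!rL2mZe"},
]
```
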