Skip to main content
Version: 4.5.x LTS

Managing Users and Groups via REST

Introduction

In nevisAdmin 4, it is possible to restrict access to various functions by defining permissions for users and groups of users. Users and groups can be configured in two ways:

  • Via the file-based REST API. This is the recommend approach, see below for further information.
  • Via the low-level REST API, see Managing in

When using [Active Directory Integration], users and their group memberships are retrieved from Active Directory. In nevisAdmin 4, you then only have to specify the mapping between Active Directory groups and nevisAdmin 4 groups. This is documented below.

You can manage project- and inventory-level permissions in the GUI, see Editing Project Permissions. There is currently no GUI support for managing users and groups or for setting tenant-level permissions.

User Types

Users in nevisAdmin 4 can be of two types: ldapor local.

  • LDAP users: Users that were created from a successful authentication against an LDAP directory, such as Active Directory.
  • Local users: Users that were created via file or via the low-level REST API.

Groups

The purpose of having groups is to manage permissions in an easier way.

Instead of assigning permissions to users in

Groups can be used to model roles. As a simple example, create the groups DEVELOPERS and OPERATORS:

  • Give the DEVELOPERS permission to modify projects and deploy to development inventories.
  • Give the OPERATORS permission to modify and deploy to production inventories.

Managing Users and Groups via File

Via REST API you can get a file containing all the local users and groups within nevisAdmin 4. With this file you can modify existing groups and users, delete them, create new ones and add or remove permissions to them. The file also eases setting permissions from user and group perspective. Permissions are set by user or group, not by project or inventory.

To manage permissions from project or inventory perspective, see Editing Project Permissions]File Format

The inventory file uses YAML syntax. To get familiar with the YAML syntax, use one of the many tutorials available online.

In YAML, indentation is a crucial part of the syntax and is done with spaces. If tab stops are used, this leads to syntax errors in YAML.

The file is

File sections

localUsers:
  <user 1>
  <user 2>
  ...

groups:
  <group 1>
  <group 2>
  ...

localUsers

In the example below, you can see how to define a user within the localUsers list:

User example

john:
  email: [email protected]
  givenName: John
  familyName: Doe
  password: mysecretpassword
  globalPermissions:
    - "VIEW_PROJECT"
  tenantPermissions:
    DEV:
      - "MODIFY_PROJECT"
  projectPermissions:
    DEV-SIVEN-MASTER:
      - "ADMIN_PROJECT"
  inventoryPermissions:
    DEV-SIVEN-INVENTORY:
      - "DEPLOY_INVENTORY"

These are the possible attributes that you can define for a user:

  • userKey:

  • email:

  • givenName:

  • familyName:

  • password:

  • globalPermissions:

  • tenantPermissions:

  • projectPermissions:

  • inventoryPermissions:

And these are the actions you can perform with the list of users:

  • Create user: Adds a new user to the list and uploads the file again. Set the password to the new user to create it successfully.
  • Update user: Modifies the values of a user from the list and uploads the file again.
  • Change password of user: Adds the password attribute with the value of the new password to an already existing user and uploads the file again.
  • Delete user: Removes the whole a user from the list and uploads the file again with the identityDeletion parameter set to true.
  • Add permission to user: Adds a permission to a user from the list and uploads the file again.
  • Delete permission from user: Removes a permission from a user in the list and uploads the file again.

groups

In the example below, you can see how a group from the groupslist should look in the file:

Group example

DEVS:
  description: "Group of developers"
  ldapDNs:
    - "ou=admin4-devs,o=Siven,c=ch"
  localUsers:
    - "john"
  globalPermissions:
    - "VIEW_PROJECT"
    - "VIEW_INVENTORY"
  tenantPermissions:
    DEV:
      - "CREATE_PROJECT"
      - "CREATE_INVENTORY"
  projectPermissions:
    DEV-SIVEN-MASTER:
      - "MODIFY_PROJECT"
  inventoryPermissions:
    DEV-SIVEN-INVENTORY:
      - "DEPLOY_INVENTORY"

These are the possible attributes that you can define for a group:

  • groupKey:

  • description:

  • ldapDNs:

  • localUsers:

  • globalPermissions:

  • tenantPermissions:

  • projectPermissions:

  • inventoryPermissions:

And these are the actions you can perform with the list of groups:

  • Create group: Adds new group to the list and uploads the file again.
  • Update a group: Modifies the values of a group from the list and uploads the file again.
  • Add user to group: Adds a new userKey to the localUsers list of a group list and uploads the file again.
  • Delete user from group: Removes a userKey from the localUsers list of a group and uploads the file again.
  • Delete group: Removes the whole a group from the list and uploads the file again with the identityDeletion parameter set to true.
  • Add permission to group: Adds a permission to a group from the list and uploads the file again.
  • Delete permission from group: Removes a permission from a group in the list and uploads the file again.

Permissions Table

The table below lists all permissions that are supported by nevisAdmin 4, and the scope for which they are valid (global, tenant, project or inventory).

PermissionScope
SUPER_ADMINGlobal
ADMIN_TENANTGlobal, tenant
CREATE_PROJECTGlobal, tenant
CREATE_INVENTORYGlobal, tenant
VIEW_PROJECTGlobal, tenant, project
MODIFY_PROJECTGlobal, tenant, project
ADMIN_PROJECTGlobal, tenant, project
VIEW_INVENTORYGlobal, tenant, inventory
MODIFY_INVENTORYGlobal, tenant, inventory
ADMIN_INVENTORYGlobal, tenant, inventory
DEPLOY_INVENTORYGlobal, tenant, inventory

Configuring Additional Administrator Users

The default adminaccount has all the permissions from the table above as global permissions. You can grant the same permissions to other users or to a group.

Here is an example configuration snippet for a group called ADMINS, which contains users that are memberOf the LDAP group admin4-admins:

ADMINS:
  description: "Group of administrators"
  ldapDNs:
    - "ou=admin4-admins,o=Siven,c=ch"
  globalPermissions:
    - "SUPER_ADMIN"  
    - "ADMIN_INVENTORY"
    - "ADMIN_PROJECT"
    - "ADMIN_TENANT"
    - "CREATE_INVENTORY"
    - "CREATE_PROJECT"
    - "DEPLOY_INVENTORY"
    - "MODIFY_INVENTORY"
    - "MODIFY_PROJECT"
    - "VIEW_INVENTORY"
    - "VIEW_PROJECT"

It is technically possible to delete the default local admin user. We do not recommend this, because this user may be useful in the future to 'rescue' your installation, for example if LDAP authentication stops working or if, for some reason, permissions were wrongly set.

Instead, we recommend you to completely rely on Active Directory for instructions.

Downloading and Uploading the File via REST

Suggested workflow

  1. Download the file.
  2. Modify the just downloaded file.
  3. After finishing your modifications, upload the file back to nevisAdmin 4.

To prevent losing any user or group data, working this way is highly recommended. Old files will most probably contain outdated data of users and groups. Therefore, uploading such a file will end up in unwanted changes (for example, users and groups data updated with old values or permissions removed and added wrongly). Applying the changes to a recently downloaded version of the file and uploading the file right after finishing the modification will prevent such unintended changes.

Execute the following steps to to work with the file containing the users and groups within nevisAdmin 4:

  1. Log in to get the authentication token.

Preparation: Login to get authentication token

export NEVISADMIN_URL=http://localhost:9080
export ADMIN_USER=admin
export ADMIN_PASSWORD=admin
# for https, you can add the -k flag to all curl commands to skip certificate verification
export AUTH_RESPONSE=$(curl -v -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d "{\"userKey\":\"${ADMIN_USER}\",\"password\":\"${ADMIN_PASSWORD}\"}" "$NEVISADMIN_URL/nevisadmin/api/v1/login?tokenType=bearer")
export TOKEN=$(echo $AUTH_RESPONSE | sed -nE 's/.*"token" : "(.*)" }/\1/p')
  1. Download the file.

Get users and groups file

curl --header "Accept: text/yaml" --header "Authorization: Bearer $TOKEN" --request GET $NEVISADMIN_URL/nevisadmin/api/v1/identities -o identities.yml
  1. Modify the file.
  2. Upload the file back to nevisAdmin 4 (change IDENTITY_DELETION to 'true' to allow deletion of users and groups missing in the file):

Upload users and groups file

export FILE_NAME=identities.yml
export FILE_PATH=C:/Users/john/Desktop/MyFolder/$FILE_NAME
export IDENTITY_DELETION=false
curl --header "Content-Type: multipart/form-data" --header "Authorization: Bearer $TOKEN" --request PUT -F "yamlFile=@$FILE_PATH" $NEVISADMIN_URL/nevisadmin/api/v1/identities?identityDeletion=$IDENTITY_DELETION