.. _RST_Authentication_And_User_Management:

Authentication and User Management
==================================

Authentication
--------------

Users will be asked to authenticate when accessing server content from within web pages and applications. Upon authentication a *connection token* is stored locally on the device that accessed the server.

Tokens keep the need to re-authenticate to a minimum. If server content has not been accessed for some time on a device, the token expires and the user will need to re-authenticate to refresh the token.

.. image:: /content/images/nucleus_web_auth_login.png
    :align: center
    :alt: Nucleus Web Login

User Management
---------------

This topic is relevant if you decide to :doc:`share your server <../workstation/usage>`.

.. _RST_User_Management_UI:

UI
^^

Click the "User Management" toggle to access user accounts and groups.

.. image:: /content/images/nucleus_web_usermgmt_btn.png
    :align: center
    :alt: Nucleus Web User Management Toggle

Select a user in the list (#1) to manage the account in the details panel (#2).

.. image:: /content/images/nucleus_web_usermgmt_mode.png
    :align: center
    :alt: Nucleus Web User Management Mode

Register Account
^^^^^^^^^^^^^^^^

The easiest way to add users to your server is to :doc:`share it <../workstation/usage>` and provide them with a link to the server. Once users can access your server they can join by clicking the "Create Account" button.

.. image:: /content/images/nucleus_web_auth_login.png
    :align: center
    :alt: Nucleus Web Login

Create Account & Invite User
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

An administrator can create accounts and *invite* users to join a server:

1. Make sure the server is :doc:`shared <../workstation/usage>`.
2. Activate the "User Management" mode.
3. Right-click in the users listing and choose "Create User" from the context menu.
4. Once the user is created click the "Invite user" button in the details panel. A link to a registration page will be copied to the clipboard.

Anyone with the link can access the registration page, so send the link in a private message to the user. The link will take the user to a login page where a password can be set.

.. image:: /content/images/nucleus_web_auth_new_user_login.png
    :align: center
    :alt: Nucleus Web Invited User Login

Known Issues
""""""""""""

Assigning a user to groups prior to inviting the user enables the administrator to control how the user is able to access content upon joining the server. With this version of |nuc_short| there is a known issue with that approach:

If an administrator creates a new user and assigns this user to a group *before the user has authenticated once*, the administrator will also have to manually assign this user to the "users" group. Failing to do so will result in the user not seeing any contents on your shared server.

To work around the issue:

1. Navigate to User Management.
2. Select the "Users" item.
3. In the list of users, select the user you created.
4. In the pane on the right displaying the user details, locate the "Assigned Groups" section.
5. Enter "users" in the "Add group" field and click the plus sign.

This will allow the user to see contents on the server.

.. Note::
    This problem can easily be avoided by creating the user and allowing them to log in prior to adding them to additional groups.

Admins can generate invite and file URLs for other users to open. There is a known issue with this:

Invite/file URLs generated in localhost:34080 cannot be opened by non-local users. If they try to open these URLs from their own machines, they will not work.

To work around the issue:

1. In a web browser, admin connects to **:34080** instead of localhost:34080.
2. Generate the URL; "Copy URL" for files and folders, or "Invite User" from within User Management.

This will generate a link that non-local users can open.

.. _RST_Auth_Reset_Password:

Reset Password
^^^^^^^^^^^^^^

If a user forgets the password (or just wants to change it) an administrator can generate a link by using the "Reset password" button. This works the same as the invitation process: the user will be taken to a page where a new password can be set and then access the server again.

Anyone with the link can access the password reset page, so send the link in a private message to the user.

.. _RST_Grant_Admin_Access:

Grant Admin Access
^^^^^^^^^^^^^^^^^^

Having admin access means having full access to all content and being able to access User Management features. Use the "Grant admin access" button in the account details panel to grant or revoke this level of access. This

Enable/Disable Account
^^^^^^^^^^^^^^^^^^^^^^

When an account should no longer have access, it can be disabled. File metadata will still indicate the user as the creator or most recent user to have modified a file where applicable. Should the account need to be accessed again, it can be re-enabled.

1. Select the user in the "Users" listing.
2. Toggle the enabled state with the "Disable"/"Enable" button.

.. _RST_User_Management_User_Groups:

User Groups
^^^^^^^^^^^

Many users can be combined into groups. This is especially helpful when :doc:`managing permissions `.

.. note::
    The GM Group "General Management" is the group to which all users with Administrator-level permissions are added. This group is created automatically, and these users will have the ability to:

    * Add and remove users from Nucleus
    * Create, Delete, and Modify User Groups on Nucleus
    * Modify ACLs on any path on Nucleus
    * Delete, Rename or Move any path on Nucleus
    * Create root level directories or files on Nucleus

Create Group
""""""""""""

Right-click on "Groups" and select "Add Group" in the context menu. Provide a name.

.. image:: /content/images/nucleus_web_user_groups.png
    :align: center
    :alt: Nucleus Web Groups

Modify Group Membership
"""""""""""""""""""""""

New groups are empty.
Select the group and start typing the name of a user in the *Add User* field in the detail panel. A list will appear. Select a user and click the *plus*/*add* button in the field.

Remove a user by clicking the delete icon next to the username in the "Assigned Users" list.

.. image:: /content/images/nucleus_web_modify_group.png
    :align: center
    :alt: Nucleus Web Modify Group

Restore Access
^^^^^^^^^^^^^^

Use these options if the administrator of a workstation server loses access by forgetting the password.

Ask Other Admin for Help
""""""""""""""""""""""""

One admin can reset the password for another admin. This is by far the easiest way to restore access: :ref:`RST_Auth_Reset_Password`

Use a System Account
""""""""""""""""""""

1. Locate the |nuc_short| installation directory. If |nuc_short| was installed via the Omniverse Launcher then look at the Launcher's "Settings" window and the "Library" path.
2. Once in the installation directory, browse for "collaboration/nucleus-workstation [version]/Auth/configs/users.default.json".
3. Open this file in a text editor and look at the list of credentials. Try using the credentials to gain access and then reset the "admin" account password in the browser.

Deleting Auth Database
""""""""""""""""""""""

**Warning:** Using this method could result in data loss. **Use this only as a last resort.** Make sure all other options have been exhausted first.

See :ref:`Auth_Database_Management` first to be familiar with the database.

On Workstation
++++++++++++++

#. Use the System Monitor to stop the "Nucleus" and "Auth" service.
#. Locate the Launcher data folder. This is available in the Launcher's "Settings" window.
#. Once in the data folder, locate the file ``./data/Auth/db.sqlite``.
#. Make a backup.
#. Delete the original file.
#. Use the System Monitor to start the ``Nucleus`` and ``Auth`` service.
#. At this point the ``admin`` account should have its default ``admin`` password again.
#. Verify that other accounts are able to access the server as before.

In Enterprise
+++++++++++++

#. :ref:`Locate `, back up (if desired), and delete the database.
#. At this point the ``omniverse`` account should have its default password as provided during the :doc:`installation <../enterprise/installation/planning>` process.

.. _Auth_Database_Management:

Auth Database Management
------------------------

The database with all the user accounts is managed by |nuc_short| Authentication Service. It contains all accounts and credentials. Group memberships are managed and stored by |nuc_short| Core.

Depending on the type of installation, the files will be located in:

* For :doc:`Workstation <../workstation/installation>` installs, in the ``Auth`` subdir under the data directory
* For :doc:`Enterprise <../enterprise/installation/planning>` installs, in the ``local-accounts-db`` subdir of the data directory
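The "make a backup, then delete" steps for ``./data/Auth/db.sqlite`` from the Workstation procedure above, as an added shell example that is not part of the original documentation. It assumes the "Nucleus" and "Auth" services are already stopped; the function name, the backup directory layout and the handling of SQLite ``-wal``/``-shm`` sidecar files are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Nucleus documentation).
# Usage: backup_and_remove_auth_db <launcher-data-folder> <backup-dir>
# Prints the directory that now holds the verified backup.
backup_and_remove_auth_db() {
    data_folder=$1
    backup_dir=$2
    db="$data_folder/data/Auth/db.sqlite"   # path given in the Workstation steps

    if [ ! -f "$db" ]; then
        echo "no auth database at $db" >&2
        return 1
    fi

    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$backup_dir/auth-db-$stamp"       # hypothetical naming scheme
    # The database holds all accounts and credentials: make the backup
    # directory owner-only without changing the caller's umask.
    ( umask 077 && mkdir -p "$dest" ) || return 1

    # Copy the database and any SQLite sidecar files that happen to exist
    # (whether the Auth service uses WAL mode is an assumption).
    for f in "$db" "$db-wal" "$db-shm"; do
        [ -f "$f" ] || continue
        copy="$dest/$(basename "$f")"
        cp -p "$f" "$copy" || return 1
        chmod 600 "$copy" || return 1
        # Refuse to delete anything unless the copy is byte-identical.
        cmp -s "$f" "$copy" || {
            echo "backup of $f does not match; nothing deleted" >&2
            return 1
        }
    done

    # Every copy verified: only now remove the originals.
    rm -f "$db" "$db-wal" "$db-shm" || return 1
    echo "$dest"
}
```

Keep the printed backup directory until the last step of the procedure (other accounts can still access the server) has been confirmed.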