Authentication and User Management

Authentication

Users will be asked to authenticate when accessing server content from within web pages and applications. Upon authentication a connection token is stored locally on the device that accessed the server. Tokens keep the need to re-authenticate to a minimum. If server content has not been accessed for some time on a device the token expires and the user will need to re-authenticate to refresh the token.

Nucleus Web Login

User Management

This topic is relevant if you decide to share your server.

UI

Click the “User Management” toggle to access user accounts and groups.

Nucleus Web User Management Toggle

Select a user in the list (#1) to manage the account in the details panel (#2).

Nucleus Web User Management Mode

Register Account

The easiest way to add users to your server is to share it and provide them with a link to the server.

Once users can access your server they can join by clicking the “Create Account” button.

Nucleus Web Login

Create Account & Invite User

An administrator can create accounts and invite users to join a server:

  1. Make sure the server is shared.

  2. Activate the “User Management” mode.

  3. Right-click in the users listing and choose “Create User” from the context menu.

  4. Once the user is created click the “Invite user” button in the details panel. A link to a registration page will be copied to the clipboard. Anyone with the link can access the registration page so send the link in a private message to the user.

The link will take the user to a login page where a password can be set.

Nucleus Web Invited User Login

Known Issues

Assigning a user to groups prior to inviting the user enables the administrator to control how the user is able to access content upon joining the server. With this version of Nucleus there is a known issue with that approach:

If an administrator creates a new user and assigns this user to a group before the user has authenticated once, the administrator will also have to manually assign this user to the “users” group. Failing to do so will result in the user not seeing any contents on your shared server.

To work around the issue:

  1. Navigate to User Management.

  2. Select the “Users” item.

  3. In the list of users - select the user you created.

  4. In the pane on the right displaying the user details, locate the “Assigned Groups” section.

  5. Enter “users” in the “Add group” field and click the plus sign.

This will allow the user to see contents on the server.

Note

This problem can easily be avoided by creating the user and allowing them to log in prior to adding them to additional groups.

Admins can generate invite and file URLs for other users to open. There is a known issue with this:

Invite/file URLs generated in localhost:8080 cannot be opened by non-local users. If they try to open these URLs from their own machines, they will not work.

To workaround the issue:

  1. In a web browser, admin connects to <server IP address>:8080 instead of localhost:8080

  2. Generate the URL; “Copy URL” for files and folders, or “Invite User” from within User Management

This will generate a link that non-local users can open.

Reset Password

If a user forgets the password (or just wants to change it) an administrator can generate a link by using the “Reset password” button. This works the same as the invitation process: the user will be taken to a page where a new password can be set and then access the server again.

Anyone with the link can access the password reset page so send the link in a private message to the user.

Grant Admin Access

Having admin access means having full access to all content and being able to access User Management features.

Use the “Grant admin access” button in the account details panel to grant or revoke this level of access.

Enable/Disable Account

When account should no longer have access it can be disabled. File metadata will still indicate the user as the creator or most recent user to have modified a file where applicable.

Should the account need to be accessed again it can be re-enabled.

  1. Select the user in the “Users” listing.

  2. Toggle the enabled state with the “Disable”/”Enable” button.

User Groups

Many users can be combined into groups. This is especially helpful when managing permissions.

Create Group

Right click on “Groups” and select “Add Group” in the context menu. Provide a name.

Nucleus Web Groups

Modify Group Membership

New groups are empty. Select the group and start typing the name of a user in the Add User field in the detail panel. A list will appear. Select a user and click the plus/add button in the field.

Remove a user by clicking the delete icon next to the username in the “Assigned Users” list.

Nucleus Web Modify Group

Restore Access

Use these options if the administrator of a workstation server loose access by forgetting the password.

Ask Other Admin for Help

One admin can reset the password for another admin. This is by far the easiest way to restore access: Reset Password

Use a System Account

  1. Locate the Nucleus installation directory. If Nucleus was installed via the Omniverse Launcher then look at the Launcher’s “Settings” window and the “Library” path.

  2. Once in the installation directory, browse for “collaboration/nucleus-workstation [version]/Auth/configs/users.default.json”.

  3. Open this file in a text editor and look at the list of credentials. Try using the credentials to gain access and then reset the “admin” account password in the browser.

Deleting Auth Database

Warning: Using this method could result in data loss. Use this only as a last resort. Make sure all other options have been exhausted first.

See Auth Database Management first to be familiar with the database.

On Workstation
  1. Use the System Monitor to stop the “Nucleus” and “Auth” service.

  2. Locate the Launcher data folder. This is available in the Launcher’s “Settings” window.

  3. Once in the data folder, locate the file ./data/Auth/db.sqlite.
    1. Make a backup.

    2. Delete the original file.

  4. Use the System Monitor to start the Nucleus and Auth service.

  5. At this point the admin account should be have its default admin password again.

  6. Verify that other accounts are able to access the server as before.

In Docker
  1. Locate, back up (if desired), and delete the database.

  2. At this point the omniverse account should have it’s default password as provided during the installation process.

Auth Database Management

The database with all the user accounts is managed by Nucleus Authentication Service. It contains all accounts and credentials.

Groups memberships are managed and stored by Nucleus Core.

Depending on the type of installation, the files will be located in:

  • For Workstation installs, in the Auth subdir under the data directory

  • For Docker installs, in the local-accounts-db subdir of the data directory