Node Permissions and Users
User Permissions
Interactions with the Nerve node are governed by statically defined permissions. The predefined permissions ensure that authenticated users are restricted to authorized information and actions only.
| Permission | Description |
|---|---|
| Admin | The node admin has full control on all functions available on the Local UI. |
| Node Viewer | Grants solely view permissions to all dashboards in the Local UI. No other interaction is possible with the node. |
| Remote Connection Controller | This permissions grants viewer access to all dashboards in the Local UI. It also allows the management and usage of configured Remote Connections. |
Users must have at least one permission granted to access to the Local UI. The assignment of these permissions to a user is done only in a Management System. Please refer to Assigning a role to a user for this purpose.
User Accounts
In addition to the Default User Accounts, Management System users can be assigned predefined node permissions. Depending on the assigned permissions, users can operate specific functions on onboarded nodes using their individual credentials, streamlining workflows and enhancing efficiency.
Management System users
At login attempt of a Management System user into the Local UI of an onboarded and online Nerve node, the user credentials are checked against the Management System the node is onboarded to. Once a user has logged into the Local UI, the user credentials are stored in a node local user cache to allow login even when the node is offline.
Note
Users with the default "Admin" role in the Management System are automatically granted "Admin" permissions for Nerve nodes.
Users with the default "User" role in the Management System are automatically granted "Viewer" permissions for Nerve nodes, unless the role was modified on the Management System.
Note
When a user with Node Admin permissions logs in to the node for the first time using the user Management System credentials, the node Local UI Admin Default User Accounts is deactivated.
Updating or deleting user privileges
In order to centralize credential management and enhance overall security by eliminating the risk of managing accounts through external methods, the user accounts are manageable only on the Management System.
The menu to change the password as depicted in Local UI dashboard is not visible for managed user accounts.
Managed users can change their password or other user data only on the Management System.
Changes to user credentials or account details within the Management System trigger an immediate logout of the user from all active node sessions. The user receives a notification detailing the cause of the disconnect. If the user is removed all node related permissions on the Management System, the subsequent login to the node for this user is denied and the user credentials are removed from the local user cache.
Note
If a node is offline at the time of the changes on the user privileges on the Management System, the user will still be granted role based access to this node. Once the node comes back online, user data in the local user cache will be updated and the user will be logged out (if the user was logged in at that time).
Managing Node Local User Cache
The node local user cache can be manually managed by user having the Node user management permissions listed in Nodes access API permissions
Users with Node user management permission can get a list of all users currently cached on a node. This can be done through an API endpoint on Management System, by providing nodes serial number, or through the Local UI endpoint. Refer to Nerve Management System API documentation for this purpose.
The List returns a JSON object containing an array of user data. Each object within the array will include at least the user's username and their last login date.
Users with Node user management permissions can delete individual or all cached users on a node. A full username is required for individual deletions. This functionality is accessible via API endpoints on both the Management System and Local UI. Refer to Nerve Management System API documentation for this purpose
Default User Accounts
Two node User accounts are provisioned with the installation of the Nerve node:
- A Local UI Admin for configuration purpose
- A Nerve host user with SSH access for advanced node administration
The login credentials for both accounts can be found in the customer profile.
Security recommendation
It is strongly recommended to change the host access password after the installation for security reasons.
It is strongly recommended to change the default Local UI Admin password after the installation for security reasons OR have the default Local UI Admin disabled, by onboarding the Node to a Management system and log into the Local UI with any admin account.
The default Local UI Admin account can be used only when there is no user in the local node cache with Node Admin permissions from the Management System.
When a user with Node Admin permission logs into a node's Local UI using Management System credentials for the first time while the node is online, the default Local UI Admin account is deactivated. It is reactivated if the node is offboarded from the Management System.
Changing the password for host access
Once changed, the host access password remains unaffected by updates. Node updates will automatically reset the host access password to its default value if the original default password has not been changed.
Note
Access to the Linux host system of Nerve is provided for advanced use cases. Using host access requires expert Linux knowledge as system internal changes can be performed. Note that changes may impact the Nerve system.
- Select Node configuration in the navigation on the left.
-
Select Change SSH password
-
Enter the following information:
Item Description Old password Enter the old password for host access. New password Enter the new password here. The new password must be 8 characters or longer and it can only consist of alphanumeric characters. Confirm new password Enter the new password again. Both passwords must match in order to proceed. -
Select Save to set the new password.
If the process was successful, the Local UI will display the dashboard with a green notice confirming the change in the upper-right corner.
Changing the password for the Local UI
Note
The default Local UI Admin password can only be changed as long default admin account is active. When a user with Node Admin permissions logs into the node for the first time using the Management System credentials, the default Local UI Admin account is deactivated and cannot be further updated.
Changing the password of the Local UI Admin makes it persist through version updates. If the default password is not changed, updating the node to a newer version will change the Local UI Admin password to a new default.
-
Select the user icon (User settings) in the upper-right.
Note
Alternatively, it is also possible to change the password in the Node configuration menu. Select Node configuration in the navigation on the left and select Change password to reach the password form.
-
Enter the following information:
Item Description Old password Enter the old password to the Local UI. New password Enter the new password here. The new password must be 8 characters or longer and it can only consist of alphanumeric characters. Confirm new password Enter the new password again. Both passwords must match in order to proceed. -
Select Save to set the new password.
If the process was successful, the Local UI will display the dashboard with a green notice confirming the change in the upper-right corner.
