In LMS you can define up to 256 access rules. Each rule permits or denies access to the modules it names, and any combination of rules can be assigned to a user's account.
By default, the following access rules are defined:
full access
read only (excluding Helpdesk)
nodes connection/disconnection
finances management
configuration reload
customers management
nodes management
traffic stats
messaging (email, sms)
Helpdesk (RT) administration
Helpdesk (RT) operation
hosting management
configuration
networks and devices management
timetable management
daemon management and configuration
cash operations
customers groups management
nodes groups management
customers to groups assignment
nodes to groups assignment
voip accounts management
Userpanel management
users edition and addition forbidden
no access
If you don't define any access rule for a user, LMS assigns rule 0 to that user, which means full access.
The algorithm that decides whether a user has access to a given module works as follows:
- First, the module is checked against the list of modules that every user always has access to.
- Next, the module is matched against the rules of each level assigned to the user.
- Finally, the decision is made. If the module matches any level that denies access, access is forbidden even if the user also has a level that permits access to the module. For example, if someone has full access and no access to the "add computer" module, he won't be able to access that module. If the module matches a level that permits access, LMS grants access; if the module does not match any level, the no-access message is also printed.
Advanced users can define additional access rules or redefine existing ones. To do that, create a PHP script based on the file lib/accesstable.php, then set the custom_accesstable option in the [phpui] section to the name of the created file.
This way you can define your own rules to allow or deny access to any module. In access rules, a module is the name of a PHP file in the modules directory, given without its extension. For example, a rule for displaying invoices (e.g. for the lms-sendinvoices script) can be defined as follows:
<?php
// Custom rule 100: permits access only to the module named exactly "invoice"
$access['table'][100]['name'] = 'invoices display';
$access['table'][100]['allow_reg'] = '^invoice$';
?>
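The decision procedure described above, written out as an added example (not LMS's own code) and run against a constructed rule table that includes custom rule 100. The `allow` and `deny_reg` keys, rule 200, and all module names other than `invoice` are assumptions made for illustration.

```php
<?php
// Added example, not LMS code. The rule table is a constructed sample in the
// layout of lib/accesstable.php; 'allow' and 'deny_reg' are assumed key names.
// Patterns are wrapped in '/' delimiters, so they must not contain '/'.
$access = ['allow' => '^(welcome|logout)$', 'table' => []];  // always-allowed modules
$access['table'][0]   = ['name' => 'full access',      'allow_reg' => '^.*$'];
$access['table'][100] = ['name' => 'invoices display', 'allow_reg' => '^invoice$'];
$access['table'][200] = ['name' => 'no node adding',   'deny_reg'  => '^nodeadd$']; // hypothetical
$access['table'][255] = ['name' => 'no access',        'deny_reg'  => '^.*$'];

/**
 * Decide whether a user holding the given rule numbers may open $module.
 * Returns [bool $granted, string $reason] so the result can be logged or audited.
 */
function check_access(array $access, array $userRules, string $module): array
{
    // Step 1: modules every user may always open.
    if (preg_match('/' . $access['allow'] . '/', $module)) {
        return [true, 'always allowed'];
    }
    // No rule assigned means rule 0 (full access), as the page states.
    if (!$userRules) {
        $userRules = [0];
    }
    // Step 2: match the module against every rule assigned to the user.
    $allowedBy = null;
    foreach ($userRules as $id) {
        $rule = $access['table'][$id] ?? [];
        if (isset($rule['deny_reg']) && preg_match('/' . $rule['deny_reg'] . '/', $module)) {
            // Step 3: a single deny match overrides any allow match.
            return [false, "denied by rule $id ({$rule['name']})"];
        }
        if (isset($rule['allow_reg']) && preg_match('/' . $rule['allow_reg'] . '/', $module)) {
            $allowedBy = $allowedBy ?? $id;
        }
    }
    return $allowedBy !== null
        ? [true, "allowed by rule $allowedBy ({$access['table'][$allowedBy]['name']})"]
        : [false, 'no rule matched'];
}

// Constructed cases: [assigned rules, requested module].
$cases = [[[100], 'invoice'], [[100], 'invoicelist'], [[0, 200], 'nodeadd'],
          [[0, 200], 'nodelist'], [[], 'userlist'], [[255], 'logout']];
foreach ($cases as [$rules, $module]) {
    [$ok, $why] = check_access($access, $rules, $module);
    printf("%-10s %-12s %-7s %s\n", json_encode($rules), $module, $ok ? 'GRANT' : 'DENY', $why);
}
```

Run it with the `php` command-line interpreter; the `[]` case shows that an account with no rules assigned is granted access through rule 0.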