Authentication Roles

26 Apr

Revision for “Authentication Roles” created on April 26, 2017 @ 12:31:21

Title
Authentication Roles
Content
The ability to create <em>tokens</em> to control better control access to and usage of a Nightscout site was introduced with Grilled Cheese (0.9). With current authentication options, you can create certain limited-use roles to: <ul> <li>Allow a caregiver the ability to see the site data but <strong>not</strong> make CarePortal/treatment entries <li>Allow a caregiver the ability to see the site <strong>and</strong> make CarePortal/treatment entries <li>Allow a caregiver <strong>total access</strong> to see the site, make entries, and use admin tools <li>Turn off access to someone that previously had access by removing their token (only possible if the site default is "denied"; see below) </ul> <h2>To Take Advantage of Roles, Turn Off Unauthorized Access to Your Site</h2> In a default setup, anyone with your Nightscout URL can view your site. (Depending on whether or not the treatment_auth variable (now deprecated) is set, using CarePortal may or may not require authorization with the API_SECRET.) The new authentication roles (and AUTH_DEFAULT_ROLES variable) allow you to further control and limit access. If you want to ensure that ONLY someone with permission to view your site (e.g., a token) is able to view the data, you should configure the <span class="redText">AUTH_DEFAULT_ROLES</span> variable in Azure or Heroku. Set the value as: <span class="redText">denied</span>. This creates a scenario in which a token will be required for all access. <h2>Create Authentication Tokens for Users</h2> To access the Authentication options, click the settings panel (three horizontal bars in the top right) in your website and select Admin Tools. The Authentication options are at the top of the Admin page. (Note: you must be logged in with your API SECRET to access these tools.) <a href="http://www.nightscout.info/wp-content/uploads/2016/10/grilledcheese-admin-authenticate.png"><img src="http://www.nightscout.info/wp-content/uploads/2016/10/grilledcheese-admin-authenticate.png" alt="grilledcheese-admin-authenticate" width="450" class="wikiImage" /></a> <h3>Roles</h3> <ul> <li><strong>admin</strong>: full access <li><strong>careportal</strong>: can view the site and make CarePortal/treatment entries <li><strong>readable</strong>: read-only access; no ability to make CarePortal/treatment entries. This user CAN see reports and profile information. <li><strong>denied</strong>: no access (this role only works if the AUTH_DEFAULT_ROLES setting is also "denied." You can't have a site that is readable to everyone and create a "denied" token for a specific user.) <li><strong>devicestatus-upload</strong>: used by devices </ul> <strong>Note:</strong> There is currently no way to limit a user so that the user can not view the Reports section, if the user has access to the site. Time/date-based roles are not currently possible. <strong>Note:</strong> devicestatus-upload is a workaround that should <strong>only</strong> be used with older uploader applications. <h3>Create a Token</h3> <ul> <li>Click the "Add New Subject" button. </li> <li>Fill in the name of the subject and the "role" you are giving this subject (from the list of roles shown). <a href="http://www.nightscout.info/wp-content/uploads/2016/10/grilledcheese-admin-authenticate-2.png"><img src="http://www.nightscout.info/wp-content/uploads/2016/10/grilledcheese-admin-authenticate-2.png" alt="grilledcheese-admin-authenticate-2" width="289" height="240" class="wikiImage" /></a></li> <li>Click save.</li> <li>The token will be shown. Copy the token URL (right-click on it in the browser and select the option to copy the link address) and provide it to the user (e.g., paste it into an email). If the user enters the entire URL (with token), the token will be in effect. Note: if the user copies only your core URL into a browser, and your site is readable by default, the token will be bypassed. (Possible strategies to ensure the user puts the role-based URL into a browser include using a tinyurl or bit.ly.) <a href="http://www.nightscout.info/wp-content/uploads/2016/10/grilledcheese-admin-authenticate-token.png"><img src="http://www.nightscout.info/wp-content/uploads/2016/10/grilledcheese-admin-authenticate-token.png" alt="grilledcheese-admin-authenticate-token" width="193" height="49" class="wikiImage" /></a> </li> <li>You can edit a subject by clicking the edit icon, making changes, and saving.</li> <li>You can delete a subject by clicking the "x" icon to remove the subject from the list.</li> </ul> <h3>Word of Caution</h3> If you provide a user a URL with a token, the user will see the main URL for the site and could access the site through the URL (without the token). <em><strong>Submit any bugs, feedback, or issues via GitHub.</strong></em>
Excerpt


OldNewDate CreatedAuthorActions
April 26, 2017 @ 12:31:21 Amy Cowen
October 16, 2016 @ 14:39:50 Amy Cowen
October 16, 2016 @ 14:27:45 Amy Cowen
October 16, 2016 @ 14:07:05 Amy Cowen
October 14, 2016 @ 17:07:15 Amy Cowen
October 14, 2016 @ 16:57:21 Amy Cowen
October 14, 2016 @ 16:51:58 Amy Cowen