The web portal uses a model where users are distinct from resource holders.
A user is an entity that is granted permission to utilize the web portal. Each
user account has an associated password that is used to log in to the web
portal.
The web portal maintains an access control list that specifies which resource
holders the user is allowed to manage. If a user is authorized to manage more
than a single resource holder, the user will be presented with a list of the
resource holders upon login.
Database tables: irdbd.auth_user and irdbd.app_confacl
The password for a user may be changed via the web portal, or on the command
line:
$ rpki-manage changepassword <USER>
A user account with the superuser bit set has the special capability that it
may assume the role of any resource holder managed by the local RPKI service.
Superusers are created via the command line interface:
$ rpki-manage createsuperuser
When logged into the web portal with a #superuser account, select the web
users link in the sidebar, and then click on the create button at the
bottom of the page. You may optionally select one or more resource holders
that this user is granted authorization to manage.
Note that creating a user does not create a matching #resource-holder. See
creating resource holders.
When logged into the web portal with a #superuser account, select the web
users link in the sidebar, and then click on the Delete icon next to the
user you wish to delete.
Note that this action does not remove any of the resource holders the user
is granted authorization to manage.
Resource holders are entities that have authority to manage a set of Internet
number resources. When a user logs into the web portal, they select which
resource holder role to assume. The user may choose to assume the role of a
different resource holder by clicking on the select identity link in the
sidebar.
The list of resource holders managed by the local RPKI service can be viewed
with a #superuser account by clicking on the resource holders link in the
sidebar of the web portal. From this page the super can manage the resource
holders.
Database table: irdbd.irdb_resourceholderca (via irdbd.app_conf proxy
model)
Note that creating a new resource holder does not create a user account.
See #create-user.
When logged into the web portal with a #superuser account, select the
resource holders link in the sidebar, and then click on the create
button at the bottom of the page.
If the new resource holder is going to be a child of another resource holder
hosted by the local RPKI service, you may optionally select the parent
resource holder from the dropdown box, and the parent-child relationship will
automatically be established when the new resource holder is created.
Additionally, one or more #users authorized to manage the new resource holder
may be selected from the Users list on the creation form.
You can also create resource holders on the command line:
$ rpkic -i <HANDLE> initialize
$ rpkic synchronize
where HANDLE is the name of new resource holder. Note that this new
resource holder will initially only be allowed to be managed by #superuser
accounts. You may wish to create a matching user account, but the name of the
user need not be the same as the handle of the resource holder. Additionally,
you can manage the list of users allowed to manage this resource holder via
the web portal; click on the Edit icon next to the resource holder, and
select the users you wish to grant permission to manage.
Note that deleting a resource holder does not remove any user accounts.
When logged into the web portal with a #superuser account, select the
resource holders link in the sidebar, and then click on the delete
button next to the resource holder you wish to delete.
Or you may use the command line interface:
$ rpkic -i <HANDLE> delete_self
$ rpkic synchronize
where HANDLE is the name of the resource holder you wish to destroy.
Each resource holder may be managed by one or more user accounts. The list of
users authorized to assume the role of a particular resource holder may be
changed in the web portal. When logged into the web portal with a #superuser
account, select the resource holders link in the sidebar, and then click
on the Edit icon next to the resource holder, and select the users you
wish to grant permission to manage.
