diff --git a/docs/operate/customize/restrict_access.md b/docs/operate/customize/restrict_access.md index 05d91412..0c7a02e6 100644 --- a/docs/operate/customize/restrict_access.md +++ b/docs/operate/customize/restrict_access.md @@ -11,7 +11,7 @@ While most features in InvenioRDM are guarded by configurable permission policie For these exceptions, as well as extra precautions generally, it can be beneficial to restrict access on an `nginx` level. !!! info "Current exceptions" - At the time of writing, one of these exceptions is the administration panel which has a hard-coded check for the `administration-access` action. + At the time of writing, one of these exceptions is the administration panel. Access to the panel entry point is controlled by the `admin-view` action, and access to individual admin views by the `administration-access` action. See [Administration access control](../../use/administration.md#access-control) for details on granting these actions to roles. An access restriction based on the client's IP address can be put into place via the `nginx` configuration, e.g. by adding nested `location` directives in the existing configuration: diff --git a/docs/use/administration.md b/docs/use/administration.md index a0b81d0e..d46dc066 100644 --- a/docs/use/administration.md +++ b/docs/use/administration.md 
@@ -3,6 +3,48 @@ The administration panel is a feature in InvenioRDM introduced in v10 that provides a graphical user interface for managing your instance. It is designed to be used by administrators and superusers of the repository. For more technical details you can read the [developer guide to the InvenioRDM administration panel](../maintenance/internals/administration_panel.md), detailing its programmatic interface and usage. +## Access control + +Access to the administration panel is controlled by two Invenio actions: + +| Action | Controls | +|--------|----------| +| `admin-view` | Visibility of the **"Administration"** link in the user menu and access to the dashboard | +| `administration-access` | Access to **individual admin views** (records, users, OAI-PMH sets, etc.) | + +### Granting full administrator access + +To give a role full access to the administration panel and all its views, grant both actions: + +```shell +invenio roles create administration +invenio access allow admin-view role administration +invenio access allow administration-access role administration +``` + +Then assign the role to a user: + +```shell +invenio roles add administration +``` + +### Granting access to specific views only + +You can grant a role access to the administration panel entry point without giving it access to all admin views. This is useful for roles that only need access to certain sections (e.g. a curator role that only manages specific resources): + +```shell +invenio roles create curator +invenio access allow admin-view role curator +``` + +Individual admin views can then be restricted to specific roles by overriding the `permission` attribute on the view class. See the [developer guide](../maintenance/internals/administration_panel.md) for details. + +!!! info + + See [Create and assign roles](../operate/customize/users.md#create-and-assign-roles) for more information on managing user roles. 
+ +--- + **As an administrator** you can access the administration panel at `/administration`. This is also available through the user menu in the top right corner of your instance: ![User Menu Admin](./imgs/banners/user_menu_admin.png)
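Review bot: In the `restrict_access.md` hunk, the rewritten info box no longer explains why the administration panel still counts as one of the "exceptions" that the surrounding paragraph introduces ("While most features in InvenioRDM are guarded by configurable permission policie[s] ... For these exceptions ..."). The old line justified it with "a hard-coded check for the `administration-access` action"; the new line says access is "controlled by the `admin-view` action ... and ... the `administration-access` action", which reads as configurable rather than exceptional. Suggest keeping the distinction explicit, e.g. "... is controlled by the `admin-view` and `administration-access` actions rather than by a configurable permission policy class, so it cannot be customized the way other features can." The relative link `../../use/administration.md#access-control` does match the `## Access control` heading added in the second file, so the cross-reference itself is fine.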
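Review bot: In the `administration.md` hunk, the second code block under "Granting full administrator access" is incomplete: `invenio roles add administration` names only the role, but the command takes the user as well, so the example as written will not assign the role to anyone. Suggest `invenio roles add <user-email> administration` (matching the `invenio roles add` usage in the linked "Create and assign roles" page), and the same pattern is needed after the `curator` example, which currently creates the role and grants `admin-view` but never shows it being assigned to a user. Two smaller points in the same hunk: the "Granting access to specific views only" subsection says individual views "can then be restricted ... by overriding the `permission` attribute on the view class" but gives no attribute name, class, or link target more specific than the developer guide, so a reader cannot act on it without that page being updated in step; and the table lists `admin-view` as controlling "access to the dashboard" while the info box in `restrict_access.md` calls the same thing the "panel entry point" - pick one term and use it in both files.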