# Role Based Access Control

Starting from version 1.5.0, the floating server supports role-based access control (RBAC) with the following functionality:

* Two Roles: Admin and User.
* Any individual accessing server functionality must be assigned either an Admin or User role.
* Admin Permissions:
  * Add new users and admins.
  * Add and remove licenses (online, offline, and air-gapped).
  * Configure license and management API URLs.
  * Set shared and API keys.
* User Permissions (available to both admins and non-admin users):
  * Register as a floating user.
  * Add consumptions.
  * Access reports.
  * Check server health.
  * Borrow licenses.
  * Change their own password.

This RBAC model applies to both browser and API access.

### Start the Server

To start the server in authentication mode, use the following command:

{% hint style="info" %}
```bash
./floating-server -userAuthentication true
```
{% endhint %}

### API Access

For API access, users must first log in and obtain a JWT, which is then included in subsequent requests. An example is shown below.

If a user attempts to register without logging in, they will receive an error prompting them to log in first.

```bash
curl -X POST "http://localhost:8080/api/v4/register" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
  "product": "test",
  "user": "user1",
  "os_hostname": "",
  "ip_local": "0.1.1.1",
  "user_info": "",
  "registered_at": "2024-08-26T12:21:59.776731-07:00",
  "borrowed_until": "0001-01-01T00:00:00Z"
}'
```

Response:

```json
{"message":"Unauthorized: Please log in"}
```

To log in, users send their username and password as HTTP Basic credentials (`curl -u`) to the /auth endpoint. An example is shown below.

```bash
curl -u 'username':'password' http://localhost:8080/auth -H "Accept: application/json"
```

Response:

```json
{"message":"Login successful","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciIsInVzZXJuYW1lIjoidXNlcjEifQ.laskPwD_z36WjODEGKNpVojnouqXYCtKr9HXrLPBqWw"}
```

This endpoint returns a JWT, which the user must then include in subsequent requests. After receiving the token, the user can resend the registration request using the JWT for authentication.

```bash
curl -X POST "http://localhost:8080/api/v4/register" \
-H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoidXNlciIsInVzZXJuYW1lIjoidXNlcjEifQ.laskPwD_z36WjODEGKNpVojnouqXYCtKr9HXrLPBqWw" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{
  "product": "test",
  "user": "user1",
  "os_hostname": "",
  "ip_local": "0.1.1.1",
  "user_info": "",
  "registered_at": "2024-08-26T12:21:59.776731-07:00",
  "borrowed_until": "0001-01-01T00:00:00Z"
}'
```

With a valid token, the registration succeeds.
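The same exchange as a small standard-library client, added here as an example (it is not code from the floating-server project): Basic-auth login at `/auth`, a Bearer token on `/api/v4/register`, and a 401 treated as "log in first". The `send` parameter, `jwt_claims` helper and `PermissionError` handling are this example's own choices; the JWT payload is decoded only for display, since the client has no key to verify the HS256 signature the token header announces.

```python
# Added example, not part of the floating-server project or its documentation.
# Walks the documented API flow: HTTP Basic login at /auth, then a Bearer
# token on /api/v4/register; a 401 means "log in first".
# Assumed: /auth accepts HTTP Basic credentials; a missing token yields 401.
import base64
import json
import urllib.error
import urllib.request

UNAUTHORIZED = "Unauthorized: Please log in"  # message quoted on this page


def http_send(method, url, headers, body=None):
    """Real transport: returns (status, parsed JSON body). Swappable in tests."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def login(base_url, username, password, send=http_send):
    """Exchange username/password for a JWT, like `curl -u user:pass /auth`."""
    cred = base64.b64encode(f"{username}:{password}".encode()).decode()
    status, body = send("GET", f"{base_url}/auth",
                        {"Accept": "application/json",
                         "Authorization": f"Basic {cred}"})
    if status != 200 or "token" not in body:
        raise PermissionError(body.get("message", f"login failed ({status})"))
    return body["token"]


def jwt_claims(token):
    """Decode the JWT payload (role, username) for display only. The client
    cannot verify the HS256 signature; the server is what enforces the role."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def register(base_url, payload, token=None, send=http_send):
    """POST a floating registration. Without a valid token the server answers
    401 and this raises PermissionError carrying the server's message."""
    headers = {"Accept": "application/json", "Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    status, body = send("POST", f"{base_url}/api/v4/register", headers,
                        json.dumps(payload).encode())
    if status == 401:
        raise PermissionError(body.get("message", UNAUTHORIZED))
    return body
```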

### Browser

The login page in authentication mode:

![login page](/files/d52dbbcc19b3151fd2261ee3a7507dd6418d9a24)

The Users Management tab displays a list of all users and their assigned roles.

* Admin Permissions:
  * Admins can add new users or remove existing ones.
  * When adding a user, the admin assigns a temporary password, which the user must change upon their first login.

![](/files/a8a4a4943356779ad548a56083197faa13670930)

Users and admins can change their own password from the Change password tab:

![](/files/a924e8afdeefb051e7c7986048c359edaea78365)

If a non-admin user attempts to perform actions restricted to admins, they will receive an error message, as shown below.

![](/files/2fcf916c74fa5250ef4be39e7bf3ecb4b788f8ea)

### Initialize Users

#### Initializing the First Admin User

{% stepper %}
{% step %}

### Generate password hash

Generate the password hash for the admin's password (e.g., using a bcrypt generator such as <https://bcrypt-generator.com/>).
{% endstep %}

{% step %}

### Add the hash to config

Enter the generated hash into config/config.yaml. This will create an admin user with the username "admin"; the specified password will be registered in the server's database. This admin can then add other users later.
{% endstep %}
{% endstepper %}

Example YAML format for admin setup:

```yaml
# Password hash for website login (e.g., https://bcrypt-generator.com/)
websitePassword: $2y$10$lsiMFX54HFoPbceInt3ppe4JW7wGxuYyRJSVLDgGX5RVv4m39aTyG
```

<details>

<summary>Note on version 1.5.0 vs later versions</summary>

In version 1.5.0, user initialization in the config file allowed multiple users with any role to be specified. The configuration format for multiple users looked like this:

```yaml
users:
  user1:
    username: user1
    password: pass1
    role: user

  user2:
    username: user2
    password: pass2
    role: admin
```

Starting from version 1.5.1, user initialization is limited to a single admin user at the setup stage.

</details>

#### Number of Admins

At least one admin is required when running the server in authentication mode. If no admin is configured, the server will fail to launch, displaying an error message requesting you to provide the necessary configuration.

#### Storage

User information is stored in the database, and passwords are securely stored as hashed values.
