Permissions is used to protect sensitive parts of JMRI, for example preventing the loading and storing of the table content and panels file by unauthorized users.
Edit ⇒ Preferences ⇒ Permissions has the configuration for the permission manager.
| User | Password | Role |
|---|---|---|
| admin | jmri | Administrator |
| guest | Guest | |
| remote guest | Remote guest |
These three users cannot be deleted. If you don't want to use the admin user, you can unselect all the roles. It will then not have any permissions at all.
New users will get the Standard user role when created.
Note that the guest and remote guest users cannot have a password.
| Permission | Roles with this permission as standard |
|---|---|
| Edit preferences | Administrator |
| Edit permissions | Administrator |
| Change user's own password | Administrator and Standard user |
| Load table content and panels file | Administrator |
| Store table content and panels file | Administrator |
The Panels permission can provide control of a set of panel actions.
The Panels permission is currently applied to all panels. Future changes will include the ability assign specific roles to a panel.
There are two options.
The simplest way is to delete the file .permissions.xml in the PREFERENCES folder. Note: This is the Settings Location in Help ⇒ File Locations.
By deleting the file, the permission configuration is removed.
The second option is to edit that file with a text editor or an xml editor. The beginning of the file looks like this:
<Permissions>
<Settings>
<Enabled>no</Enabled>
<AllowEmptyPasswords>no</AllowEmptyPasswords>
</Settings>
...
</Permissions>
Change <Enabled>yes</Enabled> to <Enabled>no</Enabled>. It disables permission checking but retains the permission configuration.
If an unauthorized user is able to delete or edit files on the computer running JMRI, he might be able to disable the permissions and then override them. See the section I have looked myself out! above.
If you want to protect from that, you could protect that file from being changed. On Linux, it can be done by changing the owner of the file to root and to have it read only for other users. This assumes that the OS user that runs JMRI does not have OS administrative authority.
sudo chown root ~/.jmri/.permissions.xml
sudo chmod 644 ~/.jmri/.permissions.xml
On Linux the .permissions.xml file can deleted even when write access is denied. To prevent this, the .jmri parent directory also needs to be protected. However, doing so can result in JMRI errors.
If JMRI is unable to connect to the layout during startup, a dialog is shown with the options Quit PanelPro, Continue and Edit connections. If the permission manager is enabled, a user with the Guest role probably doesn't have the permission to edit the connections. In this case, select Continue to start JMRI. When you do, a dialog will open with the message Permission denied. Ignore that, log in with an authorized user and then open the preferences. Now edit the connection.
The normal PanelPro shutdown process checks for changes that have not been stored. If change detection is enabled, changes have been made and the user is not authorized to store changes, a dialog is displayed.
If it is possible to login with the necessary authority, then click on Yes, login and do the store process. If not, click on No.
For production environments, change detection can be disabled. This will eliminate shutdown issues. See the Shutdown preference.