libeufin permissions and user management

1 files changed, 44 insertions, 0 deletions

diff --git a/libeufin/nexus-tutorial.rst b/libeufin/nexus-tutorial.rst
index 8c0d941f..6ef78829 100644
--- a/libeufin/nexus-tutorial.rst
+++ b/libeufin/nexus-tutorial.rst
@@ -446,3 +446,47 @@ existing bank account / connection pair.
 At this point, the additional *taler-wire-gateway* (FIXME: link
 here to API here) API becomes offered by the Nexus.  The purpose
 is to let a Taler exchange to rely on Nexus to manage its bank account.
+
+
+Managing Permissions and Users
+==============================
+
+This guide has so far assumed that a superuser is accessing the LibEuFin Nexus.
+However, it is advisable that the Nexus is accessed with users that only have a
+minimal set of permissions.
+
+The Nexus currently only has support for giving non-superusers access to Taler
+wire gateway facades.
+
+To create a new user, use the ``users`` subcommand of the CLI:
+
+.. code-block:: console
+
+  $ libeufin-cli users list
+  # [ ... shows available users ... ]
+
+  $ libeufin-cli users create $USERNAME
+  # [ ... will prompt for password ... ]
+
+Permissions are managed with the ``permissions`` subcommand.
+The following commands grant permissions to view the transaction history
+and create payment initiations with a Taler wire gateway facade:
+
+
+.. code-block:: console
+
+  $ libeufin-cli permissions grant \
+     user $USERNAME \
+     facade $FACADENAME \
+     facade.talerWireGateway.history
+
+  $ libeufin-cli permissions grant \
+     user $USERNAME \
+     facade $FACADENAME \
+     facade.talerWireGateway.transfer
+
+The list of all granted permissions can be reviewed:
+
+.. code-block:: console
+
+  $ libeufin-cli permissions list