sulu: doc update on how to add sulu user

sulu/Readme.md

@@ -101,3 +101,73 @@ CONFIG_SULU_PWA_KEYS_PATH="/somepath_with_pwa.{crt,key}"
 ```
 
 >Note: Replacing/changing the keys might requires uninstall/install of PWA App and CTRL+Shift+R in browser to drop the cached site and load the new site with new keys.
+
+# How to create a new Sulu user with Role Based Access Controller
+Sulu has a predefined set of users, but if it is required to add user with more/less datamodel access rights, that can be done from a USP Controller(sulu etc) or by using the command line tool.
+
+In the below example, I use command line tool, but same operations can be done from controller as well to configure it, so we need
+- New user
+- New user role
+- Changes in UserInterface Instance to use the new user role
+- A ControllerTrust role to define datamodel access aligned with user role
+- Update the sulu controller to use the above role
+
+Some global variables before proceeding further
+
+UNAME=osync
+
+## Create an User Role
+
+```bash
+ROLE="$(obuspa -c add Device.Users.Role. |cut -d " " -f 2)"
+
+obuspa -c set ${ROLE}.RoleName ${UNAME}
+obuspa -c set ${ROLE}.Enable 1
+```
+
+## Create an User
+
+```bash
+USER="$(obuspa -c add Device.Users.User. |cut -d " " -f 2)"
+
+obuspa -c set ${USER}.Username ${UNAME}
+obuspa -c set ${USER}.Password osync123
+obuspa -c set ${USER}.RoleParticipation ${ROLE}
+obuspa -c set ${USER}.Enable 1
+```
+
+## Update UserInterface to use the new UserRole
+
+Sulu has a reload hook to setup the necessary obuspa/mosquitto configuration
+
+```bash
+bbfdmd -c set Device.UserInterface.HTTPAccess.1.AllowedRoles "Device.Users.Role.1,${ROLE}"
+
+sleep 30
+```
+
+## Create a ControllerTrust role aligned with user role
+
+In this example, full access of Device. added for the new user
+
+```bash
+CTROLE="$(obuspa -c add Device.LocalAgent.ControllerTrust.Role. | cut -d " " -f 2)"
+
+PERM="$(obuspa -c add ${CTROLE}.Permission. |cut -d " " -f 2)"
+
+obuspa -c set ${PERM}.Targets Device.
+obuspa -c set ${PERM}.Param rw-n
+obuspa -c set ${PERM}.Obj rw-n
+obuspa -c set ${PERM}.InstantiatedObj rw-n
+obuspa -c set ${PERM}.CommandEvent r-xn
+obuspa -c set ${PERM}.Enable 1
+obuspa -c set ${CTROLE}.Enable 1
+```
+
+## Set new role to Controller
+
+```bash
+obuspa -c set Device.LocalAgent.Controller.[EndpointID==self::sulu-${UNAME}].AssignedRole "${CTROLE}"
+```
+
+After these configuration, sulu should be able to login with newly added user

sulu/sulu-builder/Makefile

@@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=sulu-builder
-PKG_VERSION:=3.1.61
+PKG_VERSION:=3.1.62
 PKG_RELEASE:=1
 
 PKG_SOURCE_PROTO:=git

sulu/sulu-builder/files/etc/sulu/sulu.sh

@@ -45,9 +45,7 @@ function _get_sulu_user_roles() {
 	roles=$(uci -q get userinterface._sulu_s.role)
 
 	for role in ${roles}; do
-		if [ -f "/etc/users/roles/$role.json" ]; then
-			sulu_user_roles="${sulu_user_roles} ${role}"
-		fi
+		sulu_user_roles="${sulu_user_roles} ${role}"
 	done
 
 	if [ -n "${sulu_user_roles}" ]; then
@@ -284,9 +282,9 @@ function update_obuspa_config() {
 }
 
 function configure_sulu() {
-	update_obuspa_config
-	_create_acl
 	generate_sulu_conn_config
+	_create_acl
+	update_obuspa_config
 }
 
 while getopts ":r" opt; do