From 361d82e6281398502b73d8397eef395da28bb30b Mon Sep 17 00:00:00 2001
From: Andy Wick <andywick@amazon.com>
Date: Mon, 23 Sep 2024 11:54:52 -0400
Subject: [PATCH] add user-role-mappings

---
 _data/settings/user-role-mappings.yml | 30 +++++++++++++++++++++++++++
 faq.html                              |  2 +-
 settings.html                         |  1 +
 3 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 _data/settings/user-role-mappings.yml

diff --git a/_data/settings/user-role-mappings.yml b/_data/settings/user-role-mappings.yml
new file mode 100644
index 0000000..60061ec
--- /dev/null
+++ b/_data/settings/user-role-mappings.yml
@@ -0,0 +1,30 @@
+name: user-role-mappings
+before: |
+  <p>
+    Starting with 5.4.1 it is now possible to dynamically update the roles associated with a user when using header or oidc authMode.
+    When using this section, all possible roles must be defined, one per line, and any role no longer enabled for the user will be removed.
+    The rules are evaluated on login, and the user's roles are updated accordingly.
+  </p>
+  <p>
+    Each line is of the format <code>rolename=javascript expression</code>.
+    The jaascript expression can use two variable, <code>this</code> which allows you to reference any user fields and <code>vals</code> which allows you to access any of the request headers for header auth or the oidc info for oidc auth.
+  </p>
+
+after: |
+  <p>
+    Example:
+  </p>
+  <pre><code>[user-role-mappings]
+  # Everyone is arkimeUser
+  arkimeUser=true
+  # userAdmin have -svc extension in userId
+  userAdmin=this.userId.endsWith('-svc')
+  # fred and wilma are superAdmin
+  superAdmin=this.userId === 'fred' || this.userId === 'wilma'
+  # custom role based on header value
+  role-special=vals.roles.includes('special')
+  </code></pre>
+
+settings:
+  - key: "[role]="
+    text: A javascript expression using this for user fields and vals for request headers or oidc info.
diff --git a/faq.html b/faq.html
index 74a5f6e..d4317e4 100644
--- a/faq.html
+++ b/faq.html
@@ -2473,7 +2473,7 @@ <h3 class="subsection"id="how-do-i-import-existing-pcaps">
         </li>
       </ul>
       <p class="alert alert-secondary">
-        <span class="fa fa-exclamation-triangle"></span> By default importing offline pcap does NOT make a copy of the pcap file, Arkime saves a reference to the original file. If you want to make a copy of the pcap file, use the <code>--copy</code> option with capture.
+        <span class="fa fa-exclamation-triangle"></span> By default importing offline pcap does NOT make a copy of the pcap file, Arkime saves a reference to the original file, which shows up as locked on the files tab. If you want to make a copy of the pcap file, use the <code>--copy</code> option with capture.
         </p>
       <h4>Enable Arkime UI to upload</h4>
       <p>
diff --git a/settings.html b/settings.html
index c120796..f53cbbf 100644
--- a/settings.html
+++ b/settings.html
@@ -54,6 +54,7 @@
   - packet-drop-ips
   - remote-clusters
   - multi-viewer-settings
+  - user-role-mappings
   - vlan-vni-collapse
   - wise-types