User Management

From Allegro Packets Product Wiki

The user management page allows managing users which can use the Allegro Network Multimeter. It is possible to:

  • Create new users (Local users, LDAP users, TACACS+ users)
  • Edit user parameters
    • Change the password
    • Use two-factor authentication with the time-based one-time password (TOTP) algorithm. When this option is enabled, a QR code is displayed that needs to be scanned by a TOTP generator (e.g. FreeOTP or Google Authenticator). The Allegro Network Multimeter and the TOTP generator each generate the one-time password independently, and it needs to be given at login. Both devices need to be time synchronized (e.g. via NTP).
    • Modify user roles/restrictions
    • Adjust the user session timeout in minutes
  • Disable users. Disabled users are not able to log in, but their settings are kept.
  • Delete users.
  • It is not possible to delete or disable the admin account.
  • It is not possible to delete or disable the currently logged in user.

Roles and permissions

Multiple roles can be defined per user to allow different permissions.

Only users with the admin role can:

  • start captures
  • change system settings
  • manage users
  • use WebDAV

Beginning with firmware 3.5, roles can be created or deleted (except for admin). A role may have several permissions. Permissions are categorized into live view, replay view and 4-eyes authorization. For each category there is a list of permissions that are granted by this role. E.g. if only the permission 'pcap' is selected in live view, the role only allows performing captures in the corresponding view.

The following permissions exist:

  • all: All permissions are granted. This contains all other permissions mentioned below.
  • pcap: Captures and Webshark access is permitted.
  • voip: Access to SIP and RTP statistics is permitted.
  • other: Access to everything else.

The following predefined roles exist:

  • users: Users with this role can see all measurement data, but they are not able to change settings.
  • capture: Users with this role are able to start traffic captures.
  • replay-user: Users can only view measurement data from replay slots (replay of ring buffer or pcap files). The user cannot see live data.
  • restart-analysis: Users can restart already running ring buffer analyses, for example with different start and end time parameters. This is useful if the admin user wants to select which ring buffer should be analyzed and when, while still letting replay-users restart the analysis in case they want to use a smaller time interval for faster or more detailed analysis.
  • api-pcap-4-eyes-authorization: Users with this role need authorization from another user (with the admin, capture or api-pcap-4-eyes-authorization role) before performing a PCAP. In the PCAP dialog a dropdown field is displayed where the user needs to select the other user who should grant the capture. The other user will get a popup dialog for granting or denying the PCAP download.
  • api-voip-4-eyes-authorization: Users with this role need authorization from another user (with the admin or api-voip-4-eyes-authorization role) before accessing the SIP or RTP statistics pages. On the page that requires authorization an indicator is displayed where the user needs to select the other user who should grant access to that page. The other user will get a popup dialog for granting or denying the access.

These roles can be combined. For example, a user with the replay-user and capture role can only see replay data and can capture traffic from this data, but they cannot capture live data.

LDAP users

In the LDAP user tab, it is possible to define an LDAP or Active Directory source for user management. LDAP users are only an addition to the locally defined users. Locally defined users take precedence over LDAP users.

The values required depend on the setup of the LDAP server.

The user filter requires a %s as a placeholder for the username.

The group filter requires either %s as a placeholder for the username, or any ${value} attribute of the user. The special value ${DN} references the distinguished name of the user.

In the Allegro MM users group and Allegro MM admins group fields, a comma-separated list of the common names of the groups is given. If the user is in any of the groups, they are allowed to log in. If the user is in one of the admin groups, they are treated as an administrator.

At the moment, only the roles admin and user can be used for LDAP access.

Example for a simple LDAP setup involving only the username:

User filter : (uid=%s)
Group filter : (memberUid=%s)
User group : allegro-mm-users
Admin group : allegro-mm-admins

Active Directory

For Active Directory, the distinguished name ('${DN}') is used in the group filter:

User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!sAMAccountType=805306370)(!userAccountControl:1.2.840.113556.1.4.803:=2))
Group filter : (&(member=${DN})(objectClass=group))
User group : allegro-mm-users
Admin group : allegro-mm-admins

A more complex group filter, using pre-filtering groups for performance reasons in large directories with lots of groups:

Group filter : (&(member=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))

For recursive group membership resolution, the following group filter can be used (but it might be slower):

Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))

Depending on the setup, it is also possible to filter groups by distinguished name:

Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(distinguishedName:=CN=allegro-mm-users,OU=Groups,DC=example,DC=com)(distinguishedName:=CN=allegro-mm-admins,OU=Groups,DC=example,DC=com)))
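As an added example (not code from the wiki or from the Allegro firmware), the following Python shows how the placeholders in the user and group filters above (%s, ${DN} and other ${attribute} values) are expanded into a concrete search filter, and how the comma-separated user and admin group lists decide the resulting role. The RFC 4515 escaping step is an assumption about safe handling of the login name, not a description of what the appliance does; without it a username containing "(", ")" or "*" could change the structure of the filter sent to the directory.

```python
import re

# Allegro-style placeholders: %s = username, ${attr} = any user attribute, ${DN} = distinguished name
PLACEHOLDER = re.compile(r"%s|\$\{(\w+)\}")


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 so it cannot alter the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def expand_filter(template: str, username: str, user_attrs: dict) -> str:
    """Expand %s and ${...} in one pass; substituted text is never rescanned for placeholders."""
    def substitute(match: re.Match) -> str:
        if match.group(0) == "%s":
            return ldap_escape(username)
        key = match.group(1)
        if key not in user_attrs:
            raise KeyError(f"user entry has no attribute {key!r}")
        return ldap_escape(user_attrs[key])
    return PLACEHOLDER.sub(substitute, template)


def classify(group_cns, users_groups: str, admins_groups: str):
    """Map the CNs returned by the group filter to 'admin', 'user' or None (login denied).

    users_groups / admins_groups are the comma-separated lists from the two config fields.
    """
    users = {g.strip() for g in users_groups.split(",") if g.strip()}
    admins = {g.strip() for g in admins_groups.split(",") if g.strip()}
    found = set(group_cns)
    if found & admins:
        return "admin"
    if found & users:
        return "user"
    return None
```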

TACACS+ users