User Management: Difference between revisions

From Allegro Network Multimeter Manual
Revision as of 15:23, 17 February 2021

The user management page is used to manage the users who can access the Allegro Network Multimeter. It is possible to:

  • Create new users
  • Edit users: change the password and modify the roles of the user.
  • Disable users: disabled users are not able to log in, but their settings are kept.
  • Delete users
Notes:
  • It is not possible to delete or disable the admin account.
  • It is not possible to delete or disable the currently logged in user.

Roles

Multiple roles can be defined per user to allow different permissions.

Only users with the admin role can:

  • start captures
  • change system settings
  • manage users
  • use WebDAV

Users with user access can see all measurement data, but they are not able to change settings.

Users with capture access are also able to start traffic captures.

Users with replay-user access can only view measurement data from replay slots (replay of ring buffer or pcap files). The user cannot see live data.

Users with restart-analysis access can also restart already running ring buffer analyses, for example with different start and end time parameters. This is useful if the admin user wants to select which ring buffer is analyzed and when, while still letting replay-users restart the analysis in case they want to use a smaller time interval for faster or more detailed analysis.

These roles can be combined. For example, a user with the replay-user and capture access can only see replay data and can capture traffic from this data, but they cannot capture live data.

LDAP users

In the LDAP user tab, it is possible to define an LDAP or Active Directory source for user management. LDAP users are only an addition to the locally defined users. Locally defined users take precedence over LDAP users.

The values required depend on the setup of the LDAP server.

The user filter requires a %s as a placeholder for the username.

The group filter requires either %s as a placeholder for the username, or any ${value} attribute of the user. The special value ${DN} references the distinguished name of the user.

In the Allegro MM users group and Allegro MM admins group fields, a comma-separated list of the common names of the groups is given. If the user is in any of the groups, they are allowed to log in. If the user is in one of the admin groups, they are treated as an administrator.

At the moment, only the roles admin and user can be used for LDAP access.

Example for a simple LDAP setup involving only the username:

User filter : (uid=%s)
Group filter : (memberUid=%s)
User group : allegro-mm-users
Admin group : allegro-mm-admins

Example for a more complex setup that uses the distinguished name of the user to filter the groups and Active Directory-style user filtering:

User filter : (&(sAMAccountName=%s)(objectCategory=person)(objectClass=user)(!(sAMAccountType=805306370))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Group filter : (&(member=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))
User group : allegro-mm-users
Admin group : allegro-mm-admins

For recursive group membership resolution, the following group filter can be used for the Active Directory:

Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(cn=allegro-mm-users)(cn=allegro-mm-admins)))

This recursive group filter might be slower depending on the size of the directory. Depending on the setup, it is also possible to filter groups by distinguished name:

Group filter : (&(member:1.2.840.113556.1.4.1941:=${DN})(objectClass=group)(|(distinguishedName:=CN=allegro-mm-users,OU=Groups,DC=example,DC=com)(distinguishedName:=CN=allegro-mm-admins,OU=Groups,DC=example,DC=com)))
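The following sketch is an added example, not code from the Allegro Network Multimeter. It can be used to check offline what a user or group filter template from this page expands to for a given account, and which role the resulting group names map to. The function names are hypothetical; escaping substituted values per RFC 4515 and comparing group names case-insensitively are assumptions of this example, not documented device behaviour.

```python
import re

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Matches the two placeholder forms described above: %s and ${attribute}.
_PLACEHOLDER = re.compile(r"%s|\$\{(\w+)\}")


def escape_filter_value(value):
    """Escape a substituted value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter(template, username, attrs=None):
    """Fill %s and ${attr} in a single pass; inserted text is never re-expanded."""
    attrs = attrs or {}
    if not _PLACEHOLDER.search(template):
        raise ValueError("filter needs %s or a ${attribute} placeholder")

    def fill(match):
        name = match.group(1)
        if name is None:  # the match was %s
            return escape_filter_value(username)
        if name not in attrs:
            raise KeyError("user entry has no attribute " + name)
        return escape_filter_value(attrs[name])

    return _PLACEHOLDER.sub(fill, template)


def role_for(group_cns, users_group, admins_group):
    """Map the CNs returned by the group filter to 'admin', 'user' or None.

    users_group and admins_group are the comma-separated lists from the
    LDAP tab; None means the login is refused. Comparison is
    case-insensitive (assumption of this example).
    """
    def split(field):
        return {cn.strip().casefold() for cn in field.split(",") if cn.strip()}

    found = {cn.casefold() for cn in group_cns}
    if found & split(admins_group):
        return "admin"
    if found & split(users_group):
        return "user"
    return None
```

A username containing filter metacharacters stays a literal value after expansion, so it can only match an entry whose attribute really contains those characters.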