Kaspersky SD-WAN

Managing users and their access permissions

To restrict access to the administrator portal and the self-service portal, as well as to individual sections, subsections, and functions, the solution implements a role-based access control (RBAC) model. User accounts can have the following roles:

  • An administrator has access to the administrator portal and self-service portal.
  • A tenant has access only to the self-service portal.

Deploying the solution creates the Administrator user with the administrator role and the User user with the tenant role. Change the passwords of these built-in accounts after deployment (see Changing the password of a local user).

You can create local users, LDAP users, and LDAP user groups. The solution does not support creating local user groups. Credentials of local users are stored in the orchestrator database. Credentials of LDAP users and LDAP user groups are stored on a remote server. Supported servers include the remote OpenLDAP server with Simple SSL authentication, as well as Microsoft Active Directory with Kerberos authentication and Kerberos SSL authentication.

You must first create an LDAP connection that the orchestrator uses to connect to the remote server, and then create LDAP users and/or LDAP user groups. Created LDAP users and LDAP user groups can log in to the orchestrator web interface using their credentials.

Two-factor authentication

To improve the overall security level of the solution, you can require two-factor authentication of users using the Time-based one-time password (TOTP) algorithm. You can enable or disable two-factor authentication for all users. You can also enable or disable two-factor authentication when creating or editing local users, LDAP users, and LDAP groups.

If two-factor authentication is enabled for a user, a unique QR code is generated the next time that user logs in to the orchestrator web interface. The user must scan the QR code with a software or hardware authenticator that complies with RFC 6238, such as Kaspersky Password Manager, Google Authenticator, Yandex Key, or Microsoft Authenticator. The QR code carries the shared TOTP secret, so it must be shown only to the user who is enrolling; anyone who captures it can generate valid codes for that account. The authenticator then generates a one-time code that the user enters to complete two-factor authentication and log in to the orchestrator web interface. If the user enters the code incorrectly more than five times, that user is blocked for 30 minutes.

After the authenticator has been enrolled in this way, the user must enter a user name, a password, and the current one-time code at every login to the orchestrator web interface. If necessary, you can make the user enroll again (see Repeated two-factor authentication of a user), for example after the user has lost the device with the authenticator.

TOTP codes are derived from the current time, so if the clocks of the orchestrator and the authenticator differ by more than 30 seconds, two-factor authentication may fail. We recommend synchronizing the orchestrator's clock with an NTP server and keeping the clock of the device that runs the authenticator synchronized as well.
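The TOTP mechanics described above, shown as an added Python example; this is illustration code written for this page, not Kaspersky's documentation or product code. It implements RFC 6238 over HMAC-SHA1, uses the RFC's published test secret as constructed input (not a real enrollment secret), accepts one 30-second step of clock skew on either side so that larger drift is rejected, and blocks a user after more than five wrong codes for 30 minutes. The skew window and the guard logic are the example's own assumptions; the 30-second step, the five-attempt limit, and the 30-minute block are the values the page gives.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30        # RFC 6238 default time step; matches the page's 30-second tolerance
DIGITS = 6
MAX_FAILURES = 5         # page: more than five wrong codes ...
BLOCK_SECONDS = 30 * 60  # ... blocks the user for 30 minutes

# The RFC 6238 reference test secret ("12345678901234567890", base32-encoded).
# Constructed test input only; a real enrollment secret is random and per user.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, code: str, server_time: int, skew_steps: int = 1) -> bool:
    """Accept the code for the current step and skew_steps neighbours on each side.
    With skew_steps=1 an authenticator clock that is off by more than one 30-second
    step produces codes the server rejects, which is the drift the page warns about.
    compare_digest keeps the comparison constant-time."""
    current = server_time // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret_b32, current + d), code)
               for d in range(-skew_steps, skew_steps + 1))


class TotpLoginGuard:
    """Second-factor check for one user with the page's lockout rule: more than
    MAX_FAILURES wrong codes block the user for BLOCK_SECONDS (example logic)."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.failures = 0
        self.blocked_until = 0

    def attempt(self, code: str, now: int) -> str:
        """Returns 'ok', 'wrong' or 'blocked'."""
        if now < self.blocked_until:
            return "blocked"
        if verify_totp(self.secret, code, now):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures > MAX_FAILURES:
            self.failures = 0
            self.blocked_until = now + BLOCK_SECONDS
            return "blocked"
        return "wrong"
```

With the RFC test secret, `totp(RFC6238_TEST_SECRET_B32, 59)` yields the RFC's vector `287082`; that code is still accepted when the server clock reads 89 seconds (one step of drift) but rejected at 119 seconds, which is exactly the failure mode the NTP recommendation above addresses.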

Access permissions

If necessary, you can create access permissions that determine which sections and subsections of the orchestrator web interface, and which actions in them, are available to users, and assign these access permissions when creating or editing users or LDAP user groups. For example, you can create an access permission that prohibits access to the Catalog section and the creation of network service templates.

By default, users and LDAP user groups have the Full access permission, which grants full access to all functionality of the solution. Assign a more restrictive permission to every account that does not need full access.

Confirmation requests

When creating or editing a user, you specify whether a confirmation request must be created automatically whenever this user performs an action. Confirmation requests can be confirmed, denied, or deleted. When a request is confirmed, the associated action is performed. Denied confirmation requests remain stored in the orchestrator web interface.

User sessions

The following functions are used to manage user sessions:

  • Limiting the duration of user sessions. If a user remains idle for 3600 seconds (one hour) after logging into the orchestrator web interface, the user session is automatically ended. You can manually specify the period of inactivity that triggers automatic logout.
  • Termination of user sessions. If multiple employees use the same user account credentials to log in to the orchestrator web interface, each of these employees can view and end the other sessions established with that account.

In this Help section

Managing access permissions

Managing LDAP connections

Managing users

Managing LDAP user groups

Enabling or disabling two-factor authentication for all users

Managing confirmation requests

Limiting the duration of a user session

Viewing and ending active user sessions


Managing access permissions

The list of access permissions is displayed in the Users section, on the Permissions tab. By default, the Full access permission is created, which grants full access to the orchestrator web interface and is automatically assigned to users and LDAP user groups if you do not assign them a different access permission.

The actions you can perform with the list are described in the Managing solution component tables instructions.

In this section

Creating access permissions

Editing access permissions

Cloning access permissions

Removing an access permission


Creating access permissions

To create an access permission:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Permissions tab.

    The list of access permissions is displayed.

  3. In the upper part of the list, click + Permission.
  4. In the displayed settings area, in the Name field, enter the name of the access permission. Maximum length: 250 characters.
  5. In the Access rights section next to the sections and subsections of the orchestrator web interface, select one of the following values:
    • Editing to allow the users to view the section or subsection and perform all available tasks in it.
    • Viewing to allow users only to view the section or subsection.
    • No access to prevent users from viewing the section or subsection.

    If you want the subsections to inherit the value selected for the section, select the Apply to subsections check box. This check box is cleared by default.

  6. Click Create.

The access permission is created and displayed in the list.

You can assign an access permission when creating or editing a user, or when creating or editing an LDAP user group.
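How the three rights and the Apply to subsections check box combine, as an added Python example written for this page (not the product's code; the orchestrator's actual evaluation order is not documented here). It builds the permission the page uses as its example, no access to Catalog and no creation of network service templates; the section names other than Catalog are hypothetical. Two choices are the example's own: anything not explicitly granted is denied, and a subsection is never more permissive than its parent section.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# The three values offered per section or subsection on the page.
EDITING, VIEWING, NO_ACCESS = "Editing", "Viewing", "No access"
_LEVEL = {NO_ACCESS: 0, VIEWING: 1, EDITING: 2}


@dataclass
class AccessPermission:
    """A named access permission: a right per section, optional rights per
    (section, subsection), and the set of sections whose right is pushed down
    to their subsections (the 'Apply to subsections' check box)."""
    name: str
    full_access: bool = False
    sections: Dict[str, str] = field(default_factory=dict)
    subsections: Dict[Tuple[str, str], str] = field(default_factory=dict)
    apply_to_subsections: Set[str] = field(default_factory=set)

    def effective_right(self, section: str, subsection: Optional[str] = None) -> str:
        if self.full_access:
            return EDITING
        # Example design choice, not documented product behaviour: anything not
        # explicitly granted is denied (fail closed).
        section_right = self.sections.get(section, NO_ACCESS)
        if subsection is None:
            return section_right
        if section in self.apply_to_subsections:
            return section_right
        sub_right = self.subsections.get((section, subsection), NO_ACCESS)
        # Second design choice: a subsection can never be more permissive than
        # its parent section, so a 'No access' section hides everything below it.
        return min(section_right, sub_right, key=_LEVEL.get)

    def allows(self, action: str, section: str, subsection: Optional[str] = None) -> bool:
        """action is 'view' or anything else (create/edit/delete), which needs Editing."""
        needed = VIEWING if action == "view" else EDITING
        return _LEVEL[self.effective_right(section, subsection)] >= _LEVEL[needed]


# The built-in permission the page describes: every section, every action.
FULL_ACCESS = AccessPermission(name="Full access", full_access=True)


def catalog_restricted_permission() -> AccessPermission:
    """The permission the page uses as its example: no access to the Catalog
    section, and no creation of network service templates. Section names other
    than 'Catalog' are hypothetical placeholders."""
    return AccessPermission(
        name="Catalog restricted",
        sections={
            "Catalog": NO_ACCESS,
            "Infrastructure": EDITING,
            "Templates": EDITING,
        },
        subsections={
            # Viewing is enough to see templates but not to create them.
            ("Templates", "Network service templates"): VIEWING,
            ("Templates", "Other templates"): EDITING,
        },
        apply_to_subsections={"Catalog"},
    )
```

Evaluating the example permission shows why the Apply to subsections check box matters: with it set on Catalog, every Catalog subsection is hidden without listing each one; without it, a subsection that is not explicitly configured falls back to the example's deny-by-default rule.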


Editing access permissions

To edit an access permission:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Permissions tab.

    The list of access permissions is displayed.

  3. Click the access permission that you want to edit.
  4. In the displayed settings area, edit the following settings, if necessary:
    • Name of the access permission
    • Sections and subsections of the orchestrator web interface and actions available to users
  5. Click Save.

The access permission is modified and updated in the list.


Cloning access permissions

You can clone an access permission to create an identical access permission with a different name.

To clone an access permission:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Permissions tab.

    The list of access permissions is displayed.

  3. Click the access permission that you want to clone.
  4. In the upper part of the displayed settings area, click Management → Clone.
  5. This opens a window; in that window, enter the name of the new access permission.
  6. Click Clone.

A copy of the access permission with the new name is added to the list.


Removing an access permission

Deleted access permissions cannot be restored.

To remove an access permission:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Permissions tab.

    The list of access permissions is displayed.

  3. Click the access permission that you want to delete.
  4. In the upper part of the displayed settings area, click Management → Delete.
  5. In the confirmation window, click Delete.

The access permission is deleted and is no longer displayed in the list.


Managing LDAP connections

The table of LDAP connections is displayed in the Users section, on the LDAP connection tab. Information about LDAP connections is displayed in the following table columns:

  • Name is the name of the LDAP connection.
  • Type is the type of the connection. This column always displays LDAP.
  • Host is the host name of the remote server.

The actions you can perform with the table are described in the Managing solution component tables instructions.

In this section

Creating an LDAP connection

Editing an LDAP connection

Changing the password of an LDAP connection

Deleting an LDAP connection


Creating an LDAP connection

If you want LDAP users or LDAP user groups to be able to log in to the orchestrator web interface using their credentials, you must first create an LDAP connection that the orchestrator uses to connect to the remote server, and then create your LDAP users or LDAP user groups.

To create an LDAP connection:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the LDAP connection tab.

    A table of LDAP connections is displayed.

  3. Click + LDAP.
  4. In the displayed settings area, in the Name field, enter the name of the LDAP connection.
  5. In the Domain field, enter the FQDN of the domain of the remote server.
  6. In the Domain alias field, enter the alias or NETBIOS name of the domain. Users enter the alias, NETBIOS name, or FQDN of the domain when logging into the orchestrator web interface.
  7. In the LDAP host field, enter the host name of the remote server. The following host name formats are supported:
    • ldap://<host name>:<port number> for a standard LDAP server. The default port is 389. With this scheme the bind password is sent to the remote server unencrypted, so use it only where the network path between the orchestrator and the server is trusted.
    • ldaps://<host name>:<port number> for an LDAP server with SSL authentication. The default port is 636.

    For example, if you enter ldap://example.com:100, the host name of the remote server is 'example.com' and the port number is 100.

  8. In the Base DN field, enter the base distinguished name that the orchestrator uses as the starting point for searching user accounts in the remote server directory. The following base distinguished name formats are supported:
    • To search in OpenLDAP, enter the base distinguished name in the OU=<value>,OU=<value> format, where the OU components describe the structure of organizational units in the remote server directory. A distinguished name is read from left to right, from the most specific object towards the root, so if you enter OU=OU_example1,OU=OU_example2, the starting point for searching user accounts is organizational unit OU_example1, which is nested in OU_example2.
    • To search in Microsoft Active Directory, enter the base distinguished name in the DC=<value>,DC=<value> format, where the DC components are the domain components of the remote server. For example, if you enter DC=example,DC=com, the starting point for searching user accounts is the 'example.com' domain.
  9. In the Search attribute drop-down list, select the attribute that the orchestrator uses to search for user accounts in the remote server directory.
  10. In the Bind DN field, enter the distinguished name for authenticating the orchestrator on the remote server. The following distinguished name formats are supported:
    • For authentication in OpenLDAP, enter a value in the UID=<value>,OU=<value> format, where UID is the user ID and OU is the organizational unit structure in the remote server directory where the user is located. For example, if you enter UID=user_example,OU=OU_example, user user_example from organizational unit OU_example is used for authenticating the orchestrator on the remote server.
    • For authentication in Microsoft Active Directory, enter a value in the CN=<value>,OU=<value>,DC=<value>,DC=<value> format, where CN is the common name of the user, OU is the organizational unit structure in the directory of the remote server where the user is located, and the DCs are the user's domain components. For example, if you enter CN=user_example,OU=OU_example,DC=example,DC=com, user user_example in organizational unit OU_example in the example.com domain is used for authenticating the orchestrator on the remote server.
  11. In the Bind password field, enter the remote server password for authenticating the orchestrator on the remote server. To see the entered password, you can click the show icon. Use a dedicated service account with only the directory read rights the orchestrator needs for this bind.
  12. To check if the remote server is available, click Test authentication.
  13. Click Create.

The LDAP connection is created and displayed in the table.
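Checks for the LDAP host, base DN and bind DN formats listed in the steps above, as an added Python example written for this page (not orchestrator code). It fills in the default ports, flags ldap:// as sending the bind password unencrypted, splits distinguished names into components to show that the leftmost component is the innermost object, derives the Active Directory base DN from a domain FQDN, and validates the two bind DN shapes. The parser handles only the backslash-comma escape of RFC 4514; it does not perform a bind, and the sample values are constructed.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # the defaults given on the page


def parse_ldap_host(value: str) -> Tuple[str, str, int]:
    """Parse the LDAP host field. Returns (scheme, host, port), filling in the
    default port for the scheme when none is given."""
    parts = urlsplit(value.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"LDAP host must start with ldap:// or ldaps://: {value!r}")
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        raise ValueError("LDAP host must contain only scheme, host name and port")
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]


def bind_is_encrypted(value: str) -> bool:
    """ldap:// sends the simple-bind password in cleartext; only ldaps:// protects it."""
    return parse_ldap_host(value)[0] == "ldaps"


_RDN = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>.+)$")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (ATTR, value) pairs in the order written, i.e. most
    specific first. Only the RFC 4514 backslash-comma escape is handled."""
    rdns = []
    for raw in re.split(r"(?<!\\),", dn):
        m = _RDN.match(raw.strip())
        if not m:
            raise ValueError(f"malformed RDN {raw!r} in {dn!r}")
        rdns.append((m.group("attr").upper(), m.group("val").replace("\\,", ",")))
    return rdns


def container_path(dn: str) -> List[str]:
    """Containers from the directory root down to the leaf. For
    OU=OU_example1,OU=OU_example2 this is ['OU_example2', 'OU_example1']:
    the leftmost RDN is the innermost object."""
    return [value for _, value in reversed(parse_dn(dn))]


def domain_to_base_dn(fqdn: str) -> str:
    """example.com -> DC=example,DC=com (the Active Directory base DN format)."""
    labels = [label for label in fqdn.strip(".").split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"not a domain FQDN: {fqdn!r}")
    return ",".join(f"DC={label}" for label in labels)


def validate_base_dn(dn: str, server: str) -> bool:
    """server is 'openldap' (OU components, as on the page) or 'ad' (DC components)."""
    attrs = [a for a, _ in parse_dn(dn)]
    if server == "openldap":
        return all(a in ("OU", "DC") for a in attrs)
    if server == "ad":
        return len(attrs) >= 2 and all(a == "DC" for a in attrs)
    raise ValueError(server)


def validate_bind_dn(dn: str, server: str) -> bool:
    """OpenLDAP: UID=<user>,OU=...   AD: CN=<user>,OU=...,DC=...,DC=..."""
    attrs = [a for a, _ in parse_dn(dn)]
    if server == "openldap":
        return attrs[0] == "UID" and all(a in ("OU", "DC") for a in attrs[1:])
    if server == "ad":
        dcs = [a for a in attrs if a == "DC"]
        return attrs[0] == "CN" and len(dcs) >= 2 and attrs[-len(dcs):] == dcs
    raise ValueError(server)
```

Running `container_path("OU=OU_example1,OU=OU_example2")` returns `['OU_example2', 'OU_example1']`, which is the nesting described in step 8. `bind_is_encrypted("ldap://example.com:100")` is false, a quick way to catch a connection that would expose the bind password on the wire.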


Editing an LDAP connection

To edit an LDAP connection:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the LDAP connection tab.

    A table of LDAP connections is displayed.

  3. Click the LDAP connection that you want to edit.
  4. In the displayed settings area, edit the LDAP connection settings, if necessary. For a description of the settings, see the instructions for creating an LDAP connection.
  5. Click Save.

The LDAP connection is modified and updated in the table.


Changing the password of an LDAP connection

You can change the remote server password that was specified when the LDAP connection was created and make the orchestrator use the new password to authenticate with the remote server.

To change the password of an LDAP connection:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the LDAP connection tab.

    A table of LDAP connections is displayed.

  3. Click the LDAP connection for which you want to change the password.
  4. In the upper part of the displayed settings area, click the Management button → Change password.
  5. This opens a window; type the new password in the New password and Password confirmation text boxes.
  6. Click Save.

The LDAP connection password is changed.


Deleting an LDAP connection

Deleted LDAP connections cannot be restored.

To delete an LDAP connection:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the LDAP connection tab.

    A table of LDAP connections is displayed.

  3. Click the LDAP connection that you want to delete.
  4. In the upper part of the displayed settings area, click Management → Delete.
  5. In the confirmation window, click Delete.

The LDAP connection is deleted and is no longer displayed in the table.


Managing users

The table of users is displayed in the Users section, on the Users tab. Information about users is displayed in the following columns of the table:

  • Name is the user name.
  • Tenant is the tenant to which the user is assigned.
  • Role is the role of the user:
    • Administrator
    • Tenant
  • Source is the type of the user:
    • Local is a local user.
    • LDAP is an LDAP user.
  • Groups lists the LDAP user groups of the user.
  • State is the status of the user:
    • Online
    • Offline
    • Blocked
  • Two-factor authentication is the two-factor authentication status of the user:
    • Enabled means two-factor authentication is enabled for the user.
    • Disabled means two-factor authentication is disabled for the user.
    • Reinitialization means the user must enroll an authenticator again at the next login (see Repeated two-factor authentication of a user).

The actions that you can perform with the table are described in the Managing solution component tables instructions.


Creating a user

You can create local and LDAP users. Credentials of local users are stored in the orchestrator database. LDAP user credentials are stored on the remote server. If you want LDAP users to be able to log in to the orchestrator web interface using their credentials, you must first create an LDAP connection that the orchestrator uses to connect to the remote server, and then create your LDAP users or LDAP user groups.

To create a user:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Click + User.
  3. In the displayed settings area, in the Source drop-down list, select the user type:
    • Local. Default value. If this value is selected, in the Password and Password confirmation fields, enter the password of the user. The password must contain at least one uppercase Latin letter (A–Z), one lowercase Latin letter (a–z), one numeral, and one special character. Password length: 8 to 50 characters. To see the entered password, you can click the show icon.
    • LDAP
  4. In the Username field, enter the user name. For an LDAP user, specify the remote server user name in the user@domain or domain\user format.
  5. In the Role drop-down list, select the role of the user:
    • Administrator
    • Tenant
  6. If you want to enable two-factor authentication for the user, select the Two-step authentication check box. This check box is cleared by default. The user must complete two-factor authentication the next time the user logs in to the orchestrator web interface.

    You cannot enable two-factor authentication for an individual user if two-factor authentication is disabled for all users.

  7. If you want to assign an access permission to a user, in the Permissions drop-down list, select the created access permission. By default, the user gets the Full access permission, which grants full access to the orchestrator web interface.
  8. If you want to create a confirmation request every time the user performs an action, select the Request confirmation is required check box. By default, the check box is cleared and the user can perform actions without confirmation.
  9. In the First name field, enter the first name of the employee.
  10. In the Last name field, enter the last name of the employee.
  11. If necessary, enter additional information about the user:
    1. In the Email field, enter the email address.
    2. In the Description field, enter a brief description of the user.
  12. Click Create.

The user is created and displayed in the table. By default, the user is blocked.

You must unblock the user to grant that user access to the orchestrator web interface.
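The constraints from the steps above, as an added Python example written for this page (not product code): the local password policy, the user@domain and domain\user formats for LDAP user names, the rule that per-user two-factor authentication cannot be enabled while it is disabled for all users, and the fact that a new user starts Blocked. Treating "special character" as ASCII punctuation is an assumption; the page does not define the term. The example does not store the password at all; a real store keeps only a password hash.

```python
import string
from typing import Dict, List, Optional, Tuple

PASSWORD_MIN, PASSWORD_MAX = 8, 50          # from the page
ROLES = ("Administrator", "Tenant")
SOURCES = ("Local", "LDAP")


def check_local_password(password: str) -> List[str]:
    """Return the rules a local-user password violates (empty list = accepted):
    8-50 characters, at least one uppercase Latin letter, one lowercase Latin
    letter, one digit and one special character. 'Special character' is taken
    to mean ASCII punctuation (assumption; the page does not define it)."""
    problems = []
    if not PASSWORD_MIN <= len(password) <= PASSWORD_MAX:
        problems.append("length")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("uppercase")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("lowercase")
    if not any(c in string.digits for c in password):
        problems.append("digit")
    if not any(c in string.punctuation for c in password):
        problems.append("special")
    return problems


def parse_ldap_username(name: str) -> Tuple[str, str]:
    """Accept the two formats the page lists for LDAP users, user@domain and
    domain\\user, and return (user, domain) with the domain lower-cased."""
    if name.count("@") == 1 and "\\" not in name:
        user, _, domain = name.partition("@")
    elif name.count("\\") == 1 and "@" not in name:
        domain, _, user = name.partition("\\")
    else:
        raise ValueError(f"expected user@domain or domain\\user, got {name!r}")
    if not user or not domain or any(c.isspace() for c in name):
        raise ValueError(f"empty user or domain in {name!r}")
    return user, domain.lower()


def create_user(source: str, username: str, role: str, *, password: Optional[str] = None,
                two_step: bool = False, global_two_step: bool = True,
                permission: str = "Full access", request_confirmation: bool = False) -> Dict:
    """Build the user record the page describes. Local users need a policy-
    compliant password; LDAP user names must be user@domain or domain\\user;
    two-step authentication cannot be enabled per user while it is disabled for
    all users; and a new user starts Blocked until an administrator unblocks it."""
    if source not in SOURCES or role not in ROLES:
        raise ValueError("unknown source or role")
    if two_step and not global_two_step:
        raise ValueError("two-factor authentication is disabled for all users")
    if source == "Local":
        violations = check_local_password(password or "")
        if violations:
            raise ValueError(f"password rejected: {', '.join(violations)}")
        user, domain = username, None
    else:
        user, domain = parse_ldap_username(username)
    return {
        "source": source, "username": user, "domain": domain, "role": role,
        "two_step": two_step, "permission": permission,
        "request_confirmation": request_confirmation,
        "state": "Blocked",   # page: a created user is blocked by default
    }


def creation_error(**kwargs) -> Optional[str]:
    """Convenience wrapper: the rejection reason, or None if the user would be created."""
    try:
        create_user(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None
```

Because the record comes back with `"state": "Blocked"` and the Full access permission unless another one is passed, the two follow-up actions an administrator must take are visible in the data: unblock the account, and decide whether Full access is really intended.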


Activating or blocking a user

By default, created users are blocked. You must unblock the user to grant that user access to the orchestrator web interface.

To block or unblock a user:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Click the user that you want to unblock or block.
  3. In the upper part of the displayed settings area, click Management → Unblock or Management → Block.

The user is unblocked or blocked.


Editing a user

You cannot change the source (Local or LDAP) or the user name of a user. Separate instructions are given for changing the password of a local user.

To edit a user:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Click the user that you want to edit.
  3. In the displayed settings area, edit the user settings, if necessary. For a description of the settings, see the instructions for creating a user.
  4. Click Save.

The user is modified and updated in the table.


Changing the password of a local user

LDAP user passwords are stored on remote servers and cannot be changed in the orchestrator web interface.

To change the password of a local user:

  1. Proceed to change the local user password:
    • If you have the administrator role and want to change the password of a local user, go to the Users menu section, click the local user, and click Management → Change password.
    • If you have the tenant role and want to change your own password, in the lower part of the menu click the settings icon → Change password.
  2. This opens a window; type the new password in the New password and Password confirmation text boxes. The password must contain at least one uppercase Latin letter (A–Z), one lowercase Latin letter (a–z), one numeral, and one special character. Password length: 8 to 50 characters. To see the entered password, you can click the show icon.
  3. Click Save.

The password of the local user is changed.


Repeated two-factor authentication of a user

You can have the user enroll again if the user has lost the authenticator that was set up during the previous two-factor authentication and can therefore no longer generate the one-time codes needed to log in to the orchestrator web interface. Because a new QR code is generated at the user's next login, this is also the way to handle a lost or stolen device with an enrolled authenticator.

To repeat user authentication:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Click the user that you want to re-authenticate with two-factor authentication.
  3. In the upper part of the displayed settings area, click Management → Reinitialize two-step authentication.

The user must complete two-factor authentication the next time the user logs in to the orchestrator web interface.


Deleting a user

Deleted users cannot be restored.

To delete a user:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Click the user that you want to delete.
  3. In the upper part of the displayed settings area, click Management → Delete.
  4. In the confirmation window, click Delete.

The user is deleted and is no longer displayed in the table.


Managing LDAP user groups

The table of LDAP user groups is displayed in the Users section, on the Groups tab. Information about LDAP user groups is displayed in the following table columns:

  • Name is the name of the LDAP user group.
  • Tenant is the tenant to which the LDAP user group is assigned.

    You can assign an LDAP user group to a tenant to allow this LDAP user group to log in to the tenant's self-service portal and manage the SD-WAN instance that is deployed for the tenant. To assign an LDAP user group to a tenant, you must assign the LDAP user group the tenant role when you create or edit the LDAP user group.

    To assign an LDAP user group to a tenant:

    1. In the menu, go to the Tenants section.

      The tenant management page is displayed.

    2. Under Tenants, select the tenant to which you want to assign a user group.
    3. Under User groups, click + Edit.
    4. This opens a window; in that window, under Groups, select an LDAP user group which you want to assign to the tenant.
    5. Click Save.

    The LDAP user group is assigned to the tenant and displayed under User groups.

  • Role is the role of LDAP users.

The actions you can perform with the table are described in the Managing solution component tables instructions.

In this section

Creating an LDAP user group

Editing an LDAP user group

Deleting an LDAP user group


Creating an LDAP user group

LDAP user group credentials are stored on the remote server. If you want users in the LDAP user group to be able to log in to the orchestrator web interface using their credentials, you must first create an LDAP connection that the orchestrator uses to connect to the remote server, and then create your LDAP users or LDAP user groups.

If the user is a member of multiple LDAP user groups on the remote server, we recommend creating only one of those LDAP user groups in the orchestrator web interface. If multiple LDAP user groups have been created in the orchestrator web interface, a user that is a member of all of these LDAP user groups logs in to the orchestrator web interface as a member of that LDAP user group which was created first.

To create an LDAP user group:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Groups tab.

    A table of LDAP user groups is displayed.

  3. Click + User group.
  4. In the displayed settings area, in the Name field, enter the name of the LDAP user group on the remote server. Use the same format as for LDAP user names, user@domain or domain\user, with the group name in place of the user name.
  5. In the Role drop-down list, select the role of LDAP users in the group:
    • Administrator
    • Tenant
  6. If you want to assign an access permission to an LDAP user group, in the Permissions drop-down list, select the created access permission. By default, the LDAP user group gets the Full access permission, which grants full access to the orchestrator web interface.

    If you want to enable two-factor authentication for the LDAP user group, select the Two-step authentication check box. This check box is cleared by default. Users in the LDAP user group must complete two-factor authentication the next time they log in to the orchestrator web interface.

    When two-factor authentication is enabled for a group of LDAP users, authenticated LDAP users are displayed in the table of users. You can disable two-factor authentication for an LDAP user by editing the user.

    You cannot enable two-factor authentication for an LDAP user group if two-factor authentication is disabled for all users.

  7. Click Create.

The LDAP user group is created and displayed in the table.
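The group-precedence rule in the note above has a security consequence: a user who is a member of several orchestrator-created groups gets the role and access permission of whichever group was created first, even if that is the more privileged one. The following added Python example (not product code) resolves the login group by creation order and lists the memberships that make the outcome depend on that order, so a directory account can be checked before a second group is created. Case-insensitive name matching and the sample group names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LdapGroup:
    """An LDAP user group as created in the orchestrator web interface."""
    name: str          # group name as entered on the Groups tab
    role: str          # Administrator or Tenant
    permission: str    # access permission name, 'Full access' unless assigned
    created_seq: int   # creation order; lower means created earlier


def resolve_login_group(server_memberships: List[str],
                        groups: List[LdapGroup]) -> Optional[LdapGroup]:
    """Apply the page's rule: a user who belongs to several orchestrator-created
    groups logs in as a member of the one created first. Names are compared
    case-insensitively (assumption; AD group names are case-insensitive)."""
    member_of = {m.lower() for m in server_memberships}
    matches = [g for g in groups if g.name.lower() in member_of]
    return min(matches, key=lambda g: g.created_seq) if matches else None


def effective_access(server_memberships: List[str],
                     groups: List[LdapGroup]) -> Optional[Dict[str, str]]:
    """Role and permission the user will actually get at login, or None if no
    orchestrator-created group matches (the user cannot log in via a group)."""
    g = resolve_login_group(server_memberships, groups)
    return None if g is None else {"group": g.name, "role": g.role, "permission": g.permission}


def privilege_conflicts(server_memberships: List[str], groups: List[LdapGroup]) -> List[str]:
    """Matching groups that lose to the winning group but carry a different role
    or permission. A non-empty result means the login outcome depends on
    creation order, which is the situation the page advises avoiding."""
    winner = resolve_login_group(server_memberships, groups)
    if winner is None:
        return []
    member_of = {m.lower() for m in server_memberships}
    return [g.name for g in groups
            if g.name.lower() in member_of and g != winner
            and (g.role, g.permission) != (winner.role, winner.permission)]


# Constructed sample: an Administrator group created before a Tenant group.
SAMPLE_GROUPS = [
    LdapGroup("EXAMPLE\\sdwan-admins", "Administrator", "Full access", created_seq=1),
    LdapGroup("EXAMPLE\\tenant-a-ops", "Tenant", "Tenant read-only", created_seq=2),
]
```

With `SAMPLE_GROUPS`, a directory user who is in both groups logs in as an Administrator with Full access because that group was created first; `privilege_conflicts` reports the Tenant group so the membership can be cleaned up in the directory before the user is given access.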


Editing an LDAP user group

You cannot change the type and name of the LDAP user group.

To edit a user group:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Groups tab.

    A table of LDAP user groups is displayed.

  3. Click the LDAP user group that you want to edit.
  4. In the displayed settings area, edit the LDAP user group settings, if necessary. For a description of the settings, see the instructions for creating an LDAP user group.
  5. Click Save.

The LDAP user group is modified and updated in the table.


Deleting an LDAP user group

Deleted LDAP user groups cannot be restored.

To delete an LDAP user group:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Groups tab.

    A table of LDAP user groups is displayed.

  3. Click the LDAP user group that you want to delete.
  4. In the upper part of the displayed settings area, click Management → Delete.
  5. In the confirmation window, click Delete.

The LDAP user group is deleted and is no longer displayed in the table.


Enabling or disabling two-factor authentication for all users

You can enable or disable two-factor authentication for all users. If two-factor authentication is disabled for all users, you cannot enable two-factor authentication for individual local users, LDAP users, or LDAP user groups.

To enable or disable two-factor authentication for all users:

  1. In the menu, go to the Users section.

    The user management page is displayed. The Users tab, which is selected by default, displays the table of users.

  2. Select the Authentication security tab.
  3. Do one of the following:
    • If you want to enable two-factor authentication for all users, select the Two-step authentication for all users check box. All users must complete two-factor authentication the next time a user logs in to the orchestrator web interface.
    • If you want to disable two-factor authentication for all users, clear the Two-step authentication for all users check box.

    This check box is selected by default.

Two-factor authentication is enabled or disabled for all users.


Managing confirmation requests

If, when creating or editing a user, you selected the Request confirmation is required check box, a confirmation request is automatically created for each action of that user. You can confirm, deny, or delete the confirmation request. When a request is confirmed, the corresponding action is applied; denied confirmation requests remain stored in the orchestrator web interface.

To confirm, deny, or delete a confirmation request:

  1. In the menu, go to the Confirmation section.

    A table of confirmation requests is displayed. Information about confirmation requests is displayed in the following table columns:

    • Method is the API method that was used to create the confirmation request.
    • URL is the URL of the API.
    • Note is a brief description of the confirmation request.
    • User is the name of the user whose action resulted in the creation of a confirmation request.
    • Headers are API headers.
    • Created is the date and time when the confirmation request was created.
    • Status is the status of the confirmation request:
      • Confirmed
      • Denied
      • Error
      • Waiting confirmation

    The actions that you can perform with the table are described in the Managing solution component tables instructions.

  2. Do one of the following:
    • To confirm the request, click Permit next to it.
    • To deny the request, click Deny next to it.
    • To delete the request, click Delete next to it.

    If you want to confirm, deny, or delete multiple confirmation requests at the same time, select check boxes next to the requests and select an action by clicking the Action button in the upper part of the table.

Confirmation requests are confirmed, denied, or deleted.
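The confirmation workflow above, as an added Python example written for this page (not the orchestrator's implementation): user actions are recorded with the columns the table shows (method, URL, note, user, headers, created, status), held in Waiting confirmation until confirmed, denied or deleted, and executed only on confirmation; an action that fails after approval gets the Error status. Masking credential-bearing headers such as Authorization before storing the request is the example's own choice, made because the Headers column is visible to whoever reviews the queue. The API paths and the demo executor are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Status values shown in the Confirmation section table.
WAITING, CONFIRMED, DENIED, ERROR = "Waiting confirmation", "Confirmed", "Denied", "Error"

# Example design choice (not from the page): header values that carry credentials
# are masked before the request is stored, since reviewers see the Headers column.
_SENSITIVE_HEADERS = {"authorization", "cookie", "x-auth-token"}


def redact_headers(headers: Dict[str, str]) -> Dict[str, str]:
    return {k: ("<redacted>" if k.lower() in _SENSITIVE_HEADERS else v)
            for k, v in headers.items()}


@dataclass
class ConfirmationRequest:
    id: int
    method: str
    url: str
    note: str
    user: str
    headers: Dict[str, str]
    created: datetime
    status: str = WAITING


class ConfirmationQueue:
    """Holds API calls made by users flagged 'Request confirmation is required'
    until an administrator confirms, denies or deletes them."""

    def __init__(self, executor: Callable[[ConfirmationRequest], None]):
        self._executor = executor      # performs the deferred API call
        self._requests: Dict[int, ConfirmationRequest] = {}
        self._next_id = 1

    def submit(self, user: str, requires_confirmation: bool, method: str, url: str,
               headers: Dict[str, str], note: str = "") -> ConfirmationRequest:
        req = ConfirmationRequest(self._next_id, method.upper(), url, note, user,
                                  redact_headers(headers), datetime.now(timezone.utc))
        self._next_id += 1
        if requires_confirmation:
            self._requests[req.id] = req   # parked until someone decides
        else:
            self._run(req)                 # unflagged users act immediately
        return req

    def confirm(self, req_id: int) -> str:
        req = self._waiting(req_id)
        self._run(req)
        return req.status

    def deny(self, req_id: int) -> str:
        req = self._waiting(req_id)
        req.status = DENIED                # stays in the table, as the page says
        return req.status

    def delete(self, req_id: int) -> None:
        del self._requests[req_id]

    def table(self) -> List[ConfirmationRequest]:
        return sorted(self._requests.values(), key=lambda r: r.id)

    def _waiting(self, req_id: int) -> ConfirmationRequest:
        req = self._requests[req_id]
        if req.status != WAITING:
            raise ValueError(f"request {req_id} is already {req.status}")
        return req

    def _run(self, req: ConfirmationRequest) -> None:
        try:
            self._executor(req)
            req.status = CONFIRMED
        except Exception:                  # the action failed after approval
            req.status = ERROR


# Constructed demo executor: records calls, and fails for URLs containing "fail".
EXECUTED: List[tuple] = []


def demo_executor(req: ConfirmationRequest) -> None:
    if "fail" in req.url:
        raise RuntimeError("backend rejected the call")
    EXECUTED.append((req.method, req.url))
```

A request that is confirmed twice, or denied after confirmation, raises rather than re-running the action, which keeps the queue from being used to replay an approved change.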


Limiting the duration of a user session

By default, if a user remains idle for 3600 seconds (one hour) after logging into the orchestrator web interface, the user session is ended. You can manually specify the maximum inactivity time.

To limit the duration of a user session:

  1. In the lower part of the menu, click the settings icon → Session expiration time.
  2. This opens a window; in that window, enter the time in seconds after which the user session is terminated in case of inactivity. Range of values: 60 to 86,400. Default value: 3600.
  3. Click Save.

Users are automatically logged out of the orchestrator web interface after remaining idle for the specified amount of time.


Viewing and ending active user sessions

You can view the list of user sessions established using your user account, and you can end such user sessions.

To view or end active user sessions:

  1. In the lower part of the menu, click the settings icon → Active sessions.

    A table of active user sessions is displayed. Information about user sessions is displayed in the following columns of the table:

    • IP address is the IP address of the user.
    • User agent is information about the browser and operating system of the user.
    • Date is the start date of the user session.

    The actions that you can perform with the table are described in the Managing solution component tables instructions.

  2. You can end user sessions in one of the following ways:
    • If you want to end a specific user session, click End session next to it.
    • If you want to end multiple user sessions, select the check boxes next to them and in the upper part of the table, click Actions → End session.

The user sessions are ended.
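Idle-timeout enforcement and per-account session control from the last two sections, as an added Python example written for this page (not product code). It validates the timeout against the 60 to 86,400 second range with the 3600 second default, ends a session once it has been idle for that long, lists the active sessions of one account with the IP address, user agent and start time shown in the Active sessions table, and ends a chosen session or all other sessions of the account. Token generation and the sample IP addresses and user agents are the example's own.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List

MIN_IDLE, MAX_IDLE, DEFAULT_IDLE = 60, 86_400, 3_600   # seconds, from the page


def valid_idle_timeout(seconds: int) -> bool:
    """The range the Session expiration time window accepts."""
    return isinstance(seconds, int) and MIN_IDLE <= seconds <= MAX_IDLE


@dataclass
class Session:
    token: str
    user: str
    ip: str
    user_agent: str
    started: int      # unix time of login (the Date column)
    last_seen: int    # unix time of the last request


class SessionStore:
    def __init__(self, idle_timeout: int = DEFAULT_IDLE):
        if not valid_idle_timeout(idle_timeout):
            raise ValueError(f"idle timeout must be {MIN_IDLE}..{MAX_IDLE} seconds")
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, ip: str, user_agent: str, now: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 random bits: unguessable session id
        self._sessions[token] = Session(token, user, ip, user_agent, now, now)
        return token

    def touch(self, token: str, now: int) -> bool:
        """Called on every request. Ends the session once it has been idle for
        the configured time; otherwise records activity and accepts the request."""
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen >= self.idle_timeout:
            del self._sessions[token]
            return False
        s.last_seen = now
        return True

    def purge_idle(self, now: int) -> int:
        stale = [t for t, s in self._sessions.items()
                 if now - s.last_seen >= self.idle_timeout]
        for t in stale:
            del self._sessions[t]
        return len(stale)

    def active_sessions(self, user: str, now: int) -> List[Session]:
        """What the Active sessions window shows for one account: every session
        established with that account, whoever is sharing its credentials."""
        self.purge_idle(now)
        return sorted((s for s in self._sessions.values() if s.user == user),
                      key=lambda s: s.started)

    def end_session(self, token: str) -> bool:
        return self._sessions.pop(token, None) is not None

    def end_other_sessions(self, user: str, keep_token: str, now: int) -> int:
        """End every other session of the account, e.g. after a shared password
        has been changed or a colleague's device has been lost."""
        others = [s.token for s in self.active_sessions(user, now) if s.token != keep_token]
        for t in others:
            del self._sessions[t]
        return len(others)
```

The store expires a session on the first request after exactly `idle_timeout` seconds of inactivity, which is the behaviour the page describes for the default of 3600 seconds; `end_other_sessions` is the bulk "End session" action applied to everything but the caller's own session.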
