Kaspersky SD-WAN

Managing users and their access permissions

17 April 2024

ID 251430

To restrict access to the administrator portal and self-service portal, as well as to individual sections, subsections, and functions, the solution implements a role-based access control (RBAC) model. User accounts can have the following roles:

  • An administrator has access to the administrator portal and self-service portal.
  • A tenant has access only to the self-service portal.

Deploying the solution creates the Administrator user with the administrator role and the User user with the tenant role.

You can create local users, LDAP users, and LDAP user groups. The solution does not support creating local user groups. Credentials of local users are stored in the orchestrator database. Credentials of LDAP users and LDAP user groups are stored on a remote server. Supported servers include a remote OpenLDAP server with Simple SSL authentication, as well as Microsoft Active Directory with Kerberos authentication and Kerberos SSL authentication.

You must first create an LDAP connection that the orchestrator uses to connect to the remote server, and then create LDAP users or LDAP user groups. Created LDAP users and LDAP user groups can log in to the orchestrator web interface using their credentials.

Two-factor authentication

To improve the overall security level of the solution, you can require two-factor authentication of users using the Time-based one-time password (TOTP) algorithm. You can enable or disable two-factor authentication for all users. You can also enable or disable two-factor authentication when creating or editing individual local users, LDAP users, and LDAP groups.

If two-factor authentication is enabled for a user, a unique QR code is generated the next time that user logs in to the orchestrator web interface. The user must scan the QR code with an RFC 6238-compliant software or hardware authenticator, such as Kaspersky Password Manager, Google Authenticator, Yandex Key, or Microsoft Authenticator. The authenticator generates a one-time code that the user must enter to complete two-factor authentication and log in to the orchestrator web interface. If the user enters the code incorrectly more than five times, that user is blocked for 30 minutes.

Once two-factor authentication has been completed, the user must enter a user name, a password, and the current one-time code each time they log in to the orchestrator web interface. If necessary, you can make the user complete two-factor authentication again.

If the time discrepancy between the orchestrator and the authenticator is greater than 30 seconds, two-factor authentication may fail. We recommend synchronizing the time on the orchestrator and the authenticator using an NTP server.
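As an added illustration (not code from Kaspersky SD-WAN or from this documentation), the following Python sketch shows what an RFC 6238 verifier on the server side has to do to behave the way the text describes: it accepts a code from the neighbouring 30-second step on either side, which is what makes a clock discrepancy of up to about 30 seconds survivable, it refuses a code that has already been used, and it locks the account for 30 minutes after more than five wrong entries. The secret, the window size, the lockout bookkeeping, and the otpauth provisioning URI (the standard Key Uri format that authenticator apps read from a QR code) are assumptions of the example; the orchestrator's real implementation is not documented here.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30            # RFC 6238 default step length in seconds
DIGITS = 6
MAX_FAILURES = 5          # "more than five" wrong codes triggers the lock
LOCKOUT_SECONDS = 30 * 60 # 30-minute block, as the documentation states


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def provisioning_uri(account: str, issuer: str, secret: bytes) -> str:
    """Content encoded in the enrolment QR code (Key Uri format; values here are assumed)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


class TotpVerifier:
    """Server-side state for one enrolled user (hypothetical; not the orchestrator's code)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window       # +/- one step tolerates roughly 30 s of clock skew
        self.failures = 0
        self.locked_until = 0      # Unix time until which logins are refused
        self.last_counter = -1     # highest accepted step; blocks replay of a used code

    def verify(self, code: str, now: int) -> bool:
        if now < self.locked_until:
            return False           # still blocked; do not even evaluate the code
        counter = now // TIME_STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue           # this step was already consumed
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.failures = 0
                self.last_counter = candidate
                return True
        self.failures += 1
        if self.failures > MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
        return False
```

The secret used in the test below is the RFC 6238 reference secret, so the six-digit codes can be checked against the test vectors in the RFC (the last six digits of the eight-digit SHA1 values). Note that the lockout timer is driven by the server clock, not the authenticator's, so an NTP-synchronised orchestrator also keeps the block interval honest.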

Access permissions

If necessary, you can create access permissions that determine which sections, subsections, and actions are available to which users, and assign these access permissions when creating or editing a user or LDAP user group. For example, you can create an access permission that denies access to the Catalog section and prohibits creating network service templates. By default, LDAP users and groups have the Full Access permission, which grants full access to all functionality of the solution.

Confirmation requests

When creating a user, you must specify whether a confirmation request should be created automatically whenever this user performs an action. Confirmation requests can be confirmed, denied, or deleted. When a confirmation request is confirmed, the corresponding action is applied; denied confirmation requests remain saved in the orchestrator web interface.

User sessions

The following functions are used to manage user sessions:

  • Limiting the duration of user sessions. If a user remains idle for 3600 seconds (one hour) after logging in to the orchestrator web interface, the user session is automatically ended. You can manually specify the period of inactivity that triggers automatic logout.
  • Termination of user sessions. If multiple employees use the same user account credentials to log in to the orchestrator web interface, any of these employees can end the sessions of the others.
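The two session functions above, written out as an added Python example (not Kaspersky SD-WAN code): a session store that ends a session once the gap since its last activity exceeds the idle timeout, defaulting to the 3600 seconds the documentation cites, and that lets any session holder end the other sessions that were opened with the same account credentials. Session identifiers, the in-memory store and the method names are assumptions of the example; timestamps are passed in explicitly so the behaviour is deterministic.

```python
import secrets
from dataclasses import dataclass

DEFAULT_IDLE_TIMEOUT = 3600  # seconds of inactivity before automatic logout (one hour)


@dataclass
class Session:
    session_id: str
    username: str
    created_at: float
    last_activity: float


class SessionStore:
    """Hypothetical in-memory session registry keyed by an unguessable session id."""

    def __init__(self, idle_timeout: float = DEFAULT_IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout   # configurable, like the orchestrator's inactivity period
        self._sessions: dict[str, Session] = {}

    def login(self, username: str, now: float) -> str:
        # 256 bits from the OS CSPRNG; never derive a session id from the user name or time
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(sid, username, now, now)
        return sid

    def touch(self, sid: str, now: float):
        """Called on every authenticated request: refreshes the idle timer or ends the session."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now - session.last_activity > self.idle_timeout:
            del self._sessions[sid]            # idle too long: automatic logout
            return None
        session.last_activity = now
        return session

    def active_sessions(self, username: str, now: float) -> list:
        self._purge_idle(now)
        return [s for s in self._sessions.values() if s.username == username]

    def end_other_sessions(self, sid: str, now: float) -> int:
        """A logged-in user ends every other session opened with the same account; returns the count."""
        me = self.touch(sid, now)
        if me is None:
            return 0                           # caller's own session is gone; nothing to act on
        others = [s.session_id for s in self._sessions.values()
                  if s.username == me.username and s.session_id != sid]
        for other in others:
            del self._sessions[other]
        return len(others)

    def _purge_idle(self, now: float) -> None:
        expired = [sid for sid, s in self._sessions.items()
                   if now - s.last_activity > self.idle_timeout]
        for sid in expired:
            del self._sessions[sid]
```

The timeout is measured from the last request, not from login, which is what "idle" means in the text; an absolute session lifetime would be a separate control. Listing sessions per account is what lets a user see which other sessions share their credentials before ending them.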

In this Help section

Managing access permissions

Managing LDAP connections

Managing users

Managing LDAP user groups

Enabling or disabling two-factor authentication for all users

Managing confirmation requests

Limiting the duration of a user session

Viewing and ending active user sessions
