-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Trento user management include --------- Co-authored-by: Dmitri Popov <[email protected]>
- Loading branch information
Showing
2 changed files
with
182 additions
and
125 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,181 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <?xml-model href="file:/usr/share/xml/geekodoc/rng/geekodoc5-flat.rnc" | ||
| type="application/relax-ng-compact-syntax"?> | ||
| <!DOCTYPE article | ||
| [ | ||
| <!ENTITY % entities SYSTEM "generic-entities.ent"> | ||
| %entities; | ||
| ]> | ||
| <section xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xi="http://www.w3.org/2001/XInclude" xml:id="sec-trento-user-management"> | ||
| <title>User management</title> | ||
| <para> | ||
| &trento; provides a local permission-based user management feature with | ||
| optional multi-factor authentication. This feature enables segregation of | ||
| duties in the &trento; interface and ensures that only authorized users with | ||
| the right permissions can access it. | ||
| </para> | ||
| <para> | ||
| User management actions are performed in the <guimenu>Users</guimenu> view | ||
| in the left-hand side panel of the &t.web;. | ||
| </para> | ||
| <para> | ||
| By default, a newly created user is granted display access rights except for | ||
| the <guimenu>Users</guimenu> view. Where available, a user with default | ||
| access can configure filters and pagination settings matching their | ||
| preferences. | ||
| </para> | ||
| <para> | ||
| To perform protected actions, the user must have additional permissions added | ||
| to their user profile. Below is the list of currently available permissions: | ||
| </para> | ||
| <itemizedlist> | ||
| <listitem> | ||
| <para> | ||
| <constant>all:users</constant>: grants full access to user management actions under the | ||
| <guimenu>Users</guimenu> view | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| <constant>all:checks_selection</constant>: grants check selection | ||
| capabilities for any target in the registered environment for which | ||
| checks are available | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| <constant>all:checks_execution</constant>: grants check execution | ||
| capabilities for any target in the registered environment for which | ||
| checks are available and have been previously selected | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| <constant>all:tags</constant>: allows creation and deletion of the available tags | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| <constant>cleanup:all</constant>: allows triggering housekeeping actions | ||
| on hosts where agents heartbeat is lost and SAP or HANA instances that | ||
| are no longer found | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| <constant>all:settings</constant>: grants changing capabilities on any | ||
| system settings under the <guimenu>Settings</guimenu> view | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| <constant>all:all</constant>: grants all the permissions above | ||
| </para> | ||
| </listitem> | ||
| </itemizedlist> | ||
| <para> | ||
| Using the described permissions, it is possible to create the following types of users: | ||
| </para> | ||
| <itemizedlist> | ||
| <listitem> | ||
| <formalpara> | ||
| <title>User managers:</title> | ||
| <para> | ||
| users with <constant>all:users</constant> permissions | ||
| </para> | ||
| </formalpara> | ||
| </listitem> | ||
| <listitem> | ||
| <formalpara> | ||
| <title>SAP Basis administrator with &trento; display-only access:</title> | ||
| <para> | ||
| users with default permissions | ||
| </para> | ||
| </formalpara> | ||
| </listitem> | ||
| <listitem> | ||
| <formalpara> | ||
| <title>SAP Basis administrator with &trento; configuration access:</title> | ||
| <para> | ||
| users with <constant>all:checks_selection</constant>, <constant>all:tags</constant> and | ||
| <constant>all:settings</constant> permissions | ||
| </para> | ||
| </formalpara> | ||
| </listitem> | ||
| <listitem> | ||
| <formalpara> | ||
| <title>SAP Basis administrator with &trento; operation access:</title> | ||
| <para> | ||
| users with <constant>all:check_execution</constant> and <constant>cleanup:all</constant> permissions. | ||
| </para> | ||
| </formalpara> | ||
| </listitem> | ||
| </itemizedlist> | ||
| <para> | ||
| The default admin user created during the installation process is granted | ||
| <constant>all:all</constant> permissions and cannot be modified or deleted. | ||
| Use it only to create the first user manager (a user with | ||
| <constant>all:users</constant> permissions who creates all the other | ||
| required users). Once a user with <constant>all:users</constant> permissions | ||
| is created, the default admin user must be treated as a fallback user in | ||
| case all other access to the console is lost. If the password of the default | ||
| admin user is lost, it can be reset by updating the Helm chart or the web | ||
| component configuration, depending on which deployment method was used to | ||
| install &t.server;. | ||
| </para> | ||
| <para> | ||
| User passwords, including the default admin user password, must follow the rules below: | ||
| </para> | ||
| <itemizedlist> | ||
| <listitem> | ||
| <para> | ||
| Password must contain at least 8 characters | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| The same number or letter must not be repeated three or more times in a | ||
| row (for example: 111 or aaa) | ||
| </para> | ||
| </listitem> | ||
| <listitem> | ||
| <para> | ||
| Password must not contain four consecutive numbers or letters (for | ||
| example: 1234, abcd or ABCD) | ||
| </para> | ||
| </listitem> | ||
| </itemizedlist> | ||
| <para> | ||
| The <guimenu>Create User</guimenu> and <guimenu>Edit User</guimenu> views | ||
| provide a built-in password generation button that allows user | ||
| managers to easily generate secure and compliant passwords. The user manager | ||
| must provide the user with their password through an authorized secure | ||
| channel. | ||
| </para> | ||
| <para> | ||
| A user can reset their password in the <guimenu>Profile</guimenu> view. In | ||
| this view, they can also update their name and email address as well as | ||
| activate multi-factor authentication using an authenticator app. | ||
| Multi-factor authentication increases the security of a user account by | ||
| requesting a temporary second password or code when logging in the console. | ||
| User managers can disable multi-factor authentication for any given user | ||
| that has it enabled. However, user managers cannot enable multi-factor | ||
| authentication on their behalf. The default admin user cannot enable its own | ||
| multi-factor authentication. | ||
| </para> | ||
| <note> | ||
| <title>Security Tip for Multi-Factor Authentication</title> | ||
| <para> | ||
| Since multi-factor authentication cannot be enabled for the default admin | ||
| user, keeping its password safe is imperative. If the default admin user's | ||
| password is compromised, reset it immediately by updating the Helm chart | ||
| or the web component configuration, depending on which deployment method | ||
| was used to install &t.server;. | ||
| </para> | ||
| </note> | ||
| <para> | ||
| User managers can enable and disable users. When a user logged in the | ||
| console is disabled by a user admin, their session is terminated | ||
| immediately. | ||
| </para> | ||
| </section> |