Contents
- Managing users
- Creating an LDAP connection
- Editing an LDAP connection
- Changing the password of an LDAP connection
- Deleting an LDAP connection
- Creating access permissions
- Editing access permissions
- Cloning access permissions
- Removing an access permission
- Creating a user
- Editing a user
- Changing user password
- Activating or blocking a user
- Deleting a user
- Creating a user group
- Editing a user group
- Deleting a user group
Managing users
To manage Kaspersky SD-WAN, users must authenticate in the orchestrator web interface. You can create users whose credentials are stored in the local database of the solution or on a remote LDAP server. To use LDAP authentication, you must first configure the connection of the orchestrator to the LDAP server.
The solution supports importing user groups from external LDAP servers. To do so, you must create a user group corresponding to a group on the remote server; this lets users authenticate using the name of that group.
When creating individual users as well as groups, you can assign access permissions that determine which sections and/or subsections of the web interface they can use.
Creating an LDAP connection
To let your users authenticate in the orchestrator web interface using credentials stored on a remote LDAP server, you must create an LDAP connection. The following LDAP servers are supported:
- OpenLDAP with Simple authentication and Simple SSL authentication.
- Microsoft Active Directory with Kerberos authentication and Kerberos SSL authentication.
The orchestrator cannot make changes on a connected LDAP server.
To configure a connection between the orchestrator and a remote LDAP server:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the LDAP connection tab.
A table of LDAP connections is displayed.
- In the upper part of the page, click + LDAP.
- In the displayed settings area, in the Name field, enter the name of the LDAP connection.
- In the Domain field, enter the FQDN of the domain in which the LDAP server is located.
- In the Domain alias field, enter the domain alias (usually the NETBIOS name). The alias is used along with the FQDN of the domain when creating and authenticating users. For example, if the FQDN of the domain is 'example.com' and the alias is 'example', users can enter the following values when authenticating:
admin@example.com
admin@example
example.com\admin
example\admin
- In the LDAP host field, enter the host name of the LDAP server. The following host name formats are supported:
- ldap://<host name>:<port number> for a standard LDAP server. The default port is 389.
- ldaps://<host name>:<port number> for an LDAP server with SSL authentication. The default port is 636.
For example, if you enter ldap://example.com:100, the host name of the LDAP server is 'example.com' and the port number is 100.
- In the Base DN field, enter the base distinguished name to be used by the orchestrator as the starting point for searching user accounts in the LDAP server directory. The following base distinguished name formats are supported:
- OU=<value>,OU=<value> for authentication in OpenLDAP. A base distinguished name consists of one or more OU attributes that represent the structure of organizational units in the directory of the LDAP server. For example, if you enter OU=OU_example1,OU=OU_example2, the starting point for searching user accounts is organizational unit OU_example2, which is nested in OU_example1.
- DC=<value>,DC=<value> for authentication in Microsoft Active Directory. The base distinguished name consists of two DC attributes that represent the domain components of the LDAP server. For example, if you enter DC=example,DC=com, the starting point for searching user accounts is the 'example.com' domain.
- In the Search attribute drop-down list, select the attribute that the orchestrator must use to search for user accounts in the LDAP server directory:
- uid (OpenLDAP) – the uid (user ID) for searching in OpenLDAP. This is the default setting.
- sAMAccountName (Active Directory) – pre-Windows 2000 logon name for searching in Microsoft Active Directory.
- In the Bind DN field, enter the distinguished name for authenticating the orchestrator on the LDAP server. The following distinguished name formats are supported:
- UID=<value>,OU=<value> for authentication in OpenLDAP. A distinguished name consists of one UID attribute and one or more OU attributes. The UID attribute stands for the user ID, while the OU attributes represent the structure of organizational units in the LDAP server directory that contains the user. For example, if you enter UID=user_example,OU=OU_example, user user_example from organizational unit OU_example is used for authenticating the orchestrator on the LDAP server.
- CN=<value>,OU=<value>,DC=<value>,DC=<value> for authentication in Microsoft Active Directory. A distinguished name consists of one CN attribute, one or more OU attributes, and two DC attributes. The CN attribute stands for the common name of the user, while the OU attributes represent the structure of organizational units in the LDAP server directory that contains the user. The final two DC attributes represent the components of the domain in which the user is located. For example, if you enter CN=user_example,OU=OU_example,DC=example,DC=com, user user_example in organizational unit OU_example in the example.com domain is used for authenticating the orchestrator on the LDAP server.
- In the Bind password field, enter the password for authenticating the orchestrator on the LDAP server.
- To check if the LDAP server is available, click Test authentication.
- Click Create.
The LDAP connection is created and displayed in the table. The LDAP server can now be used when creating users or user groups.
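The following is an added example, not part of the Kaspersky SD-WAN documentation or product: a small set of validators for the values entered in the LDAP connection settings above. It mirrors only the formats this page documents (ldap:// with default port 389 and ldaps:// with default port 636, OU-only or DC,DC base DNs, UID/OU or CN/OU/DC,DC bind DNs, and the four user@domain / domain\user login forms built from the domain FQDN and its alias) and goes one step further by building the escaped lookup filter a client issues for the selected search attribute. The function names, the 'openldap' / 'ad' labels and the simplified DN parsing (no RFC 4514 escape handling) are this example's own assumptions.

```python
"""Added example, not part of the Kaspersky SD-WAN documentation or product:
small validators for the values entered in the LDAP connection settings.
Everything here mirrors only the formats the page documents: ldap:// (default
port 389) and ldaps:// (default port 636) host names, OU-only or DC,DC base
DNs, UID/OU or CN/OU/DC,DC bind DNs, and the user@domain or domain\\user login
forms built from the domain FQDN and its alias. DN parsing is deliberately
simple (no RFC 4514 escape handling), and the 'openldap' / 'ad' labels are
this example's own."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_host(value):
    """Return (scheme, host, port) for an LDAP host field value."""
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("expected ldap:// or ldaps://, got %r" % value)
    if not parts.hostname:
        raise ValueError("host name missing in %r" % value)
    # parts.port raises ValueError itself for a non-numeric or out-of-range port
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def parse_dn(dn):
    """Split 'ATTR=value,ATTR=value' into [(ATTR, value), ...]."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if not sep or not attr or not value:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((attr, value))
    return rdns


def check_base_dn(dn, server):
    """True when the Base DN has the documented shape for the server type:
    one or more OU attributes for 'openldap', exactly DC,DC for 'ad'."""
    attrs = [a for a, _ in parse_dn(dn)]
    if server == "openldap":
        return len(attrs) >= 1 and all(a == "OU" for a in attrs)
    if server == "ad":
        return attrs == ["DC", "DC"]
    raise ValueError("unknown server type %r" % server)


def check_bind_dn(dn, server):
    """True when the Bind DN is UID,OU[,OU...] ('openldap') or
    CN,OU[,OU...],DC,DC ('ad')."""
    attrs = [a for a, _ in parse_dn(dn)]
    if server == "openldap":
        return len(attrs) >= 2 and attrs[0] == "UID" and all(a == "OU" for a in attrs[1:])
    if server == "ad":
        return (len(attrs) >= 4 and attrs[0] == "CN"
                and all(a == "OU" for a in attrs[1:-2]) and attrs[-2:] == ["DC", "DC"])
    raise ValueError("unknown server type %r" % server)


def split_login(login):
    """Return (user, domain) from 'user@domain' or 'domain\\user'."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.rpartition("@")
    else:
        raise ValueError("login %r is neither user@domain nor domain\\user" % login)
    if not user or not domain:
        raise ValueError("empty user or domain in %r" % login)
    return user, domain


def canonical_login(login, fqdn, alias):
    """Map any of the four accepted forms (FQDN or alias, either separator)
    to 'user@<fqdn>'; logins naming any other domain are rejected."""
    user, domain = split_login(login)
    if domain.lower() not in (fqdn.lower(), alias.lower()):
        raise ValueError("domain %r is neither %r nor its alias %r" % (domain, fqdn, alias))
    return "%s@%s" % (user, fqdn.lower())


# RFC 4515 escapes for the characters that would otherwise change a filter's meaning
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def search_filter(search_attribute, user):
    """Build the '(attr=user)' lookup filter a client issues for the selected
    Search attribute (uid or sAMAccountName), with the user value escaped."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in user)
    return "(%s=%s)" % (search_attribute, escaped)
```

A provisioning script can run these checks on the Name, LDAP host, Base DN and Bind DN values before they are entered, so that a typo in the scheme or a DN in the wrong shape for the chosen server type is caught early; the escaped search filter shows why the user part of a login should never be concatenated into a filter unescaped.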
Editing an LDAP connection
To edit an LDAP connection:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the LDAP connection tab.
A table of LDAP connections is displayed.
- Click the LDAP connection.
- In the displayed settings area, edit the settings that you want to change. For a description of the settings, see the instructions for creating an LDAP connection.
- Click Save.
Changing the password of an LDAP connection
To change the password of an LDAP connection:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the LDAP connection tab.
A table of LDAP connections is displayed.
- Click the LDAP connection.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Change password.
- This opens a window; type the new password in the New password text box. The password must contain at least one uppercase A–Z character, lowercase characters, numerals, and special characters. Password length: 8 to 50 characters.
- In the Password confirmation field, enter the new password again.
- Click Save.
The LDAP connection password is changed.
Deleting an LDAP connection
Deleted LDAP connections cannot be restored.
To delete an LDAP connection:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the LDAP connection tab.
A table of LDAP connections is displayed.
- Click the LDAP connection.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The LDAP connection is deleted and is no longer displayed in the table.
Creating access permissions
Access permissions determine which sections and subsections of the orchestrator web interface a user can view and/or edit. By default, the Full access permission is created in the solution, which grants users full access to managing the solution.
To create an access permission:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Permissions tab.
A table of access permissions is displayed.
- In the upper part of the page, click + Permission.
- In the displayed settings area, in the Name field, enter the name of the access permission. Maximum length: 250 characters.
- Under Access rights, specify the level of user access to sections and subsections of the orchestrator web interface:
- Editing lets users view the section/subsection and edit its settings.
- Viewing only lets users view the section/subsection.
- No access does not let users view the section/subsection.
You can grant the selected level of access to all subsections within a section by selecting the Apply to subsections check box next to that section. This check box is cleared by default.
- Click Create.
The access permission is created and displayed in the table. It can now be used when creating users or user groups.
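The following is an added example, not Kaspersky's code, that models how an access permission defined as above resolves to an effective level for a section or subsection of the web interface. Only the three levels (Editing, Viewing only, No access), the built-in Full access permission and the Apply to subsections rule come from this page; the class and function names, the section layout, the sample permission and the assumption that a path with no entry means No access are constructed for illustration.

```python
"""Added example (not Kaspersky's code): resolving the effective access level an
access permission grants to a section or subsection of the web interface. The
three levels, the built-in 'Full access' permission and the 'Apply to
subsections' rule come from the page; the section names, the dict layout and
the assumption that an unlisted path means No access are this example's."""

EDITING, VIEWING_ONLY, NO_ACCESS = "Editing", "Viewing only", "No access"


class AccessPermission:
    def __init__(self, name, rights=None, apply_to_subsections=()):
        self.name = name
        # rights maps "Section" or "Section/Subsection" to one of the three levels
        self.rights = dict(rights or {})
        # sections whose 'Apply to subsections' check box is selected
        self.apply_to_subsections = set(apply_to_subsections)

    def level(self, path):
        """Effective level for 'Section' or 'Section/Subsection'."""
        section, _, subsection = path.partition("/")
        if subsection and section in self.apply_to_subsections:
            # the check box pushes the section's own level to every subsection
            return self.rights.get(section, NO_ACCESS)
        return self.rights.get(path, NO_ACCESS)  # assumption: unlisted = No access

    def can_view(self, path):
        return self.level(path) in (VIEWING_ONLY, EDITING)

    def can_edit(self, path):
        return self.level(path) == EDITING

    def editable_paths(self, paths):
        """Least-privilege audit helper: which of the given paths this permission can edit."""
        return [p for p in paths if self.can_edit(p)]


def full_access(sections):
    """The built-in 'Full access' permission: Editing on every section and subsection."""
    return AccessPermission("Full access", {s: EDITING for s in sections},
                            apply_to_subsections=sections)


# constructed sample layout and a read-mostly permission for illustration
SAMPLE_PATHS = ["Users", "Users/Permissions", "Users/Groups",
                "Monitoring", "Monitoring/Alerts"]

READ_MOSTLY = AccessPermission(
    "Read mostly",
    rights={"Users": VIEWING_ONLY, "Users/Permissions": EDITING,
            "Monitoring": EDITING},
    apply_to_subsections=["Monitoring"],   # check box selected for Monitoring only
)
```

The editable_paths helper is the check worth running when a new permission is created or cloned: it lists exactly which parts of the interface the permission lets a user change, which is easier to review than the per-section check boxes.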
Editing access permissions
To edit an access permission:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Permissions tab.
A table of access permissions is displayed.
- Click the access permission.
- In the displayed settings area, edit the settings that you want to change. For a description of the settings, see the instructions for creating an access permission.
- Click Save.
Cloning access permissions
To clone an access permission:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Permissions tab.
A table of access permissions is displayed.
- Click the access permission.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Clone.
- This opens a window; in that window, enter the name of the new access permission.
- Click Clone.
A copy of the access permission with the new name is added to the table.
Removing an access permission
Deleted access permissions cannot be restored.
To remove an access permission:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Permissions tab.
A table of access permissions is displayed.
- Click the access permission.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The access permission is deleted and is no longer displayed in the table.
Creating a user
You can create users to let them authenticate in the orchestrator web interface and manage the solution. To create a user that authenticates through a remote LDAP server, you must create an LDAP connection before following these instructions.
To create a user:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- In the upper part of the page, click + User.
- In the displayed settings area, in the Source drop-down list, select the user authentication type:
- Local to authenticate the user using credentials stored locally in the Kaspersky SD-WAN database. This is the default setting.
- LDAP to authenticate the user using credentials stored on a remote LDAP server.
- In the Username field, enter the local user name or the user name on the LDAP server. The LDAP server user name is specified in the user@domain or domain\user format.
- If necessary, enter the local user password in the Password and Password confirmation fields. The password must contain at least one uppercase A–Z character, lowercase characters, numerals, and special characters. Password length: 8 to 50 characters. To see the entered password, you can click the show button.
- In the Role drop-down list, select the role of the user:
- The Administrator role grants the user access to the entire solution.
- The Tenant role grants the user access only to the tenant that is assigned to the user.
- If necessary, select an access permission for the user in the Permissions drop-down list.
- If you need to create a confirmation request for every action that the user undertakes, select the Request confirmation is required check box. By default, this check box is cleared, and the user can freely edit the settings of the solution components.
- In the First name field, enter the first name of the user.
- In the Last name field, enter the last name of the user.
- If necessary, enter the user's email address in the Email field.
- If necessary, enter a brief description of the user in the Description field.
- Click Create.
The user is created and displayed in the table.
Editing a user
To edit a user:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Click the user.
- In the displayed settings area, edit the settings that you want to change. For a description of the settings, see the instructions for creating a user.
- Click Save.
Changing user password
To change the password of a user:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Click the user.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Change password.
- This opens a window; type the new password in the New password text box. The password must contain at least one uppercase A–Z character, lowercase characters, numerals, and special characters. Password length: 8 to 50 characters. To see the entered password, you can click the show button.
- In the Password confirmation field, enter the new password again.
- Click Save.
The password of the user is changed.
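The following is an added example, not Kaspersky's code, for the password rule stated in the LDAP connection, user creation and password change procedures above: a checker that reports which of the documented rules a candidate password violates, and a generator that produces passwords meeting the rule for scripted user creation. Reading 'special character' as ASCII punctuation and 'numeral' as 0–9 is this example's assumption; the page does not define those sets.

```python
"""Added example (not Kaspersky's code): a checker for the password rule stated
on the page (8 to 50 characters, at least one uppercase A-Z character, a
lowercase character, a numeral and a special character) and a generator that
produces passwords satisfying it. Treating 'special character' as ASCII
punctuation and 'numeral' as 0-9 is this example's assumption."""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 50

# (label, character class) pairs; one member of each class is required
REQUIRED_CLASSES = (
    ("uppercase A-Z character", string.ascii_uppercase),
    ("lowercase character", string.ascii_lowercase),
    ("numeral", string.digits),
    ("special character", string.punctuation),  # assumption, see above
)


def password_problems(password):
    """Return the rules the password violates; an empty list means it is acceptable."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be %d to %d characters" % (MIN_LEN, MAX_LEN))
    for label, chars in REQUIRED_CLASSES:
        if not any(c in chars for c in password):
            problems.append("missing %s" % label)
    return problems


def generate_password(length=16):
    """Build a random password that passes password_problems, using the OS CSPRNG."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be %d to %d" % (MIN_LEN, MAX_LEN))
    # start with one character from every required class, then fill up
    chars = [secrets.choice(cls) for _, cls in REQUIRED_CLASSES]
    alphabet = "".join(cls for _, cls in REQUIRED_CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the required characters are not always first
    return "".join(chars)
```

Because users are created in the blocked state by default, a provisioning script can generate an initial password this way, create the user, and hand the password over through a separate channel before unblocking the account.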
Activating or blocking a user
By default, users are created in the blocked state. You must unblock a user to let that user authenticate in the orchestrator web interface.
To block or unblock a user:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Click the user.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Unblock or Block.
The user is unblocked or blocked.
Deleting a user
Deleted users cannot be restored.
To delete a user:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Click the user.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The user is deleted and is no longer displayed in the table.
Creating a user group
You can create a user group corresponding to a group on the LDAP server. Users in this group can authenticate in the orchestrator web interface. Note that users are added to the group on the LDAP server and the orchestrator plays no part in this process.
Before creating a user group, you must do the following:
- Create a user group on the LDAP server.
- Configure a connection between the orchestrator and the LDAP server.
To create a user group:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Groups tab.
A table of user groups is displayed.
- In the upper part of the page, click + User group.
- In the displayed settings area, in the Name field, enter the name of the user group on the LDAP server in the user@domain or domain\user format.
- In the Role drop-down list, select the role of users in the group:
- The Administrator role grants users in the group access to the entire solution.
- The Tenant role grants users in the group access only to the tenant to which the group is assigned.
- If necessary, select an access permission for the user group in the Permissions drop-down list.
- Click Create.
The user group is created and displayed in the table.
Editing a user group
To edit a user group:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Groups tab.
A table of user groups is displayed.
- Click the user group.
- In the displayed settings area, edit the settings that you want to change. For a description of the settings, see the instructions for creating a user group.
- Click Save.
Deleting a user group
Deleted user groups cannot be restored.
To delete a user group:
- In the menu, go to the Users section.
The user management page is displayed. The Users tab, which is selected by default, displays the table of users.
- Select the Groups tab.
A table of user groups is displayed.
- Click the user group.
- In the upper part of the displayed settings area, click Management and in the drop-down list, select Delete.
- In the confirmation window, click Delete.
The user group is deleted and is no longer displayed in the table.