Managing Users

The user management system in RealOpInsight Ultimate is designed to help administrators and operations managers meeting delegating management requirements.

About Users and Roles

A user is defined by a user name and a password. Each user has a role that determines the functionalities he may access within the system. In complement to user roles, RealOpInsight enables a flexible permission system that allows to control the access to any monitoring data in accordance with delegating management.

  • Administrator users have full privileges in managing settings, users and views. When signed in as a user having administration privileges, you have access to all resources and operations, including, settings, users, views, assignment and revocation of view access permissions, etc.
  • Operator users or regular users have limited privileges. When logged in as a regular user, you have have a limited view according to the views assigned to users. Regular users don’t have any privilege regarding neither settings, users nor views.

Add User

RealOpInsight Ultimate comes with an initial admin user, but you can add other users in the system as follows:

  • Select the menu Add user from the User Management menu section.
  • Fill in the user form with the corresponding data (login/username, initial password, first name, last name, email, user type).
  • Verify the entries and click on Submit to validate the creation. Input fields require validation, so you may be invited to fix invalid input.
  • A confirmation message will inform you about the completion status after successful submission.
  • Display the user list to verify the creation (menu All Users).
../_images/realopinsight-ultimate-add-user.png

Update User

As administrator user, you can update user information and even reset his password. Here are steps to do that:

  • List all users via the menu All Users.
  • By default each user is listed in a collapsed panel, so find the considered user panel and expand it.
  • User information are readonly by default, you can enable update by clicking on Update. If you’d rather want to reset the user password, click on the button Change password.
  • Make the changes and click again on Update to apply them, a confirmation message will inform you about the completion status.
../_images/realopinsight-ultimate-user-management.png

Delete User

Here are steps to delete a user:

  • List all users via the menu All Users.
  • Find the related user panel and expand it.
  • Click on Delete to request the deletion.
  • Confirm the deletion if requested, a confirmation message will inform you about the completion status.
  • Check the user list to verify the deletion.

Authentication Against LDAP Directory

As of version 2014b3, RealOpInsight Ultimate can authenticate users against an LDAP directory.

Designed in the same spirit as the overall RealOpInsight system, the support to LDAP has been designed to be flexible to make its use as straightforward as possible. The only important think to consider is that the LDAP support is mutually exclusive with the default built-in authentication system. Hence the both authentication systems can not be used in conjunction. However, when using LDAP, the built-in admin account (see default credentials) is still active and works as unique administrator account for the overall system. All LDAP-based users are therefore considered as operators.

Warning

When LDAP authentication is enabled, users created via the built-in system are always available in RealOpInsight but cannot authenticate successfully. You can still get access and modify their user information via the menu All users, which also lists LDAP-based users. Conversely, LDAP user information cannot be updated or deleted via RealOpInsight. Further, when LDAP authentication is disabled, all related users are removed from the RealOpInsight authentication system.

Integration With LDAP Directory

LDAP integration assumes that you already have a working LDAP-compatible directory within your organization. The functionality has been tested with versions 2 and 3 of the protocol.

Additionally, you need to enable read access to the user base of your directory to RealOpInsight Authentication System. To ease this integration, the Authentication Manager provides a setting form for this purpose (see screenshot).

../_images/realopinsight-ultimate-auth-settings.png

Setting up the LDAP integration involves the following steps:

  • Sign in to RealOpInsight as admin user.

  • Select the menu Auth Settings to display the LDAP settings form.

  • In the setting form, select LDAP as authentication mode.

  • Set the URI to the LDAP server. This must be in the form of ldap://server:port or ldaps://server:port (LDAP over SSL), the latter be preferred for security reasons.

  • Set the LDAP Search Base to where LDAP users will be found from the LDAP directory tree. E.g. ou=devops,dc=company,dc=com.

  • Set the Distinguish Name (dn) and the password of the LDAP bind user, i.e. the account that should be used to authenticate against the LDAP server to retrieve user information. Those parameters are notably required for LDAP servers that do not accept anonymous access.

  • Set the LDAP attribute to use as identifier for users. If empty, the attribute uid will be considered. You may use mail for email-based authentication.

    CAUTION: If you set an attribute that does not identify uniquely users, RealOpInsight will deny the access if there are two or more users having a same value for that attribute.

Enable LDAP users

Once the access to your directory user search is enabled for RealOpInsight Authentication System, you finally need to enable users that authenticate against RealOpInsight. The RealOpInsight User Management System provides a checkbox-based selection list (see the screenshot below) to deal with that. You can enable and disable an LDAP user on-the-fly. allow you to enable and disable users in one click.

../_images/realopinsight-ultimate-enable-ldap-users.png

Below are steps to deal with that:

  • Sign into RealOpInsight Ultimate as admin.
  • Select the menu LDAP users to display the LDAP user handling form.
  • This should display the list of all users (entries belonging to the person class in the directory) from the directory search base set previously.
  • The last column of each entry of the list is a check field that tells if the user is enabled to authenticate into RealOpInsight or not. When checked, the related user is enabled to authenticate and, reciprocally, unchecked user can not authenticate.