4.1. User Management

FlowTraq provides a powerful ability to create and manage users and their access to flow data. Individual users can be minutely restricted in their access to flow data, enabling FlowTraq to be used in multi tenant systems where more than one organization uses the same backend FlowTraq deployment. Flow data will be neatly separated based on boundaries that you configure.

Each user has access to their own customizable dashboard, and settings are aplied on a per-user basis. FlowTraq separates user accounts into two distinct groups:

Administrators

Aministrative users can create and detele user accounts, manage traffic groups, modify the configuration of the FlowTraq server, and limit which traffic each regular user has access to.

Users

Regular users can analyze traffic, create NBI behaviora threat detectors, and customize their dashboard.

In addition to local user management, FlowTraq can also authenticate users through one or more LDAP servers. FlowTraq always attempts to authenticate users in the local user database first, before attempting authentication with an external LDAP server. You may map LDAP user groups to both the regular FlowTraq users group, and the FlowTraq administrative account group.

This section describes the different kinds of FlowTraq user accounts, and includes information on how to change user passwords, add and remove users, and grant and revoke privileges.

FlowTraq has two kinds of user accounts: Administrative Users or "Administrators" and Unprivileged Users .

Administrators (such as the default admin account) have access to the Administration/User page:

Figure 4.1. User Settings Control Panel

User Settings Control Panel

  • A checkmark in the Active column indicates if a user is currently logged in. It is not possible to delete users that are currently logged in.

  • The Role column indicates if a user is an administrator or a regular user.

  • The User Filter column indicates if a flow record access control filter is active.

  • A password reset link is provided in the Password colum. It is not possible to change the password for externally authenticated users (LDAP) through FlowTraq.

From this page, an Administrator may add and remove user accounts, make other users into Administrative Users (or remove that status), and change user passwords.

Administrators can also set up access controls for each unprivileged user to restrict what sessions they can see when doing analytics. For more information on how to set up user access control, please see Section 4.1.1.3, “User Filter Control”.

[Important]Important

Upon first login, you should immediately change the password for admin and create a new user for day-to-day use.

You can grant and revoke administrative privileges by taking the following steps:

  1. Log in as an Administrator.

  2. Open the Administration/User page.

  3. Select the user whose privileges you wish to change by clicking the checkbox left of the username.

    • Select Change role to Administrator from the top dropdown menu to grant administrative privileges.

    • Select Change role to User from the top dropdown menu to revoke administrative privileges.

Figure 4.2. Changing user privileges

Changing user privileges

[Important]Important

You cannot revoke your own administrative privileges. (This is to prevent the system from getting into a state where there are no administrators.)

[Important]Important

You cannot grant or revoke administrative privileges of users that are externally authenticated (LDAP). You must change their group membership on your LDAP server instead.

You can add and remove users by taking the following steps:

  1. Log in as an Administrator.

  2. Open the Administration/User page.

To remove a user:

[Important]Important

You may not delete a user that is currently logged in.

[Important]Important

Deleting an externally authenticated user will only delete their settings. To prevent an LDAP authenticated user from accessing FlowTraq you must disable their access on your LDAP server.

To add a user:

You will be asked to enter your administrative password, and a username and password for the new user. Select Create User to create the new FlowTraq user account.

Figure 4.3. Changing user privileges

Changing user privileges

[Important]User Name Rules

User names must conform to the following rules:

  • Usernames must be between 3 and 32 characters.

  • Usernames may contain spaces (but leading and trailing spaces are not counted).

  • Usernames must NOT contain non UTF-8 characters.

  • Usernames must NOT contain '@' or '|'.

  • Usernames must NOT start with an underscore.

FlowTraq provides a fine-grained user access control mechanism which permits an administrator to decide which flows an unprivileged user may see. This is accomplished by setting a User Filter for each unprivileged user. When the unprivileged user logs in, he will only see sessions which match the User Filter. This is especially useful in multi-tenant/managed-services environments.

To set a user's User Filter, take the following steps:

  1. Log in as an Administrator.

  2. Open the Administration/User page.

  3. Click the link in the User Filter column for the appropriate user. (Note that setting a User Filter on an Administrator is not permitted.)

  4. The User Filter Control dialog appears when you click the filter line. In the Filter Control dialog you can create a session filter in the same way it is used in FlowTraq workspaces.

    Figure 4.4. User Filter Control

    User Filter Control

  5. Set the user's filter and click "Save".

For more information on how to configure filters, please see Section 3.1.1.1, “Filtering”.

To manage users, use the ftum command. Administrative credentials are required to create, or modify user accounts.

You must specify a FlowTraq Server to connect to and supply login details.

In addition to the connection and login parameters, ftum accepts the following parameters:

Table 4.1. User Management Parameters

ParameterDescription
-chpw USERNAME PASSWORD Change password for user USERNAME to PASSWORD . You must log in as USERNAME to perform this action for yourself, or as an adminstrator to perform this action for an arbitrary user.
-addu USERNAME PASSWORD Add a new user, USERNAME , with initial password PASSWORD . You must log in as an adminstrator to perform this action.
-delu USERNAME Delete user USERNAME . You must log in as an adminstrator to perform this action. It is not possible to remove a user that is currently logged in.
-admin USERNAME Grant administrative privileges to user USERNAME . You must log in as an adminstrator to perform this action.
-noadmin Revoke administrative privileges from user USERNAME . You must log in as an adminstrator to perform this action.
-ulist Print the list of users. You must log in as an adminstrator to perform this action.
-getpref USERNAME KEY Request a user-specific parameter KEY for user USERNAME.
-setpref USERNAME KEY Set a user-specific parameter KEY for user USERNAME. Some parameters cannot be set by the user themselves, such as userfilter which controls what traffic a regular user may analyze. Other parameters, such as colorscheme can be modified by the user themselves.

For example, to add a new user (with the -addu option) and set the initial password (with the -chpw option), take the following steps:

FlowTraq supports external user authentication through the Lightweight Directory Access Protocol. This means that you can quickly grant user or administrative access to your FlowTraq server or cluster by mapping LDAP groups to FlowTraq roles. When users attempt to authenticate with a FlowTraq server, their credentials are first checked against the local FlowTraq user account database. If authentication fails, up to 4 LDAP servers can be queried to authenticate the user.

Using LDAP for authentication allows for a convenient way to manage access for many users at the same time from directory servers such as Active Directory. FlowTraq will treat these user accounts as external, although some local controls may still be applied. User settings such as dashboard layout and colorscheme will be stored on the FlowTraq server. It is also possible to apply user access controls to regular users, see Section 4.1.1.3, “User Filter Control”.

[Important]Important Limitations of LDAP users

Externally authenticating users comes with a couple of important limitations:

  • FlowTraq has no control over account creation, and deletion. Deleting an externally authenticated account only deletes the users preferences.

  • Passwords are managed by the LDAP server, FlowTraq cannot reset them.

  • Group membership is managed by the LDAP server, administrative privileges must be granted or revoked by the LDAP server.

  • Not all usernames on an LDAP server are valid in FlowTraq.

An LDAP server is configured in the flowtraq.conf FlowTraq server daemon configuration file. After adding or removing a configuration, the FlowTraq daemon process must be sent a HUP signal to trigger a reconfiguration. Below is an example of an LDAP configuration:

You may configure up to four LDAP server blocks srv0, srv1, srv2, and srv3, which will be searched in numerical order.

server

The IP address or hostname of the LDAP server that FlowTraq should connect to.

port

The TCP port of the LDAP service (389).

binddn

The distinguished name of the LDAP account that is used to browse the directory service. This account must have sufficient priviliges to query the LDAP server for users and groups. It is used to validate that users are valid members of the directory, and belong to groups that are mapped to FlowTraq users or administrators.

binddnpass

The password for the LDAP account that is used to browse the directory service.

userbaseobject

This is the base object that holds all the relevant user accounts in the directory. This object is searched for the credentials provided by the users to FlowTraq when they log in. Usually: OU=Users,DC=FlowTraq,DC=com, or simply DC=FlowTraq,DC=com.

useraccountattrib

The attribute of user objects that users will use to identify themselves to FlowTraq. You may pick any attribute that identifies a user in your directory. This is usually sAMAccountName.

usernameattrib

This is the attribute of user objects that FlowTraq will search for and use to offer the credentials to the LDAP server for authentication. This is usually an attribute that uniquely identifies the user in the domain. A good value is distinguishedName.

groupuserattrib

This is the attribute of user objects that is used in to identify membership in groups on your directory server. Often the distinguishedName of the user is used to identify them as members of a specific group.

groupbaseobject

This is the base object that holds all the relevant group accounts in the directory. This object is searched for the groups provided by the user and admin mappings given by the admin and users parameters, to establish if the user who is attempting to login is a member of an appropriate LDAP group. Usually: OU=Groups,DC=FlowTraq,DC=com, or simply DC=FlowTraq,DC=com.

groupmemberattrib

This is the attribute of group objects that is used to list all the groups member users. Usually: member.

groupnameattrib

This is the attribute of group objects that is used to identify them in the admin and users mappings. Usually: cn.

admin

List all the LDAP groups that should have administrative access to the FlowTraq daemon. You may list up to 8 groups.

users

List all the LDAP groups that should have regular user access to the FlowTraq daemon. You may list up to 8 groups.

[Important]Important

Note that it is possible to configure the same LDAP server multiple times, but with a different group mapping in each configuration.

Prev Up 
 Home