Manage users and roles in AFA

Relevant for: AFA Administrators

This topic describes how to manage AFA users and roles in the AFA Administration area.

Note: If you have an authentication server or SSO configured, user credentials must be managed on your external server. If your user roles are assigned based on LDAP group membership, roles must be managed on the LDAP server. In these cases, any changes made directly in AFA are overwritten the next time the user logs in. For more details, see Configure user authentication.

Tip: AFA users and roles provide the basis for authentication across both AFA and FireFlow. If you are an AFA administrator, but not a FireFlow administrator, you can also access FireFlow role and user management via the AFA Administration area. For more details, see Manage FireFlow users and roles.

Add or edit users

This procedure describes how to add and edit users in ASMS.

Tip: Alternately, manage users via an authentication server or SSO, or import users via a CSV file. For details, see Configure user authentication or Import users via CSV.

Do the following:

  1. Click your username at the top-right to access the AFA Administration area.

  2. Click the USERS/ROLES tab to display the user and role tables.

  3. To add a new user, click the New button below the user table. To edit an existing user, click the edit button at the right side of the row you want to edit.

    In the user form that appears, select and enter values as needed:

  4. Click OK to save your changes.

Default landing pages per role

ASMS is configured with specific landing pages per user or role. Change this default to display a different page as needed.

  • Landing pages configured for specific users override any configuration for a user's role.

  • Users with multiple roles, with different landing pages for each role, will see the landing page with the highest priority.

    Landing pages are prioritized for FireFlow first, and then AFA.

If no landing page is defined for the user, or any of the user's roles, landing pages are defined as follows:

Permissions                      Landing page
Administrators                   AlgoSec Firewall Analyzer
AFA Users                        First FireFlow, if licensed and activated, and then AFA.
Requestors (unprivileged users)  AlgoSec Firewall Analyzer

Unlock locked local accounts

This procedure describes how to manually unlock a local account.

Repeated attempts (by default, 10 attempts) to log into a local account with an incorrect password lock the account. The user can log in again after a login delay (by default, 5 minutes), or the admin can unlock the account manually.

Tip: You can configure the account lockout policy. For more details, see Configure the Account Lockout policy (for local users).

Note: If a user is logged in when a lock is applied to the account, the user can continue working. If the user needs to log in again, the account may be locked.

Do the following:

  1. Log in with an admin role.

  2. Under the Administration menu, select the USERS/ROLES tab.

  3. Click the Edit button of the locked account.

  4. Click the Unlock user button.

    Note: If the admin user is locked out, log in to your ASMS machine via the CLI with the username root. From the algosec_conf menu, select option 9 (Reset AFA admin password).

    This resets the password and unlocks the admin user.

Add and edit user roles

This procedure describes how to add and edit user roles.

Tip: If you have an LDAP server configured, associate AFA user roles with specific LDAP user groups to have each user in the group automatically inherit the AFA role.

Do the following:

  1. Click your username at the top-right to access the AFA Administration area.

  2. Click the USERS/ROLES tab to display the user and role tables.

  3. To add a new role, click the New button under the role table. To edit an existing role, click the edit button in the row for the role you want to edit.

    In the role form that appears, select and enter values as needed:

  4. Click OK to save your changes.

Delete AFA users or roles

This procedure describes how to delete users from the local AFA database, or delete user roles.

Tip: Alternately, manage users via an authentication server or SSO. For details, see Configure user authentication.

Do the following:

  1. Click your username at the top-right to access the AFA Administration area.

  2. Click the USERS/ROLES tab to display the user and role tables.

  3. Select the check box next to the user or role you want to delete, and click Delete.
  4. In the confirmation message that appears, click OK.

The selected user or role is deleted from AFA.

Username requirements

ASMS usernames can contain any alpha-numeric character and the following special characters:

  • @ (at symbol)
  • _ (underscore)
  • . (period)
  • - (hyphen)
  • / (forward-slashes)

Use the following regular expression to confirm that your usernames meet ASMS requirements:

Value                                   Regular Expression
Username or username with LDAP domain   ^[a-zA-Z0-9@_.\-\/]*$

(The hyphen is escaped inside the character class so that it is matched literally; an unescaped hyphen between two characters would be read as a range and the hyphen itself would not be accepted.)

Note: For local users, the system does not distinguish between matching usernames spelled with different cases (for example User_A and user_a).

Password requirements

This section describes the different password requirements based on the method used to log in.

General password requirements (for LDAP, Radius, SSO)

ASMS passwords can contain any alpha-numeric character or any special character, except for back-ticks (`).

Tip: You can use the following regular expression to confirm that your passwords meet ASMS requirements:

Value      Regular Expression
Password   ^[a-zA-Z0-9\x20-\x5F\x7B-\x7E]*$

Strong password requirements (for local users)

Local user password policy is configurable and has the following default requirements:

  • Must be at least 8 characters long

  • Must contain at least 1 uppercase letter (A-Z)

  • Must contain at least 1 lowercase letter (a-z)

  • Must contain at least 1 number (0-9)

  • Must contain at least 1 special character

    ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

  • Password cannot be the same as the username

  • Password cannot match any of the 3 most recently used passwords

Note: To customize the local user password policy, see Configure the Password policy (for local users).

Configure the Password policy (for local users)

This procedure describes how to modify the password policy parameters for local users.

Do the following:

  1. In the CLI navigate to /home/afa/.fa/keycloak_config.

  2. Edit password_policy.json and customize the parameter values as required.

    For example:

    {
     "hashIterations": 27500,
     "minimumPassLength": 8,
     "minimumDigitChars": 1,
     "minimumUppercaseChars": 1,
     "minimumLowercaseChars": 1,
     "minimumSpecialChars": 1,
     "passwordExpiryDays": 365,
     "passwordNotUsername": true,
     "notRecentlyUsedPasswords": 3
    }
  3. Run:

    update_security_policies.pl

Important: If you made policy changes using the CLI with the Login page already open in the browser, you need to reload the page for the changes to take effect.

Note: When the admin updates the password policy, existing users are not asked to update their passwords, even if those passwords do not adhere to the new policy. (When a user later changes their password, the new password must meet the strong password policy requirements.)
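To see how the username rules, the password character set and the password_policy.json parameters above fit together, here is an added Python checker (not AlgoSec's code) that applies the two regular expressions from this topic and the default policy values shown in the example file. It holds the password history in plaintext purely for illustration, which is an assumption; a real implementation compares against stored hashes.

```python
import json
import re
import string

# Regular expressions from this topic: username (optionally with LDAP domain) and the
# general password character set (printable ASCII except the back-tick).
USERNAME_RE = re.compile(r"^[a-zA-Z0-9@_.\-\/]*$")
PASSWORD_CHARS_RE = re.compile(r"^[a-zA-Z0-9\x20-\x5F\x7B-\x7E]*$")

# Constructed sample mirroring the default password_policy.json shown above
# (only the keys a content check needs).
PASSWORD_POLICY = json.loads("""{
  "minimumPassLength": 8,
  "minimumDigitChars": 1,
  "minimumUppercaseChars": 1,
  "minimumLowercaseChars": 1,
  "minimumSpecialChars": 1,
  "passwordNotUsername": true,
  "notRecentlyUsedPasswords": 3
}""")

# string.punctuation is exactly the special-character list given above.
SPECIAL_CHARS = set(string.punctuation)

def username_is_valid(name: str) -> bool:
    """True when the name is non-empty and uses only characters ASMS allows."""
    return bool(name) and USERNAME_RE.fullmatch(name) is not None

def password_violations(password, username, recent_passwords, policy=PASSWORD_POLICY):
    """Return the strong-password rules a candidate breaks (empty list = acceptable).
    recent_passwords: the user's history, most recent first (plaintext here only for illustration)."""
    problems = []
    if PASSWORD_CHARS_RE.fullmatch(password) is None:
        problems.append("contains a disallowed character (e.g. back-tick)")
    if len(password) < policy["minimumPassLength"]:
        problems.append("too short")
    counts = {
        "minimumDigitChars": sum(c.isdigit() for c in password),
        "minimumUppercaseChars": sum(c.isupper() for c in password),
        "minimumLowercaseChars": sum(c.islower() for c in password),
        "minimumSpecialChars": sum(c in SPECIAL_CHARS for c in password),
    }
    for key, n in counts.items():
        if n < policy[key]:
            problems.append(f"needs at least {policy[key]} {key[7:]}")
    # Local usernames are case-insensitive, so compare the same way here.
    if policy["passwordNotUsername"] and password.lower() == username.lower():
        problems.append("equals the username")
    if password in recent_passwords[: policy["notRecentlyUsedPasswords"]]:
        problems.append("reused one of the most recent passwords")
    return problems
```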

Configure the Account Lockout policy (for local users)

This procedure describes how to modify lockout policy parameters for local user accounts.

Do the following:

  1. In the CLI navigate to /home/afa/.fa/keycloak_config.

  2. Edit brute_force_policy.json and customize the parameter values as required.

    For example:

    {
     "bruteForceProtected": true,
     "permanentLockout": false,
     "failureFactor": 10,
     "quickLoginCheckMilliSeconds": 1000,
     "minimumQuickLoginWaitSeconds": 300,
     "waitIncrementSeconds": 300,
     "maxFailureWaitSeconds": 900,
     "maxDeltaTimeSeconds": 43200
    }
  3. Based on user type:

    For root user, run:

    /usr/share/fa/bin/update_security_policies

    For afa user, run:

    update_security_policies

Important: If you made policy changes using the CLI with the Login page already open in the browser, you need to reload the page for the changes to take effect.
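As an added illustration (not AlgoSec's code), the following Python model shows how the brute_force_policy.json parameters above combine into a temporary or permanent lockout for one local account. The semantics are the Keycloak-style ones the key names suggest (failureFactor failures trigger a wait of waitIncrementSeconds per full multiple, capped at maxFailureWaitSeconds; failures older than maxDeltaTimeSeconds are forgotten; two failures closer than quickLoginCheckMilliSeconds wait at least minimumQuickLoginWaitSeconds); that mapping is an assumption, not something this topic states.

```python
import json

# Constructed sample mirroring the default brute_force_policy.json shown above.
BRUTE_FORCE_POLICY = json.loads("""{
  "bruteForceProtected": true, "permanentLockout": false, "failureFactor": 10,
  "quickLoginCheckMilliSeconds": 1000, "minimumQuickLoginWaitSeconds": 300,
  "waitIncrementSeconds": 300, "maxFailureWaitSeconds": 900, "maxDeltaTimeSeconds": 43200
}""")

class LocalAccountLockout:
    """Failed-login tracker for one local account (assumed Keycloak-style semantics)."""
    def __init__(self, policy=BRUTE_FORCE_POLICY):
        self.policy = policy
        self.unlock()

    def unlock(self):
        """What the admin's Unlock user button (or a successful login) does: clear the counters."""
        self.failures, self.last_failure_ms = 0, None
        self.locked_until_ms, self.permanently_locked = None, False

    def is_locked(self, now_ms):
        return self.permanently_locked or (
            self.locked_until_ms is not None and now_ms < self.locked_until_ms)

    def record_failure(self, now_ms):
        """Count a failed login at now_ms; return the wait in seconds (0 = none, -1 = permanent)."""
        p = self.policy
        if not p["bruteForceProtected"]:
            return 0
        quick = False
        if self.last_failure_ms is not None:
            gap_ms = now_ms - self.last_failure_ms
            if gap_ms > p["maxDeltaTimeSeconds"] * 1000:   # old failures no longer count
                self.failures = 0
            quick = gap_ms < p["quickLoginCheckMilliSeconds"]  # too fast for a human retry
        self.last_failure_ms = now_ms
        self.failures += 1
        wait = p["minimumQuickLoginWaitSeconds"] if quick else 0
        if self.failures >= p["failureFactor"]:
            if p["permanentLockout"]:
                self.permanently_locked = True
                return -1
            # One waitIncrementSeconds per full failureFactor, capped at maxFailureWaitSeconds.
            stepped = p["waitIncrementSeconds"] * (self.failures // p["failureFactor"])
            wait = max(wait, min(stepped, p["maxFailureWaitSeconds"]))
        if wait:
            self.locked_until_ms = now_ms + wait * 1000
        return wait
```

With the defaults this reproduces the behaviour described under Unlock locked local accounts: the 10th bad password in a row locks the account for 5 minutes, and the wait grows to 10 and then 15 minutes if the failures continue.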