Manage privileged users

Relevant for: Administrators

This topic describes how to manage FireFlow administrators and other privileged users. These users are managed in the AFA Administration area, not in FireFlow itself.

Note: If ASMS is configured to authenticate users with an authentication server or Single Sign On, user credentials are not managed locally. For more details, see Manage authentication servers and SSO.

Add and edit privileged users

Note: It is possible to import users from a CSV file. For more details, see Import users via CSV.

Do the following:

  1. Switch to AFA.
  2. In the toolbar, click your username.

    A drop-down menu appears.

  3. Select Administration.

    The Administration page appears, displaying the Options tab.

  4. In the Options tab, click the Users/Roles sub-tab.

    The User and Role Management page appears.

  5. Do one of the following:

    • To add a new user, under the list of users, click New.
    • To edit an existing user, click in the desired user's row.

    New fields appear.

  6. Complete the fields as needed. For details, see User field reference.

    Note: In order to enable the user to perform configuration and advanced configuration tasks, such as using VisualFlow to edit workflows, you must select the FireFlow Administrator - Allow FireFlow Advanced Configuration option.

  7. In the Roles area, select the AFA roles to assign the user.

    An AFA role represents a set of permissions and access levels in AFA, and when a user is assigned a role, the user is automatically granted the permissions specified for the role.

    Note: You can assign additional permissions to this user, as desired. The user will then have both the permissions inherited from their roles, as well as the permissions assigned specifically to the user.

    For more details, see AFA users and roles.

  8. Specify the devices and groups that the user should be able to view, by doing the following in the Authorized Devices area:

    1. Click Select devices.

      A tree of all the devices and groups appears.

    2. Choose the desired devices and groups.
    3. Click OK.

      The selected devices and groups are listed in the Authorized Devices area. Each device or group is assigned the access level specified in the default permission profile.

    4. To change the access level for a device or group, in the device or group's Permission profile drop-down list, select the desired access level.
    5. To specify that AFA should send e-mail notifications regarding a device or group, select the device or group's Notification check box.
  9. Click OK.

The user is added to ASMS.

Note: If you are adding a network operations or security information user, you must now assign the user the relevant role. If you assigned the user administrative permissions (by selecting the Administrator check box), the system automatically assigns the user both roles, and there is no need for further configuration.

For more details, see Manage user roles.

User field reference

The following fields are used to define FireFlow users.

In this field... / Do this...

User details

Username

Type a username for the user.

Usernames can contain any alpha-numeric character and the following special characters: "@", "_", ".", or "-".

Full name

Type the user's full name.

E-Mail

Type the user's e-mail address.

Notes

Type any notes about the user.

Authentication

Select how to authenticate this user:

  • Local. Authenticate the user against the local ASMS user database.
  • RADIUS. Authenticate the user against a RADIUS server.
  • LDAP. Authenticate the user against an LDAP server.

For more details, see Configure user authentication.

Landing Page

Select one of the three products, or Automatic. For more information, see Customizing the Landing Page.

Password


New password

Type a password for the user.

Passwords can contain any alpha-numeric character or any special character, excluding back ticks (`).

Confirm password

Re-type the password you entered in the New password field.

General Permissions


Administrator

Select this option to make the user an administrator.

FireFlow Administrator - Allow FireFlow Advanced Configuration

Select this option to make the user a FireFlow configuration administrator. This enables the user to perform advanced configuration tasks in FireFlow.

Enable Analysis from file

Select this option to allow the user to perform analyses from configuration files.

Enable Trusted Traffic -> global

Select this option to allow the user to view trusted traffic.

Roles


Select the user roles to assign the user. The user will automatically be granted the permissions specified in the assigned roles.

Note: You can assign additional permissions to this user, as desired. The user will then have both the permissions inherited from their roles, as well as the permissions assigned specifically to this user.

E-mail Notifications

Changes in risks

Select this option to specify that the AFA system should send notifications to the user when there are changes in risks.

Changes in policy

Select this option to specify that the AFA system should send notifications to the user when changes are made to policies.

Every group report

Select this option to specify that the AFA system should send notifications to the user when a group report is generated.

Every report

Select this option to specify that the AFA system should send notifications to the user when a report is generated.

Every configuration change

Select this option to specify that the AFA system should send notifications to the user when configuration changes are made.

Rules and VPN Users about to expire

Select this option to specify that the AFA system should send notifications to the user when device rules and/or VPN users are about to expire.

To configure the number of days before rule or VPN user expiration that AFA should send a notification, complete the Days before expiration alerts field in the General sub-tab of the Options tab in the Administration area. See Setting AlgoSec Firewall Analyzer Preferences.

Error messages

Select this option to specify that the AFA system should send error messages to the user. These include low disk space and license expiration warnings.

This field is only relevant for administrators.

Changes in customization

Select this option to specify that the AFA system should send notifications to the user when customization changes are made. These include notifications about topology, trusted traffic, and risk profile customizations.

This field is only relevant for administrators.

Hide change details

Select this option to omit change details from emails about new reports and from change alerts, and include only the device name and a link to the AFA Web interface.

Note: It is possible to hide change details globally, for all users. The global setting overrides individual users' Hide change details setting. See Globally Hiding/Displaying Change Details.

Authorized Views and Actions


Report

Select the report pages/information that the user can view. Select Full Report to indicate that the user can view all report information.

Pages that are not selected will be inaccessible to the user.

Note: A user can only be given access to Configuration and Logs information if they have access to the Explore Policy page.

Home Views

Select the Home page elements that the user can view. Select All Home Views to indicate that the user can view all Home page elements.

Pages that are not selected will be inaccessible to the user.

Reporting Tool

Select this option to allow the user to access the AlgoSec Reporting Tool (ART).

Note: Non-administrator users that open the Reporting Tool will only see data relevant to the user's allowed firewalls.

Actions

Select the actions that the user can perform in AFA. Select All Actions to indicate that the user can perform all actions.

Controls used to perform actions that are not selected will be disabled.

Authorized Devices


Default permission profile

Select the user's default access level to devices.
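The field reference above states a few rules that are easy to check before an account is saved or bulk-imported: the username character set, the back-tick exclusion for passwords, the union of role permissions with user-specific permissions, and the default permission profile applied to each authorized device unless overridden. The following is an added example, not code from ASMS or AlgoSec; the record layout, role names and device names are constructed assumptions for illustration.

```python
import re

# Username rule from the field reference: alphanumerics plus "@", "_", ".", "-".
USERNAME_RE = re.compile(r"^[A-Za-z0-9@_.\-]+$")

def username_ok(name: str) -> bool:
    """Username uses only the characters the field reference allows."""
    return USERNAME_RE.fullmatch(name) is not None

def password_ok(pw: str) -> bool:
    """Password is non-empty and contains no back tick, the one excluded character."""
    return bool(pw) and "`" not in pw

def effective_permissions(role_perms: dict, roles: list, user_perms: set) -> set:
    """Permissions inherited from every assigned role, plus those set on the user."""
    granted = set(user_perms)
    for role in roles:
        granted |= set(role_perms.get(role, ()))
    return granted

def device_access(default_profile: str, overrides: dict, devices: list) -> dict:
    """Each authorized device gets the default profile unless its drop-down was changed."""
    return {dev: overrides.get(dev, default_profile) for dev in devices}

def audit_user(user: dict, role_perms: dict) -> list:
    """Return review findings for one constructed user record before it is saved."""
    findings = []
    if not username_ok(user["username"]):
        findings.append("username contains characters outside the allowed set")
    if not password_ok(user.get("password", "")):
        findings.append("password is empty or contains a back tick")
    perms = effective_permissions(role_perms, user.get("roles", []), user.get("user_perms", set()))
    if user.get("administrator"):
        # Per the page, Administrator grants both roles automatically; flag it for review.
        findings.append("Administrator set: both roles are granted automatically; confirm this is intended")
    elif not perms:
        findings.append("no roles or direct permissions: user has no access in AFA")
    return findings

# Constructed sample roles and user records (assumptions, not from the page).
ROLE_PERMS = {"netops": {"view_report", "explore_policy"}, "secinfo": {"view_risks"}}
SAMPLE_USERS = [
    {"username": "j.doe@example.com", "password": "Str0ng!pass", "roles": ["netops"], "user_perms": {"view_risks"}},
    {"username": "bad user", "password": "has`tick", "roles": [], "administrator": True},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["username"], audit_user(u, ROLE_PERMS))
    print(device_access("Read-only", {"fw-edge": "Full"}, ["fw-edge", "fw-core"]))
```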

Delete FireFlow privileged users

If desired, you can delete an Administrator or other privileged user. Deleted privileged users are demoted to requestors and can then be disabled in FireFlow.

Note: Deleted users are not removed from the FireFlow system history. They remain the owners of their change requests, and they still appear in change request histories.

Note: Deleted users' usernames and email addresses remain in the system. Because all usernames and email addresses must be unique, new users cannot reuse a deleted user's username or email address. It is therefore recommended to change a user's email address before deletion, so that the user can be added again later with their original email address.

Do the following:

  1. Switch to AFA.
  2. In the toolbar, click your username.

    A drop-down menu appears.

  3. Select Administration.

    The Administration page appears, displaying the Options tab.

  4. In the Options tab, click the Users/Roles sub-tab.

    The User and Role Management page appears.

  5. Select the check box next to the desired user.
  6. Under the list of users, click Delete.

    A confirmation message appears.

  7. Click OK.

    The user is deleted from AFA.

    The user is demoted to a requestor in FireFlow.

  8. Disable the user in FireFlow. For details, see Manage requestors.

Disable and enable privileged users

If desired, you can disable a privileged user, so that they no longer appear in the FireFlow interface. Additionally, you can re-enable a disabled user.

Note: Values that were entered for a user before they were disabled are retained in the FireFlow database.

Note: Users that are deleted from AFA and FireFlow are demoted to requestors and disabled. For more details, see AFA users and roles.

Do the following:

  1. Log in to FireFlow for configuration purposes. For details, see Log in for configuration purposes.
  2. In the main menu, click Configuration.

    The FireFlow Configuration page appears.

  3. Click Users.

    The Select a user page appears.

  4. Click the Users tab.

    The Users tab appears.

  5. (Optional) To display disabled users, click the Show disabled link.

    To revert to a list that displays only enabled users, click the Hide disabled link.

  6. (Optional) To search for the desired user, type your search in the Type to filter your results field.

    The users that match your search appear in the Users area.

  7. Click the desired user's name.

    The Edit User window appears.

  8. Do one of the following:

    • To disable the user, clear the Enabled check box.
    • To enable the user, select the Enabled check box.
  9. Click Save.

    The user is enabled or disabled.