Manage requestors
Relevant for: Administrators
This topic describes how to manage FireFlow requestors.
FireFlow requestors can be managed by FireFlow administrators from the FireFlow Configuration area and the requestors database, and by AFA administrators from the AFA Administration area. Requestors can also be created in LDAP.
Manage Requestor Object Views: Watch to learn how to prevent requestors from seeing the list of suggested firewall objects.
Manage requestors from AFA
Do the following:
-
In the AFA Administration area, click the Users / Roles tab.
The User and Role Management page appears.
-
Click Manage FireFlow requestors.
The Select a user page appears, displaying the Requestors tab.
-
Click + New.
The Create Requestor dialog is displayed.
-
Complete the fields as needed. For details, see Requestor field reference.
-
Click OK.
Perform any of the following additional requestor management procedures, as needed:
Do the following:
-
In the AFA Administration area, click the Users / Roles tab.
The User and Role Management page appears.
-
Click Manage FireFlow requestors.
FireFlow opens displaying the Requestors tab of the Select a user page.
-
To display disabled requestors, click the Show disabled link.
To revert to a list which only displays enabled requestors, click the Hide disabled link.
-
In the Type to filter your results field, type your search.
The requestors which match your search appear in the Requestors area.
-
In the Requestors area, click on the desired requestor's username.
The Edit User dialog is displayed.
Note: If the system is configured to import user information from an LDAP server upon each login, changes to these settings may be overridden the next time the user logs in. In this case, changes to user settings must be made in the LDAP server instead of in FireFlow.
-
Complete the fields as needed. For details, see Requestor field reference.
-
Click Save.
Disabled requestors remain configured in FireFlow.
Note: All requestor usernames and email addresses must be unique, including disabled users.
If you only disable a requestor instead of deleting it, you will not be able to use that email address or username again in FireFlow.
Do the following:
-
In the AFA Administration area, click the Users / Roles tab.
The User and Role Management page appears.
-
Click Manage FireFlow requestors.
FireFlow opens displaying the Requestors tab of the Select a user page.
-
To display disabled requestors, click the Show disabled link.
To revert to a list which only displays enabled requestors, click the Hide disabled link.
-
In the Type to filter your results field, type your search.
The requestors which match your search appear in the Requestors area.
-
In the Requestors area, click on the desired requestor's username.
The Edit User dialog is displayed.
-
Clear the enabled check box.
-
Click Ok.
The requestor is disabled.
Manage requestors from FireFlow
This procedure describes how to manage requestor users from the FireFlow administration area.
Do the following:
- Log in to FireFlow for configuration purposes. For details, see Log in for configuration purposes.
-
In the main menu, click Configuration.
The FireFlow Configuration page appears.
-
Click Users.
The Select a user page appears, displaying the Requestors tab.
-
Click + New.
The Create Requestor dialog is displayed.
-
Complete the fields as needed. For details, see Requestor field reference.
-
Click OK.
Requestor field reference
The following fields are available in either the AFAAdministration area or the FireFlowConfiguration area.
General fields
Username |
Type the requestor's username. Usernames can contain any alpha-numeric character and the following special characters: "@", "_", ".", or "-". This field is required. |
|
Type the requestor's email address. |
Full Name |
Type the requestor's full name. |
Language |
Select the desired FireFlow interface language. All fields will be displayed in the selected language. |
Extra info |
Type additional information about the requestor. |
Enabled |
Select this option to enable the requestor to access the Requestors Web Interface. |
Access Control fields
Authentication |
Select the type of authentication to use for this requestor:
|
New Password |
Type a password for the requestor. Passwords can contain any alpha-numeric character or any special character, excluding back ticks (`). |
Retype Password |
Re-type the same password you entered in the New Password field. |
Location fields
Organization |
Type the name of the requestor's organization. |
Address 1 |
Type the requestor's primary mailing address. |
Address 2 |
Type the requestor's secondary mailing address. |
City |
Type the requestor's city. |
State |
Type the requestor's state. |
Zip |
Type the requestor's zip code. |
Country |
Type the requestor's country. |
Phone number fields
Home |
Type the requestor's home telephone number. |
Work |
Type the requestor's work telephone number. |
Mobile |
Type the requestor's mobile telephone number. |
Pager |
Type the requestor's pager number. |
Comment fields
Enter any additional comments about this requestor user.
Additional fields
If custom user fields are defined, this area displays the fields.
Complete the fields with the required information.
Manage FireFlow requestors from the requestor database
FireFlow provides a requestor management tool that enables you to add new requestors and edit existing requestors directly in the Requestor Database. The tool uses a REST API to access the Requestor Database. This same tool can be used to export a list of requestors.
Tip: FireFlow administrators can also export the current data into a CSV file. For details, see Exporting the Requestors Database.
Do the following:
-
Create a CSV file with which to update the Requestor Database.
For each requestor, the file should include the fields specified in CSV File Fields (see CSV File Fields).
Note: The fields are case-sensitive.
Note: You can save the file anywhere on the server.
-
Open a terminal, and log in using the username "root" and the related password.
-
Enter the following command:
/usr/share/fireflow/local/extras/update_requestors.pl {-fCSVFile -uUsername-pPassword [-t Timeout] [-sServerURL] | -iParametersFile}
For information on the command's flags, see Requestor Database Script Flags (see Requestor Database Script Flags).
In this field... |
Specify this... |
---|---|
UserName |
The user's username. Usernames can contain any alpha-numeric character and the following special characters: "@", "_", ".", or "-". This field is required. |
NewUserName |
A new username for the user. This field is only relevant when updating the Requestors Database. |
|
The user's email address. |
Password |
A password for the user. Passwords can contain any alpha-numeric character or any special character, excluding back ticks (`). |
FullName |
The user's full name. |
HomePhone |
The user's home telephone number. |
Comments |
Comments about this user. If the comments include a comma, line break, or quotation marks, you must enclose the comments in quotation marks. |
Signature |
A signature that should appear at the end of this user's messages. |
Organization |
The name of the user's organization. |
Language |
The desired FireFlow interface language. All fields will be displayed in the selected language. |
ExtraInfo |
Additional information about the user. |
WorkPhone |
The user's work telephone number. |
PagerPhone |
The user's pager number. |
Address1 |
The user's primary mailing address. |
Address2 |
The user's secondary mailing address. |
City |
The user's city. |
State |
The user's state. |
Zip |
The user's zip code. |
Country |
The user's country. |
Authentication |
The type of authentication to use for this user. This can have the following values:
|
MobilePhone |
The user's mobile telephone number. |
Disabled |
Whether to enable the user to access the Requestors Web Interface. This can have the following values:
The default value is 0. |
Flag |
Description |
---|---|
-fCSVFile |
The full path and name of the CSV input file. This flag is relevant only when updating the Requestors Database. |
-lCSVFile |
The full path and name of the CSV output file. This flag is relevant only when exporting the Requestors Database. |
-uUsername |
The user name of an AlgoSec administrator with permissions to manage requestors. |
-pPassword |
The password of an AlgoSec administrator with permissions to manage requestors. |
-a |
Display all users, including disabled ones, in the CSV output file. This flag is relevant only when exporting the Requestors Database. |
-t Timeout |
The timeout in seconds for each HTTP request that the tool issues against the FireFlow server. The default value is 90. |
-s ServerURL |
The FireFlow server URL. The default value is https://localhost. |
-iParametersFile |
The parameters input file. When this flag is used, the requestors management tool will refer to a parameters input file for all flags. This is useful if you want to avoid typing a password in the command line. The parameters input file must be a text file, with each flag appearing on a different line. |
You can use the requestor management tool to export a list of requestors from the Requestor Database into a CSV file.
Do the following:
- Open a terminal, and log in using the username "root" and the related password.
-
Enter the following command:
/usr/share/fireflow/local/extras/update_requestors.pl {-lCSVFile -uUsername-pPassword [-a] [-t Timeout] [-sServerURL] | -iParametersFile}
For information on the command's flags, see Requestor Database Script Flags (see Requestor Database Script Flags).
The CSV file is exported. For each requestor, the file includes the fields specified in CSV File Fields (see CSV File Fields).
Manage FireFlow requestors from LDAP
This procedure describes how to manage FireFlow requestor users from LDAP. Only users who are not defined in AlgoSec Firewall Analyzer can be considered requestors by FireFlow.
Do the following:
- In AlgoSec Firewall Analyzer, go to the Administration page.
- Click the Options tab, then click the Authentication tab.
- Select LDAP as the Authentication Server.
- In the Permitted Users area, add the DN of the users in the Users Under Base DN field.
The LDAP field MemberOf associates the user with an AlgoSec Firewall Analyzer role. Any user for which the LDAP field MemberOf is empty is automatically considered a requestor by FireFlow.