Manage HealthBot Users and Groups
Starting with Release 3.0.0, HealthBot employs role-based access control (RBAC) to control access to the user interface and HealthBot tools and objects. RBAC is applied to user groups that are made up of a list of users.
Access controls within HealthBot allow you to grant one group of users, such as operators, read-only access to certain pages, such as Configuration > Device Configuration, while granting a different group of users, such as administrators, read-write access to that same page.
Default User and First Login
When HealthBot is first installed, the default username and password are set as admin and healthbot respectively. The admin user has complete control over all of HealthBot’s access controls. The credentials above are used for the first login at the URL https://<HealthBot hostname or IP>:8080.
Upon successful first login and before the admin user is granted access to the GUI, they are required to create a new password. The Temporary Password Reset window pops up and provides instructions regarding password length, capitalization, special characters, and so on. Once you save this password, a pop-up window notifies you that the password has been changed. From this time forward, the admin user logs in with the new password.
Once the admin user is logged in, all user and group management is carried out on the Administration > User Management page.
The User Management page is the first page shown when you navigate to Administration > User Management from the left-nav bar. This page is used to:
View a list of current HealthBot users
The list shows user details including first name, last name and status. User status can be active (green) or inactive (red).
Add new users
Click the + to bring up the Add User(s) window.
Edit existing users
Select an existing user by clicking anywhere on that user’s line in the list. Then click the Edit User (Pencil) icon to bring up the Edit <username> window. You can change any parameter except the username.
Export the user list
With no user selected, click the Export (Page with arrow) icon to bring up the export dialog.
Delete a user
Select an existing user by clicking anywhere on that user’s line in the list. Then click the Delete User (Trash Can) icon. Confirm the action and the user is deleted.
There is currently no self-service mechanism for lost passwords. Password reset must be done manually by an administrator with read-write access to the User Management page. The administrator must edit the user, change the password, and then notify the user by appropriate means.
If you set a user’s status to inactive or delete that user, they are immediately prevented from logging in to HealthBot through the login page.
A user group is a collection of roles to which a HealthBot user can be assigned. The roles within a user group define the access (read-only or read-write) that all members of the group have in common. In other words, user groups are where RBAC controls are applied.
The User Groups page is accessed by navigating to Administration > User Management from the left-nav and selecting User Groups on the left side of the User Management page. This page is used to:
View a list of current HealthBot user groups
The list shows user group details including group name and description.
Add new user groups
Click the + to bring up the Add Group window.
Starting in HealthBot Release 3.1.0, RBAC has been enhanced to include the roles selector helper. The roles selector helper appears when you add or edit a user group. See Figure 1.
Edit existing user groups
Select an existing user group by clicking anywhere on that group’s line in the list. Then click the Edit User (Pencil) icon to bring up the Edit <groupname> window.
When you add or edit a user group, the window has sections called System Roles and GUI Roles under the Selected Roles pull-down. These sections show the specific read-only (R) or read-write (W) permissions that are assigned to the group as a result of the selections made in the ROLES SELECTOR HELPER.
Export the user group list
With no user group selected, click the Export (Page with arrow) icon to bring up the export dialog.
Delete a user group
Select an existing user group by clicking anywhere on that group’s line in the list. Then click the Delete User (Trash Can) icon. A confirmation window appears. Confirm the action (Save and Deploy) to complete the deletion. The pre-defined user groups hbdefault and hbadmin cannot be deleted.
Adding and editing user groups in HealthBot is an advanced feature that requires a deep understanding of the available roles and how they apply to RBAC. We recommend that you use only the Role Selector check-boxes to add or remove permissions. We do not recommend that you add or remove individual system or GUI roles.
Pre-Defined User Groups
HealthBot is shipped with four pre-defined user groups:
hboperator: Provides login capability and the ability to manage your own profile. Each user belongs to this group.
hbmonitor: Provides read-only access to any configured entity in HealthBot.
hbconfig: Provides all the capabilities of the hbmonitor group plus the ability to modify any configuration in HealthBot.
hbadmin: Provides all the capabilities of the hbconfig group plus the ability to manage users and groups.
None of the pre-defined user groups can be changed or removed. The default admin user is automatically a member of the hbadmin group. The default admin user is the first member of this group and cannot be removed from it. Additional administrator users can be added to this group by the admin user or another member of the hbadmin group.
In HealthBot Release 3.1.0, the RBAC implementation is limited in some ways:
The available roles, such as R-Devices, W-Devices, and R-Datastore, are all pre-defined. There is no way to add new roles or delete existing roles.
All roles are endpoint driven, not specific to any resource. This means that if you have read permission for devices, you can read all devices in the system. There is no means to restrict the read access to a subset of devices.
Roles are permissive in nature. You cannot create a role that blocks access to any given endpoint such as rules. If a user is created but not given any group membership, they will not be able to access the HealthBot GUI.
RBAC is currently limited to the API service. This means that if you have read-only access to a page such as Configuration > Devices, you can see the entire page and interact with all of its controls. You could even go through the motions of creating a device in the GUI. However, when you click SAVE or SAVE & DEPLOY, an API is called, and it recognizes that you do not have the required permission to create a device. Errors are displayed at that time.
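The limitations above can be modelled in a few lines. This is an added example, not HealthBot code: the group-to-role assignments, the W-Datastore role, the HTTP-method mapping, and the function names are all assumptions made for illustration; only the R-Devices, W-Devices, and R-Datastore role names and the group names come from this page.

```python
# Illustrative model of the RBAC behaviour described above.
# Group contents and the method-to-role mapping are assumptions, not
# HealthBot's real configuration.
from dataclasses import dataclass, field

# Role names follow the page's R-<Endpoint> / W-<Endpoint> pattern.
GROUP_ROLES = {
    "hbmonitor": {"R-Devices", "R-Datastore"},
    "hbconfig": {"R-Devices", "R-Datastore", "W-Devices", "W-Datastore"},
}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    active: bool = True


def effective_roles(user):
    """Union of the roles of every group; roles are permissive, so nothing subtracts."""
    roles = set()
    for group in user.groups:
        roles |= GROUP_ROLES.get(group, set())
    return roles


def required_role(method, endpoint):
    """Roles are per endpoint; no resource identifier takes part in the decision."""
    prefix = "W" if method.upper() in WRITE_METHODS else "R"
    return f"{prefix}-{endpoint}"


def api_authorize(user, method, endpoint, resource_id=None):
    """Decision made when the API is called; resource_id is deliberately unused."""
    if not user.active:
        return False
    return required_role(method, endpoint) in effective_roles(user)


operator = User("op1", {"hbmonitor"})   # constructed sample users
orphan = User("new-hire")               # created but given no group membership
print(api_authorize(operator, "GET", "Devices", "router-7"))   # True: any device is readable
print(api_authorize(operator, "POST", "Devices", "router-7"))  # False: rejected only on SAVE
print(api_authorize(orphan, "GET", "Devices"))                 # False: no group, no access
```

Because the decision never looks at the resource, read access to one device cannot be separated from read access to all of them; scoping has to be handled by deciding who is placed in which group.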
If you migrate data from your existing 2.1.X installation to your 3.0.0 or later installation, user data is not migrated. Any existing users must be recreated manually, by the admin user, after migration.