
Manage Paragon Insights Users and Groups


HealthBot Release 3.0.0 employs role-based access control (RBAC) to control access to the user interface, tools, and objects. RBAC is applied to user groups, each of which is made up of a list of users.

The access controls in Paragon Insights (formerly HealthBot) let you grant one group of users, such as operators, read-only access to certain pages such as Configuration > Device Configuration, while granting a different group of users, such as administrators, read-write access to the same page.

Starting with Release 4.0.0, Paragon Insights performs user management, authentication, and authorization through the Identity and Access Management (IAM) service included in the 4.0.0 installation package.

There are no changes in the installation process. See the Paragon Insights Installation Guide for the installation or migration procedure.

In new installations of Paragon Insights Release 4.0.0, a user can be registered through e-mail. This mode of registration requires you to perform additional steps at the time of installation. For existing Paragon Insights installations, you can register new users with a username only, without an e-mail address. For more information on first login, see Default User and First Login.

Note

Starting from Paragon Insights Release 4.1.0, username is case insensitive.

In Paragon Insights, there are two administrators. One is the default admin user, who first logs into Insights after a new installation; the admin user has complete control over all of Insights’ access controls. The other is the sp-admin user, who is created in the Paragon Insights interface. To know more about roles in Paragon Insights, see Default User Roles.

Paragon Insights 4.0.0 also supports Lightweight Directory Access Protocol (LDAP) based authentication. The authorization data such as organizational ID, username, and password are stored and managed in IAM. For more information, see LDAP Authentication in Paragon Insights.

Default User and First Login

In standalone Paragon Insights installations, the default username and password are set as admin and Admin123!, respectively. The admin user has complete control over all of Paragon Insights’ access controls. The credentials above are used for the first login at the URL https://<Paragon Insights hostname or IP>:8080.

Upon successful first login and before the admin user is granted access to the GUI, they are required to create a new password. The Set Password window pops up and provides instructions regarding password length, capitalization, special characters, and so on. Once you save this password, a pop-up window notifies you that the password has been changed. From this time forward, the admin user logs in with the new password.

If Paragon Insights is migrated from 3.x.x or earlier to Release 4.0.0, the admin user creates the other users and assigns them roles and an initial password in the Administration > User Management page. Users created with the sp-admin and sp-operator roles can log in for the first time with their username by entering the initial password provided by the admin user.

Note

All users must change their password after the first login.

To change password:

  1. Click the circle with the first letter of your username at the top right corner of the interface.
  2. Click Change Password in the drop-down menu.

    A Change Password window appears.

  3. Enter your current password. Enter your new password and re-enter your new password to confirm.

    Passwords must be at least 8 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.

  4. Click OK.

    A window notifies that your password is changed successfully.

Starting with standalone Paragon Insights 4.0.0 installations, the admin user can register a user with an e-mail address if Insights is configured for this registration method during installation. The registered user gets a login link in their inbox that expires after 24 hours. When they click on the link, a Set Password window appears where they can set a new password before they log into Paragon Insights.

Default User Roles

In Paragon Insights 4.0.0, the hbadmin group in earlier releases is converted to the sp-admin role whereas the hbmonitor, hbconfig, and hboperator groups are merged into the sp-operator role.

Paragon Insights is shipped with two pre-defined user roles:

  • sp-admin — The user gets read and write access to add resources such as device groups, network groups, rules, and playbooks, configure data summarization profiles, create backups of the Insights configuration or time series database, and manage users and groups.

  • sp-operator — Provides login capability and read-only access to view any configured entity in Insights.

None of the pre-defined user roles can be changed or removed.

User Management

The User Management page is the first page shown when you navigate to Administration > User Management from the left navigation bar. This page is used to:

  • View a list of current Paragon Insights users

    The list shows user details including username, role, status, and provider type. User status can be active (green) or inactive (red).

  • Add new users

    Click the + to bring up the Create User window. Enter the following details.

    Note

    In Paragon Insights Release 4.0.0, an sp-admin can map a user to a role without creating user groups. The sp-admin can also create user groups, associate roles to user groups and then, add users to the user groups.

    Table 1: Create User Fields for Installations without E-mail Registration

    Fields

    Description

    Username

    Enter a username of maximum 32 characters. The username is used to log into the Paragon Insights portal.

    Note: Starting from Paragon Insights Release 4.1.0, username is case insensitive.

    First Name

    Enter the first name of the user. You cannot exceed 32 characters.

    Last Name

    Enter the last name of the user. You cannot exceed 32 characters.

    Status

    Enable or disable the user. If you disable the user, they cannot log into the Paragon Insights portal.

    Provider Type

    There are two provider types — Local (IAM) and LDAP.

    Choose Local to configure the user in IAM, or choose LDAP to map the user to an LDAP user group.

    (Optional) Mapping Provider Group

    If you choose the provider type as LDAP, you can enter the LDAP user group name in this field.

    Password

    Enter a password for the user.

    Passwords must be at least 8 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.

    A password must be unique and must not be a previously used password.

    Role

    Select one or more roles in the left-side panel and click the right arrow button to add the roles to the user.

    The roles are sp-admin, sp-operator, or a custom role with selected create, read, update, and delete access permissions.

    If you configured Paragon Insights to register users using e-mail address, you must configure SMTP settings in the portal before adding users.

    To configure SMTP settings:

    1. Select Administration > SMTP Settings.

      The SMTP Settings page appears. Fill in the details described in Table 2.

      Table 2: Fields in SMTP Settings

      Fields

      Description

      Server Address

      Enter the SMTP server address.

      For example, smtp.domain.com

      TLS

      Toggle the switch on to enable TLS if you want to encrypt the e-mails that Paragon Insights sends to your users’ accounts.

      Port Number

      Enter the port number.

      The standard port number is set to 25 if TLS is disabled and is set to 587 if you enable TLS in SMTP settings.

      SMTP Authentication

      SMTP Authentication (Optional)

      Enable SMTP authentication to allow only verified users to send e-mails to or receive e-mails from the Paragon Insights application.

      Username

      Enter the username to be used for authentication. The username must not exceed 32 characters.

      Note: Starting from Paragon Insights Release 4.1.0, username is case insensitive.

      Password

      Enter a password.

      Confirm Password

      Re-enter the password.

      From Name

      If you did not enable SMTP authentication, this field is mandatory.

      This name appears as the sender’s name to the e-mail recipients.

      From Email Address

      Enter the e-mail address from which messages from Paragon Insights must be sent to recipients.

      The syntax is example@domain.com

      Test SMTP Settings

      Email Address

      Enter your e-mail address to check whether the SMTP settings configured in the previous fields work as intended.

      Click Send Test Email. If you receive an e-mail from Paragon Insights in the inbox of the e-mail address entered in this field, then you have successfully configured SMTP settings.

    2. Click Save.

      The SMTP configuration for Paragon Insights is complete. You can now register users using their e-mail address.

    To register a user using e-mail address:

    1. Select Administration > User Management > User in the left navigation bar.

      The Users page appears.

    2. Click on the + icon to add a new user.

      The Create User page appears. Fill in the following details.

      Table 3: Create User Fields for Installations with E-mail Registration

      Fields

      Description

      First Name

      Enter the first name of the user. You cannot exceed 32 characters.

      Last Name

      Enter the last name of the user. You cannot exceed 32 characters.

      Status

      Enable or disable the user. If you disable the user, they cannot log into the Paragon Insights portal.

      Username (E-mail)

      Enter the e-mail address of the user that will be used to log into the Paragon Insights portal.

      Role

      Select one or more roles in the left-side panel and click the right arrow button to add the roles to the user.

      The roles are sp-admin, sp-operator, or a custom role with selected create, read, update, and delete access permissions.

    3. Click OK.

      The user you added is listed in the Users page.

  • Edit existing users

    Select an existing user by clicking anywhere on that user’s line in the list. Then click the Edit User (Pencil) icon to bring up the Edit User window. You can change any parameter except the username and the Provider Type.

  • Delete a user

    Select an existing user by clicking anywhere on that user’s line in the list. Then click the Delete User (Trash Can) icon. Confirm the action and the user is deleted.

Note

If you set a user’s status to inactive or delete that user, they are immediately prevented from logging in to Paragon Insights through the login page.

You can also export (backup) user configurations and restore the configurations in Paragon Insights. The backup and restore feature is not applied to pre-canned roles. For more information, see Paragon Insights Configuration – Backup and Restore.

Group Management

A user group is a collection of roles to which a Paragon Insights user can be assigned. The roles within a user group define the access (read-only or read-write) that all members of the group have in common. In other words, user groups are where RBAC controls are applied.

The User Groups page is accessed by navigating to Administration > User Management from the left navigation bar and selecting User Groups on the left side of the User Management page.

  • View a list of current Paragon Insights user groups

    The list shows user group details including group name and description.

  • Add new user groups

    Click the + to bring up the Add Group window.

    Starting in HealthBot Release 3.1.0, RBAC has been enhanced to include the roles selector helper. The roles selector helper appears when you add or edit a user group. See Figure 1.

    Figure 1: Add User Group

  • Edit existing user groups

    Select an existing user group by clicking anywhere on that group’s line in the list. Then click the Edit User (Pencil) icon to bring up the Edit <groupname> window.

    Note

    When you add or edit a user group, the window has sections called System Roles and GUI Roles under the Selected Roles pull-down. These sections show the specific read-only (R) or read-write (W) permissions that are assigned to the group as a result of the selections made in the ROLES SELECTOR HELPER.

  • Delete a user group

    Select an existing user group by clicking anywhere on that group’s line in the list. Then click the Delete User (Trash Can) icon. A confirmation window appears. Confirm the action (Save and Deploy) to complete the deletion. The pre-defined user groups hbdefault and hbadmin cannot be deleted.

Warning

Adding and editing user groups in Paragon Insights is an advanced feature that requires a deep understanding of the available roles and how they apply to RBAC. We recommend that you use only the Role Selector check-boxes to add or remove permissions. We do not recommend that you add or remove individual system or GUI roles.

LDAP Authentication in Paragon Insights

LDAP users can access the Paragon Insights GUI after an sp-admin configures LDAP settings in Paragon Insights and maps an LDAP user group to a Paragon Insights user group. In Paragon Insights Release 4.0.0, Active Directory on Windows Server 2012 R2 and OpenLDAP version 2.4 are the validated LDAP implementations.

A typical workflow of LDAP-based authentication involves the following steps.

  1. An LDAP administrator configures an LDAP group on an external server and adds users to the LDAP group.

  2. The sp-admin creates a user group for LDAP users in the Paragon Insights Release 4.0.0 interface and assigns roles to the created user group.

    Note

    The Paragon Insights user group and LDAP user group must have the same name.

  3. The sp-admin configures LDAP settings in Paragon Insights and maps the Paragon Insights user group to the LDAP user group in the Paragon Insights GUI.

  4. Upon successful authentication, the LDAP server produces a list of LDAP groups associated with the user.

    The IAM service checks for the corresponding group name in Paragon Insights and generates roles associated with the Paragon Insights user group.

  5. The IAM service converts the roles into a JSON Web Token (JWT) that is used for authorizing the LDAP user in Paragon Insights.

    Note

    If a user is configured both in LDAP and in IAM (locally), LDAP takes priority over IAM during authentication. When the user tries to log in, Paragon Insights checks the user details first in LDAP and then in IAM.
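Steps 4 and 5 and the LDAP-first rule in the note, worked through as an added example (not Paragon Insights or IAM code): the group names, role assignments, user records and JWT claim names are constructed for illustration, and the real IAM token layout is not documented on this page.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data, not from the page: Paragon Insights user groups keyed
# by name, each with its Provider Type and the roles the sp-admin assigned.
PI_GROUPS = {
    "noc-operators": {"provider": "LDAP", "roles": ["sp-operator"]},
    "platform-admins": {"provider": "LDAP", "roles": ["sp-admin"]},
    "local-ops": {"provider": "Local", "roles": ["sp-operator"]},
}
# Constructed directory answer: the LDAP groups each authenticated user belongs to.
LDAP_GROUPS = {
    "alice": ["noc-operators", "platform-admins", "unmapped-group"],
    "bob": ["noc-operators"],
}
# Constructed local (IAM) users with directly assigned roles.
LOCAL_USERS = {"bob": ["sp-admin"], "carol": ["sp-operator"]}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def roles_for_ldap_groups(ldap_groups):
    """Only a Paragon Insights group with exactly the same name and Provider
    Type LDAP contributes roles; LDAP groups with no counterpart grant nothing."""
    roles = set()
    for name in ldap_groups:
        group = PI_GROUPS.get(name)
        if group and group["provider"] == "LDAP":
            roles.update(group["roles"])
    return sorted(roles)


def authorize(username):
    """LDAP is consulted first; the local IAM store only if LDAP does not know the user."""
    username = username.lower()  # usernames are case insensitive from Release 4.1.0
    if username in LDAP_GROUPS:
        return "LDAP", roles_for_ldap_groups(LDAP_GROUPS[username])
    if username in LOCAL_USERS:
        return "Local", sorted(LOCAL_USERS[username])
    return None, []


def mint_jwt(username, provider, roles, key, now, ttl=3600):
    """HS256 JWT carrying the resolved roles (claim names are assumed)."""
    parts = [json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")),
             json.dumps({"sub": username, "provider": provider, "roles": roles,
                         "iat": now, "exp": now + ttl}, separators=(",", ":"))]
    signing_input = ".".join(_b64url(p.encode()) for p in parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token, key, now):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    h, _, rest = token.partition(".")
    p, _, s = rest.partition(".")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not h or not p or not hmac.compare_digest(_b64url(expected), s):
        return None
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    return claims if claims.get("exp", 0) > now else None
```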

To configure LDAP settings in Paragon Insights:

  1. Click Administration > Authentication > LDAP Settings option in the left navigation bar.

  2. Enter the necessary fields in the LDAP Settings page.

    The following table describes the attributes in the LDAP Settings page.

    Table 4: Configure LDAP to Integrate with Paragon Insights

    Attributes

    Description

    LDAP Server

    Server Address

    Enter the LDAP server URL.

    For example, ldap.example.net.

    SSL

    Enable SSL to encrypt the LDAP channel.

    Port Number

    Enter the port number for the LDAP server.

    The default port number if SSL is enabled is 636 and the default port without SSL is 389.

    LDAP Authentication

    Authentication Method

    The authentication method is set to Simple, so the password the client sends to bind to the LDAP server is plain text. Enable SSL (above) so that the channel carrying the bind is encrypted.

    Base Domain Name

    Enter the domain name that constitutes the search base for querying the LDAP server.

    For example: dc=mycompany,dc=net or dc=mycompany,dc=com.

    Bind Domain Name

    Enter the user name configured for LDAP authentication.

    For example: user@mycompany.net.

    Bind Password

    Enter a password for LDAP authentication.

    User Options (Optional)

    User Attribute

    Setting a user attribute is optional. This filter improves the search functionality on the LDAP server using the specified attribute name.

    User Filter

    Specify the objectClass attribute to filter the type of entities that can access Paragon Insights.

    For example, Person as a user filter.

  3. Click Save.

    The LDAP server configuration in Paragon Insights is complete.

After configuring LDAP settings, the sp-admin must create an LDAP user group in Paragon Insights to map the users created on the LDAP server to Paragon Insights. The LDAP group created in Paragon Insights is where administrators map roles for LDAP users.

To map an LDAP group to Paragon Insights user group:

  1. Click Administration > User Management > User Groups option in the left navigation bar.

    The User Group page appears.

  2. Click the plus icon to create a new user group.

    The Create User Group page appears.

  3. Enter a group name and select Provider Type as LDAP from the drop-down menu.

    The Mapping Provider Group section appears.

  4. In the Mapping Provider Group field, enter the LDAP group name.

  5. Select the roles to be associated with the LDAP group in Paragon Insights and click OK.

The users configured on the LDAP server can log into Paragon Insights by entering their LDAP credentials. The resources and pages accessible to an LDAP user depend on the permissions granted by the role mapped through Paragon Insights.

Password Recovery

The default admin user does not require an e-mail address to access the interface in standalone deployment. If the initial password set by an admin user is lost, it can be recovered by a system administrator who has access to the physical server or virtual machine that hosts the Paragon Insights application. The system administrator has to run the following curl command in any shell in one of the nodes in the Kubernetes cluster.

Curl command to reset the Paragon Insights admin user credential using the IAM service token (the service-account token is read from the Kubernetes secret of the iam service account and passed in the x-service-token header):

  curl -k --request POST 'https://{{server-ip}}:{{port}}/iam/reset-password' \
    --header "x-service-token: $(kubectl get secret -n {{namespace}} \
        $(kubectl get sa -n {{namespace}} iam -o jsonpath='{.secrets[0].name}') \
        -o jsonpath='{.data.token}' | base64 --decode)" \
    --header 'x-service-scope: {}' \
    --header 'Content-Type: application/json' \
    --data '{ "user_name": "{{username}}", "new_password": "{{password}}" }'

The IAM service validates the token and resets the password for the admin user.

Note

The port number for standalone Paragon Insights deployment is 8080 and the namespace is healthbot.

There is currently no self-service lost-password mechanism for users registered without an e-mail address. A password reset must be done manually by an administrator with read-write access to the User Management page. The administrator must edit the user, change the password, and then notify the user by appropriate means.

To recover password of user accounts registered with e-mail address:

  1. Enter your username (e-mail address) in the Paragon Insights login page.
  2. Place the cursor in the password field.

    The Forgot Password? link appears beneath the Log in button.

  3. Click on the Forgot Password? link.

    A Forgot Password window appears displaying the message that an e-mail with link to reset password is sent to your account.

  4. Click on the Reset your password button in your account recovery e-mail.

    The reset password link expires after 24 hours.

  5. In the Set Password window, enter a new password and enter the same password in the Confirm Password field.

    Passwords must be at least 8 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.

    A password must be unique and must not be a previously used password.

  6. Click OK.

    You will receive a second e-mail notifying you that your password is changed. Log into Paragon Insights using your latest password.

Limitations

In HealthBot Release 3.1.0, the RBAC implementation is limited in some ways:

  • The available roles, such as R-Devices, W-Devices, R-Datastore, etc. are all pre-defined. There is no way to add new roles or delete existing roles.

  • All roles are endpoint driven, not specific to any resource. This means that if you have read permission for devices, you can read all devices in the system. There is no means to restrict the read access to a subset of devices.

  • Roles are permissive in nature. You cannot create a role that blocks access to any given endpoint such as rules. If a user is created but not given any group membership, they will not be able to access the Paragon Insights GUI.

  • RBAC is currently limited to the API service. This means that if you have read-only access to a page such as Configuration > Devices, you can see the entire page and interact with all of its controls. You could even go through the motions of creating a device in the GUI. However, when you click SAVE or SAVE & DEPLOY, an API call is made, and the API recognizes that you do not have the required permission to create a device. Errors are displayed at that time.

  • If you migrate data from your existing 2.1.X installation to your 3.0.0 or later installation, user data is not migrated. Any existing users must be recreated manually, by the admin user, after migration.
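A minimal model of the endpoint-driven, permissive checks the bullets above describe, as an added example (not Paragon Insights code): it makes the read-on-an-endpoint-means-read-everything, no-deny-role and no-roles-means-no-access behaviour concrete. The API paths and every role name other than R-Devices, W-Devices and R-Datastore are assumed.

```python
import re

# Role names follow the page's R-<family> / W-<family> pattern; W is read-write.
ROLE_PATTERN = re.compile(r"^(R|W)-([A-Za-z]+)$")

# Constructed mapping from API path prefix to the resource family a role names.
# Paths are assumed; only the families Devices and Datastore appear on the page.
ENDPOINT_FAMILY = {
    "/api/v1/devices": "Devices",
    "/api/v1/device-groups": "Devices",
    "/api/v1/datastore": "Datastore",
    "/api/v1/rules": "Rules",
}

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def family_for(path):
    """Resolve the resource family of an endpoint; the id after the prefix is ignored,
    which is exactly why access cannot be restricted to a subset of devices."""
    for prefix, fam in ENDPOINT_FAMILY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return fam
    return None


def is_allowed(roles, method, path):
    """Permissive, endpoint-driven decision made by the API, not the GUI: any role
    granting the needed level on the endpoint's family allows the call; no role
    can deny, and a user with no roles is allowed nothing."""
    fam = family_for(path)
    if fam is None:
        return False
    need_write = method.upper() in WRITE_METHODS
    for role in roles:
        m = ROLE_PATTERN.match(role)
        if not m or m.group(2) != fam:
            continue
        if m.group(1) == "W" or not need_write:
            return True
    return False
```

Calling `is_allowed(["R-Devices"], "POST", "/api/v1/devices")` reproduces the SAVE case in the fourth bullet: the GUI lets the operator fill in the form, but the API call is refused.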


Release History Table

  • Release 4.0.0: Paragon Insights performs user management, authentication, and authorization through the Identity and Access Management (IAM) service included in the 4.0.0 installation package.

  • Release 3.1.0: RBAC has been enhanced to include the roles selector helper.

  • Release 3.0.0: HealthBot employs role-based access control (RBAC) to control access to the user interface, tools, and objects.