Manage Paragon Insights Users and Groups
HealthBot Release 3.0.0 employs role-based access control (RBAC) to control access to the user interface and to its tools and objects. RBAC is applied to user groups, each of which is made up of a list of users.
The use of access controls within Paragon Insights (formerly HealthBot) allows you to grant one group of users, like operators, read-only access to certain pages like Configuration > Device Configuration; while granting a different group of users, like administrators, read-write access to that same page.
Starting with Release 4.0.0, Paragon Insights handles user management, authentication, and authorization through the Identity and Access Management (IAM) service included in the 4.0.0 installation package.
There are no changes to the installation process. See the Paragon Insights Installation Guide for the installation or migration procedure.
In new installations of Paragon Insights Release 4.0.0, a user can be registered by e-mail address. This mode of registration requires you to perform additional steps at installation time. For existing Paragon Insights installations that are upgraded, you register new users with a username only, without an e-mail address. For more information on first login, see Default User and First Login.
Starting from Paragon Insights Release 4.1.0, usernames are case insensitive.
In Paragon Insights there are two administrators: one is the default admin user who first logs into Paragon Insights after a new installation and has complete control over all of Paragon Insights' access controls; the other is the sp-admin user, which is created in the Paragon Insights interface. For more information about roles in Paragon Insights, see Default User Roles.
Paragon Insights 4.0.0 also supports Lightweight Directory Access Protocol (LDAP) based authentication. Authorization data such as the organizational ID, username, and password is stored and managed in IAM. For more information, see LDAP Authentication in Paragon Insights.
Default User and First Login
In standalone Paragon Insights installations, the default username and password are set as admin and Admin123!, respectively. The admin user has complete control over all of Paragon Insights’ access controls. The credentials above are used for the first login at the URL https://<Paragon Insights hostname or IP>:8080.
Upon successful first login and before the admin user is granted access to the GUI, they are required to create a new password. The Set Password window pops up and provides instructions regarding password length, capitalization, special characters, and so on. Once you save this password, a pop-up window notifies you that the password has been changed. From this time forward, the admin user logs in with the new password.
If Paragon Insights is migrated from 3.x.x or an earlier version to 4.0.0, the admin user creates the other users and assigns them roles and an initial password in the Administration > User Management page. Users created with the sp-admin and sp-operator roles log in for the first time with their username and the initial password provided by the admin user.
All users must change their password after the first login.
To change password:
Click the circle with the first letter of your username at the top right corner of the interface.
Click Change Password in the drop-down menu.
A Change Password window appears.
Enter your current password. Enter your new password and re-enter your new password to confirm.
Passwords must be at least 8 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.
Click OK.
A window notifies that your password is changed successfully.
Starting with standalone Paragon Insights 4.0.0 installations, the admin user can register a user with an e-mail address if Insights is configured for this registration method during installation. The registered user gets a login link in their inbox that expires after 24 hours. When they click on the link, a Set Password window appears where they can set a new password before they log into Paragon Insights.
Default User Roles
In Paragon Insights 4.0.0, the hbadmin group in earlier releases is converted to the sp-admin role whereas the hbmonitor, hbconfig, and hboperator groups are merged into the sp-operator role.
Paragon Insights is shipped with two pre-defined user roles:
sp-admin — The user gets read and write access to add resources such as device groups, network groups, rules and playbooks, configure data summarization profiles, create backups of the Paragon Insights configuration or time series database, and manage users and groups.
sp-operator — Provides login capability and read-only access to view any configured entity in Paragon Insights.
None of the pre-defined user roles can be changed or removed.
User Management
The User Management page is the first page shown when you navigate to Administration > User Management from the left navigation bar. This page is used to:
View a list of current Paragon Insights users
The list shows user details including username, role, status, and provider type. User status can be active (green) or inactive (red).
Add new users
Click the + to bring up the Create User window. Enter the following details.
Note: In Paragon Insights Release 4.0.0, an sp-admin can map a user to a role without creating user groups. The sp-admin can also create user groups, associate roles with user groups, and then add users to the user groups.
Table 1: Create User Fields for Installations without E-mail Registration
Field / Description
Username
Enter a username of at most 32 characters. The username is used to log into the Paragon Insights portal.
Note: Starting from Paragon Insights Release 4.1.0, usernames are case insensitive.
First Name
Enter the first name of the user. You cannot exceed 32 characters.
Last Name
Enter the last name of the user. You cannot exceed 32 characters.
Status
Enable or disable the user. If you disable the user, they cannot log into the Paragon Insights portal.
Provider Type
There are two provider types: Local (IAM) and LDAP.
Choose Local to create the user in IAM, or choose LDAP to map the user to an LDAP user group.
(Optional) Mapping Provider Group
If you choose the provider type as LDAP, you can enter the LDAP user group name in this field.
Password
Enter a password for the user.
Passwords must be at least 8 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.
The password must not be one of the user's previously used passwords.
Role
Select one or more roles in the left-hand panel and click the right arrow button to assign them to the user.
The roles are sp-admin, sp-operator, or a custom role with selected create, read, update, and delete permissions.
If you configured Paragon Insights to register users by e-mail address, you must configure SMTP settings in the portal before adding users. The SMTP configuration is used to send account-related e-mails, such as when a user changes or resets a password, or when the admin user adds a new user.
Note: To configure the SMTP settings, you must have set the environment variables
export HB_IAM_SKIP_MAIL_VERIFICATION=false
export HB_IAM_DISABLE_SMTP_SETTINGS=false
during Paragon Insights installation. See the installation guide for more information.
To configure SMTP settings:
Select Administration > SMTP Settings.
The SMTP Settings page appears. Fill in the details described in Table 2.
Table 2: Fields in SMTP Settings
Field / Description
Server Address
Enter the SMTP server address.
For example, smtp.domain.com
TLS
Toggle the switch on to enable TLS so that the connection between Paragon Insights and the SMTP server is encrypted. Without TLS, the SMTP credentials configured below and the account e-mails Paragon Insights sends (including password reset links) cross the network in clear text.
Port Number
Enter the port number.
The standard port number is set to 25 if TLS is disabled and is set to 587 if you enable TLS in SMTP settings.
SMTP Authentication
SMTP Authentication (Optional)
Enable SMTP authentication if your mail server requires clients to authenticate before it relays mail. Paragon Insights then presents the username and password entered below when it sends account e-mails.
Username
Enter the username to be used for authentication. The username must not exceed 32 characters.
Note: Starting from Paragon Insights Release 4.1.0, usernames are case insensitive.
Password
Enter a password.
Confirm Password
Re-enter the password.
From Name
If you did not enable SMTP authentication, you must fill in this field.
This name appears as sender’s name to the e-mail recipients.
From Email Address
Enter the e-mail address from which messages from Paragon Insights must be sent to recipients.
The format is example@domain.com.
Test SMTP Settings
Email Address
Enter your e-mail address to check that the SMTP settings configured in the previous fields work as intended.
Click Send Test Email. If you receive an e-mail from Paragon Insights in the inbox of the e-mail address entered in this field, then you have successfully configured SMTP settings.
Click Save.
SMTP configuration for Paragon Insights is complete. You can now register users by their e-mail address.
To register a user using e-mail address:
Select Administration > User Management > User in the left navigation bar.
The Users page appears.
Click on the + icon to add a new user.
The Create User page appears. Fill in the following details.
Table 3: Create User Fields for Installations with E-mail Registration
Field / Description
First Name
Enter the first name of the user. You cannot exceed 32 characters.
Last Name
Enter the last name of the user. You cannot exceed 32 characters.
Status
Enable or disable the user. If you disable the user, they cannot log into the Paragon Insights portal.
Username (E-mail)
Enter the e-mail address of the user that will be used to log into the Paragon Insights portal.
Role
Select one or more roles in the left-hand panel and click the right arrow button to assign them to the user.
The roles are sp-admin, sp-operator, or a custom role with selected create, read, update, and delete permissions.
Click OK.
The user you added is listed in the Users page.
Edit existing users
Select an existing user by clicking anywhere on that user’s line in the list. Then click the Edit User (Pencil) icon to bring up the Edit User window. You can change any parameter except the username and the Provider Type.
Delete a user
Select an existing user by clicking anywhere on that user’s line in the list. Then click the Delete User (Trash Can) icon. Confirm the action and the user is deleted.
If you set a user’s status to inactive or delete that user, they are immediately prevented from logging in to Paragon Insights through the login page.
You can also export (back up) user configurations and restore them in Paragon Insights. The backup and restore feature does not apply to the pre-defined roles. For more information, see Paragon Insights Configuration – Backup and Restore.
Group Management
A user group is a collection of roles to which a Paragon Insights user can be assigned. The roles within a user group define the access (read-only or read-write) that all members of the group have in common. In other words, user groups are where RBAC controls are applied.
The User Groups page is accessed by navigating to Administration > User Management from the left-nav and selecting User Groups on the left side of the User Management page.
View a list of current Paragon Insights user groups
The list shows user group details including group name and description.
Add new user groups
Click the + to bring up the Add Group window.
Starting in HealthBot Release 3.1.0, RBAC has been enhanced to include the roles selector helper. The roles selector helper appears when you add or edit a user group. See Figure 1.
Figure 1: Add User Group
Edit existing user groups
Select an existing user group by clicking anywhere on that group's line in the list. Then click the Edit (Pencil) icon to bring up the Edit <groupname> window.
Note: When you add or edit a user group, the window has sections called System Roles and GUI Roles under the Selected Roles pull-down. These sections show the specific read-only (R) or read-write (W) permissions that are assigned to the group as a result of the selections made in the ROLES SELECTOR HELPER.
Delete a user group
Select an existing user group by clicking anywhere on that group's line in the list. Then click the Delete (Trash Can) icon. A confirmation window appears. Confirm the action (Save and Deploy) to complete the deletion. The pre-defined user groups hbdefault and hbadmin cannot be deleted.
Adding and editing user groups in Paragon Insights is an advanced feature that requires a deep understanding of the available roles and how they apply to RBAC. We recommend that you use only the Role Selector check-boxes to add or remove permissions. We do not recommend that you add or remove individual system or GUI roles.
LDAP Authentication in Paragon Insights
LDAP users can log into the Paragon Insights GUI with their LDAP credentials after an sp-admin configures LDAP settings in Paragon Insights. The sp-admin must also map the LDAP user group to a Paragon Insights user group. In Paragon Insights Release 4.0.0 and later releases, the LDAP implementation is validated against Active Directory on Windows Server 2012 R2 and OpenLDAP version 2.4.
A typical workflow of LDAP-based authentication involves the following steps:
An LDAP administrator configures an LDAP group on the external LDAP server and adds users to that group.
The sp-admin configures LDAP settings in Paragon Insights.
The sp-admin creates a user group for LDAP users in Paragon Insights Release 4.0.0 interface, maps this user group to the existing LDAP user group, and then assigns roles to that user group.
Note: The Paragon Insights user group and the LDAP user group must have the same name. The name match is the only link between the two, so whoever can add members to that group on the LDAP side effectively grants the roles of the corresponding Paragon Insights group.
During authentication, the LDAP server produces the list of LDAP groups the user belongs to. The Paragon Insights IAM service looks up the Paragon Insights user group with the same name and resolves the roles assigned to it. The IAM service then places those roles in a JSON Web Token (JWT) that is used to authorize the LDAP user in Paragon Insights.
If a user is configured both in LDAP and locally in IAM, LDAP takes priority during authentication: when the user tries to log in, Paragon Insights checks the user's credentials first in LDAP and then in IAM.
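The flow above, as an added example that is not part of this page or of the Paragon Insights product: a small Python model of the LDAP-first login, the group-name match, the role resolution, and the JWT that results. The directory contents, the local IAM users, the group-to-role table, the JWT claim names, and the HS256 signing key are all constructed for illustration; the IAM service's real token format and key handling are not documented here.

```python
"""Added example, not Paragon Insights code: a model of the LDAP-then-IAM login flow
and JWT issuance described above. Directory contents, local IAM users, the group-to-role
mapping, JWT claim names and the signing key are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the external LDAP server (Base DN and User Filter as on the page).
LDAP_BASE_DN = "dc=mycompany,dc=net"
LDAP_USER_FILTER = "person"            # objectClass value entered in the User Filter field
LDAP_DIRECTORY = {
    "uid=alice," + LDAP_BASE_DN: {"objectClass": "person", "userPassword": "Alice#2024pw",
                                  "memberOf": ["noc-operators"]},
    "uid=bob," + LDAP_BASE_DN: {"objectClass": "person", "userPassword": "Bob#2024ldap",
                                "memberOf": ["unmapped-group"]},
    "cn=svc-backup," + LDAP_BASE_DN: {"objectClass": "device", "userPassword": "Svc#2024pw",
                                      "memberOf": ["noc-operators"]},
}

def ldap_simple_bind(username, password):
    """Simple bind against the constructed directory: returns the entry's group list on
    success, None on failure. Entries outside the objectClass user filter never bind."""
    for dn, entry in LDAP_DIRECTORY.items():
        rdn_value = dn.split(",", 1)[0].split("=", 1)[1]
        if rdn_value.lower() != username.lower():      # usernames are case insensitive
            continue
        if entry["objectClass"].lower() != LDAP_USER_FILTER:
            return None
        return entry["memberOf"] if hmac.compare_digest(entry["userPassword"], password) else None
    return None

# Constructed stand-in for the local IAM user store (provider type Local).
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

IAM_LOCAL_USERS = {
    "carol": {"salt": b"salt-carol", "hash": _pbkdf2("Carol#2024pw", b"salt-carol"),
              "roles": ["sp-admin"], "active": True},
    "bob": {"salt": b"salt-bob", "hash": _pbkdf2("Bob#2024local", b"salt-bob"),
            "roles": ["sp-operator"], "active": True},
}

# Paragon Insights user groups of provider type LDAP, keyed by the mapped LDAP group name
# (the two names must be identical), with the roles assigned to each group.
LDAP_GROUP_ROLES = {"noc-operators": ["sp-operator"]}

JWT_SECRET = b"constructed-demo-key-not-the-product-key"   # assumption: HS256 shared key

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(username, roles, provider, now=None):
    """HS256 JWT carrying the resolved roles; the API layer authorizes on these claims."""
    issued = int(time.time() if now is None else now)
    payload = {"sub": username.lower(), "roles": sorted(roles), "provider": provider,
               "exp": issued + 3600}
    signing_input = (_b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(JWT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token, now=None):
    """Returns the payload if the signature is valid and the token is unexpired, else None."""
    try:
        head, body, sig = token.split(".")
        sig_bytes = _b64url_decode(sig)
        payload = json.loads(_b64url_decode(body))
    except ValueError:                     # malformed token or bad base64 (binascii.Error)
        return None
    expected = hmac.new(JWT_SECRET, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    if payload["exp"] <= int(time.time() if now is None else now):
        return None
    return payload

def authenticate(username, password):
    """LDAP is tried first; the local IAM record is consulted only if the LDAP bind fails."""
    groups = ldap_simple_bind(username, password)
    if groups is not None:
        roles = {r for g in groups for r in LDAP_GROUP_ROLES.get(g, [])}
        # An LDAP user whose groups match no Paragon Insights group gets a token with no
        # roles; because roles only ever grant, every endpoint check will refuse it.
        return mint_jwt(username, roles, "ldap")
    user = IAM_LOCAL_USERS.get(username.lower())
    if user and user["active"] and hmac.compare_digest(_pbkdf2(password, user["salt"]), user["hash"]):
        return mint_jwt(username, user["roles"], "local")
    return None
```

What the model makes visible: the LDAP group name is the authorization key, so control of membership of noc-operators on the directory side is control of sp-operator access here; a user present in both stores (bob) is authenticated by LDAP first and reaches the local IAM record only when the LDAP bind fails; and an LDAP user whose groups map to no Paragon Insights group receives a token with no roles, which the permissive RBAC model then refuses everywhere.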
To configure LDAP settings in Paragon Insights:
Click Administration > Authentication > LDAP Settings option in the left navigation bar.
Enter the necessary fields in the LDAP Settings page.
The following table describes the attributes in the LDAP Settings page.
Table 4: Configure LDAP to Integrate with Paragon Insights
Attribute / Description
LDAP Server
Server Address
Enter the LDAP server host name or IP address.
For example, ldap.example.net.
SSL
Enable SSL to encrypt the LDAP channel.
Port Number
Enter the port number for the LDAP server.
The default port number if SSL is enabled is 636 and the default port without SSL is 389.
LDAP Authentication
Authentication Method
The authentication method is fixed to Simple, which sends the bind password from Paragon Insights to the LDAP server in plain text. Enable SSL (port 636) so that the bind credentials and the user passwords forwarded at login are not exposed on the network.
Base Domain Name
Enter the domain name that constitutes the search base for querying the LDAP server.
For example: dc=mycompany,dc=net or dc=mycompany,dc=com.
Bind Domain Name
Enter the user name (bind DN or user principal name) of the account Paragon Insights uses to bind to the LDAP server. An account with read-only directory access is sufficient for this bind.
For example: user@mycompany.net.
Bind Password
Enter a password for LDAP authentication.
User Options (Optional)
User Attribute
Setting a user attribute is optional. This filter improves the search functionality on the LDAP server using the specified attribute name.
User Filter
Specify the objectClass attribute value used to filter the type of entries that can authenticate to Paragon Insights. For example, person as a user filter.
Click Save.
LDAP server configuration in Paragon Insights is complete.
After configuring LDAP settings, the sp-admin must create an LDAP user group in Paragon Insights to map the users created in LDAP server to Paragon Insights. The LDAP group created in Paragon Insights allows sp-admins to map roles for LDAP users.
To map an LDAP group to Paragon Insights user group:
Click Administration > User Management > User Groups option in the left navigation bar.
The User Group page appears.
Click the plus icon to create a new user group.
The Create User Group page appears.
Enter a group name and select Provider Type as LDAP from the drop-down menu.
The Mapping Provider Group section appears.
In the Mapping Provider Group field, enter the LDAP group name.
Select the roles to be associated with the LDAP group in Paragon Insights and click OK.
The users configured on the LDAP server can now log into Paragon Insights by entering their LDAP credentials. The resources and pages accessible to an LDAP user depend on the permissions granted by the roles mapped through the Paragon Insights user group.
Password Recovery
The default admin user does not require an e-mail address to access the interface in standalone deployment. If the initial password set by an admin user is lost, it can be recovered by a system administrator who has access to the physical server or virtual machine that hosts the Paragon Insights application. The system administrator has to run the following curl command in any shell in one of the nodes in the Kubernetes cluster.
Curl command to reset a Paragon Insights user's credential using the IAM service token (the token is read from the Secret of the iam service account in the Paragon Insights namespace):
# Substitute the {{...}} placeholders; see the note on port, namespace, and server-ip below.
curl -k --request POST 'https://{{server-ip}}:{{port}}/iam/reset-password' \
  --header "x-service-token: $(kubectl get secret -n {{namespace}} \
      $(kubectl get sa -n {{namespace}} iam -o jsonpath='{.secrets[0].name}') \
      -o jsonpath='{.data.token}' | base64 --decode)" \
  --header 'x-service-scope: {}' \
  --header 'Content-Type: application/json' \
  --data '{
    "user_name": "{{username}}",
    "new_password": "{{password}}"
  }'
The IAM service validates the token and resets the password for the named user. Because the request is authorized solely by the iam service-account token, anyone who can read Secrets in the Paragon Insights namespace can reset any local user's password, including admin; restrict kubectl access to that namespace accordingly. The -k option disables TLS certificate verification for the request, and the new password is passed on the command line, so run it from a shell whose history is disabled or clear the history afterwards. On Kubernetes 1.24 and later, token Secrets are no longer created automatically for service accounts, so the .secrets[0].name lookup may return nothing; in that case the token must come from a manually created service-account token Secret.
The port number for a standalone Paragon Insights deployment is 8080 and the namespace is healthbot. The server-ip in the request URL is the virtual IP address you configured for Paragon Insights services during installation.
There is currently no self-service type of lost password mechanism for users registered without an e-mail address. Password reset must be done manually by an administrator with read-write access to the User Management page. The administrator must edit the user, change the password, and then notify the user by appropriate means. The default password expiry for users with sp-admin and sp-operator roles is 180 days.
To recover password of user accounts registered with e-mail address:
Enter your username (e-mail address) in the Paragon Insights login page.
Place the cursor in the password field.
The Forgot Password? link appears beneath the Log in button.
Click on the Forgot Password? link.
A Forgot Password window appears displaying the message that an e-mail with link to reset password is sent to your account.
Click on the Reset your password button in your account recovery e-mail.
The reset password link expires after 24 hours.
In the Set Password window, enter a new password and enter the same password in the Confirm Password field.
Passwords must be at least 8 characters long and must contain uppercase letters, lowercase letters, numbers, and special characters.
The password must not be one of your previously used passwords.
Click OK.
You will receive a second e-mail notifying you that your password is changed. Log into Paragon Insights using your latest password.
Limitations
In HealthBot Release 3.1.0, the RBAC implementation is limited in some ways:
The available roles, such as R-Devices, W-Devices, R-Datastore, etc. are all pre-defined. There is no way to add new roles or delete existing roles.
All roles are endpoint driven, not specific to any resource. This means that if you have read permission for devices, you can read all devices in the system. There is no means to restrict the read access to a subset of devices.
Roles are permissive in nature. You cannot create a role that blocks access to any given endpoint such as rules. If a user is created but not given any group membership, they will not be able to access the Paragon Insights GUI.
RBAC is currently enforced only in the API service, not in the GUI. This means that if you have read-only access to a page such as Configuration > Devices, you can see the entire page and interact with all of its controls. You could even go through the motions of creating a device in the GUI. However, when you click SAVE or SAVE & DEPLOY, an API is called, and it recognizes that you do not have the required permission to create a device. Errors are displayed at that time.
If you migrate data from your existing 2.1.X installation to your 3.0.0 or later installation, user data is not migrated. Any existing users must be recreated manually, by the admin user, after migration.
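To make the RBAC model in this section concrete, here is an added Python example (not Paragon Insights code) of an endpoint-driven authorization check with the properties the Limitations describe: roles only grant, permission is per endpoint rather than per resource, a user with no roles is refused everywhere, and the check runs in the API handler rather than in the GUI. The role names R-Devices, W-Devices, and R-Datastore are from the page; the endpoint paths, the expansion of sp-admin and sp-operator into endpoint roles, and the device inventory are constructed for illustration.

```python
"""Added example, not Paragon Insights code: an API-side RBAC check of the kind the
Limitations section describes. Role names such as R-Devices and W-Devices come from
the page; the endpoint paths, the role-to-endpoint table, the sp-* role bundles and
the sample device inventory are constructed for illustration."""

# Endpoint-driven permission table: role -> (HTTP methods it allows, path prefix).
# Roles are permissive: a role only ever grants access, it never denies it.
ROLE_GRANTS = {
    "R-Devices":   ({"GET"}, "/api/v1/devices"),
    "W-Devices":   ({"GET", "POST", "PUT", "DELETE"}, "/api/v1/devices"),
    "R-Datastore": ({"GET"}, "/api/v1/datastore"),
    "W-Datastore": ({"GET", "POST", "PUT", "DELETE"}, "/api/v1/datastore"),
}

# Constructed expansion of the pre-defined roles into endpoint roles.
ROLE_BUNDLES = {
    "sp-admin":    ["W-Devices", "W-Datastore"],
    "sp-operator": ["R-Devices", "R-Datastore"],
}

# Constructed inventory. There is no ownership or scope field: read access on the
# endpoint means read access to every device in it.
DEVICES = [{"id": "mx-edge-1"}, {"id": "mx-edge-2"}, {"id": "qfx-leaf-7"}]

def effective_roles(user_roles):
    """Expand sp-* bundles into endpoint roles; unknown role names grant nothing."""
    expanded = set()
    for role in user_roles:
        expanded.update(ROLE_BUNDLES.get(role, [role] if role in ROLE_GRANTS else []))
    return expanded

def is_authorized(user_roles, method, path):
    """True if any effective role grants `method` on an endpoint prefix matching `path`.
    A user with no roles (no group membership) is refused on every endpoint."""
    for role in effective_roles(user_roles):
        methods, prefix = ROLE_GRANTS[role]
        if method in methods and (path == prefix or path.startswith(prefix + "/")):
            return True
    return False

def handle_request(user_roles, method, path, body=None):
    """Minimal API dispatcher. The authorization check lives here, not in the GUI, so a
    read-only user can fill in the Add Device form but the SAVE call gets a 403."""
    if not is_authorized(user_roles, method, path):
        return 403, {"error": "permission denied for %s %s" % (method, path)}
    if method == "GET" and path == "/api/v1/devices":
        return 200, {"devices": list(DEVICES)}        # whole inventory, no subset possible
    if method == "POST" and path == "/api/v1/devices":
        DEVICES.append({"id": body["id"]})
        return 201, {"created": body["id"]}
    return 404, {"error": "no such endpoint"}
```

Running the dispatcher with ["sp-operator"] returns every device on GET and 403 on POST; with an empty role list every call is refused; with ["sp-admin"] the POST succeeds. A role such as R-Datastore says nothing about /api/v1/devices, so it is refused there too, which is what "endpoint driven, not resource specific" means in practice.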