User administration via shell script
The configuration center uses role-based access control (RBAC).
Note the following:
- Each administrator should have a personal login account.
- Configuration permissions depend on account role(s).
- The matrix below shows the pre-defined roles and the permissions they have.
- If an administrator needs custom permissions, the administration roles can be customized (see below).
User manager tool
To add a new administrator or edit an existing user, start the airlock-user-manager-tool as root and follow the instructions on the screen:
root@Airlock:/ # airlock-user-manager-tool
Do not forget to save the new user settings after configuring them. To save, choose b to return to the initial page, then select s to save.
Backup of customized users
Customized users are not part of the default Airlock Gateway configuration file. Therefore, it is necessary to back up these users separately by saving the following three files:
/opt/airlock/custom-settings/mgt-auth/password.properties
/opt/airlock/custom-settings/mgt-auth/roles.properties
/opt/airlock/custom-settings/mgt-auth/assertion_key.properties
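One way to script this backup, as an added example that is not part of the Airlock documentation or tooling. The function name, the archive naming scheme and the destination directory are assumptions. It refuses a partial backup and writes the archive with owner-only permissions, since these files belong to management authentication.

```shell
#!/bin/sh
# Added example: back up the three custom-user files listed above.
# Assumptions (not from the Airlock documentation): the function name,
# the archive naming scheme and the destination directory argument.

MGT_AUTH_DIR="${MGT_AUTH_DIR:-/opt/airlock/custom-settings/mgt-auth}"
MGT_AUTH_FILES="password.properties roles.properties assertion_key.properties"

# backup_mgt_auth DEST_DIR
# Prints the archive path on success. Returns non-zero if any of the three
# files is missing or the finished archive does not list all of them.
backup_mgt_auth() {
    dest="$1"
    [ -n "$dest" ] || { echo "usage: backup_mgt_auth DEST_DIR" >&2; return 2; }

    # Refuse a partial backup: all three files must exist and be readable.
    for f in $MGT_AUTH_FILES; do
        [ -r "$MGT_AUTH_DIR/$f" ] || { echo "missing: $MGT_AUTH_DIR/$f" >&2; return 1; }
    done

    archive="$dest/mgt-auth-$(date +%Y%m%d-%H%M%S).tar.gz"
    (
        # Owner-only permissions for the archive (and for DEST_DIR if it
        # has to be created here).
        umask 077
        mkdir -p "$dest" &&
        tar -czf "$archive" -C "$MGT_AUTH_DIR" $MGT_AUTH_FILES
    ) || return 1

    # Verify the archive lists every expected file before reporting success.
    listing=$(tar -tzf "$archive") || return 1
    for f in $MGT_AUTH_FILES; do
        echo "$listing" | grep -qxF "$f" || { echo "not in archive: $f" >&2; return 1; }
    done
    echo "$archive"
}
```

Run it as root, for example `backup_mgt_auth /root/airlock-user-backup` (a hypothetical destination), and store the resulting archive with the same care as the configuration export.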
Default Roles and Permissions
Actions (Execute) | airlock-supervisor | airlock-auditor | airlock-administrator | airlock-app-admin |
---|---|---|---|---|
Log in to the configuration center | x | x | x | x |
Change own password | x | x | x | x |
Activate configuration | x | x | x | |
Load configuration | x | x | x | |
Import configuration | x | x | x | |
Save configuration | x | x | x | |
Export configuration | x | x (without private key) | x | |
Import mapping | x | x | x | x |
Export mapping | x | x | x | x |
Shutdown/reboot | x | x | | |
Upload and install update | x | x | | |
View and search logs | x | x | x | x |
View system monitoring and reports | x | x | x | x |
Add, remove, or restart add-on modules | x | x | | |
Configuration management | airlock-supervisor | airlock-auditor | airlock-administrator | airlock-app-admin |
---|---|---|---|---|
License | RW | R | RW | R |
Routes, hosts | RW | R | RW | R |
Network services (DNS, NTP, SNMP) | RW | R | RW | R |
Alerting | RW | R | RW | R |
ICAP | RW | R | RW | R |
Virtual hosts | RW | R | RW | R |
Back-end hosts | RW | R | RW | R |
Mappings | RW | R | RW | RW |
Reverse-proxy connections (lines) | RW | R | RW | RW |
Certificates | RW | R | RW | R |
Session settings | RW | R | RW | R |
Deny rules | RW | R | RW | R |
Error pages (R=download, W=upload) | RW | R | RW | R |
Expert settings | RW | R | RW | R |
View uploaded error pages | RW | R | RW | R |
Configuring custom administration roles with permissions other than those shown in the table above is possible. However, the creation of custom roles is experimental and not part of the public API of Airlock Gateway.