Manage users and groups

The User Access Control page enables you to create new Web Administration Interface users with access to only some WAI modules, and to restrict exactly what users can do in each module.

The administrator user can use every feature of every module. However, there are many situations in which you might wish to give some people access to a subset of WAI features. For example, there might be a person in your organization whose job it is to create and edit DNS zones and records. On a normal UNIX system, this person must be given root access to edit the zone files and restart the DNS server when necessary. However, when users can log in as administrator users they have full control of the system, and can do whatever they wish.

The WAI solves problem by enabling you to create additional users who can log in, but only access a few modules. You can further restrict what users can do in each module, so that they cannot perform actions that they are not supposed to. Because the WAI still runs with full root privileges even when used by a restricted user, it still has access to all the configuration files and commands that it needs.

You can use the User Access Control page to create, edit, or grant permissions to a WAI user or group. This page displays all users and groups on your system, and the WAI modules that they have access to. If a user is a member of a group, its membership and only those modules that do not come from the group are shown. On a default WAI system, only the administrator user is displayed, which has access to all modules that are supported on your operating system.

Create a new WAI user

To create a new user who can log in to the WAI, possibly with limited privileges, perform the following steps:

  1. Click the Create a new Administration Interface user link next to the list of existing users.
  2. Enter a login name in the Username field. The name cannot be already used by any other user or group.
  3. To assign the user to a group, select the group from the Member of group field. Any modules belonging to the group are granted to the user in addition to modules selected on this page, and any access control restrictions that apply to the group in those modules also apply to the user. For details on how to add new groups to the list, see Create and edit WAI groups.
  4. To give the user a normal password, select Set to from the Password drop-down list, and enter the password in the text box. If the new user has the same name as a UNIX user, you can select Unix authentication instead to enable the WAI to use Pluggable Authentication Modules (PAM), or read the /etc/shadow file to validate the user. To prevent the user from logging in, select No password accepted. For example, this might apply when creating users who have limited privileges, so they cannot log in until you have finished restricting their access.
  5. Enter the user's full name in the Real Name field.
  6. If the user has an associated SSL certificate, enter its name in the SSL certificate name field.
  7. Module icons on the WAI main page can be displayed under categories. If the new user is granted access to only a few modules, this is not necessary, so you can change the Categorize modules field to No.
  8. To limit the addresses from which the new user can log in to the WAI, set the IP access control field to Only allow listed addresses. Then enter host names, IP addresses, network/netmask pairs or wildcard host names (for example, *.foo.com) in the text box. These restrictions are checked only after any global IP access controls set in the IP Access Control page are passed.
  9. Select all the modules that the user is to have access to in the Available Administration Interface Modules section.
  10. When finished, click Save to create the new user. You are returned to the User Access Control page, and the new user can log in immediately.

Clone a WAI user

You can use cloning to speed up the process of creating a new user who has the same attributes and access permissions as an existing user. To clone a user, perform the following steps:

  1. Click the user name of the existing user to clone on the User Access Control page.
  2. Click the Clone button at the bottom of the editing form. This displays the creation form with most fields already set to the attributes of the original user.
  3. Complete the Username and Password fields, which are not copied from the cloned user. You can also change the values in any of the other fields.
  4. When finished, click Create. The new user gets a copy of all module access control settings from the original user, but these are not updated if the original user is updated later.

To create many users with access to the same modules and the same access control settings, it is better to create a group, and assign the users to it. This enables you to change the settings for all members at once just by editing the group.

Edit a WAI user

You can change the user name, password, or any other attribute of a WAI user (including the user you are logged in as) using this module. To edit a user, perform the following steps:

  1. Click a user name on the User Access Control page. This displays an editing form, similar to the one used to create the user.
  2. By default, the password is left unchanged. To edit it, select Set to from the Password drop-down list, and enter a new password in the text box.
  3. Edit any of the other fields on the form, as explained in the previous section. You can also move the user to another group, which causes the user to lose access to all modules in the original group, and gain access to those in the new group. If you are editing the user you are logged in as, the WAI does not allow you to remove access to this module. This is to protect you from locking yourself out of the module, and not being able to grant yourself access again.
  4. When you are finished, click Save to apply the changes immediately. If the user name or password is changed and the user is currently logged in, and WAI is not in session authentication mode, the user must log in again.

You can delete a user by clicking the Delete button at the bottom of the editing form, which also takes effect immediately. However, the WAI does not allow you to delete the currently logged in user.

Create and edit WAI groups

To create a large number of users who all have access to the same modules with the same access control options, the best solution is to create a WAI group. Like users, groups have access to a subset of the available modules, and have access control permissions in those modules. If you change the available modules or permissions for a group, those of all member users also change.

A group can be a member of another group, from which it inherits all allowed modules and access control settings. If the parent group is changed in any way, those changes flow through to all member groups and their member users. There is no limit to the number of levels of group nesting that you can create.

To create a new group, perform the following steps:

  1. Click the Create a new Administration Interface group link.
  2. Enter a unique name that is not used by any other existing user or group in the Group name field.
  3. To make this new group a member of an existing group, select the existing group from the Member of group menu.
  4. Select all the modules that you want members of this group to have access to from the Available Administration Interface Modules list. Those from any parent group are automatically included.
  5. Click Save to create the new group and return to the User Access Control page.
  6. You can now create new WAI users or edit existing users to become members of the new group.

When a group has been created, you can edit it by clicking its name in the table on the User Access Control page. This displays the group editing form on which you can change any of its attributes, before applying with the Save button. You can delete the group using the Delete button, as long as it does not have any member users or groups.

Additional options

The User Access Control page also includes links to the following options:

Option Description
Convert Unix to Administration Interface Users Enables you to convert existing UNIX users to WAI users. You can select a subset of users based on different criteria (for example, user name, group, or UUID). The permissions of each new WAI user are determined by the selected group. You can also select to reuse the UNIX user password in the WAI.
Configure Unix User Synchronization Enables you to configure the automatic synchronization of UNIX users created in the WAI and users in this module. For example, you can select to create a WAI user when a UNIX user is created, delete the matching WAI user when a UNIX user is deleted, or assign new UNIX users to a specified WAI group.
Configure Unix user Authentication Enables you to validate WAI login attempts against the system user list and PAM. This can be useful if you have a large number of existing UNIX users who you want to give access to the WAI. For example, you can select to only allow the specified WAI or UNIX users to log in, allow users who can run all commands using sudo to log in as administrator users, or deny UNIX users whose shells are not in the specified file.
View Login Sessions Displays the current WAI login sessions, and enables you to cancel an existing session and force the user to log in again.
Password Restrictions Enables you to specify WAI password enforcement options. For example, these include minimum password length, regular expressions that passwords must match, and the number of days before the password must be changed.