4.3. Administrators

Access to the UserGate LogAn web console is controlled by creating additional administrator accounts, assigning them access profiles, defining an administrator password management policy, and configuring web console access with the correct permissions for the service in the network zone properties.

Note

A local superuser named Admin is created during the initial setup of UserGate LogAn.

To create additional device administrator accounts, follow these steps:

Step 1. Create an administrator access profile: in the Administrators --> Administrator profiles section, click Add and enter the desired settings.

Step 2. Create an administrator account and assign it one of the administrator profiles created earlier: in the Administrators section, click Add and select the desired option.

  • Add local administrator: create a local user, set a password for the user, and assign them one of the access profiles created earlier.

  • Add LDAP user: add a user from an existing domain. This requires a correctly configured LDAP connector in the Auth servers section. When logging in to the administrative console, the username must be specified in the user@domain format. Assign this user a profile created earlier.

  • Add LDAP group: add a user group from an existing domain. This requires a correctly configured LDAP connector in the Auth servers section. When logging in to the administrative console, the username must be specified in the user@domain format. Assign this group a profile created earlier.

  • Add administrator with auth profile: create a user and assign them an administrator profile created earlier and an auth profile (this requires correctly configured auth servers).

When creating an administrator access profile, specify the following parameters:

Name: the profile name.

Description: the profile description.

Permissions: the list of web console tree objects available for delegation. For each object, one of the following access options can be granted:

  • No access.

  • Read only.

  • Read and write.

User roles: defines the user roles for performing actions on incidents and analytics rules assigned to the administrators with this profile. For more details on roles, see the section User Roles and Role Permissions.

Note

Do not confuse roles and role permissions with permissions for objects in the management console. Object permissions allow the user to view or edit certain objects, such as incidents, whereas roles and role permissions allow a user to perform certain actions with object elements, for example, create an incident or add an assignee to it. Generally, for a user to work anywhere in the system, both object permissions and the relevant role permissions need to be delegated to the user.

A UserGate LogAn administrator can configure additional protection settings for administrator accounts, such as password complexity requirements and temporary account lockout once the maximum number of failed authentication attempts is exceeded.

To configure the above settings, follow these steps:

Step 1. Open the password policy: in the Administrators --> Administrators section, click Configure.

Step 2. Fill in the relevant fields:

  • Strong password: enables the additional password complexity settings, such as Minimum length, Minimum uppercase letters, Minimum lowercase letters, Minimum number of digits, Minimum number of special characters, and Maximum character repetition block.

  • Number of invalid auth attempts: the number of failed attempts to authenticate as an administrator after which the account is blocked for Block time.

  • Block time (sec): the time for which the account is blocked.
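The following Python example is added here to illustrate how the password policy fields and the lockout settings above interact; it is not UserGate code and does not reflect how LogAn implements these checks internally. The class and field names (PasswordPolicy, LoginLockout, max_repetition_block, and so on) are assumptions chosen to mirror the dialog labels, and the interpretation of Maximum character repetition block as the longest permitted run of one repeated character is also an assumption. The demo() function uses constructed sample passwords and a constructed timeline of login failures.

```python
from dataclasses import dataclass, field
from typing import Dict, List


def longest_run(s: str) -> int:
    """Length of the longest run of a single character repeated consecutively."""
    best = run = 0
    prev = None
    for c in s:
        run = run + 1 if c == prev else 1
        prev = c
        best = max(best, run)
    return best


@dataclass
class PasswordPolicy:
    """Hypothetical model of the Strong password settings (names mirror the dialog)."""
    strong_password: bool = True
    minimum_length: int = 12
    minimum_uppercase: int = 1
    minimum_lowercase: int = 1
    minimum_digits: int = 1
    minimum_special: int = 1
    max_repetition_block: int = 2  # assumed meaning: longest allowed run of one character

    def violations(self, password: str) -> List[str]:
        """Return the rules the password breaks; an empty list means it is accepted."""
        if not self.strong_password:
            return []  # complexity rules are only enforced when Strong password is enabled
        problems = []
        if len(password) < self.minimum_length:
            problems.append(f"Minimum length {self.minimum_length}")
        if sum(c.isupper() for c in password) < self.minimum_uppercase:
            problems.append(f"Minimum uppercase letters {self.minimum_uppercase}")
        if sum(c.islower() for c in password) < self.minimum_lowercase:
            problems.append(f"Minimum lowercase letters {self.minimum_lowercase}")
        if sum(c.isdigit() for c in password) < self.minimum_digits:
            problems.append(f"Minimum number of digits {self.minimum_digits}")
        if sum(not c.isalnum() for c in password) < self.minimum_special:
            problems.append(f"Minimum number of special characters {self.minimum_special}")
        if longest_run(password) > self.max_repetition_block:
            problems.append(f"Maximum character repetition block {self.max_repetition_block}")
        return problems


@dataclass
class LoginLockout:
    """Hypothetical model of Number of invalid auth attempts and Block time (sec)."""
    number_of_invalid_auth_attempts: int = 5
    block_time_sec: int = 300
    _failures: Dict[str, int] = field(default_factory=dict)
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, account: str, now: float) -> bool:
        """True while the account's block is in effect; expired blocks are cleared."""
        until = self._blocked_until.get(account)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[account]   # block expired: counting starts afresh
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Count one failed login; return True if the account is (now) blocked."""
        if self.is_blocked(account, now):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.number_of_invalid_auth_attempts:
            self._blocked_until[account] = now + self.block_time_sec
            return True
        return False

    def record_success(self, account: str) -> None:
        """A successful login resets the failure counter."""
        self._failures.pop(account, None)


def demo() -> dict:
    """Constructed scenario: two sample passwords and three failed logins in a row."""
    policy = PasswordPolicy()
    lockout = LoginLockout(number_of_invalid_auth_attempts=3, block_time_sec=60)
    t = 1000.0  # constructed timestamp, seconds
    events = [lockout.record_failure("admin", t + i) for i in range(3)]
    return {
        "weak": policy.violations("password"),
        "strong": policy.violations("Tr0ub4dor&Gate!"),
        "blocked_after_third": events[-1],
        "still_blocked_at_30s": lockout.is_blocked("admin", t + 30),
        "unblocked_at_70s": lockout.is_blocked("admin", t + 70),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The timestamps are passed in explicitly rather than read from the clock so the lockout behaviour can be reasoned about deterministically; with the defaults above, the third failure blocks the account until 60 seconds after that failure, and the next check after expiry clears both the block and the counter.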

The Administrators --> Administrator sessions section displays all administrators who are logged in to the UserGate LogAn administrative web console. Any of the administrator sessions can be closed (reset) if necessary.

The administrator can define the zones from which access to the web console service will be allowed (TCP port 8010).

Note

Web console access should not be allowed for zones connected to uncontrolled networks (e.g. the Internet).

To allow the web console service for a specific zone, go to the zone properties and allow access to the Administrative console service in the Access control section. For more details on configuring zone access control, see the section Zone Configuration.