User Management: Difference between revisions
(Created page with "VoIP monitor allows users to define multiple user accounts with different rights. If no user is defined, the user admin with password admin is active. Once there is one user d...") |
(Fix audit logging menu path, add can_transcribe permission, clarify transcription audit logging) |
||
| (32 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
{{DISPLAYTITLE:User Management}} | |||
[[Category:GUI manual]] | |||
[[Category:Administration]] | |||
= User Management = | |||
This page covers user account administration in VoIPmonitor GUI, including creating users, assigning permissions, and configuring access controls. | |||
'''Navigate to:''' '''Users & Audit > Users''' to manage user accounts. | |||
< | == User Authentication Types == | ||
File: | |||
</ | <kroki lang="mermaid"> | ||
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%% | |||
flowchart LR | |||
U[User Login] --> L{Auth Type?} | |||
L -->|Local| DB[(VoIPmonitor DB)] | |||
L -->|External| CS[custom_login.php] | |||
CS --> LDAP[LDAP/AD] | |||
CS --> OTHER[Other Systems] | |||
DB --> GUI[GUI Access] | |||
LDAP --> GUI | |||
OTHER --> GUI | |||
</kroki> | |||
{| class="wikitable" | |||
|- | |||
! Type !! Description !! Configuration | |||
|- | |||
| '''Local''' || Default authentication using VoIPmonitor's internal database. Passwords stored as hashes. || Manage directly in GUI. | |||
|- | |||
| '''External (LDAP/Custom)''' || Integrate with LDAP/Active Directory via custom login script. || See [[WEB_API#Custom_Login|Custom Login (LDAP)]]. | |||
|- | |||
| '''Google SSO''' || OAuth authentication with Google accounts. || See [[Google_Sign_in_usage|Google Sign-In]]. | |||
|- | |||
| '''Microsoft SSO''' || OAuth authentication with Microsoft Entra ID (Azure AD). ''Currently in development.'' || See [[Microsoft_Sign_in_usage|Microsoft Sign-In]]. | |||
|} | |||
{{Note|1=For external authentication, the <code>custom_login</code> function '''must''' return a unique numeric <code>id</code> for each user. Shared IDs cause users to share settings.}} | |||
== Creating a New User == | |||
# Go to '''Users & Audit > Users'''. | |||
# Click '''Add user'''. | |||
# Fill in required fields: | |||
#* '''Username''' - Login name (must be unique). | |||
#* '''Password''' - Strong password recommended. | |||
#* '''Email''' - For alerts and password recovery. | |||
#* '''Group''' - Assign to a permission group. | |||
# Configure permissions (see below). | |||
# Click '''Save'''. | |||
== Permissions == | |||
Permissions control what users can access and modify. Set via: | |||
* '''User-level:''' Direct assignment on individual user. | |||
* '''Group-level:''' Inherited from assigned group (recommended for easier management). | |||
=== Permission Flags === | |||
{| class="wikitable" | |||
|- | |||
! Permission !! Description | |||
|- | |||
| <code>is_admin</code> || Full administrative access (includes upgrade permissions) | |||
|- | |||
| <code>can_cdr</code> || View CDR records and filter form (required for Call-ID search) | |||
|- | |||
| <code>can_play_audio</code> || Play call recordings in GUI | |||
|- | |||
| <code>can_download_audio</code> || Download audio files | |||
|- | |||
| <code>can_listen_active_call</code> || Live call monitoring (ChunkPlayer) | |||
|- | |||
| <code>can_pcap</code> || Download PCAP files | |||
|- | |||
| <code>can_messages</code> || View SIP messages | |||
|- | |||
| <code>can_graphs</code> || Access graphs and charts | |||
|- | |||
| <code>can_livesniffer</code> || Live sniffer functionality | |||
|- | |||
| <code>can_capture_rules</code> || Manage capture rules | |||
|- | |||
| <code>can_reports_edit</code> || Create/edit reports | |||
|- | |||
| <code>can_alerts_edit</code> || Create/edit alerts | |||
|- | |||
| <code>can_dashboard</code> || View dashboards | |||
|- | |||
| <code>can_ipacc</code> || IP accounting features | |||
|- | |||
| <code>can_audit</code> || View audit logs | |||
|- | |||
| <code>can_sensors_operations</code> || Sensor management | |||
|- | |||
| <code>can_transcribe</code> || Use on-demand transcription (Whisper) on call recordings | |||
|} | |||
{{Tip|1=Set <code>is_admin</code> to <code>false</code> and use group permissions for granular access control.}} | |||
=== Upgrade Permissions === | |||
Only users with <code>is_admin</code> role can perform: | |||
* '''GUI upgrades''' via Settings > System > Upgrade | |||
* '''Sensor upgrades''' via Settings > Sensors | |||
* '''Auto-upgrade controls''' | |||
{{Warning|There is no option to hide the upgrade menu for admin users. To restrict upgrades, control access to admin accounts or use CLI: <code>php php/run.php upgrade -f</code>.}} | |||
== Access Restrictions == | |||
=== Sensor Restrictions === | |||
Restrict users to specific sensors: | |||
# Edit user > '''Basic data''' tab. | |||
# In '''Enable sensors''', select allowed sensor IDs. | |||
# Users will only see CDR from permitted sensors. | |||
=== IP-Based Login Restrictions === | |||
Restrict login to specific IP addresses: | |||
# Edit user > '''Secure users''' tab. | |||
# Enable '''Enable remote addresses'''. | |||
# Add allowed IP addresses/ranges. | |||
{{Warning|If you lock yourself out, you must access the database directly to remove IP restrictions.}} | |||
=== CDR Data Restrictions === | |||
Restrict which CDR data users can view based on phone numbers, IP addresses, or domains: | |||
# Edit user or group > '''restrictions''' tab. | |||
# Add filter criteria. | |||
# Configure boolean logic (see below). | |||
{{Note|The '''restrictions''' tab filters CDR query results. The '''Secure users''' tab controls login IP addresses. These are different functions.}} | |||
==== AND vs OR Logic ==== | |||
By default, '''AND logic''' is used: CDR must match ALL conditions. | |||
To enable '''OR logic''' (match ANY condition): | |||
# In the '''restrictions''' tab, scroll to bottom. | |||
# Check '''OR condition''' checkbox. | |||
# Save changes. | |||
== User Groups == | |||
Manage groups in '''Users & Audit > Groups''': | |||
* Define permission templates for multiple users. | |||
* Assign users to groups for consistent access control. | |||
* Changes to group permissions apply to all members. | |||
== Audit Logging == | |||
Track user actions for compliance (GDPR, HIPAA). All sensitive GUI actions are logged, including on-demand transcription requests. | |||
{| class="wikitable" | |||
|- | |||
! Method !! Configuration | |||
|- | |||
| '''GUI Audit''' || Enabled by default. View logs in '''Users & Audit > Audit'''. Configure per-user settings in '''Users & Audit > Users/Groups'''. | |||
|- | |||
| '''File-based Audit''' || Set <code>AUDIT_LOG_FILE</code> in <code>configuration.php</code>. | |||
|- | |||
| '''Per-user Audit''' || Set '''Enable audit''' to ''auto'' or ''yes'' on individual users. | |||
|} | |||
== Troubleshooting == | |||
=== User Cannot Log In === | |||
* Check IP restrictions in '''Secure users''' tab. | |||
* Verify username/password (case-sensitive). | |||
* Check if account is disabled. | |||
* For LDAP: Test with <code>php scripts/custom_login.php</code>. | |||
=== Permission Changes Not Taking Effect === | |||
* User must log out and log back in. | |||
* Clear browser cache if issues persist. | |||
* Verify group membership if using group permissions. | |||
=== Empty Dashboard Graphs for Restricted Users === | |||
'''Symptom:''' User sees empty graphs while admin sees data correctly. | |||
'''Cause:''' Group IP restrictions filter out required data sources. | |||
'''Solution:''' | |||
# Navigate to '''Users & Audit > Groups'''. | |||
# Edit the affected group > '''restrictions''' tab. | |||
# Adjust or remove IP restrictions. | |||
# User must refresh browser. | |||
{{Tip|To verify: temporarily clear all group restrictions. If graphs appear, restrictions were blocking data.}} | |||
=== Cannot Search by Call ID === | |||
'''Cause:''' Missing <code>can_cdr</code> permission. | |||
'''Solution:''' Enable '''Allow to view CDR''' checkbox on user profile, then have user re-login. | |||
=== Forgot Admin Password === | |||
Reset via database: | |||
<syntaxhighlight lang="sql"> | |||
UPDATE users SET password = MD5('newpassword') WHERE username = 'admin'; | |||
</syntaxhighlight> | |||
{{Warning|Log in immediately and change password through GUI for better security.}} | |||
=== Different Search Results Between Users === | |||
Even with identical permissions, users may see different results due to: | |||
# '''Timezone setting:''' Compare timezone selector (top right of CDR view) between users. | |||
# '''User restrictions:''' Check '''restrictions''' tab for IP/number filters. | |||
# '''Sensor restrictions:''' Check '''Basic data''' > '''Enable sensors'''. | |||
# '''Group restrictions:''' Verify group settings in '''Users & Audit > Groups'''. | |||
== Advanced: Database-Level Operations == | |||
User restriction filters are stored in the <code>users</code> table, <code>number</code> column. | |||
<syntaxhighlight lang="sql"> | |||
-- View all user restrictions | |||
SELECT username, number FROM users; | |||
-- Find restrictions with specific pattern (escape backslashes) | |||
SELECT username, number FROM users WHERE number LIKE '%\\\\*%'; | |||
-- Update restrictions | |||
UPDATE users SET number = '<filter>' WHERE username = 'username'; | |||
</syntaxhighlight> | |||
{{Warning|Direct database changes bypass GUI validation. Test in non-production first. Users must re-login after changes.}} | |||
== See Also == | |||
* [[WEB_API#Custom_Login|Custom Login (LDAP)]] | |||
* [[Google_Sign_in_usage|Google Sign-In Integration]] | |||
* [[Microsoft_Sign_in_usage|Microsoft Sign-In Integration]] | |||
* [[Call_Detail_Record_-_CDR|CDR View Documentation]] | |||
== AI Summary for RAG == | |||
'''Summary:''' Guide to VoIPmonitor user management covering local users and LDAP/custom authentication (requires unique numeric ID per user), permission flags (can_cdr, can_play_audio, can_pcap, is_admin, etc.), upgrade permissions (only is_admin role users can perform GUI/sensor upgrades via web interface, no option to hide upgrade menu for admin users), sensor access restrictions (Basic data tab), IP-based login control (Secure users tab), CDR data restrictions (restrictions tab with AND/OR logic), Google and Microsoft SSO integration, audit logging, and user groups. Troubleshooting covers login issues, empty dashboard graphs for restricted groups, can_cdr permission for Call ID search, different search results between users (timezone, restrictions), and admin password reset via database. | |||
'''Keywords:''' user management, permissions, access control, LDAP, custom login, sensor restrictions, IP restrictions, CDR restrictions, restrictions tab, OR condition, AND logic, audit log, user groups, password reset, Google Sign-In, Microsoft Sign-In, SSO, can_cdr, is_admin, empty dashboard graphs, group restrictions, users table, Call ID search, upgrade permissions, admin upgrade, GUI upgrade, sensor upgrade, timezone | |||
'''Key Questions:''' | |||
* How do I create a new user in VoIPmonitor? | |||
* How do I restrict a user to specific sensors? | |||
* How do I configure LDAP authentication for VoIPmonitor? | |||
* What permissions are available for VoIPmonitor users? | |||
* How do I reset the admin password in VoIPmonitor? | |||
* How do I restrict user login by IP address? | |||
* How do I set up user groups with shared permissions? | |||
* Why are dashboard graphs empty for a restricted group user? | |||
* How do I configure OR logic between user restrictions? | |||
* Why can't a user search by Call ID in the CDR view? | |||
* What permission is required for CDR view access? | |||
* Who can perform upgrades in the VoIPmonitor GUI? | |||
* Why do two users with same permissions see different search results? | |||
Latest revision as of 16:35, 13 January 2026
User Management
This page covers user account administration in VoIPmonitor GUI, including creating users, assigning permissions, and configuring access controls.
Navigate to: Users & Audit > Users to manage user accounts.
User Authentication Types
| Type | Description | Configuration |
|---|---|---|
| Local | Default authentication using VoIPmonitor's internal database. Passwords stored as hashes. | Manage directly in GUI. |
| External (LDAP/Custom) | Integrate with LDAP/Active Directory via custom login script. | See Custom Login (LDAP). |
| Google SSO | OAuth authentication with Google accounts. | See Google Sign-In. |
| Microsoft SSO | OAuth authentication with Microsoft Entra ID (Azure AD). Currently in development. | See Microsoft Sign-In. |
ℹ️ Note: For external authentication, the custom_login function must return a unique numeric id for each user. Shared IDs cause users to share settings.
Creating a New User
- Go to Users & Audit > Users.
- Click Add user.
- Fill in required fields:
- Username - Login name (must be unique).
- Password - Strong password recommended.
- Email - For alerts and password recovery.
- Group - Assign to a permission group.
- Configure permissions (see below).
- Click Save.
Permissions
Permissions control what users can access and modify. Set via:
- User-level: Direct assignment on individual user.
- Group-level: Inherited from assigned group (recommended for easier management).
Permission Flags
| Permission | Description |
|---|---|
is_admin |
Full administrative access (includes upgrade permissions) |
can_cdr |
View CDR records and filter form (required for Call-ID search) |
can_play_audio |
Play call recordings in GUI |
can_download_audio |
Download audio files |
can_listen_active_call |
Live call monitoring (ChunkPlayer) |
can_pcap |
Download PCAP files |
can_messages |
View SIP messages |
can_graphs |
Access graphs and charts |
can_livesniffer |
Live sniffer functionality |
can_capture_rules |
Manage capture rules |
can_reports_edit |
Create/edit reports |
can_alerts_edit |
Create/edit alerts |
can_dashboard |
View dashboards |
can_ipacc |
IP accounting features |
can_audit |
View audit logs |
can_sensors_operations |
Sensor management |
can_transcribe |
Use on-demand transcription (Whisper) on call recordings |
💡 Tip: Set is_admin to false and use group permissions for granular access control.
Upgrade Permissions
Only users with is_admin role can perform:
- GUI upgrades via Settings > System > Upgrade
- Sensor upgrades via Settings > Sensors
- Auto-upgrade controls
⚠️ Warning: There is no option to hide the upgrade menu for admin users. To restrict upgrades, control access to admin accounts or use CLI: php php/run.php upgrade -f.
Access Restrictions
Sensor Restrictions
Restrict users to specific sensors:
- Edit user > Basic data tab.
- In Enable sensors, select allowed sensor IDs.
- Users will only see CDR from permitted sensors.
IP-Based Login Restrictions
Restrict login to specific IP addresses:
- Edit user > Secure users tab.
- Enable Enable remote addresses.
- Add allowed IP addresses/ranges.
⚠️ Warning: If you lock yourself out, you must access the database directly to remove IP restrictions.
CDR Data Restrictions
Restrict which CDR data users can view based on phone numbers, IP addresses, or domains:
- Edit user or group > restrictions tab.
- Add filter criteria.
- Configure boolean logic (see below).
ℹ️ Note: The restrictions tab filters CDR query results. The Secure users tab controls login IP addresses. These are different functions.
AND vs OR Logic
By default, AND logic is used: CDR must match ALL conditions.
To enable OR logic (match ANY condition):
- In the restrictions tab, scroll to bottom.
- Check OR condition checkbox.
- Save changes.
User Groups
Manage groups in Users & Audit > Groups:
- Define permission templates for multiple users.
- Assign users to groups for consistent access control.
- Changes to group permissions apply to all members.
Audit Logging
Track user actions for compliance (GDPR, HIPAA). All sensitive GUI actions are logged, including on-demand transcription requests.
| Method | Configuration |
|---|---|
| GUI Audit | Enabled by default. View logs in Users & Audit > Audit. Configure per-user settings in Users & Audit > Users/Groups. |
| File-based Audit | Set AUDIT_LOG_FILE in configuration.php.
|
| Per-user Audit | Set Enable audit to auto or yes on individual users. |
Troubleshooting
User Cannot Log In
- Check IP restrictions in Secure users tab.
- Verify username/password (case-sensitive).
- Check if account is disabled.
- For LDAP: Test with
php scripts/custom_login.php.
Permission Changes Not Taking Effect
- User must log out and log back in.
- Clear browser cache if issues persist.
- Verify group membership if using group permissions.
Empty Dashboard Graphs for Restricted Users
Symptom: User sees empty graphs while admin sees data correctly.
Cause: Group IP restrictions filter out required data sources.
Solution:
- Navigate to Users & Audit > Groups.
- Edit the affected group > restrictions tab.
- Adjust or remove IP restrictions.
- User must refresh browser.
💡 Tip: To verify: temporarily clear all group restrictions. If graphs appear, restrictions were blocking data.
Cannot Search by Call ID
Cause: Missing can_cdr permission.
Solution: Enable Allow to view CDR checkbox on user profile, then have user re-login.
Forgot Admin Password
Reset via database:
UPDATE users SET password = MD5('newpassword') WHERE username = 'admin';
⚠️ Warning: Log in immediately and change password through GUI for better security.
Different Search Results Between Users
Even with identical permissions, users may see different results due to:
- Timezone setting: Compare timezone selector (top right of CDR view) between users.
- User restrictions: Check restrictions tab for IP/number filters.
- Sensor restrictions: Check Basic data > Enable sensors.
- Group restrictions: Verify group settings in Users & Audit > Groups.
Advanced: Database-Level Operations
User restriction filters are stored in the users table, number column.
-- View all user restrictions
SELECT username, number FROM users;
-- Find restrictions with specific pattern (escape backslashes)
SELECT username, number FROM users WHERE number LIKE '%\\\\*%';
-- Update restrictions
UPDATE users SET number = '<filter>' WHERE username = 'username';
⚠️ Warning: Direct database changes bypass GUI validation. Test in non-production first. Users must re-login after changes.
See Also
AI Summary for RAG
Summary: Guide to VoIPmonitor user management covering local users and LDAP/custom authentication (requires unique numeric ID per user), permission flags (can_cdr, can_play_audio, can_pcap, is_admin, etc.), upgrade permissions (only is_admin role users can perform GUI/sensor upgrades via web interface, no option to hide upgrade menu for admin users), sensor access restrictions (Basic data tab), IP-based login control (Secure users tab), CDR data restrictions (restrictions tab with AND/OR logic), Google and Microsoft SSO integration, audit logging, and user groups. Troubleshooting covers login issues, empty dashboard graphs for restricted groups, can_cdr permission for Call ID search, different search results between users (timezone, restrictions), and admin password reset via database.
Keywords: user management, permissions, access control, LDAP, custom login, sensor restrictions, IP restrictions, CDR restrictions, restrictions tab, OR condition, AND logic, audit log, user groups, password reset, Google Sign-In, Microsoft Sign-In, SSO, can_cdr, is_admin, empty dashboard graphs, group restrictions, users table, Call ID search, upgrade permissions, admin upgrade, GUI upgrade, sensor upgrade, timezone
Key Questions:
- How do I create a new user in VoIPmonitor?
- How do I restrict a user to specific sensors?
- How do I configure LDAP authentication for VoIPmonitor?
- What permissions are available for VoIPmonitor users?
- How do I reset the admin password in VoIPmonitor?
- How do I restrict user login by IP address?
- How do I set up user groups with shared permissions?
- Why are dashboard graphs empty for a restricted group user?
- How do I configure OR logic between user restrictions?
- Why can't a user search by Call ID in the CDR view?
- What permission is required for CDR view access?
- Who can perform upgrades in the VoIPmonitor GUI?
- Why do two users with same permissions see different search results?