User Management: Difference between revisions

From VoIPmonitor.org
(Add documentation for SIP domain restrictions and OR/AND logic for combining user restrictions)
(Fix audit logging menu path, add can_transcribe permission, clarify transcription audit logging)
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
{{DISPLAYTITLE:User Management and Permissions}}
{{DISPLAYTITLE:User Management}}
[[Category:GUI manual]]
[[Category:Administration]]


'''This guide provides a comprehensive overview of how to create and manage user accounts, permissions, and access restrictions within the VoIPmonitor web GUI.'''
= User Management =


== Important: Local GUI vs. voipmonitor.org Portal ==
This page covers user account administration in VoIPmonitor GUI, including creating users, assigning permissions, and configuring access controls.
'''This page covers user management for your local VoIPmonitor GUI installation.'''


If you are looking for information about managing users for your '''voipmonitor.org account''' (the billing and portal website at https://www.voipmonitor.org), that is handled separately from your local VoIPmonitor installation.
'''Navigate to:''' '''Users & Audit > Users''' to manage user accounts.


To manage users in the '''voipmonitor.org portal''':
== User Authentication Types ==


=== How to Invite a New User ===
<kroki lang="mermaid">
%%{init: {'flowchart': {'nodeSpacing': 15, 'rankSpacing': 30}}}%%
flowchart LR
    U[User Login] --> L{Auth Type?}
    L -->|Local| DB[(VoIPmonitor DB)]
    L -->|External| CS[custom_login.php]
    CS --> LDAP[LDAP/AD]
    CS --> OTHER[Other Systems]
    DB --> GUI[GUI Access]
    LDAP --> GUI
    OTHER --> GUI
</kroki>


To add a new contact or user to your voipmonitor.org portal:
{| class="wikitable"
|-
! Type !! Description !! Configuration
|-
| '''Local''' || Default authentication using VoIPmonitor's internal database. Passwords stored as hashes. || Manage directly in GUI.
|-
| '''External (LDAP/Custom)''' || Integrate with LDAP/Active Directory via custom login script. || See [[WEB_API#Custom_Login|Custom Login (LDAP)]].
|-
| '''Google SSO''' || OAuth authentication with Google accounts. || See [[Google_Sign_in_usage|Google Sign-In]].
|-
| '''Microsoft SSO''' || OAuth authentication with Microsoft Entra ID (Azure AD). ''Currently in development.'' || See [[Microsoft_Sign_in_usage|Microsoft Sign-In]].
|}
 
{{Note|1=For external authentication, the <code>custom_login</code> function '''must''' return a unique numeric <code>id</code> for each user. Shared IDs cause users to share settings.}}
 
== Creating a New User ==
 
# Go to '''Users & Audit > Users'''.
# Click '''Add user'''.
# Fill in required fields:
#* '''Username''' - Login name (must be unique).
#* '''Password''' - Strong password recommended.
#* '''Email''' - For alerts and password recovery.
#* '''Group''' - Assign to a permission group.
# Configure permissions (see below).
# Click '''Save'''.
 
== Permissions ==


# Log in to https://www.voipmonitor.org using your main account email address
Permissions control what users can access and modify. Set via:
# In the top-right corner, click on the '''Hello [Name]''' dropdown menu
'''User-level:''' Direct assignment on individual user.
# Select '''User management'''
'''Group-level:''' Inherited from assigned group (recommended for easier management).
# From the User management section, send an invitation by entering the new user's email address
# The system will send them an email invitation to set their password and log in


'''Important Note:''' Only the main account holder has access to the User management feature to invite new users. If you are unable to see the User management option, you may not have the appropriate permissions.
=== Permission Flags ===


=== Troubleshooting Invitation Emails ===
{| class="wikitable"
|-
! Permission !! Description
|-
| <code>is_admin</code> || Full administrative access (includes upgrade permissions)
|-
| <code>can_cdr</code> || View CDR records and filter form (required for Call-ID search)
|-
| <code>can_play_audio</code> || Play call recordings in GUI
|-
| <code>can_download_audio</code> || Download audio files
|-
| <code>can_listen_active_call</code> || Live call monitoring (ChunkPlayer)
|-
| <code>can_pcap</code> || Download PCAP files
|-
| <code>can_messages</code> || View SIP messages
|-
| <code>can_graphs</code> || Access graphs and charts
|-
| <code>can_livesniffer</code> || Live sniffer functionality
|-
| <code>can_capture_rules</code> || Manage capture rules
|-
| <code>can_reports_edit</code> || Create/edit reports
|-
| <code>can_alerts_edit</code> || Create/edit alerts
|-
| <code>can_dashboard</code> || View dashboards
|-
| <code>can_ipacc</code> || IP accounting features
|-
| <code>can_audit</code> || View audit logs
|-
| <code>can_sensors_operations</code> || Sensor management
|-
| <code>can_transcribe</code> || Use on-demand transcription (Whisper) on call recordings
|}


If a newly invited user does not receive their password setup invitation email:
{{Tip|1=Set <code>is_admin</code> to <code>false</code> and use group permissions for granular access control.}}


* Check the user's Spam, Junk, or Promotions folders (most common cause)
=== Upgrade Permissions ===
* Verify the email address was entered correctly
* Invitation links are typically valid for 24 hours
* If the email cannot be found, contact VoIPmonitor Support with the correct email address to manually resend the invitation


'''Requesting Support for Invitations:'''
Only users with <code>is_admin</code> role can perform:
*  '''GUI upgrades''' via Settings > System > Upgrade
*  '''Sensor upgrades''' via Settings > Sensors
*  '''Auto-upgrade controls'''


If you are unable to use the User management feature (for example, if you are not the main account holder) and need to create new portal users, you can request assistance from VoIPmonitor Support. Support can send invitations to contacts listed under '''Account Details -> Contacts''' to convert them into portal users.
{{Warning|There is no option to hide the upgrade menu for admin users. To restrict upgrades, control access to admin accounts or use CLI: <code>php php/run.php upgrade -f</code>.}}


* Make sure the recipient email addresses are listed in your Account Details > Contacts section
== Access Restrictions ==
* Contact VoIPmonitor Support and request that invitations be sent to the listed contacts
* Support can also resend expired or missing invitations upon request


The users you create in the '''voipmonitor.org portal''' are separate from the users you create here in your local VoIPmonitor GUI.
=== Sensor Restrictions ===


== Introduction to User Management ==
Restrict users to specific sensors:
VoIPmonitor allows you to create multiple user accounts, each with a specific set of permissions and data access restrictions. This is essential for providing secure, role-based access to your call data.
# Edit user > '''Basic data''' tab.
# In '''Enable sensors''', select allowed sensor IDs.
# Users will only see CDR from permitted sensors.


'''Important Default Behavior:'''
=== IP-Based Login Restrictions ===
*A fresh VoIPmonitor installation starts with a single default user: '''admin''' with the password '''admin'''.*
*The moment you create your '''first new user''', this default `admin/admin` account is '''automatically deleted'''.
*'''Golden Rule:''' Your very first action should be to create a new, personal administrator account with a strong password. If you create a non-admin user first and log out, you will lose administrative access to the GUI.


== How to Create or Edit a User ==
Restrict login to specific IP addresses:
All user management is done by navigating to the user management section of the GUI. Depending on your GUI version, this can be accessed via:
# Edit user > '''Secure users''' tab.
* '''GUI -> Users & Audit -> Users''' (recommended approach for current versions)
# Enable '''Enable remote addresses'''.
* '''Settings -> Users''' (alternate navigation in some versions)
# Add allowed IP addresses/ranges.


*To create a new user, click the '''New user''' button.
{{Warning|If you lock yourself out, you must access the database directly to remove IP restrictions.}}
*To edit an existing user, click the pencil icon next to their username in the list.


Changes made to a user's permissions will only take effect after that user logs out and logs back in.
=== CDR Data Restrictions ===


[[File:userform.png|The New/Edit User form where all permissions and restrictions are configured.]]
Restrict which CDR data users can view based on phone numbers, IP addresses, or domains:


== Understanding User Permissions ==
# Edit user or group > '''restrictions''' tab.
User permissions are divided into two main levels, controlled by a single checkbox.
# Add filter criteria.
# Configure boolean logic (see below).


=== Administrator vs. Standard User ===
{{Note|The '''restrictions''' tab filters CDR query results. The '''Secure users''' tab controls login IP addresses. These are different functions.}}
;<code>Is administrator</code>
:This is the most important permission.
:*'''Checked (Admin):''' The user has full, unrestricted access to all GUI features, including creating other users, configuring sensors, and viewing all call data.
:*'''Unchecked (Standard User):''' The user has limited access. They cannot see the "Settings" menu, and their view of call data can be restricted based on the settings below.


=== Feature and Data Access Permissions ===
==== AND vs OR Logic ====
These checkboxes control a user's access to specific features and data types.


==== Core Data Access ====
By default, '''AND logic''' is used: CDR must match ALL conditions.
;<code>Can download PCAP</code>
:Allows the user to download the full network packet capture for a call.
;<code>Can listen</code>
:Allows the user to play or download the audio recording (WAV/OGG) of a call.
;<code>Remove RTP from PCAP</code>
:A security feature. If a user with this permission downloads a PCAP, the audio portion (RTP stream) will be automatically stripped from the file, leaving only the signaling data (SIP).


==== GUI Feature Access ====
To enable '''OR logic''' (match ANY condition):
;<code>Simple CDR</code>
# In the '''restrictions''' tab, scroll to bottom.
:Hides advanced QoS and network metrics (MOS, jitter, packet loss) from the CDR view. This is ideal for users (e.g., in a call center) who only need to see basic call information and listen to recordings.
# Check '''OR condition''' checkbox.
;<code>Enable capture rules</code>
# Save changes.
:Allows the user to view and manage call recording rules.
;<code>Enable alerts</code>
:Allows the user to create, edit, and view alerts in the reporting section.
;<code>Enable audit</code>
:Grants access to the Audit Log, which tracks actions taken by other users.
:'''Options:'''
:*'''Yes/checked:''' User can view audit logs and needs to manually fill out audit forms when performing actions
:*'''Auto:''' Enables automatic audit log generation without requiring the user to fill out a form. The system automatically generates audit entries for user actions using a predefined message template. See [[GUI_Configuration_PHP#Audit_Log_Settings|GUI Configuration]] for customization options.
:*'''No/unchecked:''' User cannot view audit logs (access denied)
;<code>Hide CDR groups</code>
:When checked, this permission hides the bottom panel in the CDR view that contains the CDR/messages groups dashboard. If users are not seeing charts or panel information at the bottom of the CDR view, ensure this checkbox is not enabled (or uncheck it to show the panel).
;''And others:'' Permissions like `Enable active calls`, `Enable register`, and `Enable live sniffer` grant access to their respective sections in the GUI.


==== Sharing Permissions ====
== User Groups ==
;<code>Enable local share CDR</code>
:Allows the user to generate a shareable link for a specific call that can be viewed by others within your organization.
;<code>Enable share.voipmonitor.org</code>
:Allows the user to share a call publicly via the voipmonitor.org sharing service.


== Restricting User Access to Call Data ==
Manage groups in '''Users & Audit > Groups''':
For standard (non-admin) users, it is crucial to restrict which calls they are allowed to see. This is done using three primary methods on the user's edit page.
*  Define permission templates for multiple users.
*  Assign users to groups for consistent access control.
*  Changes to group permissions apply to all members.


=== 1. Restriction by IP Address ===
== Audit Logging ==
The '''IP addresses''' text box allows you to limit a user to seeing only calls that involve specific IP addresses or subnets.
*Enter one IP address or CIDR network per line (e.g., `192.168.1.10` or `10.0.0.0/8`).
*The user will only see calls where either the source or destination IP address matches an entry in this list.


==== Important: What IPs Are Matched ====
Track user actions for compliance (GDPR, HIPAA). All sensitive GUI actions are logged, including on-demand transcription requests.
The <code>filter_ip</code> feature matches SIP call '''endpoint IP addresses''' only - specifically the source and destination IP addresses extracted from SIP signaling packets (INVITE, etc.).


{| class="wikitable" style="background:#fff8dc; border:1px solid #cc9000;"
{| class="wikitable"
|-
! Method !! Configuration
|-
| '''GUI Audit''' || Enabled by default. View logs in '''Users & Audit > Audit'''. Configure per-user settings in '''Users & Audit > Users/Groups'''.
|-
|-
| '''Limitation: Proxy IPs Are NOT Matched'''
| '''File-based Audit''' || Set <code>AUDIT_LOG_FILE</code> in <code>configuration.php</code>.
|-
|-
| IP-based user restrictions do NOT filter by intermediate proxy, SBC, or B2BUA IP addresses in the call path. Only the two endpoints involved in the SIP dialog are considered.
| '''Per-user Audit''' || Set '''Enable audit''' to ''auto'' or ''yes'' on individual users.
|}
|}


For example, if a call flows through a proxy (Phone A -> Proxy -> Carrier):
== Troubleshooting ==
*Adding the proxy IP to a user's restrictions will NOT work (<code>SBC_IP/10.1.1.1</code> is ignored)
 
*Only endpoint IPs (Phone A and Carrier) can be used for filtering
=== User Cannot Log In ===
 
*  Check IP restrictions in '''Secure users''' tab.
*  Verify username/password (case-sensitive).
*  Check if account is disabled.
*   For LDAP: Test with <code>php scripts/custom_login.php</code>.
 
=== Permission Changes Not Taking Effect ===
 
*   User must log out and log back in.
*  Clear browser cache if issues persist.
*  Verify group membership if using group permissions.
 
=== Empty Dashboard Graphs for Restricted Users ===


This is a limitation of the current implementation. If you need to control access based on proxy IP addresses, this feature request ([VG-2923]) is tracked for future development. Custom development may be available as a paid service - contact VoIPmonitor Support for details.
'''Symptom:''' User sees empty graphs while admin sees data correctly.


=== 2. Restriction by Telephone Number ===
'''Cause:''' Group IP restrictions filter out required data sources.
The '''Tel. Numbers''' text box limits a user based on the caller or called number.
*Enter one number or prefix per line.
*You can use the `%` character as a wildcard. For example, `4420%` will allow the user to see all calls to or from numbers starting with `4420`.


=== 2.5. Restriction by SIP Domain ===
'''Solution:'''
The '''Domain''' text box allows you to restrict a user to seeing only calls involving specific SIP domains.
# Navigate to '''Users & Audit > Groups'''.
*Enter one SIP domain per line (e.g., `customerA.example.com`, `sip.customerB.com`).
# Edit the affected group > '''restrictions''' tab.
*The user will only see calls where any domain in the SIP signaling (From, To, Request-URI, etc.) matches an entry in this list.
# Adjust or remove IP restrictions.
*This is useful when customers are using SIP domains as identifiers rather than IP addresses or phone numbers.
# User must refresh browser.


=== Combining Multiple Restriction Types ===
{{Tip|To verify: temporarily clear all group restrictions. If graphs appear, restrictions were blocking data.}}


When you configure multiple restriction types (IP addresses, telephone numbers, domains), the system uses a logic operator to determine which calls the user is allowed to see.
=== Cannot Search by Call ID ===


;OR logic
'''Cause:''' Missing <code>can_cdr</code> permission.
:The user can see calls that match '''any''' of the configured restrictions. For example, if you have IP restrictions and telephone number restrictions set, the user sees calls that match the IP restrictions OR calls that match the telephone number restrictions.


;AND logic
'''Solution:''' Enable '''Allow to view CDR''' checkbox on user profile, then have user re-login.
:The user can only see calls that match '''all''' of the configured restrictions at the same time. This is more restrictive - the user must have calls that satisfy IP restrictions AND telephone number restrictions simultaneously.


To configure the logic operator, use the checkbox at the bottom of the restrictions area. The exact text and location may vary depending on your GUI version.
=== Forgot Admin Password ===


=== 3. Restriction by Sensor ===
Reset via database:
By default, all users can see calls from all sensors. In a multi-sensor deployment, you can restrict a user to data from specific sensors.
*Click the '''Sensors''' tab on the user's edit page.
*Check the boxes next to the only sensors this user should be able to see data from.


[[File:Usersensors.png|The Sensors tab allows you to assign specific data sources to a user.]]
<syntaxhighlight lang="sql">
UPDATE users SET password = MD5('newpassword') WHERE username = 'admin';
</syntaxhighlight>


== Restricting GUI Login by Source IP Address ==
{{Warning|Log in immediately and change password through GUI for better security.}}
In addition to restricting what call data a user can see, you can also restrict '''where''' a user can log in from by whitelisting specific source IP addresses. This is a security feature that allows clients to access the GUI only from authorized network locations.


=== Difference: Data Visibility vs. Login Access ===
=== Different Search Results Between Users ===
It is important to understand the distinction between the two IP-related restrictions:


*'''IP Addresses field''' (in the main user edit screen): Controls '''which call data''' the user can see. The user can log in from anywhere, but will only see calls involving the specified IP addresses.
Even with identical permissions, users may see different results due to:
*'''Enable remote addresses''' (in the "Secure users" tab): Controls '''where the user can log in from'''. The user can only access the GUI login page from the specified whitelisted IP addresses.


=== How to Configure IP-Based Login Restrictions ===
# '''Timezone setting:''' Compare timezone selector (top right of CDR view) between users.
# '''User restrictions:''' Check '''restrictions''' tab for IP/number filters.
# '''Sensor restrictions:''' Check '''Basic data''' > '''Enable sensors'''.
# '''Group restrictions:''' Verify group settings in '''Users & Audit > Groups'''.


To restrict GUI login access by source IP address:
== Advanced: Database-Level Operations ==


# Navigate to '''GUI -> Users & Audit -> Users'''
User restriction filters are stored in the <code>users</code> table, <code>number</code> column.
# Edit the user account for which you want to restrict access
# Click the '''Secure users''' tab
# In the '''Enable remote addresses''' field, enter the list of allowed source IP addresses
# Enter one IP address or CIDR per line (e.g., `192.168.1.10` or `10.0.0.0/24`)
# Click '''Save''' to apply the changes


Once configured, users will be able to access the GUI login form only from the IP addresses listed. Attempts to log in from other IP addresses will be blocked.
<syntaxhighlight lang="sql">
-- View all user restrictions
SELECT username, number FROM users;


'''Important Use Cases:'''
-- Find restrictions with specific pattern (escape backslashes)
* Provide client access to your VoIPmonitor GUI while restricting them to specific office networks
SELECT username, number FROM users WHERE number LIKE '%\\\\*%';
* Allow remote access only from specific VPN ranges or partner networks
* Implement additional security for sensitive accounts by limiting login locations


== Emergency: Recovering a Lost Admin Password ==
-- Update restrictions
If you have lost access to all administrator accounts, you cannot reset passwords through the GUI. You must perform an emergency reset directly in the database.
UPDATE users SET number = '<filter>' WHERE username = 'username';
</syntaxhighlight>


'''Warning:''' These commands directly modify your database. Proceed with caution.
{{Warning|Direct database changes bypass GUI validation. Test in non-production first. Users must re-login after changes.}}


=== Option A: Delete All Users (Clean Slate) ===
== See Also ==
This command will delete '''all''' user accounts, resetting the GUI to its initial state where the `admin/admin` user is active.
 
<pre>
* [[WEB_API#Custom_Login|Custom Login (LDAP)]]
echo "DELETE FROM users;" | mysql voipmonitor
* [[Google_Sign_in_usage|Google Sign-In Integration]]
</pre>
* [[Microsoft_Sign_in_usage|Microsoft Sign-In Integration]]
You can then log in with `admin/admin` and recreate your user accounts.
* [[Call_Detail_Record_-_CDR|CDR View Documentation]]


=== Option B: Add a Temporary Admin User ===
This command inserts a new, temporary user named '''test''' with the password '''testtest''' and full administrator rights.
<pre>
echo "INSERT INTO users SET username='test', name='test', password=MD5('testtest'), is_admin=1;" | mysql voipmonitor
</pre>
After running this, log in as `test/testtest`, reset the password of your original admin account, and then '''immediately delete the temporary `test` user''' from within the GUI.


== AI Summary for RAG ==
== AI Summary for RAG ==
'''Summary:''' This guide provides a comprehensive overview of user management in the VoIPmonitor GUI. It begins by clarifying the distinction between local VoIPmonitor GUI users and users in the voipmonitor.org web portal (the voipmonitor.org portal is managed separately at https://www.voipmonitor.org under the dropdown menu's "User management" section where you can send invitations). It explains that only the main account holder can invite new users to the portal. Portal invitation troubleshooting steps include checking spam/junk folders (most common cause), verifying email addresses, noting 24-hour invitation validity, and contacting support for manual resend. For users without User management access, support can send invitations to contacts listed under "Account Details > Contacts" to convert them into portal users. The guide then explains the default `admin/admin` account and the critical rule that it is deleted upon the creation of the first new user. It details the process of creating and editing users via "GUI -> Users & Audit -> Users" (recommended) or "Settings -> Users" (alternate), and explains the key permission fields, distinguishing between an "Is administrator" account and a standard user. It covers permissions for data access (PCAP, audio), feature access (simple CDR which hides MOS/jitter/loss, capture rules, alerts, audit log, and "Hide CDR groups" which controls the CDR bottom panel visibility), and sharing. A major section is dedicated to restricting user access to specific calls, detailing how to filter a user's view by IP address, telephone number prefix, and by specific sensors in a multi-sensor deployment. '''CRITICAL LIMITATION:''' The IP-based filtering (filter_ip) feature matches ONLY SIP call endpoint IP addresses extracted from INVITE signaling packets. Intermediate proxy, SBC, or B2BUA IP addresses in the call path are NOT matched and cannot be used for user restrictions. 
This is a documented limitation (feature request VG-2923) requiring custom development for proxy-based filtering. It also documents the "Secure users" tab with "Enable remote addresses" field for whitelisting GUI login access by source IP address (restricting where users can log in from). Finally, it provides two emergency command-line procedures for recovering lost admin access by directly modifying the database: one to delete all users and reset to default, and another to insert a temporary admin account.
 
'''Keywords:''' user management, users, permissions, rights, access control, administrator, admin, standard user, restrict, filter, IP address, telephone number, domain, SIP domain, sensor, password reset, lost password, `DELETE FROM users`, voipmonitor.org portal, web portal, invitation, invite new user, User management menu, simple CDR, MOS, jitter, packet loss, hide CDR groups, CDR panel visibility, chart panel, bottom panel, GUI users & audit, secure users, enable remote addresses, whitelist IP, login restriction, source IP, Account Details, Contacts, support invitation, invitation troubleshooting, spam folder, invitation expired, proxy IP, SBC IP, intermediate IP, filter_ip limitation, VG-2923, endpoint IP, SIP dialog IP, proxy filtering limitation, custom development, OR logic, AND logic, combining restrictions
'''Summary:''' Guide to VoIPmonitor user management covering local users and LDAP/custom authentication (requires unique numeric ID per user), permission flags (can_cdr, can_play_audio, can_pcap, is_admin, etc.), upgrade permissions (only is_admin role users can perform GUI/sensor upgrades via web interface, no option to hide upgrade menu for admin users), sensor access restrictions (Basic data tab), IP-based login control (Secure users tab), CDR data restrictions (restrictions tab with AND/OR logic), Google and Microsoft SSO integration, audit logging, and user groups. Troubleshooting covers login issues, empty dashboard graphs for restricted groups, can_cdr permission for Call ID search, different search results between users (timezone, restrictions), and admin password reset via database.
 
'''Keywords:''' user management, permissions, access control, LDAP, custom login, sensor restrictions, IP restrictions, CDR restrictions, restrictions tab, OR condition, AND logic, audit log, user groups, password reset, Google Sign-In, Microsoft Sign-In, SSO, can_cdr, is_admin, empty dashboard graphs, group restrictions, users table, Call ID search, upgrade permissions, admin upgrade, GUI upgrade, sensor upgrade, timezone
 
'''Key Questions:'''
'''Key Questions:'''
* How do I create a new user in VoIPmonitor?
* How do I create a new user in VoIPmonitor?
* What is the difference between an admin and a standard user?
* How do I restrict a user to specific sensors?
* Why does IP-based filtering not work for proxy IP addresses?
* How do I configure LDAP authentication for VoIPmonitor?
* Can I filter users by proxy, SBC, or B2BUA IP addresses?
* What permissions are available for VoIPmonitor users?
* The filter_ip feature only matches SIP call endpoint IPs, not intermediate proxy IPs (limitation: VG-2923)
* How do I reset the admin password in VoIPmonitor?
* How can I restrict a user to only see calls from a specific customer or IP range?
* How do I restrict user login by IP address?
* How can I restrict a user by SIP domain?
* How do I set up user groups with shared permissions?
* What is the difference between OR and AND logic when combining user restrictions?
* Why are dashboard graphs empty for a restricted group user?
* How can I limit a user's access to only certain sensors?
* How do I configure OR logic between user restrictions?
* What do the permissions like "Simple CDR" or "Can download PCAP" do?
* Why can't a user search by Call ID in the CDR view?
* Why is the chart panel or MOS information not visible for a specific user in the CDR view?
* What permission is required for CDR view access?
* How do I enable or disable the CDR groups panel for a user?
* Who can perform upgrades in the VoIPmonitor GUI?
* I lost my admin password, how can I get back into the GUI?
* Why do two users with same permissions see different search results?
* What is the default username and password for VoIPmonitor?
* How do I invite a new user to my voipmonitor.org account?
* What is the difference between local VoIPmonitor GUI users and voipmonitor.org portal users?
* How do I send an invitation to a new user on voipmonitor.org?
* Where is the User management option in the voipmonitor.org portal?
* How to troubleshoot missing invitation emails for voipmonitor.org portal users?
* Only the main account holder can invite new users to the voipmonitor.org portal
* How do I restrict GUI login access by source IP address?
* What is the Secure users tab used for?
* How do I whitelist IP addresses for GUI login?
* What is the difference between the IP addresses field and Enable remote addresses?
* How can I allow clients to access the GUI only from specific networks?
* How do I request support to send portal invitations if I cannot access User management?
* Where should contact emails be listed for support to create portal users?
* Can support send invitations to contacts listed under Account Details -> Contacts?
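Review bot: The rewrite drops the old "Important Default Behavior" text from "Introduction to User Management", so the new "Creating a New User" steps no longer say that the default `admin/admin` account is deleted automatically when the first new user is created, or that creating a non-admin user first and logging out loses administrative access to the GUI. Suggest carrying that over as a {{Warning}} directly under "Creating a New User". The same applies to the new "CDR Data Restrictions" section: the old "Limitation: Proxy IPs Are NOT Matched" note (only the SIP endpoint IPs are matched, not proxy, SBC or B2BUA addresses) has been removed, and it should be kept next to the restrictions steps so that nobody builds an IP restriction on a proxy address.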

Latest revision as of 16:35, 13 January 2026


User Management

This page covers user account administration in VoIPmonitor GUI, including creating users, assigning permissions, and configuring access controls.

Navigate to: Users & Audit > Users to manage user accounts.

User Authentication Types

{| class="wikitable"
|-
! Type !! Description !! Configuration
|-
| Local || Default authentication using VoIPmonitor's internal database. Passwords stored as hashes. || Manage directly in GUI.
|-
| External (LDAP/Custom) || Integrate with LDAP/Active Directory via custom login script. || See Custom Login (LDAP).
|-
| Google SSO || OAuth authentication with Google accounts. || See Google Sign-In.
|-
| Microsoft SSO || OAuth authentication with Microsoft Entra ID (Azure AD). Currently in development. || See Microsoft Sign-In.
|}

ℹ️ Note: For external authentication, the custom_login function must return a unique numeric id for each user. Shared IDs cause users to share settings.

Creating a New User

  1. Go to Users & Audit > Users.
  2. Click Add user.
  3. Fill in required fields:
    • Username - Login name (must be unique).
    • Password - Strong password recommended.
    • Email - For alerts and password recovery.
    • Group - Assign to a permission group.
  4. Configure permissions (see below).
  5. Click Save.

Permissions

Permissions control what users can access and modify. Set via:

  • User-level: Direct assignment on individual user.
  • Group-level: Inherited from assigned group (recommended for easier management).

Permission Flags

{| class="wikitable"
|-
! Permission !! Description
|-
| is_admin || Full administrative access (includes upgrade permissions)
|-
| can_cdr || View CDR records and filter form (required for Call-ID search)
|-
| can_play_audio || Play call recordings in GUI
|-
| can_download_audio || Download audio files
|-
| can_listen_active_call || Live call monitoring (ChunkPlayer)
|-
| can_pcap || Download PCAP files
|-
| can_messages || View SIP messages
|-
| can_graphs || Access graphs and charts
|-
| can_livesniffer || Live sniffer functionality
|-
| can_capture_rules || Manage capture rules
|-
| can_reports_edit || Create/edit reports
|-
| can_alerts_edit || Create/edit alerts
|-
| can_dashboard || View dashboards
|-
| can_ipacc || IP accounting features
|-
| can_audit || View audit logs
|-
| can_sensors_operations || Sensor management
|-
| can_transcribe || Use on-demand transcription (Whisper) on call recordings
|}

💡 Tip: Set is_admin to false and use group permissions for granular access control.

Upgrade Permissions

Only users with the is_admin role can perform:

  • GUI upgrades via Settings > System > Upgrade
  • Sensor upgrades via Settings > Sensors
  • Auto-upgrade controls

⚠️ Warning: There is no option to hide the upgrade menu for admin users. To restrict upgrades, control access to admin accounts or use CLI: php php/run.php upgrade -f.

Access Restrictions

Sensor Restrictions

Restrict users to specific sensors:

  1. Edit user > Basic data tab.
  2. In Enable sensors, select allowed sensor IDs.
  3. Users will only see CDR from permitted sensors.

IP-Based Login Restrictions

Restrict login to specific IP addresses:

  1. Edit user > Secure users tab.
  2. Turn on the Enable remote addresses option.
  3. Add allowed IP addresses/ranges.

⚠️ Warning: If you lock yourself out, you must access the database directly to remove IP restrictions.
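A pre-save check for the lock-out case in the warning above, as an added example that is not part of VoIPmonitor: it tests a proposed allow list against the addresses administrators actually connect from. The entry syntax (single addresses and CIDR ranges), the function names and all sample values are assumptions.

```python
import ipaddress

def parse_allowlist(entries):
    """Split entries into parsed networks and a list of unparseable strings."""
    networks, invalid = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=False accepts "10.20.30.40/24" and reads it as 10.20.30.0/24
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError:
            invalid.append(raw)
    return networks, invalid

def is_admitted(source_ip, networks):
    """True if source_ip falls inside at least one allowed network."""
    addr = ipaddress.ip_address(source_ip)
    # An IPv4-mapped IPv6 source (::ffff:a.b.c.d) is compared as plain IPv4
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    # Membership is always False when address and network versions differ
    return any(addr in net for net in networks)

def lockout_report(entries, admin_sources):
    """Report bad entries and the admin source addresses the list would shut out."""
    networks, invalid = parse_allowlist(entries)
    locked_out = [ip for ip in admin_sources if not is_admitted(ip, networks)]
    return {"invalid_entries": invalid, "locked_out": locked_out}

# Constructed values taken from documentation address ranges
PROPOSED = ["198.51.100.0/24", "203.0.113.7", "10.0.0.256", "2001:db8:10::/48"]
ADMIN_SOURCES = ["198.51.100.23", "203.0.113.8", "::ffff:203.0.113.7", "2001:db8:10::5"]

if __name__ == "__main__":
    print(lockout_report(PROPOSED, ADMIN_SOURCES))
```

An empty `locked_out` list and an empty `invalid_entries` list are the conditions to meet before saving the restriction on an administrator account.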

CDR Data Restrictions

Restrict which CDR data users can view based on phone numbers, IP addresses, or domains:

  1. Edit user or group > restrictions tab.
  2. Add filter criteria.
  3. Configure boolean logic (see below).

ℹ️ Note: The restrictions tab filters CDR query results. The Secure users tab controls login IP addresses. These are different functions.

AND vs OR Logic

By default, AND logic is used: CDR must match ALL conditions.

To enable OR logic (match ANY condition):

  1. In the restrictions tab, scroll to bottom.
  2. Check OR condition checkbox.
  3. Save changes.
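The effect of the OR condition checkbox on a restricted user's view, modeled on constructed CDR rows. This is an added example, not VoIPmonitor's code; the row fields, the condition builders and the `visible` helper are assumptions for illustration.

```python
import ipaddress

# Constructed CDR rows (documentation addresses, made-up numbers).
CDRS = [
    {"id": 1, "caller": "4420111", "called": "4930222", "ip": "10.1.0.5", "domain": "a.example"},
    {"id": 2, "caller": "4420333", "called": "1212555", "ip": "10.2.0.9", "domain": "b.example"},
    {"id": 3, "caller": "3310444", "called": "4420999", "ip": "10.1.0.77", "domain": "b.example"},
    {"id": 4, "caller": "3310555", "called": "1212666", "ip": "192.0.2.8", "domain": "c.example"},
]

# Hypothetical condition builders; the real restriction syntax is set in the GUI.
def number_prefix(prefix):
    return lambda c: c["caller"].startswith(prefix) or c["called"].startswith(prefix)

def ip_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda c: ipaddress.ip_address(c["ip"]) in net

def domain_is(name):
    return lambda c: c["domain"].lower() == name.lower()

def visible(cdrs, conditions, or_condition=False):
    """IDs of the CDRs a restricted user would see."""
    if not conditions:
        return [c["id"] for c in cdrs]          # no restrictions configured
    combine = any if or_condition else all      # OR checkbox vs. default AND
    return [c["id"] for c in cdrs if combine(cond(c) for cond in conditions)]

# Three restrictions that overlap on one call
RULES = [number_prefix("4420"), ip_in("10.1.0.0/16"), domain_is("b.example")]
# Two restrictions that no single call satisfies together
DISJOINT = [number_prefix("4420"), ip_in("192.0.2.0/24")]

if __name__ == "__main__":
    print("AND:", visible(CDRS, RULES))
    print("OR: ", visible(CDRS, RULES, or_condition=True))
    print("AND, disjoint rules:", visible(CDRS, DISJOINT))
```

Under AND, restrictions that never hold together leave the user with an empty result set; under OR, every added restriction widens what the user can see, so review the resulting set before saving.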

User Groups

Manage groups in Users & Audit > Groups:

  • Define permission templates for multiple users.
  • Assign users to groups for consistent access control.
  • Changes to group permissions apply to all members.

Audit Logging

Track user actions for compliance (GDPR, HIPAA). All sensitive GUI actions are logged, including on-demand transcription requests.

Method | Configuration
GUI Audit | Enabled by default. View logs in Users & Audit > Audit. Configure per-user settings in Users & Audit > Users/Groups.
File-based Audit | Set AUDIT_LOG_FILE in configuration.php.
Per-user Audit | Set Enable audit to auto or yes on individual users.

Troubleshooting

User Cannot Log In

  • Check IP restrictions in Secure users tab.
  • Verify username/password (case-sensitive).
  • Check if account is disabled.
  • For LDAP: Test with php scripts/custom_login.php.

Permission Changes Not Taking Effect

  • User must log out and log back in.
  • Clear browser cache if issues persist.
  • Verify group membership if using group permissions.

Empty Dashboard Graphs for Restricted Users

Symptom: User sees empty graphs while admin sees data correctly.

Cause: Group IP restrictions filter out required data sources.

Solution:

  1. Navigate to Users & Audit > Groups.
  2. Edit the affected group > restrictions tab.
  3. Adjust or remove IP restrictions.
  4. User must refresh browser.

💡 Tip: To verify: temporarily clear all group restrictions. If graphs appear, restrictions were blocking data.

Cannot Search by Call ID

Cause: Missing can_cdr permission.

Solution: Enable Allow to view CDR checkbox on user profile, then have user re-login.

Forgot Admin Password

Reset via database:

UPDATE users SET password = MD5('newpassword') WHERE username = 'admin';

⚠️ Warning: Log in immediately and change the password through the GUI for better security.

Different Search Results Between Users

Even with identical permissions, users may see different results due to:

  1. Timezone setting: Compare timezone selector (top right of CDR view) between users.
  2. User restrictions: Check restrictions tab for IP/number filters.
  3. Sensor restrictions: Check Basic data > Enable sensors.
  4. Group restrictions: Verify group settings in Users & Audit > Groups.

Advanced: Database-Level Operations

User restriction filters are stored in the users table, number column.

-- View all user restrictions
SELECT username, number FROM users;

-- Find restrictions with specific pattern (escape backslashes)
SELECT username, number FROM users WHERE number LIKE '%\\\\*%';

-- Update restrictions
UPDATE users SET number = '<filter>' WHERE username = 'username';

⚠️ Warning: Direct database changes bypass GUI validation. Test in non-production first. Users must re-login after changes.


AI Summary for RAG

Summary: Guide to VoIPmonitor user management covering local users and LDAP/custom authentication (requires unique numeric ID per user), permission flags (can_cdr, can_play_audio, can_pcap, is_admin, etc.), upgrade permissions (only is_admin role users can perform GUI/sensor upgrades via web interface, no option to hide upgrade menu for admin users), sensor access restrictions (Basic data tab), IP-based login control (Secure users tab), CDR data restrictions (restrictions tab with AND/OR logic), Google and Microsoft SSO integration, audit logging, and user groups. Troubleshooting covers login issues, empty dashboard graphs for restricted groups, can_cdr permission for Call ID search, different search results between users (timezone, restrictions), and admin password reset via database.

Keywords: user management, permissions, access control, LDAP, custom login, sensor restrictions, IP restrictions, CDR restrictions, restrictions tab, OR condition, AND logic, audit log, user groups, password reset, Google Sign-In, Microsoft Sign-In, SSO, can_cdr, is_admin, empty dashboard graphs, group restrictions, users table, Call ID search, upgrade permissions, admin upgrade, GUI upgrade, sensor upgrade, timezone

Key Questions:

  • How do I create a new user in VoIPmonitor?
  • How do I restrict a user to specific sensors?
  • How do I configure LDAP authentication for VoIPmonitor?
  • What permissions are available for VoIPmonitor users?
  • How do I reset the admin password in VoIPmonitor?
  • How do I restrict user login by IP address?
  • How do I set up user groups with shared permissions?
  • Why are dashboard graphs empty for a restricted group user?
  • How do I configure OR logic between user restrictions?
  • Why can't a user search by Call ID in the CDR view?
  • What permission is required for CDR view access?
  • Who can perform upgrades in the VoIPmonitor GUI?
  • Why do two users with same permissions see different search results?