User Management: Difference between revisions
(Add detailed steps for inviting new users to voipmonitor.org portal via Account Management) |
(Add documentation for restricting GUI login access by source IP (Secure users tab with Enable remote addresses field)) |
||
| Line 111: | Line 111: | ||
[[File:Usersensors.png|The Sensors tab allows you to assign specific data sources to a user.]] | [[File:Usersensors.png|The Sensors tab allows you to assign specific data sources to a user.]] | ||
== Restricting GUI Login by Source IP Address == | |||
In addition to restricting what call data a user can see, you can also restrict '''where''' a user can log in from by whitelisting specific source IP addresses. This is a security feature that allows clients to access the GUI only from authorized network locations. | |||
=== Difference: Data Visibility vs. Login Access === | |||
It is important to understand the distinction between the two IP-related restrictions: | |||
*'''IP Addresses field''' (in the main user edit screen): Controls '''which call data''' the user can see. The user can log in from anywhere, but will only see calls involving the specified IP addresses. | |||
*'''Enable remote addresses''' (in the "Secure users" tab): Controls '''where the user can log in from'''. The user can only access the GUI login page from the specified whitelisted IP addresses. | |||
=== How to Configure IP-Based Login Restrictions === | |||
To restrict GUI login access by source IP address: | |||
# Navigate to '''GUI -> Users & Audit -> Users''' | |||
# Edit the user account for which you want to restrict access | |||
# Click the '''Secure users''' tab | |||
# In the '''Enable remote addresses''' field, enter the list of allowed source IP addresses | |||
# Enter one IP address or CIDR per line (e.g., `192.168.1.10` or `10.0.0.0/24`) | |||
# Click '''Save''' to apply the changes | |||
Once configured, users will be able to access the GUI login form only from the IP addresses listed. Attempts to log in from other IP addresses will be blocked. | |||
'''Important Use Cases:''' | |||
* Provide client access to your VoIPmonitor GUI while restricting them to specific office networks | |||
* Allow remote access only from specific VPN ranges or partner networks | |||
* Implement additional security for sensitive accounts by limiting login locations | |||
== Emergency: Recovering a Lost Admin Password == | == Emergency: Recovering a Lost Admin Password == | ||
| Line 132: | Line 159: | ||
== AI Summary for RAG == | == AI Summary for RAG == | ||
'''Summary:''' This guide provides a comprehensive overview of user management in the VoIPmonitor GUI. It begins by clarifying the distinction between local VoIPmonitor GUI users and users in the voipmonitor.org web portal (the voipmonitor.org portal is managed separately at https://www.voipmonitor.org under the dropdown menu's "User management" section). The guide then explains the default `admin/admin` account and the critical rule that it is deleted upon the creation of the first new user. It details the process of creating and editing users via "GUI -> Users & Audit -> Users" (recommended) or "Settings -> Users" (alternate), and explains the key permission fields, distinguishing between an "Is administrator" account and a standard user. It covers permissions for data access (PCAP, audio), feature access (simple CDR which hides MOS/jitter/loss, capture rules, alerts, audit log, and "Hide CDR groups" which controls the CDR bottom panel visibility), and sharing. A major section is dedicated to restricting user access to specific calls, detailing how to filter a user's view by IP address, telephone number prefix, and by specific sensors in a multi-sensor deployment. Finally, it provides two emergency command-line procedures for recovering lost admin access by directly modifying the database: one to delete all users and reset to default, and another to insert a temporary admin account. | '''Summary:''' This guide provides a comprehensive overview of user management in the VoIPmonitor GUI. It begins by clarifying the distinction between local VoIPmonitor GUI users and users in the voipmonitor.org web portal (the voipmonitor.org portal is managed separately at https://www.voipmonitor.org under the dropdown menu's "User management" section). The guide then explains the default `admin/admin` account and the critical rule that it is deleted upon the creation of the first new user. It details the process of creating and editing users via "GUI -> Users & Audit -> Users" (recommended) or "Settings -> Users" (alternate), and explains the key permission fields, distinguishing between an "Is administrator" account and a standard user. It covers permissions for data access (PCAP, audio), feature access (simple CDR which hides MOS/jitter/loss, capture rules, alerts, audit log, and "Hide CDR groups" which controls the CDR bottom panel visibility), and sharing. A major section is dedicated to restricting user access to specific calls, detailing how to filter a user's view by IP address, telephone number prefix, and by specific sensors in a multi-sensor deployment. It also documents the "Secure users" tab with "Enable remote addresses" field for whitelisting GUI login access by source IP address (restricting where users can log in from). Finally, it provides two emergency command-line procedures for recovering lost admin access by directly modifying the database: one to delete all users and reset to default, and another to insert a temporary admin account. | ||
'''Keywords:''' user management, users, permissions, rights, access control, administrator, admin, standard user, restrict, filter, IP address, telephone number, sensor, password reset, lost password, `DELETE FROM users`, voipmonitor.org portal, web portal, simple CDR, MOS, jitter, packet loss, hide CDR groups, CDR panel visibility, chart panel, bottom panel, GUI users & audit | '''Keywords:''' user management, users, permissions, rights, access control, administrator, admin, standard user, restrict, filter, IP address, telephone number, sensor, password reset, lost password, `DELETE FROM users`, voipmonitor.org portal, web portal, simple CDR, MOS, jitter, packet loss, hide CDR groups, CDR panel visibility, chart panel, bottom panel, GUI users & audit, secure users, enable remote addresses, whitelist IP, login restriction, source IP | ||
'''Key Questions:''' | '''Key Questions:''' | ||
* How do I create a new user in VoIPmonitor? | * How do I create a new user in VoIPmonitor? | ||
| Line 150: | Line 177: | ||
* How to troubleshoot missing invitation emails for voipmonitor.org portal users? | * How to troubleshoot missing invitation emails for voipmonitor.org portal users? | ||
* Only the main account holder can invite new users to the voipmonitor.org portal | * Only the main account holder can invite new users to the voipmonitor.org portal | ||
* How do I restrict GUI login access by source IP address? | |||
* What is the Secure users tab used for? | |||
* How do I whitelist IP addresses for GUI login? | |||
* What is the difference between the IP addresses field and Enable remote addresses? | |||
* How can I allow clients to access the GUI only from specific networks? | |||
Revision as of 18:06, 5 January 2026
This guide provides a comprehensive overview of how to create and manage user accounts, permissions, and access restrictions within the VoIPmonitor web GUI.
Important: Local GUI vs. voipmonitor.org Portal
This page covers user management for your local VoIPmonitor GUI installation.
If you are looking for information about managing users for your voipmonitor.org account (the billing and portal website at https://www.voipmonitor.org), that is handled separately from your local VoIPmonitor installation.
To manage users in the voipmonitor.org portal:
How to Invite a New User
To add a new contact or user to your voipmonitor.org portal:
- Log in to https://www.voipmonitor.org using your main account email address
- In the top-right corner, click on the Hello [Name] dropdown menu
- Select Account Management
- From the Account Management section, invite the new user by entering their email address
- The system will send them an email invitation to set their password and log in
Important Note: Only the main account holder has access to the Account Management feature to invite new users. If you are unable to see the Account Management option, you may not have the appropriate permissions.
Troubleshooting Invitation Emails
If a newly invited user does not receive their password setup invitation email:
- Check the user's Spam, Junk, or Promotions folders (most common cause)
- Verify the email address was entered correctly
- Invitation links are typically valid for 24 hours
- If the email cannot be found, contact VoIPmonitor Support with the correct email address to manually resend the invitation
The users you create in the voipmonitor.org portal are separate from the users you create here in your local VoIPmonitor GUI.
Introduction to User Management
VoIPmonitor allows you to create multiple user accounts, each with a specific set of permissions and data access restrictions. This is essential for providing secure, role-based access to your call data.
Important Default Behavior:
- A fresh VoIPmonitor installation starts with a single default user: admin with the password admin.*
- The moment you create your first new user, this default `admin/admin` account is automatically deleted.
- Golden Rule: Your very first action should be to create a new, personal administrator account with a strong password. If you create a non-admin user first and log out, you will lose administrative access to the GUI.
How to Create or Edit a User
All user management is done by navigating to the user management section of the GUI. Depending on your GUI version, this can be accessed via:
- GUI -> Users & Audit -> Users (recommended approach for current versions)
- Settings -> Users (alternate navigation in some versions)
- To create a new user, click the New user button.
- To edit an existing user, click the pencil icon next to their username in the list.
Changes made to a user's permissions will only take effect after that user logs out and logs back in.
Understanding User Permissions
User permissions are divided into two main levels, controlled by a single checkbox.
Administrator vs. Standard User
Is administrator- This is the most important permission.
- Checked (Admin): The user has full, unrestricted access to all GUI features, including creating other users, configuring sensors, and viewing all call data.
- Unchecked (Standard User): The user has limited access. They cannot see the "Settings" menu, and their view of call data can be restricted based on the settings below.
Feature and Data Access Permissions
These checkboxes control a user's access to specific features and data types.
Core Data Access
Can download PCAP- Allows the user to download the full network packet capture for a call.
Can listen- Allows the user to play or download the audio recording (WAV/OGG) of a call.
Remove RTP from PCAP- A security feature. If a user with this permission downloads a PCAP, the audio portion (RTP stream) will be automatically stripped from the file, leaving only the signaling data (SIP).
GUI Feature Access
Simple CDR- Hides advanced QoS and network metrics (MOS, jitter, packet loss) from the CDR view. This is ideal for users (e.g., in a call center) who only need to see basic call information and listen to recordings.
Enable capture rules- Allows the user to view and manage call recording rules.
Enable alerts- Allows the user to create, edit, and view alerts in the reporting section.
Enable audit- Grants access to the Audit Log, which tracks actions taken by other users.
Hide CDR groups- When checked, this permission hides the bottom panel in the CDR view that contains the CDR/messages groups dashboard. If users are not seeing charts or panel information at the bottom of the CDR view, ensure this checkbox is not enabled (or uncheck it to show the panel).
- And others: Permissions like `Enable active calls`, `Enable register`, and `Enable live sniffer` grant access to their respective sections in the GUI.
Sharing Permissions
Enable local share CDR- Allows the user to generate a shareable link for a specific call that can be viewed by others within your organization.
Enable share.voipmonitor.org- Allows the user to share a call publicly via the voipmonitor.org sharing service.
Restricting User Access to Call Data
For standard (non-admin) users, it is crucial to restrict which calls they are allowed to see. This is done using three primary methods on the user's edit page.
1. Restriction by IP Address
The IP addresses text box allows you to limit a user to seeing only calls that involve specific IP addresses or subnets.
- Enter one IP address or CIDR network per line (e.g., `192.168.1.10` or `10.0.0.0/8`).
- The user will only see calls where either the source or destination IP address matches an entry in this list.
2. Restriction by Telephone Number
The Tel. Numbers text box limits a user based on the caller or called number.
- Enter one number or prefix per line.
- You can use the `%` character as a wildcard. For example, `4420%` will allow the user to see all calls to or from numbers starting with `4420`.
3. Restriction by Sensor
By default, all users can see calls from all sensors. In a multi-sensor deployment, you can restrict a user to data from specific sensors.
- Click the Sensors tab on the user's edit page.
- Check the boxes next to the only sensors this user should be able to see data from.
Restricting GUI Login by Source IP Address
In addition to restricting what call data a user can see, you can also restrict where a user can log in from by whitelisting specific source IP addresses. This is a security feature that allows clients to access the GUI only from authorized network locations.
Difference: Data Visibility vs. Login Access
It is important to understand the distinction between the two IP-related restrictions:
- IP Addresses field (in the main user edit screen): Controls which call data the user can see. The user can log in from anywhere, but will only see calls involving the specified IP addresses.
- Enable remote addresses (in the "Secure users" tab): Controls where the user can log in from. The user can only access the GUI login page from the specified whitelisted IP addresses.
How to Configure IP-Based Login Restrictions
To restrict GUI login access by source IP address:
- Navigate to GUI -> Users & Audit -> Users
- Edit the user account for which you want to restrict access
- Click the Secure users tab
- In the Enable remote addresses field, enter the list of allowed source IP addresses
- Enter one IP address or CIDR per line (e.g., `192.168.1.10` or `10.0.0.0/24`)
- Click Save to apply the changes
Once configured, users will be able to access the GUI login form only from the IP addresses listed. Attempts to log in from other IP addresses will be blocked.
Important Use Cases:
- Provide client access to your VoIPmonitor GUI while restricting them to specific office networks
- Allow remote access only from specific VPN ranges or partner networks
- Implement additional security for sensitive accounts by limiting login locations
Emergency: Recovering a Lost Admin Password
If you have lost access to all administrator accounts, you cannot reset passwords through the GUI. You must perform an emergency reset directly in the database.
Warning: These commands directly modify your database. Proceed with caution.
Option A: Delete All Users (Clean Slate)
This command will delete all user accounts, resetting the GUI to its initial state where the `admin/admin` user is active.
echo "DELETE FROM users;" | mysql voipmonitor
You can then log in with `admin/admin` and recreate your user accounts.
Option B: Add a Temporary Admin User
This command inserts a new, temporary user named test with the password testtest and full administrator rights.
echo "INSERT INTO users SET username='test', name='test', password=MD5('testtest'), is_admin=1;" | mysql voipmonitor
After running this, log in as `test/testtest`, reset the password of your original admin account, and then immediately delete the temporary `test` user from within the GUI.
AI Summary for RAG
Summary: This guide provides a comprehensive overview of user management in the VoIPmonitor GUI. It begins by clarifying the distinction between local VoIPmonitor GUI users and users in the voipmonitor.org web portal (the voipmonitor.org portal is managed separately at https://www.voipmonitor.org under the dropdown menu's "User management" section). The guide then explains the default `admin/admin` account and the critical rule that it is deleted upon the creation of the first new user. It details the process of creating and editing users via "GUI -> Users & Audit -> Users" (recommended) or "Settings -> Users" (alternate), and explains the key permission fields, distinguishing between an "Is administrator" account and a standard user. It covers permissions for data access (PCAP, audio), feature access (simple CDR which hides MOS/jitter/loss, capture rules, alerts, audit log, and "Hide CDR groups" which controls the CDR bottom panel visibility), and sharing. A major section is dedicated to restricting user access to specific calls, detailing how to filter a user's view by IP address, telephone number prefix, and by specific sensors in a multi-sensor deployment. It also documents the "Secure users" tab with "Enable remote addresses" field for whitelisting GUI login access by source IP address (restricting where users can log in from). Finally, it provides two emergency command-line procedures for recovering lost admin access by directly modifying the database: one to delete all users and reset to default, and another to insert a temporary admin account. Keywords: user management, users, permissions, rights, access control, administrator, admin, standard user, restrict, filter, IP address, telephone number, sensor, password reset, lost password, `DELETE FROM users`, voipmonitor.org portal, web portal, simple CDR, MOS, jitter, packet loss, hide CDR groups, CDR panel visibility, chart panel, bottom panel, GUI users & audit, secure users, enable remote addresses, whitelist IP, login restriction, source IP Key Questions:
- How do I create a new user in VoIPmonitor?
- What is the difference between an admin and a standard user?
- How can I restrict a user to only see calls from a specific customer or IP range?
- How can I limit a user's access to only certain sensors?
- What do the permissions like "Simple CDR" or "Can download PCAP" do?
- Why is the chart panel or MOS information not visible for a specific user in the CDR view?
- How do I enable or disable the CDR groups panel for a user?
- I lost my admin password, how can I get back into the GUI?
- What is the default username and password for VoIPmonitor?
- How do I manage users in the voipmonitor.org web portal?
- What is the difference between local VoIPmonitor GUI users and voipmonitor.org portal users?
- How do I invite a new contact to the voipmonitor.org portal?
- Where is the Account Management option in the voipmonitor.org portal?
- How to troubleshoot missing invitation emails for voipmonitor.org portal users?
- Only the main account holder can invite new users to the voipmonitor.org portal
- How do I restrict GUI login access by source IP address?
- What is the Secure users tab used for?
- How do I whitelist IP addresses for GUI login?
- What is the difference between the IP addresses field and Enable remote addresses?
- How can I allow clients to access the GUI only from specific networks?