User Management: Difference between revisions

From VoIPmonitor.org
(Review: formatting fixes (syntaxhighlight), section renumbering, AI Summary shortened, permissions diagram added)
Tag: Blanking
(Created User Management page with comprehensive documentation on user creation, permissions, access control, and troubleshooting)
Line 1: Line 1:
{{DISPLAYTITLE:User Management}}
[[Category:GUI manual]]
[[Category:Administration]]


= User Management =
This page covers user account administration in VoIPmonitor GUI, including creating users, assigning permissions, and configuring access controls.
== Accessing User Management ==
Navigate to '''Users & Audit > Users''' in the GUI to manage user accounts.
== User Types ==
=== Local Users ===
*  Default authentication method using VoIPmonitor's internal database.
*  Passwords are stored securely (hashed).
*  Created and managed directly in the GUI.
=== External Authentication (LDAP/Custom Login) ===
*  Integrate with LDAP/Active Directory using the custom login script.
*  See [[WEB_API#Custom_Login|Custom Login (LDAP)]] for configuration details.
*  '''Important:''' The <code>custom_login</code> function must return a unique numeric <code>id</code> for each user.
== Creating a New User ==
# Go to '''Users & Audit > Users'''.
# Click '''Add user'''.
# Fill in required fields:
#* '''Username''' - Login name (must be unique).
#* '''Password''' - Strong password recommended.
#* '''Email''' - For alerts and password recovery.
#* '''Group''' - Assign to a permission group.
# Configure permissions (see below).
# Click '''Save'''.
== User Permissions ==
Permissions control what users can access and modify. Set permissions via:
*  '''User-level:''' Direct assignment on individual user.
*  '''Group-level:''' Inherited from assigned group (recommended for easier management).
=== Permission Flags ===
{| class="wikitable"
|-
! Permission !! Description
|-
| <code>is_admin</code> || Full administrative access
|-
| <code>can_cdr</code> || View CDR records
|-
| <code>can_play_audio</code> || Play call recordings in GUI
|-
| <code>can_download_audio</code> || Download audio files
|-
| <code>can_listen_active_call</code> || Live call monitoring (ChunkPlayer)
|-
| <code>can_pcap</code> || Download PCAP files
|-
| <code>can_messages</code> || View SIP messages
|-
| <code>can_graphs</code> || Access graphs and charts
|-
| <code>can_livesniffer</code> || Live sniffer functionality
|-
| <code>can_capture_rules</code> || Manage capture rules
|-
| <code>can_reports_edit</code> || Create/edit reports
|-
| <code>can_alerts_edit</code> || Create/edit alerts
|-
| <code>can_dashboard</code> || View dashboards
|-
| <code>can_ipacc</code> || IP accounting features
|-
| <code>can_audit</code> || View audit logs
|-
| <code>can_sensors_operations</code> || Sensor management
|}
{{Tip|Set <code>is_admin</code> to <code>false</code> and use group permissions for granular access control.}}
== Sensor Access Restrictions ==
Restrict users to specific sensors:
# Edit user > '''Basic data''' tab.
# In '''Enable sensors''', select allowed sensor IDs.
# Users will only see CDR from permitted sensors.
== IP-Based Access Control ==
Restrict login to specific IP addresses:
# Edit user > '''Secure users''' tab.
# Enable '''Enable remote addresses'''.
# Add allowed IP addresses/ranges.
{{Warning|If you lock yourself out, you must access the database directly to remove IP restrictions.}}
== Microsoft Sign-In Integration ==
{{Note|This feature is currently in development and not available in stable releases.}}
For SSO with Microsoft Entra ID (Azure AD):
# Edit user > '''Secure users''' tab.
# Enter '''Microsoft Sign In emails''' to map the user.
# See [[Microsoft_Sign_in_usage]] for full setup instructions.
== Audit Logging ==
Track user actions for compliance (GDPR, HIPAA):
*  '''GUI Audit:''' Enabled by default in '''Users & Audit > Audit'''.
*  '''File-based Audit:''' Configure <code>AUDIT_LOG_FILE</code> in <code>configuration.php</code>.
*  '''Per-user Audit Mode:''' Set '''Enable audit''' to ''auto'' or ''yes'' on individual users.
See [[GUI_Configuration_PHP#Audit_Log_Settings|Audit Log Configuration]] for details.
== User Groups ==
Manage groups in '''Users & Audit > Groups''':
*  Define permission templates for multiple users.
*  Assign users to groups for consistent access control.
*  Changes to group permissions apply to all members.
== Troubleshooting ==
=== User Cannot Log In ===
*  Check IP restrictions in '''Secure users''' tab.
*  Verify username/password (case-sensitive).
*  Check if account is disabled.
*  For LDAP: Test connection with <code>php scripts/custom_login.php</code>.
=== Permission Changes Not Taking Effect ===
*  User must log out and log back in.
*  Clear browser cache if issues persist.
*  Verify group membership if using group permissions.
=== Forgot Admin Password ===
Reset password via database:
<syntaxhighlight lang="sql">
UPDATE users SET password = MD5('newpassword') WHERE username = 'admin';
</syntaxhighlight>
{{Warning|This sets an MD5 hash. For better security, log in immediately and change the password through the GUI.}}
== AI Summary for RAG ==
'''Summary:''' Guide to VoIPmonitor user management. Covers creating local users, LDAP/custom authentication integration (requires unique numeric ID per user), permission flags (can_cdr, can_play_audio, can_download_audio, can_pcap, can_reports_edit, can_alerts_edit, is_admin, etc.), sensor access restrictions (limit users to specific sensor IDs), IP-based access control (Secure users tab), Microsoft Sign-In SSO integration (development feature), audit logging configuration, and user groups for permission templates. Troubleshooting includes IP restrictions, LDAP testing, and admin password reset via database.
'''Keywords:''' user management, users, permissions, access control, LDAP, custom login, authentication, sensor restrictions, IP restrictions, audit log, user groups, password reset, Microsoft Sign-In, SSO, can_cdr, can_pcap, is_admin
'''Key Questions:'''
* How do I create a new user in VoIPmonitor?
* How do I restrict a user to specific sensors?
* How do I configure LDAP authentication for VoIPmonitor?
* What permissions are available for VoIPmonitor users?
* How do I reset the admin password in VoIPmonitor?
* How do I restrict user login by IP address?
* How do I enable audit logging for user actions?
* How do I set up user groups with shared permissions?
* Why can't a user log in to VoIPmonitor?
* How do I configure Microsoft Sign-In for VoIPmonitor users?
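Review bot: In "Forgot Admin Password", the reset statement writes MD5('newpassword') with a literal example password, while "Local Users" says passwords are "stored securely (hashed)" without naming the scheme; state which hash the GUI writes on a normal password change, and replace 'newpassword' with an explicit placeholder so the sample value is not pasted as-is. The "IP-Based Access Control" warning sends a locked-out admin to the database but, unlike the password reset, gives no table or column to edit; add that or link to it.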

Revision as of 18:00, 6 January 2026


User Management

This page covers user account administration in VoIPmonitor GUI, including creating users, assigning permissions, and configuring access controls.

Accessing User Management

Navigate to Users & Audit > Users in the GUI to manage user accounts.

User Types

Local Users

  • Default authentication method using VoIPmonitor's internal database.
  • Passwords are stored securely (hashed).
  • Created and managed directly in the GUI.

External Authentication (LDAP/Custom Login)

  • Integrate with LDAP/Active Directory using the custom login script.
  • See Custom Login (LDAP) for configuration details.
  • Important: The custom_login function must return a unique numeric id for each user.

Creating a New User

  1. Go to Users & Audit > Users.
  2. Click Add user.
  3. Fill in required fields:
    • Username - Login name (must be unique).
    • Password - Strong password recommended.
    • Email - For alerts and password recovery.
    • Group - Assign to a permission group.
  4. Configure permissions (see below).
  5. Click Save.

User Permissions

Permissions control what users can access and modify. Set permissions via:

  • User-level: Direct assignment on an individual user.
  • Group-level: Inherited from assigned group (recommended for easier management).

Permission Flags

Permission               Description
is_admin                 Full administrative access
can_cdr                  View CDR records
can_play_audio           Play call recordings in GUI
can_download_audio       Download audio files
can_listen_active_call   Live call monitoring (ChunkPlayer)
can_pcap                 Download PCAP files
can_messages             View SIP messages
can_graphs               Access graphs and charts
can_livesniffer          Live sniffer functionality
can_capture_rules        Manage capture rules
can_reports_edit         Create/edit reports
can_alerts_edit          Create/edit alerts
can_dashboard            View dashboards
can_ipacc                IP accounting features
can_audit                View audit logs
can_sensors_operations   Sensor management

💡 Tip: Set is_admin to false and use group permissions for granular access control.

Sensor Access Restrictions

Restrict users to specific sensors:

  1. Edit user > Basic data tab.
  2. In "Enable sensors", select allowed sensor IDs.
  3. Users will see CDRs only from permitted sensors.

IP-Based Access Control

Restrict login to specific IP addresses:

  1. Edit user > Secure users tab.
  2. Enable the "Enable remote addresses" option.
  3. Add allowed IP addresses/ranges.

⚠️ Warning: If you lock yourself out, you must access the database directly to remove IP restrictions.
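
An added example (not part of VoIPmonitor) of a pre-check that avoids the lockout described in the warning: before saving the allowlist, confirm that the address of the current session matches one of its entries. Entries are assumed to be single addresses or CIDR ranges; the range syntax the GUI accepts is not stated on this page.

```python
# Added example: validate an IP allowlist and test an address against it.
# Assumes entries are single IPs or CIDR ranges (the GUI's syntax may differ).
import ipaddress

def parse_allowlist(entries):
    """Return (networks, rejected); a bad entry is reported, never silently dropped."""
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects ranges with host bits set, e.g. 10.0.0.5/24,
            # which usually signals a typo rather than an intended range.
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            rejected.append(raw)
    return networks, rejected

def is_allowed(client_ip, networks):
    """True if client_ip falls inside any allowlisted network of the same family."""
    addr = ipaddress.ip_address(client_ip)
    # An IPv4-mapped IPv6 client (::ffff:a.b.c.d) is compared as its IPv4 form.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)

def safe_to_save(current_ip, entries):
    """Pre-save check: the list parses cleanly and still admits the current session."""
    networks, rejected = parse_allowlist(entries)
    if rejected:
        return False, "unparseable entries: " + ", ".join(rejected)
    if not networks:  # conservative: an empty list is treated as unsafe to save
        return False, "empty allowlist"
    if not is_allowed(current_ip, networks):
        return False, current_ip + " is not covered; saving would lock this session out"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(safe_to_save("198.51.100.7", ["192.0.2.0/24", "203.0.113.10"]))
    print(safe_to_save("192.0.2.44", ["192.0.2.0/24", "203.0.113.10"]))
```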

Microsoft Sign-In Integration

ℹ️ Note: This feature is currently in development and not available in stable releases.

For SSO with Microsoft Entra ID (Azure AD):

  1. Edit user > Secure users tab.
  2. Enter Microsoft Sign In emails to map the user.
  3. See Microsoft_Sign_in_usage for full setup instructions.

Audit Logging

Track user actions for compliance (GDPR, HIPAA):

  • GUI Audit: Enabled by default in Users & Audit > Audit.
  • File-based Audit: Configure AUDIT_LOG_FILE in configuration.php.
  • Per-user Audit Mode: Set "Enable audit" to auto or yes on individual users.

See Audit Log Configuration for details.

User Groups

Manage groups in Users & Audit > Groups:

  • Define permission templates for multiple users.
  • Assign users to groups for consistent access control.
  • Changes to group permissions apply to all members.
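
An added example (not VoIPmonitor's code) of reviewing the permission model from the User Permissions and User Groups sections: it combines user-level and group-level flags and reports accounts that hold `is_admin`, content-access flags, or grants set outside their group. The export layout is constructed, and treating a flag as granted when either the user or the group sets it is an assumption about how inheritance combines.

```python
# Added example: least-privilege review of a constructed user/group export.
# Flag names are from the Permission Flags table; the data layout is hypothetical.

# Flags that let an account download or live-listen to call content.
SENSITIVE_FLAGS = {"can_download_audio", "can_pcap", "can_listen_active_call"}

# Constructed sample data, not taken from a real installation.
GROUPS = {
    "support": {"can_cdr": True, "can_play_audio": True, "can_graphs": True},
    "engineering": {"can_cdr": True, "can_pcap": True, "can_messages": True},
}
USERS = [
    {"username": "admin", "group": None, "flags": {"is_admin": True}},
    {"username": "alice", "group": "support", "flags": {}},
    {"username": "bob", "group": "support", "flags": {"can_download_audio": True}},
    {"username": "carol", "group": "engineering", "flags": {}},
]

def enabled(flags):
    """Names of the flags that are switched on."""
    return {name for name, on in flags.items() if on}

def effective_flags(user, groups):
    """Group grants plus user grants (assumed rule: either source grants the flag)."""
    return enabled(groups.get(user["group"], {})) | enabled(user["flags"])

def review(users, groups):
    """Return {username: [findings]} for accounts that deserve a second look."""
    findings = {}
    for user in users:
        flags, notes = effective_flags(user, groups), []
        if "is_admin" in flags:
            notes.append("is_admin: full administrative access")
        else:
            sensitive = sorted(flags & SENSITIVE_FLAGS)
            if sensitive:
                notes.append("content access: " + ", ".join(sensitive))
        # A flag set directly on a grouped user bypasses the group template.
        direct = enabled(user["flags"]) - enabled(groups.get(user["group"], {}))
        if user["group"] and direct:
            notes.append("user-level grant outside group: " + ", ".join(sorted(direct)))
        if notes:
            findings[user["username"]] = notes
    return findings

if __name__ == "__main__":
    for name, notes in review(USERS, GROUPS).items():
        print(name + ": " + "; ".join(notes))
```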

Troubleshooting

User Cannot Log In

  • Check IP restrictions in Secure users tab.
  • Verify username/password (case-sensitive).
  • Check if account is disabled.
  • For LDAP: Test connection with php scripts/custom_login.php.

Permission Changes Not Taking Effect

  • User must log out and log back in.
  • Clear browser cache if issues persist.
  • Verify group membership if using group permissions.

Forgot Admin Password

Reset password via database:

UPDATE users SET password = MD5('newpassword') WHERE username = 'admin';

⚠️ Warning: This sets an MD5 hash. For better security, log in immediately and change the password through the GUI.

AI Summary for RAG

Summary: Guide to VoIPmonitor user management. Covers creating local users, LDAP/custom authentication integration (requires unique numeric ID per user), permission flags (can_cdr, can_play_audio, can_download_audio, can_pcap, can_reports_edit, can_alerts_edit, is_admin, etc.), sensor access restrictions (limit users to specific sensor IDs), IP-based access control (Secure users tab), Microsoft Sign-In SSO integration (development feature), audit logging configuration, and user groups for permission templates. Troubleshooting includes IP restrictions, LDAP testing, and admin password reset via database.

Keywords: user management, users, permissions, access control, LDAP, custom login, authentication, sensor restrictions, IP restrictions, audit log, user groups, password reset, Microsoft Sign-In, SSO, can_cdr, can_pcap, is_admin

Key Questions:

  • How do I create a new user in VoIPmonitor?
  • How do I restrict a user to specific sensors?
  • How do I configure LDAP authentication for VoIPmonitor?
  • What permissions are available for VoIPmonitor users?
  • How do I reset the admin password in VoIPmonitor?
  • How do I restrict user login by IP address?
  • How do I enable audit logging for user actions?
  • How do I set up user groups with shared permissions?
  • Why can't a user log in to VoIPmonitor?
  • How do I configure Microsoft Sign-In for VoIPmonitor users?