User Management

From VoIPmonitor.org
Revision as of 10:39, 6 January 2026 by Admin (talk | contribs) (Add documentation for SIP domain restrictions and OR/AND logic for combining user restrictions)


This guide provides a comprehensive overview of how to create and manage user accounts, permissions, and access restrictions within the VoIPmonitor web GUI.

Important: Local GUI vs. voipmonitor.org Portal

This page covers user management for your local VoIPmonitor GUI installation.

If you are looking for information about managing users for your voipmonitor.org account (the billing and portal website at https://www.voipmonitor.org), that is handled separately from your local VoIPmonitor installation.

To manage users in the voipmonitor.org portal:

How to Invite a New User

To add a new contact or user to your voipmonitor.org portal:

  1. Log in to https://www.voipmonitor.org using your main account email address
  2. In the top-right corner, click on the Hello [Name] dropdown menu
  3. Select User management
  4. From the User management section, send an invitation by entering the new user's email address
  5. The system will send them an email invitation to set their password and log in

Important Note: Only the main account holder has access to the User management feature to invite new users. If you are unable to see the User management option, you may not have the appropriate permissions.

Troubleshooting Invitation Emails

If a newly invited user does not receive their password setup invitation email:

  • Check the user's Spam, Junk, or Promotions folders (most common cause)
  • Verify the email address was entered correctly
  • Invitation links are typically valid for 24 hours
  • If the email cannot be found, contact VoIPmonitor Support with the correct email address to manually resend the invitation

Requesting Support for Invitations:

If you are unable to use the User management feature (for example, if you are not the main account holder) and need to create new portal users, you can request assistance from VoIPmonitor Support. Support can send invitations to contacts listed under Account Details -> Contacts to convert them into portal users.

  • Make sure the recipient email addresses are listed in your Account Details > Contacts section
  • Contact VoIPmonitor Support and request that invitations be sent to the listed contacts
  • Support can also resend expired or missing invitations upon request

The users you create in the voipmonitor.org portal are separate from the users you create here in your local VoIPmonitor GUI.

Introduction to User Management

VoIPmonitor allows you to create multiple user accounts, each with a specific set of permissions and data access restrictions. This is essential for providing secure, role-based access to your call data.

Important Default Behavior:

  • A fresh VoIPmonitor installation starts with a single default user: admin with the password admin.
  • The moment you create your first new user, this default `admin/admin` account is automatically deleted.
  • Golden Rule: Your very first action should be to create a new, personal administrator account with a strong password. If you create a non-admin user first and log out, you will lose administrative access to the GUI.

How to Create or Edit a User

All user management is done by navigating to the user management section of the GUI. Depending on your GUI version, this can be accessed via:

  • GUI -> Users & Audit -> Users (recommended approach for current versions)
  • Settings -> Users (alternate navigation in some versions)

  • To create a new user, click the New user button.
  • To edit an existing user, click the pencil icon next to their username in the list.

Changes made to a user's permissions will only take effect after that user logs out and logs back in.

The New/Edit User form where all permissions and restrictions are configured.

Understanding User Permissions

User permissions are divided into two main levels, controlled by a single checkbox.

Administrator vs. Standard User

Is administrator
This is the most important permission.
  • Checked (Admin): The user has full, unrestricted access to all GUI features, including creating other users, configuring sensors, and viewing all call data.
  • Unchecked (Standard User): The user has limited access. They cannot see the "Settings" menu, and their view of call data can be restricted based on the settings below.

Feature and Data Access Permissions

These checkboxes control a user's access to specific features and data types.

Core Data Access

Can download PCAP
Allows the user to download the full network packet capture for a call.
Can listen
Allows the user to play or download the audio recording (WAV/OGG) of a call.
Remove RTP from PCAP
A security feature. If a user with this permission downloads a PCAP, the audio portion (RTP stream) will be automatically stripped from the file, leaving only the signaling data (SIP).

GUI Feature Access

Simple CDR
Hides advanced QoS and network metrics (MOS, jitter, packet loss) from the CDR view. This is ideal for users (e.g., in a call center) who only need to see basic call information and listen to recordings.
Enable capture rules
Allows the user to view and manage call recording rules.
Enable alerts
Allows the user to create, edit, and view alerts in the reporting section.
Enable audit
Grants access to the Audit Log, which tracks actions taken by other users.
Options:
  • Yes/checked: User can view audit logs and needs to manually fill out audit forms when performing actions
  • Auto: Enables automatic audit log generation without requiring the user to fill out a form. The system automatically generates audit entries for user actions using a predefined message template. See GUI Configuration for customization options.
  • No/unchecked: User cannot view audit logs (access denied)
Hide CDR groups
When checked, this permission hides the bottom panel in the CDR view that contains the CDR/messages groups dashboard. If users are not seeing charts or panel information at the bottom of the CDR view, ensure this checkbox is not enabled (or uncheck it to show the panel).
And others: Permissions like `Enable active calls`, `Enable register`, and `Enable live sniffer` grant access to their respective sections in the GUI.

Sharing Permissions

Enable local share CDR
Allows the user to generate a shareable link for a specific call that can be viewed by others within your organization.
Enable share.voipmonitor.org
Allows the user to share a call publicly via the voipmonitor.org sharing service.

Restricting User Access to Call Data

For standard (non-admin) users, it is crucial to restrict which calls they are allowed to see. This is done using three primary methods on the user's edit page.

1. Restriction by IP Address

The IP addresses text box allows you to limit a user to seeing only calls that involve specific IP addresses or subnets.

  • Enter one IP address or CIDR network per line (e.g., `192.168.1.10` or `10.0.0.0/8`).
  • The user will only see calls where either the source or destination IP address matches an entry in this list.

Important: What IPs Are Matched

The filter_ip feature matches SIP call endpoint IP addresses only - specifically the source and destination IP addresses extracted from SIP signaling packets (INVITE, etc.).

Limitation: Proxy IPs Are NOT Matched
IP-based user restrictions do NOT filter by intermediate proxy, SBC, or B2BUA IP addresses in the call path. Only the two endpoints involved in the SIP dialog are considered.

For example, if a call flows through a proxy (Phone A -> Proxy -> Carrier):

  • Adding the proxy IP to a user's restrictions will NOT work (an entry for the SBC's IP, such as `10.1.1.1`, is ignored)
  • Only endpoint IPs (Phone A and Carrier) can be used for filtering

This is a limitation of the current implementation. If you need to control access based on proxy IP addresses, a feature request for this ([VG-2923]) is tracked for future development. Custom development may be available as a paid service - contact VoIPmonitor Support for details.

2. Restriction by Telephone Number

The Tel. Numbers text box limits a user based on the caller or called number.

  • Enter one number or prefix per line.
  • You can use the `%` character as a wildcard. For example, `4420%` will allow the user to see all calls to or from numbers starting with `4420`.

2.5. Restriction by SIP Domain

The Domain text box allows you to restrict a user to seeing only calls involving specific SIP domains.

  • Enter one SIP domain per line (e.g., `customerA.example.com`, `sip.customerB.com`).
  • The user will only see calls where any domain in the SIP signaling (From, To, Request-URI, etc.) matches an entry in this list.
  • This is useful when customers are using SIP domains as identifiers rather than IP addresses or phone numbers.

Combining Multiple Restriction Types

When you configure multiple restriction types (IP addresses, telephone numbers, domains), the system uses a logic operator to determine which calls the user is allowed to see.

OR logic
The user can see calls that match any of the configured restrictions. For example, if you have IP restrictions and telephone number restrictions set, the user sees calls that match the IP restrictions OR calls that match the telephone number restrictions.
AND logic
The user can only see calls that match all of the configured restrictions at the same time. This is more restrictive - a call is shown only if it satisfies the IP restrictions AND the telephone number restrictions simultaneously.

To configure the logic operator, use the checkbox at the bottom of the restrictions area. The exact text and location may vary depending on your GUI version.
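
The restriction rules above can be modelled as a small predicate to reason about what a given configuration will expose. This is an added example, not VoIPmonitor's own code: the `Call` and `Restrictions` types and all function names are hypothetical, the sample call is constructed, and it assumes that entries without `%` match exactly and that only restriction types with entries take part in the OR/AND decision.

```python
import ipaddress
import re
from dataclasses import dataclass, field

@dataclass
class Call:
    src_ip: str          # SIP endpoint addresses (the only IPs the filter sees)
    dst_ip: str
    caller: str
    called: str
    domains: tuple = ()  # domains taken from From, To, Request-URI
    via_ips: tuple = ()  # proxies/SBCs in the call path; never consulted

@dataclass
class Restrictions:
    ips: list = field(default_factory=list)      # "IP addresses" box
    numbers: list = field(default_factory=list)  # "Tel. Numbers" box
    domains: list = field(default_factory=list)  # "Domain" box
    use_and: bool = False                        # False = OR logic

def ip_match(call, entries):
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    ends = [ipaddress.ip_address(a) for a in (call.src_ip, call.dst_ip)]
    return any(a in n for a in ends for n in nets)

def number_match(call, patterns):
    for p in patterns:
        # '%' matches any run of characters; assumption: no '%' means exact match
        rx = re.compile(".*".join(re.escape(s) for s in p.split("%")))
        if rx.fullmatch(call.caller) or rx.fullmatch(call.called):
            return True
    return False

def domain_match(call, entries):
    wanted = {d.lower() for d in entries}  # SIP host names are case-insensitive
    return any(d.lower() in wanted for d in call.domains)

def visible(call, r):
    # Assumption: only restriction types that have entries are evaluated,
    # and a user with no entries at all is unrestricted.
    pairs = ((ip_match, r.ips), (number_match, r.numbers), (domain_match, r.domains))
    checks = [fn(call, vals) for fn, vals in pairs if vals]
    if not checks:
        return True
    return all(checks) if r.use_and else any(checks)

# Constructed sample: Phone A -> Proxy (10.1.1.1) -> Carrier
CALL = Call("192.168.1.10", "203.0.113.7", "442012345678", "15551234567",
            domains=("customerA.example.com",), via_ips=("10.1.1.1",))

if __name__ == "__main__":
    both = dict(ips=["192.168.1.0/24"], numbers=["33%"])
    print("proxy IP only:", visible(CALL, Restrictions(ips=["10.1.1.1"])))
    print("OR  logic    :", visible(CALL, Restrictions(**both)))
    print("AND logic    :", visible(CALL, Restrictions(**both, use_and=True)))
```

Running the same restriction lists through both modes before saving a user shows whether OR logic exposes more calls than intended.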

3. Restriction by Sensor

By default, all users can see calls from all sensors. In a multi-sensor deployment, you can restrict a user to data from specific sensors.

  • Click the Sensors tab on the user's edit page.
  • Check the boxes next to only those sensors this user should be able to see data from.

The Sensors tab allows you to assign specific data sources to a user.

Restricting GUI Login by Source IP Address

In addition to restricting what call data a user can see, you can also restrict where a user can log in from by whitelisting specific source IP addresses. This is a security feature that allows clients to access the GUI only from authorized network locations.

Difference: Data Visibility vs. Login Access

It is important to understand the distinction between the two IP-related restrictions:

  • IP Addresses field (in the main user edit screen): Controls which call data the user can see. The user can log in from anywhere, but will only see calls involving the specified IP addresses.
  • Enable remote addresses (in the "Secure users" tab): Controls where the user can log in from. The user can only access the GUI login page from the specified whitelisted IP addresses.

How to Configure IP-Based Login Restrictions

To restrict GUI login access by source IP address:

  1. Navigate to GUI -> Users & Audit -> Users
  2. Edit the user account for which you want to restrict access
  3. Click the Secure users tab
  4. In the Enable remote addresses field, enter the list of allowed source IP addresses
  5. Enter one IP address or CIDR per line (e.g., `192.168.1.10` or `10.0.0.0/24`)
  6. Click Save to apply the changes

Once configured, users will be able to access the GUI login form only from the IP addresses listed. Attempts to log in from other IP addresses will be blocked.

Important Use Cases:

  • Provide client access to your VoIPmonitor GUI while restricting them to specific office networks
  • Allow remote access only from specific VPN ranges or partner networks
  • Implement additional security for sensitive accounts by limiting login locations

Emergency: Recovering a Lost Admin Password

If you have lost access to all administrator accounts, you cannot reset passwords through the GUI. You must perform an emergency reset directly in the database.

Warning: These commands directly modify your database. Proceed with caution.

Option A: Delete All Users (Clean Slate)

This command will delete all user accounts, resetting the GUI to its initial state where the `admin/admin` user is active.

echo "DELETE FROM users;" | mysql voipmonitor

You can then log in with `admin/admin` and recreate your user accounts.

Option B: Add a Temporary Admin User

This command inserts a new, temporary user named test with the password testtest and full administrator rights.

echo "INSERT INTO users SET username='test', name='test', password=MD5('testtest'), is_admin=1;" | mysql voipmonitor

After running this, log in as `test/testtest`, reset the password of your original admin account, and then immediately delete the temporary `test` user from within the GUI.

AI Summary for RAG

Summary: This guide provides a comprehensive overview of user management in the VoIPmonitor GUI. It begins by clarifying the distinction between local VoIPmonitor GUI users and users in the voipmonitor.org web portal (the voipmonitor.org portal is managed separately at https://www.voipmonitor.org under the dropdown menu's "User management" section where you can send invitations). It explains that only the main account holder can invite new users to the portal. Portal invitation troubleshooting steps include checking spam/junk folders (most common cause), verifying email addresses, noting 24-hour invitation validity, and contacting support for manual resend. For users without User management access, support can send invitations to contacts listed under "Account Details > Contacts" to convert them into portal users. The guide then explains the default `admin/admin` account and the critical rule that it is deleted upon the creation of the first new user. It details the process of creating and editing users via "GUI -> Users & Audit -> Users" (recommended) or "Settings -> Users" (alternate), and explains the key permission fields, distinguishing between an "Is administrator" account and a standard user. It covers permissions for data access (PCAP, audio), feature access (simple CDR which hides MOS/jitter/loss, capture rules, alerts, audit log, and "Hide CDR groups" which controls the CDR bottom panel visibility), and sharing. A major section is dedicated to restricting user access to specific calls, detailing how to filter a user's view by IP address, telephone number prefix, and by specific sensors in a multi-sensor deployment. CRITICAL LIMITATION: The IP-based filtering (filter_ip) feature matches ONLY SIP call endpoint IP addresses extracted from INVITE signaling packets. Intermediate proxy, SBC, or B2BUA IP addresses in the call path are NOT matched and cannot be used for user restrictions. This is a documented limitation (feature request VG-2923) requiring custom development for proxy-based filtering. It also documents the "Secure users" tab with "Enable remote addresses" field for whitelisting GUI login access by source IP address (restricting where users can log in from). Finally, it provides two emergency command-line procedures for recovering lost admin access by directly modifying the database: one to delete all users and reset to default, and another to insert a temporary admin account.

Keywords: user management, users, permissions, rights, access control, administrator, admin, standard user, restrict, filter, IP address, telephone number, domain, SIP domain, sensor, password reset, lost password, `DELETE FROM users`, voipmonitor.org portal, web portal, invitation, invite new user, User management menu, simple CDR, MOS, jitter, packet loss, hide CDR groups, CDR panel visibility, chart panel, bottom panel, GUI users & audit, secure users, enable remote addresses, whitelist IP, login restriction, source IP, Account Details, Contacts, support invitation, invitation troubleshooting, spam folder, invitation expired, proxy IP, SBC IP, intermediate IP, filter_ip limitation, VG-2923, endpoint IP, SIP dialog IP, proxy filtering limitation, custom development, OR logic, AND logic, combining restrictions

Key Questions:

  • How do I create a new user in VoIPmonitor?
  • What is the difference between an admin and a standard user?
  • Why does IP-based filtering not work for proxy IP addresses?
  • Can I filter users by proxy, SBC, or B2BUA IP addresses?
  • The filter_ip feature only matches SIP call endpoint IPs, not intermediate proxy IPs (limitation: VG-2923)
  • How can I restrict a user to only see calls from a specific customer or IP range?
  • How can I restrict a user by SIP domain?
  • What is the difference between OR and AND logic when combining user restrictions?
  • How can I limit a user's access to only certain sensors?
  • What do the permissions like "Simple CDR" or "Can download PCAP" do?
  • Why is the chart panel or MOS information not visible for a specific user in the CDR view?
  • How do I enable or disable the CDR groups panel for a user?
  • I lost my admin password, how can I get back into the GUI?
  • What is the default username and password for VoIPmonitor?
  • How do I invite a new user to my voipmonitor.org account?
  • What is the difference between local VoIPmonitor GUI users and voipmonitor.org portal users?
  • How do I send an invitation to a new user on voipmonitor.org?
  • Where is the User management option in the voipmonitor.org portal?
  • How to troubleshoot missing invitation emails for voipmonitor.org portal users?
  • Only the main account holder can invite new users to the voipmonitor.org portal
  • How do I restrict GUI login access by source IP address?
  • What is the Secure users tab used for?
  • How do I whitelist IP addresses for GUI login?
  • What is the difference between the IP addresses field and Enable remote addresses?
  • How can I allow clients to access the GUI only from specific networks?
  • How do I request support to send portal invitations if I cannot access User management?
  • Where should contact emails be listed for support to create portal users?
  • Can support send invitations to contacts listed under Account Details -> Contacts?