Managing Users

Download this manual as a PDF file

This chapter describes how you can add administrators to Restorepoint and configure administrator roles.

Restorepoint supports three levels of user access:

Admin

Super User who has full access (can create/modify/delete devices and users, initiate backups/restores and change the appliance configuration). Admins also have an encryption password that allows Restorepoint to transition from the locked state to the normal state.

Backup

Backup Operator who can perform device backups and restores, but cannot modify devices, users, or appliance settings.

View Only

Monitor Operator who can only view existing backups, access logs, and verify that the system is operating normally.

 

Listing Logged-in Users

You can view a list of currently logged in users in the Logged-in Users tab (Administration > Users > Logged-in Users). The number of Logged-in users is also displayed on the dashboard (Info > Status).

Adding a New User

To add or modify administrators, navigate to the Users page (Administration > Users). Administrator passwords and encryption passwords, by default, must be at least 8 characters long. For more information, see Password Policies.

To add a new user:

  1. Navigate to the Users page (Administration > Users). The User Management page appears.

  2. Click Add User. The New User page appears:

    Image of the Restorepoint Add User page

  1. Complete the following fields on the Details tab:

    Full Name

    Enter the full name of the user

    Email

    Enter the user’s email address

    Role

    Select the privilege level from the drop-down list. See below for the privileges associated with each admin level.

    Disabled

    Select this checkbox to prevent the user from logging in.

    Allowed Networks

    If set, this field allows the user to connect to Restorepoint only from certain subnets. Enter an IP range in CIDR format in the IP Address/Mask box, and click Add.

  2. Complete the following fields on the Auth tab.

     

    Username

    Enter the new username. Usernames may be up to 16 characters long.

    Password

    Enter the password for the new user. By default, passwords must be between 8 and 24 characters long. The field color will range from red to green to indicate the password strength, according to the policy set in the Password Policies page. For more information, see Password Policies.

    Encryption Password

    This field appears if an Admin-level administrator is selected. The encryption password must be between 8 and 24 characters long, and must be different from the administrator password. The field color will range from red to green to indicate the password strength.

    Email activation link

    This field allows you to set up a user without specifying a password. The user will receive an activation email to let them set their own password.

    Expire Password

    This field allows you to override the global password expiry rules for this user. See Timeouts for the global password expiry settings.

    Use RADIUS

    Select this checkbox if you want the user to authenticate against an external RADIUS server. See RADIUS Authentication on how to configure a RADIUS server.

  3. Search for any domains that need to be associated for this user in the Domains tab.
    Image of the Restorepoint User Management page

  4. Click Save.

When a new administrator first logs in, they will be prompted to configure a password recovery question and answer. Restorepoint suggests that administrators assign an email and recovery question and answer in case you need to reset your password. For more information, see Password Reset.

Editing an Existing User

To edit the details of an existing user:

  1. Navigate to the Users page (Administration > Users).
  2. Click on the name of the user that you want to edit.
  3. Edit the user as needed and then click Save.

    4. Image of the Restorepoint Edit User page

  4. When editing an administrator's user details, there are two additional fields in the Auth tab:
  • Recovery Question/Answer. Type a Recovery Question / Answer for password recovery.
  • New Token. Generates and emails a new recovery token to the user. This allows the user to recover their encryption password, if forgotten. For more information, see Password Reset.

A new token is generated any time an administrator's recovery details are updated. Take note of the new token as this token will be used later if you forget your password.

Broadcasting to Users

You can use Restorepoint to send a notification message to a user or group of users. Select checkbox next to the users you want to message and click Broadcast. This opens the Broadcast Dialog, where you can enter the Text of the message, the Type of message to send, and how long the message should persist.

A UI message type appears as a pop-up in the User’s UI session. If the user is not currently logged in, the message will appear when they log in to the appliance until the Persist time is reached. An Email message type will send the notification to the User’s email address registered on the appliance.

Deleting a User

To delete one or more existing users:

  1. Select the checkboxes of the users you want to remove.

  2. Click Delete.

Password Reset

Restorepoint provides a password reset mechanism based on two-factor authentication.

Password Recovery Configuration

During the initial configuration procedure, or when an administrator logs in for the first time, the following information must be set:

  • A password recovery question and related answer. For security reasons, only an administrator should know these.

  • The administrator’s email address.

    Image of the Restorepoint Recovery page

Restorepoint will then email a recovery token, which can be used by the administrator to reset their password and encryption password, if the administrator knows the recovery question and answer.

Recovery Procedure

When logging on with an incorrect password for the given account, the Forgotten password link displays:

Image of the Restorepoint Login page

To reset your password:

  1. Click the Forgotten password? link and the Reset Password pane displays.
  2. Complete the following fields:
  • Username. Type your Restorepoint username.
  • Recovery Token. Enter your recovery token. This field only displays and is only required for administrators.
  • Recovery Question. Administrators should have entered a recovery question when you set up your Restorepoint account. Your recovery question displays then type your recovery question answer. This field only displays and is only required for administrators.
  • New Password. Type a new password.
  • Confirm Password. Type the same password you entered above.
  • New Encryption Password. Type a new encryption password. This field is only required for administrators.
  • Confirm New Encryption Password. Type the same password you entered above. This field is only required for administrators.
  1. Click Reset Password and if your reset is successful, a notification appears.

Users with specific permissions can change another user's password.

Custom User Roles

In addition to the standard built-in administrator roles ( Admin, Backup, and View Only), which cannot be edited, it is possible to define custom roles that define which product elements are accessible to the user. This feature is only available with an Enterprise license.

In order to define a custom role:

  1. Navigate to the User Roles page (Administration > User Roles).

  2. Click Add Role, and enter a name for the role.

  3. Select the allowed actions for this role.

    4. Image of the Restorepoint Add Role page

  1. Click the Users tab to assign this role to one or more existing users.

    2. Image of the Restorepoint Add Role page

  1. Click Save.

After you add a role, it is immediately available in the Role drop-down on the Edit User page. Note that any changes to custom roles take effect immediately upon save.

For example, you can create a user role called Compliance Officer that can only create and modify compliance rules, and apply those to devices.

Image of the Restorepoint Edit User page

In addition to the global View (read-only) and Modify (read-write) permissions, you can allow the following actions:

Reports

Backup

Allows backup reports

Config

Allows configuration reports

Assets

Allows assets reports

Compliance

Allows compliance reports

Admin

Allows administration reports

Monitor

Allows monitoring reports

Dashboard

Allows dashboard reports

Modify

Allows users to modify and schedule reports

Logs

View Logs

Allows users to view the system log

View Syslogs

Allows users to view the device syslogs

Devices

View

Allows users to view the device list and device details (excluding authentication details)

View Auth

Allows users to view device authentication details

Backup

Allows device backup operations

Command

Allows device remote control

Configurations

List

Allows users to view the device configuration list

Export

Allows users to export device configurations

Restore

Allows users to restore a configuration to a device

Templates

List

Allows users to view the template list

Push

Allows users to push templates to devices

Firmware

Push

Allows users to push firmware images to devices

Assets

List

Allows users to view custom asset fields

Compliance Rules

Apply

Allows users to apply compliance rules to devices

System

Archive

Allows system archive operations

Users

View

Allows user to view the user list and user details (excluding authentication details)

View Auth

Allows users to view user authentication details

Authentication Servers

RADIUS Authentication

You can use this page to configure parameters for authenticating administrators via RADIUS. If Use RADIUS is selected for a user, Restorepoint will use RADIUS instead of the internal authentication database. Restorepoint supports the PAP and CHAP (not MS-CHAP) authentication protocols.

NAS Identifier

a string identifying Restorepoint to the RADIUS server

Primary Server

Address

IP address of the RADIUS server

Port

UDP port used by the RADIUS server (usually 1812)

Secret

a string shared between Restorepoint and the RADIUS Server

Secondary Server (optional)

A second RADIUS server, configured as above.

LDAP Authentication

This page can be used to connect to an LDAP (Active Directory) user authentication server.

Base DN

The top-level LDAP DN. This is usually (but not always) the DNS domain name, such as dc=company,dc=com.

User Search

Base DN

for example, cn=users,dc=company,dc=local

Username Field

what LDAP field to use as the Restorepoint login id, for instance uid or samAccountName.

Group Search

Base DN

for example, cn=security groups,dc=company,dc=local.

Search String

the group search filter, for instance objectClass=Group or objectClass=posixGroup, depending on the directory type.

Primary Server

Address

IP address of the LDAP server.

Port

UDP port used by the LDAP server (usually 389). LDAP over SSL may use 636. Use 3268 to query the Active Directory Global Catalogue (useful for multi-domain forests).

Bind DN

the DN to bind the LDAP with. For instance, gbh.

Bind Password

the bind password for the LDAP Server.

Use TLS

allows you to require encrypted connections to the LDAP Server.

Secondary Server (optional)

A secondary LDAP server

LDAP users will need to be assigned a role from the Administration > Users > LDAP Users tab before they can log in.

SAML Authentication

This page can be used to connect to a SAML authentication server.

Service Provider Settings

ACS URL

The ACS URL to communicate with your SAML server.

Entity ID

The entity ID to communicate with your SAML server.

Identity Provider Settings

IdP Metadata

The IdP metadata for your system.