Managing users and their access permissions

To restrict access to the administrator portal and self-service portal, as well as to their sections, subsections and functions, the solution implements a role-based access control (RBAC) model: every user account is assigned a role that determines what it can see and do.

Deploying the solution creates two accounts: the Administrator user with the administrator role and the User user with the tenant role.

You can create local users, LDAP users, and LDAP user groups; local user groups are not supported. Credentials of local users are stored in the orchestrator database. Credentials of LDAP users and LDAP user groups are not stored by the orchestrator at all: they remain on the remote directory server. Supported servers are a remote OpenLDAP server with Simple SSL authentication and Microsoft Active Directory with Kerberos authentication or Kerberos SSL authentication.

You must first create an LDAP connection, which the orchestrator uses to reach the remote server, and only then create LDAP users and/or LDAP user groups. Once created, LDAP users and members of LDAP user groups log in to the orchestrator web interface with their directory credentials.

Two-factor authentication

To raise the overall security level of the solution, you can require users to complete two-factor authentication based on the Time-based One-Time Password (TOTP) algorithm (RFC 6238). Two-factor authentication can be enabled or disabled globally for all users, or per account when creating or editing local users, LDAP users, and LDAP user groups.

If two-factor authentication is enabled for a user, a unique QR code is generated the next time that user logs in to the orchestrator web interface. The user scans this QR code with any RFC 6238 compliant software or hardware authenticator, such as Kaspersky Password Manager, Google Authenticator, Yandex Key, or Microsoft Authenticator. The authenticator then produces a one-time code that the user enters to complete two-factor authentication and log in. Because the QR code carries the shared TOTP secret, it must be shown only to the user who is enrolling and must not be captured, forwarded or stored. A user who enters the one-time code incorrectly more than five times is blocked for 30 minutes.

Once enrolled, the user logs in to the orchestrator web interface with a user name, password, and the current one-time code from the authenticator. If necessary (for example, after the authenticator device is lost or replaced), you can require the user to complete two-factor authentication again.

TOTP codes are derived from the current time in 30-second steps, so if the clocks of the orchestrator and the authenticator differ by more than 30 seconds, two-factor authentication may fail. Synchronize the orchestrator's time with an NTP server, and make sure the authenticator device (usually a phone) also keeps its clock synchronized.
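The following Python script is an added example that is not part of this Help section or of the orchestrator's code. It implements RFC 6238 TOTP as the orchestrator and the authenticator must both compute it, shows what the enrollment QR code carries (an otpauth URI, which is the conventional layout and an assumption here, as are the 6-digit SHA-1 parameters), applies the lockout rule from the text (more than five wrong codes blocks the user for 30 minutes), and demonstrates why a clock difference above one 30-second step makes verification fail. The secret is the RFC 6238 test-vector secret, used here as constructed sample input; a one-step acceptance window is assumed because the orchestrator's actual tolerance is not documented beyond the 30-second statement.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Constructed sample input: the RFC 6238 test secret (ASCII "12345678901234567890").
RFC6238_SECRET = b"12345678901234567890"
STEP = 30          # time step in seconds; the 30 s tolerance in the text is one step
DIGITS = 6         # assumed code length (RFC 6238 allows 6-8)
SKEW_STEPS = 1     # assumed: accept the adjacent step on either side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, skew_steps: int = SKEW_STEPS) -> bool:
    """Server-side check: accept the code for the current step and +/- skew_steps.

    A clock offset of up to one step (30 s) lands in the window; larger offsets
    produce a code for a step the server no longer accepts, which is the failure
    mode described in the text.
    """
    counter = unix_time // STEP
    for c in range(counter - skew_steps, counter + skew_steps + 1):
        if hmac.compare_digest(hotp(secret, c), code):  # constant-time compare
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Content an enrollment QR code carries for an RFC 6238 authenticator (assumed layout).

    Anyone who scans or copies this URI holds the shared secret, which is why the
    QR code must be shown only to the enrolling user.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


class LoginGuard:
    """Lockout rule from the text: more than five wrong codes -> blocked for 30 minutes."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 30 * 60

    def __init__(self, secret: bytes):
        self.secret = secret
        self.failures = 0
        self.blocked_until = 0

    def attempt(self, code: str, unix_time: int) -> str:
        """Returns "ok", "wrong" or "blocked" for one login attempt at unix_time."""
        if unix_time < self.blocked_until:
            return "blocked"
        if verify_totp(self.secret, code, unix_time):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures > self.MAX_FAILURES:      # the sixth wrong code triggers the block
            self.blocked_until = unix_time + self.LOCKOUT_SECONDS
            self.failures = 0
            return "blocked"
        return "wrong"


if __name__ == "__main__":
    print(provisioning_uri(RFC6238_SECRET, "admin", "orchestrator"))
    # Authenticator clock at t=59 (step 1); server clock 30 s and 45 s ahead.
    code = totp(RFC6238_SECRET, 59)
    print("drift 30 s accepted:", verify_totp(RFC6238_SECRET, code, 89))
    print("drift 45 s accepted:", verify_totp(RFC6238_SECRET, code, 104))
```

Running the script prints the otpauth URI for the test secret and shows the code for t=59 accepted at t=89 (one step later) but rejected at t=104 (two steps later), which is exactly the behaviour to expect when the orchestrator and the phone are not both on NTP time.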

Access permissions

If necessary, you can create access permissions that define which sections and subsections of the orchestrator web interface, and which actions, are available to a user, and assign them when creating or editing LDAP users and/or LDAP user groups. For example, an access permission can deny access to the Catalog section and prohibit creating network service templates.

By default, LDAP users and groups have the Full Access permission, which grants full access to all functionality of the solution. Follow the principle of least privilege: create restricted access permissions and assign them to the directory users and groups that do not need full control of the orchestrator, rather than leaving the default in place.

Confirmation requests

When creating or editing a user, you must specify whether a confirmation request is created automatically whenever that user performs an action. A confirmation request can be confirmed, denied, or deleted; the associated action is performed only when the request is confirmed. Denied confirmation requests are kept in the orchestrator web interface.

User sessions

User sessions are managed with two functions: limiting the duration of a user session, and viewing and ending active user sessions.

In this Help section

Managing access permissions

Managing LDAP connections

Managing users

Managing LDAP user groups

Enabling or disabling two-factor authentication for all users

Managing confirmation requests

Limiting the duration of a user session

Viewing and ending active user sessions
