Users

Users: Authentication, Authorization, and Access Control in rConfig V8

User management in rConfig V8 provides comprehensive control over system access, authentication, and authorization. This addresses the challenge of securing network configuration management systems that contain sensitive device credentials, configuration data, and network architecture information requiring strict access controls.

Organizations can leverage rConfig’s user management capabilities to implement role-based access control (RBAC), integrate with enterprise authentication systems (SSO/LDAP), and maintain detailed audit trails of user activity for compliance and security monitoring.

rConfig V8 supports multiple authentication methods to integrate with existing enterprise identity infrastructure:

Local users: Created directly in rConfig with username/password stored in the rConfig database. Suitable for small deployments, lab environments, or when external authentication is unavailable.

SSO users: Authenticate via Single Sign-On integration (SAML, OAuth). User accounts are created automatically upon first successful SSO login. Suitable for enterprise environments with centralized identity management.

LDAP users: Authenticate against Active Directory or other LDAP directories. User accounts sync from directory services. Suitable for organizations standardized on LDAP-based authentication.

All user types follow the same authorization model once authenticated, with permissions defined by assigned roles regardless of authentication method.

rConfig V8 implements an approval workflow for SSO and LDAP users to prevent unauthorized self-registration:

How approval works:

  1. User authenticates successfully via SSO or LDAP
  2. rConfig creates user account in “pending approval” state
  3. User cannot access rConfig until administrator approves account
  4. Administrator reviews pending users and approves legitimate accounts
  5. Approved users gain access according to assigned role

This workflow prevents external authentication systems from granting automatic rConfig access, maintaining administrator control over who can access sensitive network configuration data.

rConfig V8 uses roles to define user permissions. Each user is assigned exactly one role determining their access level:

Admin: Full system access including user management, system settings, and all operational functions.

User: Standard operational access for device management, configuration downloads, and compliance monitoring. Cannot modify system settings or manage users.

Read-only: View-only access to devices, configurations, and reports. Cannot modify any system data or execute operations.

Custom roles: Organizations can define additional roles with granular permissions tailored to specific operational requirements.

Roles simplify permission management by grouping related capabilities. Changing a user’s role immediately updates all associated permissions without individual capability assignments.

To manage users:

  1. Navigate to Users from the main navigation menu
  2. The user list displays all accounts with username, email, role, status, and activity indicators
  3. Use search and filters to locate specific users
  4. Click action icons to edit, approve, or delete users

To create a new local user account:

  1. From the Users page, click New User
  2. Complete the user form:
    • Username: Unique identifier for login (alphanumeric, no spaces)
    • Email: Valid email address (must be unique across all users)
    • Password: Strong password meeting complexity requirements
    • Confirm Password: Re-enter password for verification
    • Role: Select appropriate role defining user permissions
  3. Optionally disable email notifications if user should not receive system alerts
  4. Click Save to create the user

The new user can log in immediately using the provided credentials.

To modify existing user accounts:

  1. From the Users page, locate the user to modify
  2. Click the edit icon in the user row
  3. Modify any fields except username (usernames are immutable)
  4. Update password by entering new password in both password fields
  5. Change role assignment if needed
  6. Toggle notification preferences
  7. Click Save to commit changes

Changes take effect immediately. Users logged in when their role changes must log out and back in for new permissions to apply.

To approve pending external authentication users:

  1. Navigate to the Users page
  2. Pending users display with “Pending Approval” status indicator
  3. Review user details to verify legitimacy:
    • Verify email domain matches your organization
    • Confirm user should have rConfig access
    • Validate with user’s manager if necessary
  4. Click the approve icon in the user row
  5. Assign appropriate role during approval
  6. User receives notification of approval and can now access rConfig

Reject suspicious or unauthorized pending accounts by clicking the delete icon. Rejected users cannot access rConfig and must contact administrators for assistance.

To modify a user’s role assignment:

  1. From the Users page, locate the user
  2. Click the three-dot menu icon in the user row
  3. Select Change Role from the menu
  4. A dialog displays showing current role
  5. Select the new role from the dropdown
  6. Click Save to apply the role change

Role changes take effect immediately for new sessions. Users currently logged in should log out and back in to activate new permissions.

To prevent specific users from receiving email notifications:

  1. Edit the user account
  2. Toggle Email Notifications to disabled state
  3. Save changes

Disabled notifications prevent the user from receiving:

  • Device connection failure alerts
  • Scheduled task completion notifications
  • Compliance policy violation alerts
  • System maintenance announcements

Users can still view all information through the web interface; they simply won’t receive email notifications.

To remove user accounts:

  1. From the Users page, locate the user to delete
  2. Click the delete icon in the user row
  3. Confirm deletion when prompted

Deleting users does not remove their activity from audit logs. Historical records of actions performed by deleted users remain for compliance and forensic purposes.

The User Activity Log provides a comprehensive audit trail of all authentication events:

Captured events:

  • Successful login attempts with timestamp and source IP
  • Failed login attempts with reason (invalid password, account locked, etc.)
  • Logout events
  • Password changes
  • Role modifications
  • Account approval actions

This audit trail supports security monitoring, compliance reporting, and forensic investigation of unauthorized access attempts.

To view user activity:

  1. Navigate to Users > Activity Log
  2. The log displays all authentication events in reverse chronological order
  3. Use filters to narrow results:
    • User: View activity for specific user
    • Event type: Filter by login, logout, failed attempt, etc.
    • Date range: Limit to specific time period
    • IP address: Find activity from particular source
  4. Export log data for external analysis or compliance reporting

Security indicators to monitor:

Multiple failed logins: Repeated failed authentication attempts may indicate brute force attacks. Investigate the source IP and consider blocking if malicious.

Unusual login times: User authentication outside normal working hours may indicate compromised credentials. Verify with user that activity was legitimate.

Impossible travel: Login from geographically distant locations within short timeframes (e.g., New York then Singapore 30 minutes later) suggests credential sharing or compromise.

Login after termination: Authentication by users whose employment ended indicates incomplete offboarding. Disable accounts immediately.

Anomalous IP addresses: Logins from unexpected countries or IP ranges may indicate unauthorized access. Investigate source and lock account if suspicious.

Regular review of the User Activity Log (daily for high-security environments, weekly for standard environments) enables early detection of security incidents before they cause damage.

Eliminate default accounts immediately: Upon installation, create a new administrator account using your organization’s email domain and delete the default [email protected] account. Default accounts are well-known targets for attackers.

Enforce strong password policies: Configure password complexity requirements (minimum length, character diversity) and rotation policies. While rConfig provides basic password validation, consider integrating with enterprise password policy enforcement systems.

Implement least privilege access: Assign users the minimum role necessary for their job functions. Default to “User” or “Read-only” roles unless administrative access is genuinely required. Excessive permissions increase risk of accidental or malicious damage.

Review user accounts quarterly: Conduct periodic access reviews to identify orphaned accounts (employees who left), excessive permissions (users with more access than needed), or unused accounts (never logged in). Disable or delete identified accounts.

Require multi-factor authentication: When using SSO integration, ensure your identity provider enforces MFA. For local accounts, implement time-based one-time passwords (TOTP) or other second-factor authentication to protect against credential theft.

Monitor failed login attempts: Configure alerting for repeated failed authentication attempts indicating brute force attacks or credential stuffing. Consider implementing account lockout after a threshold of failures (e.g., 5 attempts in 15 minutes).
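The failed-login threshold suggested above (5 attempts in 15 minutes) and the "Multiple failed logins" indicator from the Activity Log section can be checked offline against an exported log. This is an added example, not rConfig code; the CSV column names, event labels and sample rows are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export (newest first). Column names and event labels are
# assumptions; map them to the fields in your real Activity Log export.
SAMPLE_EXPORT = """timestamp,username,event,source_ip
2025-03-04 09:01:00,akhan,login_success,192.0.2.10
2025-03-04 02:16:30,jsmith,login_success,203.0.113.50
2025-03-04 02:14:10,jsmith,login_failed,203.0.113.50
2025-03-04 02:13:40,jsmith,login_failed,203.0.113.50
2025-03-04 02:12:55,admin,login_failed,203.0.113.50
2025-03-04 02:11:20,admin,login_failed,203.0.113.50
2025-03-04 02:10:05,admin,login_failed,203.0.113.50
2025-03-04 01:40:00,mlee,login_failed,198.51.100.7
2025-03-04 01:30:00,mlee,login_failed,198.51.100.7
2025-03-04 01:20:00,mlee,login_failed,198.51.100.7
2025-03-04 01:10:00,mlee,login_failed,198.51.100.7
2025-03-04 01:00:00,mlee,login_failed,198.51.100.7
"""
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

def failed_login_bursts(rows, threshold=5, window=timedelta(minutes=15)):
    """Flag source IPs with `threshold` failed logins inside one sliding
    `window`, and record any successful login from that IP afterwards."""
    recent = defaultdict(deque)  # source_ip -> failures still inside the window
    alerts = {}
    for row in sorted(rows, key=lambda r: r["timestamp"]):  # oldest first
        ip = row["source_ip"]
        ts = datetime.strptime(row["timestamp"], TS_FORMAT)
        if row["event"] == "login_failed":
            q = recent[ip]
            q.append((ts, row["username"]))
            while ts - q[0][0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"first": q[0][0], "reached": ts,
                              "targets": sorted({u for _, u in q}),
                              "success_after": []}
        elif row["event"] == "login_success" and ip in alerts:
            alerts[ip]["success_after"].append(row["username"])
    return alerts

if __name__ == "__main__":
    rows = list(csv.DictReader(io.StringIO(SAMPLE_EXPORT)))
    for ip, hit in failed_login_bursts(rows).items():
        print(ip, hit["targets"], "success after burst:", hit["success_after"])
```

A non-empty `success_after` list is the case to escalate first: the same source that produced the burst then authenticated successfully, so the named account's password should be reset and its sessions reviewed.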

Establish user naming conventions: Define standards for usernames (firstname.lastname, employee ID, etc.) to maintain consistency and simplify user management. Document conventions in internal procedures.

Document role definitions: Create internal documentation describing each role’s capabilities and intended use cases. This guides administrators assigning roles and helps users understand their access level.

Implement approval workflows: Define procedures for SSO/LDAP user approval including who can approve, verification requirements, response timeframes, and escalation paths for approval delays.

Coordinate with HR systems: Integrate user lifecycle (create, modify, delete) with HR onboarding and offboarding processes. Automate account creation for new hires and disablement for terminations when possible.

Maintain user contact information: Ensure email addresses remain current for notifications and communication. Coordinate with directory services to sync updated contact information automatically.

Retain activity logs: Configure log retention periods aligned with regulatory requirements (commonly 90 days to 7 years depending on industry). Export and archive logs before deletion.

Audit privileged access: Maintain detailed records of all users with administrative roles including business justification, approval authority, and review dates. Compliance frameworks often require documentation of privileged access.

Implement segregation of duties: Avoid assigning conflicting permissions to single users (e.g., user who creates policies should not approve them). Use roles to enforce segregation requirements.

Generate access reports: Produce quarterly reports of all user accounts, assigned roles, last login dates, and approval status for compliance audits and management review.

Document access control policies: Create formal policies describing user access request procedures, approval requirements, review frequencies, and termination protocols. Compliance auditors often require documented access control policies.
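The quarterly access review and access report described above can be run as a script over an exported user list. This is an added example, not rConfig code; the CSV columns, the role and status labels, the HR leaver list, the organization domain and the 90-day staleness threshold are all assumptions made for illustration.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample of a user list export. Column names and role/status
# labels are assumptions, not a documented rConfig export format.
USERS_CSV = """username,email,role,status,last_login
akhan,akhan@example.com,Admin,Active,2025-03-03
jsmith,jsmith@example.com,User,Active,2025-02-27
mlee,mlee@example.com,Admin,Active,2024-10-01
tnguyen,tnguyen@example.com,Read-only,Active,
contractor1,c1@partner.example.net,User,Pending Approval,
"""
HR_LEAVERS = {"jsmith"}      # constructed: usernames HR reports as terminated
ORG_DOMAIN = "example.com"   # constructed: the organization's email domain

def load_users(text=USERS_CSV):
    return list(csv.DictReader(io.StringIO(text)))

def access_review(users, leavers, org_domain, today, stale_days=90):
    """Return {finding: [usernames]} covering the review items on this page:
    orphaned accounts, never-used accounts, privileged accounts that have
    gone unused, pending approvals, and emails outside the organization."""
    findings = {"orphaned": [], "never_logged_in": [], "stale_admin": [],
                "foreign_domain": [], "pending": []}
    for u in users:
        name = u["username"]
        if u["status"] == "Pending Approval":
            findings["pending"].append(name)
        if name in leavers:                      # left the company, still listed
            findings["orphaned"].append(name)
        if not u["email"].lower().endswith("@" + org_domain):
            findings["foreign_domain"].append(name)
        if not u["last_login"]:
            if u["status"] == "Active":          # approved but never used
                findings["never_logged_in"].append(name)
        elif u["role"] == "Admin":
            last = datetime.strptime(u["last_login"], "%Y-%m-%d").date()
            if (today - last).days > stale_days:
                findings["stale_admin"].append(name)
    return findings

if __name__ == "__main__":
    report = access_review(load_users(), HR_LEAVERS, ORG_DOMAIN, date.today())
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```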

Symptom: SSO User Cannot Login After Approval

Diagnosis: Verify user status and SSO configuration.

Possible Causes:

  • User not properly approved in rConfig
  • SSO configuration mismatch between identity provider and rConfig
  • User role not assigned during approval
  • Browser session caching old authentication state

Resolution Steps:

  1. Verify user status shows “Active” in Users list
  2. Confirm role is assigned to user
  3. Have user clear browser cache and cookies
  4. Test SSO authentication with different user to isolate issue
  5. Review System Logs for SSO authentication errors
  6. Verify SSO configuration matches identity provider settings

Symptom: User Receives “Insufficient Permissions” Error

Diagnosis: Check user role and required permissions for operation.

Possible Causes:

  • User assigned read-only or limited role lacking necessary permissions
  • Role definition changed removing previously available permissions
  • User attempting operation outside their authorized scope
  • Session established before role change requiring re-login

Resolution Steps:

  1. Verify user’s assigned role in Users list
  2. Review role definition to confirm required permissions included
  3. Have user log out and back in to refresh session permissions
  4. Assign more permissive role if user legitimately needs access
  5. Document permission requirement if not already in role definition

Symptom: Cannot Delete Default Admin Account

Diagnosis: Verify alternative admin account exists first.

Possible Causes:

  • No other administrator accounts exist (system requires at least one admin)
  • Attempting to delete while logged in as that user
  • Database constraint preventing deletion

Resolution Steps:

  1. Create new administrator account first
  2. Log out of default admin account
  3. Log in with new administrator account
  4. Delete default admin account while authenticated as different admin
  5. Verify deletion successful by confirming account removed from Users list

Symptom: User Activity Log Shows No Recent Activity

Diagnosis: Verify logging is enabled and database is accessible.

Possible Causes:

  • Activity logging disabled in configuration
  • Database table for activity log corrupted or missing
  • Clock synchronization issues causing timestamp problems
  • Filter settings hiding relevant activity

Resolution Steps:

  1. Clear all filters on Activity Log page
  2. Verify database connectivity and activity log table exists
  3. Check system time synchronization across application and database servers
  4. Review System Logs for errors related to activity logging
  5. Contact rConfig support if logging completely absent

User management in rConfig V8 provides the foundation for securing access to sensitive network configuration data through role-based access control, enterprise authentication integration, and comprehensive audit trails. Organizations must implement rigorous user management practices including elimination of default accounts, least privilege role assignment, and regular access reviews to maintain security posture.

Key takeaways for effective user management:

  • Delete default accounts immediately upon installation to prevent unauthorized access via well-known credentials
  • Approve SSO/LDAP users explicitly to maintain control over who can access rConfig despite successful external authentication
  • Assign minimum necessary roles following least privilege principles to reduce risk of accidental or malicious damage
  • Review activity logs regularly to detect security incidents, compliance violations, and unauthorized access attempts
  • Coordinate with HR processes to ensure user accounts are created promptly for new hires and disabled immediately upon termination

Effective user management balances security with operational efficiency, enabling authorized personnel to perform their duties while preventing unauthorized access to critical network infrastructure management capabilities.