VMmanager 6: Administrator guide

Restricting user access to the platform

ISPSystem

You can allow the platform users to log in only from specific IP addresses and subnets:

  1. Create user groups in the platform.
  2. Specify for each group the list of allowed IP addresses.

If the platform user is a member of the group and tries to log in from an IP address that is not listed in the group settings, the platform will block the user's access to the login service.

If the user is not a member of any of the groups, he/she can log into the platform from any IP address.

Managing user groups


To manage groups, enter Users → User groups.


Section interface


To create a group:

  1. Press Create group.
  2. Specify the group parameters:
    1. Name.
    2. IP addresses for access to the platform. The list can contain individual IP addresses, ranges and subnets of IP addresses.
  3. Press Save.

Example of creating a group



To change the settings of the created group, press  or Configure.

To delete a group, press or Delete.

To add or delete users from a group:

  1. Press Change group members.
  2. Select the users you want to add.
  3. Uncheck the users you want to delete.
  4. Press Save changes.

Example of editing group members

Access control via API


The platform creates an access control list (ACL) for each user group. The ACL contains the group members' emails and lists of allowed IP addresses.

Creating an ACL

To create an ACL:

  1. Get an authorization token:


  2. Execute the request:

    curl -H 'x-xsrf-token: <token>' -X POST https://domain.com/auth/v4/acl -d '{"name": "<acl_name>", "ip_list": [<ip>], "members": [<users_id>]}' 

    <token> — authorization token

    domain.com — domain name of the server with the platform

    <acl_name> — ACL name

    <ip> — list of allowed IP addresses. The list can contain individual IP addresses, ranges and subnets of IP addresses. Each value of the list must be specified in quotation marks

    <users_id> — list of the platform user IDs. Each value of the list must be specified in quotation marks

    Note:

    You can view the user IDs in the interface of the platform in the Users section.

    The response will contain the ID of the created ACL.

    Example of creating an ACL
    curl -H 'x-xsrf-token: 4-e9726dd9-61d9-2940-add3-914851d2cb8a' -X POST https://domain.com/auth/v4/acl -d '{"name": "admin1", "ip_list": ["192.0.2.1","192.0.2.10-192.0.2.20","192.0.2.100/28"], "members": ["1","3","7"]}'

    The request will create an ACL named admin1. Users with IDs 1, 3 and 7 will be allowed access to the platform from the IP address 192.0.2.1, the range 192.0.2.10-192.0.2.20 and the subnet 192.0.2.100/28.

    Example of response
    {
      "id": "12"
    }

Viewing an ACL

To view all created ACLs, execute the request:

curl -H 'x-xsrf-token: <token>' -X GET https://domain.com/auth/v4/acl

<token> — authorization token

domain.com — domain name of the server with the platform

To view a specific created ACL, execute the request:

curl -H 'x-xsrf-token: <token>' -X GET https://domain.com/auth/v4/acl/<acl_id>

<token> — authorization token

domain.com — domain name of the server with the platform

<acl_id> — id of the created ACL

Example of response
{
  "ip_list": [
    "192.0.2.1",
    "192.0.2.10-192.0.2.20",
    "192.0.2.100/28"
  ],
  "name": "admin1",
  "users": [
    "user1@example.com",
    "user3@example.com",
    "user7@example.com"
  ]
}
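
A pre-flight check for an ip_list, useful before creating an ACL (to confirm your own admin address is covered) or after reading one back (to spot malformed or overly broad entries). This is an added example, not part of the VMmanager documentation or API; the function names and the max_hosts threshold are hypothetical, and the handling of a subnet written with host bits set is an assumption.

```python
import ipaddress

# Constructed sample: ip_list copied from the example ACL response on this page.
SAMPLE_IP_LIST = ["192.0.2.1", "192.0.2.10-192.0.2.20", "192.0.2.100/28"]


def entry_bounds(entry):
    """Return (first, last) address of one ip_list entry: IP, a-b range or CIDR."""
    entry = entry.strip()
    if "/" in entry:
        # Assumption: host bits set (192.0.2.100/28) means the enclosing
        # network (192.0.2.96/28); the page does not say how it is resolved.
        net = ipaddress.ip_network(entry, strict=False)
        return net[0], net[-1]
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry}")
        return lo, hi
    addr = ipaddress.ip_address(entry)
    return addr, addr


def is_allowed(ip, ip_list):
    """True if ip falls inside any entry of ip_list."""
    addr = ipaddress.ip_address(ip)
    for entry in ip_list:
        lo, hi = entry_bounds(entry)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def audit(ip_list, max_hosts=256):
    """Return warnings for malformed entries and entries wider than max_hosts."""
    findings = []
    for entry in ip_list:
        try:
            lo, hi = entry_bounds(entry)
        except ValueError as exc:
            findings.append(f"{entry}: invalid ({exc})")
            continue
        size = int(hi) - int(lo) + 1
        if size > max_hosts:
            findings.append(f"{entry}: covers {size} addresses")
    return findings
```

Run is_allowed with the address you administer from before assigning yourself to a group, since members are blocked from any address not in the list.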

Deleting an ACL

To delete a specific created ACL, execute the request:

curl -H 'x-xsrf-token: <token>' -X DELETE https://domain.com/auth/v4/acl/<acl_id>

<token> — authorization token

domain.com — domain name of the server with the platform

<acl_id> — id of the created ACL

If the ACL is deleted successfully, the response will contain "true".
