Improvements to user management, provisioning and access policies in Unimus 2.5
With the 2.5.0 release, we are bringing a lot of improvements and changes to User Management and Access Policies in Unimus. We are also adding the ability for User Provisioning from external AAA sources (LDAP or Radius).
In this post, we would like to walk you through what is new, and what has changed.
How user management and security worked before 2.5
We've had full role-based access controls (RBAC), as well as per-object access policies in Unimus for a long while now. We also have support for external auth (AAA) from LDAP and/or Radius.
How this worked is that you would first set up your external AAA connector, either LDAP or Radius (assuming you wanted to use external AAA).
Then you would create a local Unimus user. You would set this user to use your preferred auth method, either local, or external. You could also assign a Role for your user, limiting them to specific actions (more info in our Role documentation).
After the user was created, you could then limit which objects they have access to in Unimus using the Device Access rules. By default, users would have access to all devices, and you could restrict that access to only devices with particular Tags.
Using the combination of roles and Device Access rules, you could achieve control of both what users can do (limit their actions), as well as which objects they can see and perform actions on.
Why are we changing this
The existing system had a few limitations. In particular:
- A local Unimus user had to exist before they could auth from an external auth source. This means that even if you were using LDAP as your auth source, when adding a new user you would still have to log in to Unimus, create a local user and set it to auth from LDAP. This was a little tedious.
- During a new deployment in large networks, even if you had a single central auth source, you still needed to create all users in Unimus locally (related to previous point).
- Due to how Device Access rules worked, you could not, for example, create a rule which gave access to all devices other than a particular device set.
- The Ownership system only applied to Devices, so a user could create other objects (such as Tags or Zones) and immediately lose access to them due to their own access rules.
- You had no way to see all objects owned by a User.
In 2.5.0, we hope to solve all these issues.
What is new in Unimus 2.5
To solve the issues described above, we have made 3 major changes to the user management system in Unimus:
- We have reworked Device Access rules into Object Access Policies.
- We have extended the Ownership system to now cover not just Devices, but also Tags and Zones.
- We have created an Automatic User Creation system, which can be used for easy User provisioning.
Let's look at each of these in detail:
Object Access Policies
Device Access rules have been replaced by Object Access Policies. A Policy has 2 components: a "base access" component and optional exceptions.
There are 2 base access policies:
- All objects
- No objects
You can combine these base policies with Tag-based exceptions, to create a custom access policy that covers exactly the objects you need.
First you need to create a policy:
After creating a policy, if it has exceptions, you can select which Tags are applied as the exception. In the example below, the user to which this policy would be applied would only have access to objects tagged by the "Routers" Tag.
This is because the base policy is "No objects", but there is an exception for the Routers Tag, allowing access to those objects.
All of your existing Device Access rules will be converted to the new Object Access Policies automatically after you upgrade to 2.5.0. You can find more info on Object Access Policies in our documentation on our Wiki.
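To make the evaluation order concrete, here is a small model of how a base policy plus Tag exceptions resolves for a tagged object. This is an added example written for this post, not Unimus code: the class names, the inventory and the legacy-rule conversion are assumptions that follow the description above (an exception Tag flips the base verdict for any object carrying it), and it also covers the case the old rules could not express, "all objects except one Tag".

```python
"""Model of Object Access Policies: base access plus Tag exceptions.

Added example, not Unimus code. Assumed semantics: an object that carries
at least one exception Tag gets the opposite of the base verdict.
"""
from dataclasses import dataclass

ALL_OBJECTS = "All objects"
NO_OBJECTS = "No objects"


@dataclass(frozen=True)
class Obj:
    """Any access-controlled object (Device, Tag, Zone) and its Tags."""
    name: str
    tags: frozenset = frozenset()


@dataclass
class AccessPolicy:
    base: str                      # ALL_OBJECTS or NO_OBJECTS
    exception_tags: frozenset = frozenset()

    def __post_init__(self):
        if self.base not in (ALL_OBJECTS, NO_OBJECTS):
            raise ValueError(f"unknown base access: {self.base!r}")
        self.exception_tags = frozenset(self.exception_tags)

    def allows(self, obj: Obj) -> bool:
        """Base verdict, inverted when the object carries an exception Tag."""
        tagged = bool(obj.tags & self.exception_tags)
        if self.base == NO_OBJECTS:
            return tagged          # deny by default, allow the tagged ones
        return not tagged          # allow by default, deny the tagged ones


def visible(policy: AccessPolicy, objects) -> list:
    """Names of the objects a user with this policy can see, in inventory order."""
    return [o.name for o in objects if policy.allows(o)]


def from_legacy_device_access(restrict_to_tags=None) -> AccessPolicy:
    """Assumed mapping of an old Device Access rule onto a new policy.

    Old default ("all devices") becomes All objects with no exceptions;
    an old restriction to Tags becomes No objects with those Tags as exceptions.
    """
    if not restrict_to_tags:
        return AccessPolicy(ALL_OBJECTS)
    return AccessPolicy(NO_OBJECTS, frozenset(restrict_to_tags))


# Constructed inventory for the example; note edge-rtr-02 carries two Tags.
INVENTORY = [
    Obj("core-rtr-01", frozenset({"Routers", "Production"})),
    Obj("edge-rtr-02", frozenset({"Routers", "Lab"})),
    Obj("access-sw-01", frozenset({"Switches", "Production"})),
    Obj("lab-sw-01", frozenset({"Switches", "Lab"})),
    Obj("fw-01", frozenset({"Firewalls"})),
]

if __name__ == "__main__":
    routers_only = AccessPolicy(NO_OBJECTS, {"Routers"})
    everything_but_lab = AccessPolicy(ALL_OBJECTS, {"Lab"})
    print("Routers only:      ", visible(routers_only, INVENTORY))
    print("Everything but Lab:", visible(everything_but_lab, INVENTORY))
    print("Legacy 'all':      ", visible(from_legacy_device_access(), INVENTORY))
```

The second policy is the one worth checking after an upgrade: with "All objects" as the base, adding a Tag as an exception removes access, so a Tag that was used to grant access under the old rules must end up as an exception on a "No objects" base, not on an "All objects" base.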
Ownership for Tags and Zones
We have extended the Ownership system to include Tags and Zones:
We also added an option to show all objects owned by a particular user:
Automatic User Creation (User provisioning)
Finally, we have also added an option to automatically create new users in Unimus when they successfully auth from an external AAA system for the first time. This allows for automatic user provisioning in Unimus.
You can select both the Role, as well as the Object Access Policy you want the new users created with, so you can easily secure these new accounts, and elevate their permissions if needed.
The configuration is very simple:
After enabling this function, new users you create in LDAP / Radius can log in to Unimus without any manual user creation.
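The flow described above, as an added example that is not Unimus code: a login is checked against the external AAA source first, and only a successful first authentication creates a local account, with the configured default Role and Object Access Policy. The directory contents, the `UserStore` class and the assumption that defaults apply only at creation time (so a Role an admin later elevated survives the next login) are all assumptions made for this model, not documented Unimus behaviour.

```python
"""Model of automatic user creation on first successful external auth.

Added example, not Unimus code. The AAA source is a constructed in-memory
directory standing in for an LDAP or Radius bind.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed directory: username -> password. Stands in for LDAP / Radius.
DIRECTORY = {"alice": "alice-pw", "bob": "bob-pw"}


def directory_bind(username: str, password: str) -> bool:
    """Models a bind against the external AAA source; True on success."""
    return DIRECTORY.get(username) == password


@dataclass
class User:
    username: str
    auth_source: str           # "external" for auto-created accounts
    role: str
    access_policy: str


class UserStore:
    def __init__(self, auto_create: bool, default_role: str = "Read-only",
                 default_policy: str = "No objects"):
        self.auto_create = auto_create
        self.default_role = default_role
        self.default_policy = default_policy
        self.users: dict = {}

    def login(self, username: str, password: str,
              aaa: Callable[[str, str], bool]) -> Optional[User]:
        """Return the local User on success, None on any failure.

        External auth is checked before any local record is consulted, so a
        failed bind never creates an account. Unknown users are created only
        when auto_create is on, and only with the configured defaults.
        """
        if not aaa(username, password):
            return None
        user = self.users.get(username)
        if user is None:
            if not self.auto_create:
                return None
            user = User(username, "external", self.default_role, self.default_policy)
            self.users[username] = user
        return user


if __name__ == "__main__":
    store = UserStore(auto_create=True)
    print(store.login("alice", "wrong", directory_bind))       # None
    print(store.login("alice", "alice-pw", directory_bind))    # created with defaults
    store.users["alice"].role = "Administrator"                # admin elevates
    print(store.login("alice", "alice-pw", directory_bind))    # elevation kept
```

Pick the defaults with least privilege in mind: a restrictive Role and a "No objects" policy mean a newly provisioned account can log in but see nothing until someone deliberately widens its access.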
Final words
We hope these new features and options add more flexibility and options to our (and your) security model, and simplify user creation and management for you. If you run into any issues, or want to let us know if anything is missing, please head to our forums, either the support section or the feature request section, and let us know!
The new user management functions are available starting with Unimus 2.5.0. Please head over to the Download section to download the latest Unimus release.