Contents

EclecticIQ Intelligence Center enables managing application users, user groups, roles, as well as viewing permissions.

Upon user creation, newly created users receive a notification email with a link to update their profile and set their password.

Admin users can create, edit, and disable Intelligence Center users.

User access to the Intelligence Center relies on an authentication and authorization mechanism.

User access to threat intelligence data in the Intelligence Center is controlled based on:

The groups to users belong to.
The allowed data sources user groups are granted access to.
The TLP code Intelligence Center entities are flagged with.

About administrators

Intelligence Center administrators can configure and manage users to control access to Intelligence Center resources.

They can:

Users must belong to at least one user group to be able to access the Intelligence Center.

This is necessary because users inherit their access rights to data sources from the groups they belong to:

Groups control user access to data sources and to Intelligence Center resources.
Roles control what actions users are allowed to carry out on the resources they have access to, and where in the Intelligence Center they can perform those actions.

About user access

EclecticIQ Intelligence Center manages and controls resource access and consumption by defining access profiles at different access tiers with the following characteristics:

Users: individual Intelligence Center consumers.

They can access the Intelligence Center by signing in with their designated account credentials, such as user name and password.

Example: mhamilton / Apollo11
Groups: multiple users brought together under a common umbrella.

They share the same access rights to selected allowed data sources, such as specific datasets, feeds, enrichers, as well as other groups.

Example: Threat analysts

User groups enable controlling user group members’ access to specific Intelligence Center data, assets, and resources through the following mechanisms:
- Allowed sources: data origins of content stored in the Intelligence Center.
  
  Selecting an allowed data source for a group means that all group members can access Intelligence Center content that the data source in question is the producer of.
  
  Data sources can be existing incoming feeds, enrichers, as well as other user groups.
  
  Example: Entities from Feed A
- TLP: TLP stands for Traffic Light Protocol.
  
  TLP color codes flag information to provide handling and sharing guidelines.
  
  You can assign a TLP color value to restrict access to the following Intelligence Center items:
  - Entities.
  - Data you receive via incoming and send out via outgoing feeds.
  - Data created by users belonging to the groups associated with allowed data sources.
Roles: the expected functions assigned to an individual user or to a group of users.

Roles represent sets of actions users can be tasked with.

Roles group sets of permissions to define the allowed read and modify behaviors that are appropriate to the functions they are related to.

Example: Team lead
Permissions: rules and policies constraining user scope.

Permissions delimit scope by defining the types of action users are authorized to carry out.

For example: read; modify (that is, create, edit, and delete.)

Role-based permissions define:
- The type of actions users are allowed to perform.
- The type of objects users are allowed to interact with.
Group-based Allowed sources and TLP define:
- Specific Intelligence Center data, assets, and resources users are allowed to access.

When you assign permissions to a role, either to modify an existing role or to define a new role, make sure you understand what permissions are and how they work in the Intelligence Center.

For more information, see:

Write access to user profiles depends on the permissions assigned to a user role.

Usually, admin roles include the modify users permission, and they have read and write access to user profiles.

Non-admin roles should not require this permission: they should be able to edit their own user profiles, and they should access other user profiles in read-only mode.

To edit user accounts other than their own, users require:

Admin access level: in the Edit user view, the checkbox Administrator must be selected.
Non-admin access level with the following permissions:
- modify users to view and edit basic user profile details.
- read groups and modify user-groups to view and edit the group section in the user profile.
- read roles and modify user-roles to view and edit the role section in the user profile.

To manage Intelligence Center users, go to the Users view:

In the side navigation bar click , and then select User management.

The default User management view is Users. It shows an overview of the registered Intelligence Center users, with a summary of the basic user details.

Required fields are marked with an asterisk (*).

View users

The default User management view is Users. It shows an overview of the registered Intelligence Center users with a summary of the basic user details:

Username: the user name the administrator sets in the field with the same name when creating a new user account.

User name and password are the necessary sign-in credentials for users to authenticate and to be granted access to the Intelligence Center.
Status: a user account can have one of the following statuses:
- Pending: the initial status of a newly created account.
  
  The account exists, the Intelligence Center sent an account activation email prompting the corresponding user to set a password, but no password has been specified, yet.
  
  A pending account cannot sign in to access the Intelligence Center.
- Active: after the user follows up on the activation email and they set a password for their account, the status changes to Active.
  
  The user can sign in to the Intelligence Center, and they can access assets and resources, based on their role and permissions.
- Inactive: administrators can deactivate an active account to prevent the corresponding user from accessing the Intelligence Center.
  
  An inactive account cannot sign in to access the Intelligence Center.
- Locked: consecutive failed attempts to authenticate and sign in to the Intelligence Center trigger account locking as a security measure against account tampering.
  
  A locked account cannot sign in to access the Intelligence Center.
  
  To unlock a locked account, users need to contact the Intelligence Center administrator for assistance.
- Password reset: the administrator requested the user to reset their password.
  
  If the user is logged in, they are automatically be logged out. They also receive an email notification with a link to reset their password.
  
  After resetting the password, the user account status changes to Active.

To view details about a specific user, on the user overview click anywhere in the row corresponding to the user whose profile you want to review.

The user detail pane is displayed.

The default user detail pane view is Overview, where you can view all the configured options for the current user profile.
Click History to display an overview in reverse chronological order of the actions performed on the user profile since its creation.

This reference view enables you to inspect what happened to the user profile (the action), who did it (the user who carried out the action), and when it happened (the date and time).

Create a user

To create a new user:

In the side navigation bar click >User management.
Click the Users tab, and then click + (Create user) to create a new user.

The user editor is displayed.

Under Create user, define the following configuration settings:

In the First name field, enter the user’s first/given name.
In the Last name field, enter the user’s last/family name.
In the Username field, enter the designated user name to identify the user when they are signed in to the Intelligence Center.

The Username field is case-sensitive.
In the Email field, enter the user’s valid email address.

After saving the new user account profile for the first time, the Intelligence Center sends an email notification to the email address specified here.

The email message notifies the recipient that they have a Intelligence Center account profile whose activation is pending.

The message also contains a link and instructions for the user to define their password.

As soon as they set a password, their account status changes from Pending to Active.
Optionally, in the Contact info field enter the user’s contact details such as home address or phone number.
Optionally, in the PGP public key field enter the user’s PGP public key, if available.
From the Locale drop-down menu, select a locale.

Selecting a Locale allows user to select a timezone from the Preferred timezone drop-down menu.
Select the Use system timezone to use the timezone set in Settings ( ) > System settings > General > Timezone.

When not selected, the Preferred timezone menu appears allowing you to select a specific timezone for selected Locale.
In the Groups section, you can add the user to groups, and you can designate them as members or admins of the groups you assign them to.

Group membership controls user access to Intelligence Center data, assets, and resources.

Users must belong to at least one user group to be able to access the Intelligence Center data, assets, and resources.
1. From the Group drop-down menu, select the group you want to add the user to.
2. From the User type drop-down menu, select whether you want the user to be a Member or a Group admin of the groups they belong to.
  
  To remove a selection, go to the item(s) you want to remove, and click the cross icon X.
3. Click + Add or + More to insert new rows or input fields, as necessary, where you can enter additional group membership and user type details.
In the Assigned roles section, click the Roles field, and then select one or more available roles from the drop-down menu.
- Start typing a role name in the autocomplete text input field.
- Select one or more filtered roles from the matching result list.
To remove a selection, go to the item(s) you want to remove, and click the cross icon X.

To remove all selections at once, click the cross icon X next to the drop-down menu arrow in the input field.

Alternatively, click Unselect all options.

The Roles field works like Groups, the only difference being that instead of adding the user to one or more groups, this option assigns one or more roles to the user.

Roles enable controlling what actions users are authorized to carry out in the Intelligence Center, and which Intelligence Center objects they can act on.
To access additional save options, click the down arrow on the Save button:
- Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.
  
  For example, a new dataset, feed, policy, rule, task, or workspace.
- Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.

Edit a user account

In the Users view, go to the row of the user you want to modify, click , and select Edit.

Alternatively:

Click anywhere in the row corresponding to the user you want to modify, on the top-right corner of the user detail pane click , and then select Edit.

The Edit user view is displayed.
Change the user details as necessary.
To store your changes, click Save; to discard them, click Cancel.

Resend the activation email

Users with a pending account status can contact their administrator to request sending them a new activation email, so that they can set their password to sign in and to access the Intelligence Center.

In the Users view, go to the row corresponding to the user who requested a new activation email, and click .
From the drop-down menu select Resend activation email.
The Intelligence Center sends a new activation email with a new valid activation link to the recipient user’s email address specified in the user account profile.

Any previous activation links for the same user account become invalid to prevent multiple activations.

(Re)activate a user account

Administrators can (re)activate a user account to restore a user’s ability to sign in and to access the Intelligence Center, based on the user account roles and permissions.

Users whose account is deactivated need to contact the Intelligence Center administrator to request (re)activation.

To (re)activate a user account:

In the Users view, go to the row corresponding to the user whose account you want to (re)activate, and click .
From the drop-down menu select Activate.
The user account status changes from Inactive to Active.

Deactivate a user account

To edit user accounts other than their own, users require that the Administrator checkbox in the Edit user view is checked, or a non-admin role that includes the modify users permission.

Administrators can deactivate a user account to revoke a user’s ability to sign in and to access the Intelligence Center.

Users whose account is deactivated need to contact the Intelligence Center administrator to request (re)activation.

In the Users view, go to the row of the user whose account you want to deactivate, and click .
From the drop-down menu select Deactivate.
The user account status changes from Active to Inactive.

Force a password reset

An administrator, or a non-admin user with read users and reset password permissions, can request a password reset for an account.

For example, this can occur if a user account is compromised.

To force a password reset:

In the side navigation bar click , and select User management.
In the Users view, click in the row corresponding to the user whose password you want to reset.
Select Force password reset.
If the user is currently logged in, they are automatically logged out, and they receive an email notification with instructions to reset and change their password.

The user account status changes from Active to Password reset.

Alternatively:

In the side navigation bar click , and select User management
In the Users view, click anywhere in the row corresponding to the user whose password you want to reset.

The Edit user view is displayed.
In the top-right corner click , and select Force password reset.
If the user is currently logged in, they are automatically logged out, and they receive an email notification with instructions to reset and change their password.

The user account status changes from Active to Password reset.

If the user is automatically logged out, a pop-up is displayed to notify them.

They need to reset their password before they can sign back in to the Intelligence Center.

Set reset password link expiration

To reset and to change their password, click Reset password on the sign-in page. The Intelligence Center sends you an automatic email message with a link to a password reset page, where they can complete the operation.

By default, the password reset link in the automatic email expires 60 minutes after sending the message.

System administrators with SSH access and root-level access to the Intelligence Center can change this time value as needed.

To set the link to expire after a predefined amount of time:

Open the /etc/eclecticiq/platform_settings.py file in a text editor.
Browse to the ONE_TIME_PASSWORD_EXPIRATION_MINUTES parameter.
Change the ONE_TIME_PASSWORD_EXPIRATION_MINUTES value as needed.

# By default, the emailed reset password link

expires after 1 hour

ONE_TIME_PASSWORD_EXPIRATION_MINUTES = 60

# The emailed reset password link expires after 24

hours/1 day ONE_TIME_PASSWORD_EXPIRATION_MINUTES = 24*60
Save the file.
Restart the Intelligence Center backend services.

To restart system-managed Intelligence Center services through the command line:

systemctl restart

eclecticiq-platform-backend-services

Lock a user account

Administrators can configure accounts to automatically lock users out after a predefined number of consecutive unsuccessful sign-in attempts.

This measure prevents account tampering, and it mitigates brute-force attacks.

To set accounts to automatically lock after repeatedly failing to sign in:

In the side navigation bar click , select System settings, and then click Account Policy.
At the bottom of the Account Policy view, click Edit account policy.
In the Edit account policy settings view, edit and set the criteria defining valid passwords, and the account lock policy.
Under Locked account, enter an integer in the Maximum of failed attempts field to set the allowed maximum number of failed sign-in attempts for a user account.

This setting defines how many consecutive failed sign-in attempts users are allowed to attempt before automatically locking their account.

To unlock a locked account, users need to contact the Intelligence Center administrator for assistance.

Unlock a user account

Intelligence Center administrators or non-admin users with the lock/unlock users permission can unlock locked user accounts to restore access to the Intelligence Center for the affected users.

To unlock a locked account:

In the side navigation bar click , and select User management.
In the Users view, click in the row corresponding to the user whose account you want to unlock.
From the drop-down menu select Unlock.

When an administrator unlocks a user account, the Intelligence Center sends email notifications to confirm the action:

The administrator is notified that one or more user accounts have been unlocked, and that the corresponding users have regained access to the Intelligence Center.
The user is notified that their locked account has become unlocked, and that they can sign in to the Intelligence Center to resume their work as usual.

Unlock a user account via the command line

Administrators can also unlock a user account via the command line.

Example

# Unlock user account for the 'admin' user
$ eiq-platform user modify --unlock --name admin

Activate your own account

As soon as your user account profile is saved to the Intelligence Center for the first time, you receive an email notification containing:

An activation link.
A request to set your password.

Your account only becomes active and ready for use after setting a password.

As long as you do not specify a valid password, your account is inactive, and you cannot use it to sign in and to access the Intelligence Center.

To activate your account and to set your password:

Open the notification email containing the activation link.
Click the link to follow it.
In the Set your password form, enter your password.
Enter it again to confirm it.
Click Submit.

You can now use your credentials — user name and the specified password — to sign in to the Intelligence Center.

After using the activation link to set the password the link becomes invalid, and you cannot reuse it.

If you click an expired activation link, request a password reset through the Reset password option on the Intelligence Center sign-in view.

Manage your own user profile

Change your own avatar image

In the side navigation bar click the avatar image of your user profile.
From the pop-up menu, click My profile.
In the My profile view, click or the avatar image you want to replace.
Browse to the location where the replacement image is stored, and double-click it to upload it as the new avatar image.

Edit your own user details

In the side navigation bar click the avatar image of your user profile.
From the pop-up menu, click My profile.
In the My profile view, click Edit on the bottom-right corner.
In the Edit your profile view, change your user details as necessary.
To store your changes, click Save; to discard them, click Cancel.

Change your own password

In the side navigation bar click the avatar image of your user profile.
From the pop-up menu, click My profile.
In the My profile view, in the Password field row click Change password.
In the pop-up dialog, confirm your current password.

This is the password you want to replace with a new one.
Click Proceed.
Enter the new password.

It must comply with the password guidelines and the account policies defined by the Intelligence Center administrator.
Enter the new password again to confirm it.
Click Submit to store your changes, or Cancel to discard them.

Follow these guidelines to define a strong password:

It should be between 10 and 64 characters long.
It should contain at least one uppercase alphabetic character.
It should contain at least one special character-
It should contain at least one number.
It should not reuse a previous password.

User password history logs the previous 100 passwords.
It should not be on NBP, the NIST Bad Passwords list.
It should not include the user name it is associated with.

For more information, see the NIST digital identity guidelines.

Unlock your own account

Your administrator can define Intelligence Center-wide account policies that include automatically locking a user account after a predefined number of consecutive unsuccessful sign-in attempts.

This measure prevents account tampering, and it mitigates brute-force attacks.

If your account is locked, you cannot sign in to access the Intelligence Center. Contact the Intelligence Center administrator for assistance.

Limit for password reset requests

A user can make a maximum of 3 password reset requests a day.

To change this number, an administrator has to set the MAX_RESET_PASSWORD_PER_DAY parameter in platform-settings.py.

For example, adding this line to /etc/eclecticiq/platform-settings.py:

MAX_RESET_PASSWORD_PER_DAY = 4

allows a user to request 4 password resets per day.