Manage users#
EclecticIQ Intelligence Center enables managing application users, user groups, roles, as well as viewing permissions.
Upon user creation, newly created users receive a notification email with a link to update their profile and set their password.
Admin users can create, edit, and disable Intelligence Center users.
User access to EclecticIQ Intelligence Center relies on an authentication and authorization mechanism.
User access to threat intelligence data in EclecticIQ Intelligence Center is controlled based on:
The groups users belong to.
The allowed data sources user groups are granted access to.
The TLP code Intelligence Center entities are flagged with.
About administrators#
Intelligence Center administrators can configure and manage users to control access to Intelligence Center resources.
They can:
Users must belong to at least one user group to be able to access EclecticIQ Intelligence Center.
This is necessary because users inherit their access rights to data sources from the groups they belong to:
Groups control user access to data sources and to Intelligence Center resources.
Roles control what actions users are allowed to carry out on the resources they have access to, and where in the Intelligence Center they can perform those actions.
About user access#
EclecticIQ Intelligence Center manages and controls resource access and consumption by defining access profiles at different access tiers with the following characteristics:
Users: individual Intelligence Center consumers.
They can access EclecticIQ Intelligence Center by signing in with their designated account credentials, such as user name and password.
Example: mhamilton / Apollo11
Groups: multiple users brought together under a common umbrella.
They share the same access rights to selected allowed data sources, such as specific datasets, feeds, enrichers, as well as other groups.
Example: Threat analysts
User groups enable controlling user group members’ access to specific Intelligence Center data, assets, and resources through the following mechanisms:
Allowed sources: data origins of content stored in EclecticIQ Intelligence Center.
Selecting an allowed data source for a group means that all group members can access Intelligence Center content that the data source in question is the producer of.
Data sources can be existing incoming feeds, enrichers, as well as other user groups.
Example: Entities from Feed A
TLP: TLP stands for Traffic Light Protocol.
TLP color codes flag information to provide handling and sharing guidelines.
You can assign a TLP color value to restrict access to the following Intelligence Center items:
Entities.
Data you receive via incoming and send out via outgoing feeds.
Data created by users belonging to the groups associated with allowed data sources.
Roles: the expected functions assigned to an individual user or to a group of users.
Roles represent sets of actions users can be tasked with.
Roles group sets of permissions to define the allowed read and modify behaviors that are appropriate to the functions they are related to.
Example: Team lead
Permissions: rules and policies constraining user scope.
Permissions delimit scope by defining the types of action users are authorized to carry out.
For example: read; modify (that is, create, edit, and delete).
Note
Role-based permissions define:
The type of actions users are allowed to perform.
The type of objects users are allowed to interact with.
Group-based Allowed sources and TLP define:
Specific Intelligence Center data, assets, and resources users are allowed to access.
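How the two kinds of check described above fit together, as an added Python model that is not EclecticIQ code: role permissions decide the type of action and object, group membership (allowed sources plus TLP) decides the specific data. The permission names ("read entities", "modify entities") and the rule that a group sees an entity only if its TLP is no more restrictive than the group's ceiling are assumptions; the page names the mechanisms but not their exact semantics.

```python
# Added illustration of how this page's access tiers combine; not EclecticIQ
# code. Permission names such as "read entities" and the rule that a group sees
# an entity only if its TLP is no more restrictive than the group's ceiling
# are assumptions; the page names the mechanisms but not their exact semantics.
from dataclasses import dataclass

TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}  # least to most restrictive

@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # "<action> <object type>", e.g. "modify entities"

@dataclass(frozen=True)
class Group:
    name: str
    allowed_sources: frozenset  # incoming feeds, enrichers or other groups
    tlp_ceiling: str            # assumed: most restrictive TLP members may see

@dataclass(frozen=True)
class Entity:
    entity_id: str
    source: str  # the data source that produced the entity
    tlp: str

@dataclass(frozen=True)
class User:
    username: str
    groups: tuple
    roles: tuple

def role_permits(user, action, object_type):
    # Role-based check: the TYPE of action and the TYPE of object.
    return any(f"{action} {object_type}" in r.permissions for r in user.roles)

def group_permits(user, entity):
    # Group-based check: the SPECIFIC data, via allowed sources and TLP.
    return any(entity.source in g.allowed_sources
               and TLP_RANK[entity.tlp] <= TLP_RANK[g.tlp_ceiling]
               for g in user.groups)

def can(user, action, entity):
    # Both checks must pass; a user in no group gets no data access at all.
    return bool(user.groups) and role_permits(user, action, "entities") and group_permits(user, entity)

# Constructed sample data, mirroring the page's examples.
THREAT_ANALYSTS = Group("Threat analysts", frozenset({"Feed A"}), "AMBER")
TEAM_LEAD = Role("Team lead", frozenset({"read entities", "modify entities"}))
READER = Role("Reader", frozenset({"read entities"}))
```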
When you assign permissions to a role, either to modify an existing role or to define a new role, make sure you understand what permissions are and how they work in EclecticIQ Intelligence Center.
For more information, see:
Write access to user profiles depends on the permissions assigned to a user role.
Usually, admin roles include the modify users permission, and they have read and write access to user profiles.
Non-admin roles should not require this permission: they should be able to edit their own user profiles, and they should access other user profiles in read-only mode.
Note
To edit user accounts other than their own, users require:
Admin access level: in the Edit user view, the checkbox Administrator must be selected.
Non-admin access level with the following permissions:
modify users to view and edit basic user profile details.
read groups and modify user-groups to view and edit the group section in the user profile.
read roles and modify user-roles to view and edit the role section in the user profile.
To manage Intelligence Center users, go to the Users view:
In the side navigation bar click , and then select User management.
The default User management view is Users. It shows an overview of the registered Intelligence Center users, with a summary of the basic user details.
Note
Required fields are marked with an asterisk (*).
View users#
The default User management view is Users. It shows an overview of the registered Intelligence Center users with a summary of the basic user details:
Username: the user name the administrator sets in the field with the same name when creating a new user account.
User name and password are the necessary sign-in credentials for users to authenticate and to be granted access to EclecticIQ Intelligence Center.
Status: a user account can have one of the following statuses:
Pending: the initial status of a newly created account.
The account exists and EclecticIQ Intelligence Center sent an account activation email prompting the corresponding user to set a password, but no password has been set yet.
A pending account cannot sign in to access EclecticIQ Intelligence Center.
Active: after the user follows up on the activation email and they set a password for their account, the status changes to Active.
The user can sign in to EclecticIQ Intelligence Center, and they can access assets and resources, based on their role and permissions.
Inactive: administrators can deactivate an active account to prevent the corresponding user from accessing EclecticIQ Intelligence Center.
An inactive account cannot sign in to access the Intelligence Center.
Locked: consecutive failed attempts to authenticate and sign in to EclecticIQ Intelligence Center trigger account locking as a security measure against account tampering.
A locked account cannot sign in to access EclecticIQ Intelligence Center.
To unlock a locked account, users need to contact the Intelligence Center administrator for assistance.
Password reset: the administrator requested the user to reset their password.
If the user is logged in, they are automatically logged out. They also receive an email notification with a link to reset their password.
After resetting the password, the user account status changes to Active.
To view details about a specific user, on the user overview click anywhere in the row corresponding to the user whose profile you want to review.
The user detail pane is displayed.
The default user detail pane view is Overview, where you can view all the configured options for the current user profile.
Click History to display an overview in reverse chronological order of the actions performed on the user profile since its creation.
This reference view enables you to inspect what happened to the user profile (the action), who did it (the user who carried out the action), and when it happened (the date and time).
Create a user#
To create a new user:
Click the Users tab, and then click + (Create user) to create a new user.
The user editor is displayed.
Under Create user, define the following configuration settings:
In the First name field, enter the user’s first/given name.
In the Last name field, enter the user’s last/family name.
In the Username field, enter the designated user name to identify the user when they are signed in to the Intelligence Center.
The Username field is case-sensitive.
In the Email field, enter the user’s valid email address.
After saving the new user account profile for the first time, EclecticIQ Intelligence Center sends an email notification to the email address specified here.
The email message notifies the recipient that they have an Intelligence Center account profile whose activation is pending.
The message also contains a link and instructions for the user to define their password.
As soon as they set a password, their account status changes from Pending to Active.
Optionally, in the Contact info field enter the user’s contact details such as home address or phone number.
Optionally, in the PGP public key field enter the user’s PGP public key, if available.
From the Locale drop-down menu, select a locale.
Tip
Selecting a Locale allows the user to select a timezone from the Preferred timezone drop-down menu.
Select the Use system timezone checkbox to use the timezone set in Settings () > System settings > General > Timezone.
When it is not selected, the Preferred timezone menu appears, allowing you to select a specific timezone for the selected Locale.
In the Groups section, you can add the user to groups, and you can designate them as members or admins of the groups you assign them to.
Group membership controls user access to Intelligence Center data, assets, and resources.
Note
Users must belong to at least one user group to be able to access EclecticIQ Intelligence Center data, assets, and resources.
From the Group drop-down menu, select the group you want to add the user to.
From the User type drop-down menu, select whether you want the user to be a Member or a Group admin of the groups they belong to.
To remove a selection, go to the item(s) you want to remove, and click the cross icon X.
Click + Add or + More to insert new rows or input fields, as necessary, where you can enter additional group membership and user type details.
In the Assigned roles section, click the Roles field, and then select one or more available roles from the drop-down menu.
Start typing a role name in the autocomplete text input field.
Select one or more filtered roles from the matching result list.
To remove a selection, go to the item(s) you want to remove, and click the cross icon X.
To remove all selections at once, click the cross icon X next to the drop-down menu arrow in the input field.
Alternatively, click Unselect all options.
The Roles field works like Groups, the only difference being that instead of adding the user to one or more groups, this option assigns one or more roles to the user.
Roles enable controlling what actions users are authorized to carry out in the Intelligence Center, and which Intelligence Center objects they can act on.
To access additional save options, click the down arrow on the Save button:
Click Save and new to save the current data or configuration for the item you are working on, and to create a new item of the same type right away.
For example, a new dataset, feed, policy, rule, task, or workspace.
Click Save and duplicate to save the current data for the item you are working on, and to create a new prepopulated copy of the same item, which you can use as a template or a blueprint to speed up repetitive manual work.
Edit a user account#
In the Users view, go to the row of the user you want to modify, click , and select Edit.
Alternatively:
Click anywhere in the row corresponding to the user you want to modify, on the top-right corner of the user detail pane click , and then select Edit.
The Edit user view is displayed.
Change the user details as necessary.
To store your changes, click Save; to discard them, click Cancel.
Resend the activation email#
Users with a pending account status can contact their administrator to request sending them a new activation email, so that they can set their password to sign in and to access EclecticIQ Intelligence Center.
In the Users view, go to the row corresponding to the user who requested a new activation email, and click .
From the drop-down menu select Resend activation email.
EclecticIQ Intelligence Center sends a new activation email with a new valid activation link to the recipient user’s email address specified in the user account profile.
Any previous activation links for the same user account become invalid to prevent multiple activations.
(Re)activate a user account#
Administrators can (re)activate a user account to restore a user’s ability to sign in and to access EclecticIQ Intelligence Center, based on the user account roles and permissions.
Users whose account is deactivated need to contact the Intelligence Center administrator to request (re)activation.
To (re)activate a user account:
In the Users view, go to the row corresponding to the user whose account you want to (re)activate, and click .
From the drop-down menu select Activate.
The user account status changes from Inactive to Active.
Deactivate a user account#
To edit user accounts other than their own, users require that the Administrator checkbox in the Edit user view is checked, or a non-admin role that includes the modify users permission.
Administrators can deactivate a user account to revoke a user’s ability to sign in and to access EclecticIQ Intelligence Center.
Users whose account is deactivated need to contact the Intelligence Center administrator to request (re)activation.
Force a password reset#
An administrator, or a non-admin user with read users and reset password permissions, can request a password reset for an account.
For example, this can occur if a user account is compromised.
To force a password reset:
In the side navigation bar click , and select User management.
In the Users view, click in the row corresponding to the user whose password you want to reset.
Select Force password reset.
If the user is currently logged in, they are automatically logged out, and they receive an email notification with instructions to reset and change their password.
The user account status changes from Active to Password reset.
Alternatively:
In the side navigation bar click , and select User management.
In the Users view, click anywhere in the row corresponding to the user whose password you want to reset.
The Edit user view is displayed.
In the top-right corner click , and select Force password reset.
If the user is currently logged in, they are automatically logged out, and they receive an email notification with instructions to reset and change their password.
The user account status changes from Active to Password reset.
If the user is automatically logged out, a pop-up is displayed to notify them.
They need to reset their password before they can sign back in to EclecticIQ Intelligence Center.
Set reset password link expiration#
To reset and to change their password, users click Reset password on the sign-in page. EclecticIQ Intelligence Center sends them an automatic email message with a link to a password reset page, where they can complete the operation.
By default, the password reset link in the automatic email expires 60 minutes after sending the message.
System administrators with SSH access and root-level access to EclecticIQ Intelligence Center can change this time value as needed.
To set the link to expire after a predefined amount of time:
Open the /etc/eclecticiq/platform_settings.py file in a text editor.
Browse to the ONE_TIME_PASSWORD_EXPIRATION_MINUTES parameter.
Change the ONE_TIME_PASSWORD_EXPIRATION_MINUTES value as needed. For example:
# By default, the emailed reset password link expires after 1 hour
ONE_TIME_PASSWORD_EXPIRATION_MINUTES = 60
# The emailed reset password link expires after 24 hours/1 day
ONE_TIME_PASSWORD_EXPIRATION_MINUTES = 24*60
Save the file.
Restart EclecticIQ Intelligence Center backend services.
To restart systemd-managed Intelligence Center services through the command line:
systemctl restart eclecticiq-platform-backend-services
Limit for password reset requests#
A user can make a maximum of 3 password reset requests a day.
To change this number, an administrator has to set the MAX_RESET_PASSWORD_PER_DAY parameter in platform-settings.py.
For example, adding this line to /etc/eclecticiq/platform-settings.py:
MAX_RESET_PASSWORD_PER_DAY = 4
allows a user to request 4 password resets per day.
Lock a user account#
Administrators can configure accounts to automatically lock users out after a predefined number of consecutive unsuccessful sign-in attempts.
This measure prevents account tampering and mitigates brute-force attacks.
To set accounts to automatically lock after repeatedly failing to sign in:
In the side navigation bar click , select System settings, and then click Account Policy.
At the bottom of the Account Policy view, click Edit account policy.
In the Edit account policy settings view, edit and set the criteria defining valid passwords, and the account lock policy.
Under Locked account, enter an integer in the Maximum of failed attempts field to set the allowed maximum number of failed sign-in attempts for a user account.
This setting defines how many consecutive failed sign-in attempts are allowed before the account is locked automatically.
To unlock a locked account, users need to contact the Intelligence Center administrator for assistance.
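The account statuses listed under View users, together with the link expiration, daily reset limit and lockout policy from the preceding sections, modelled as an added Python example that is not EclecticIQ code. ONE_TIME_PASSWORD_EXPIRATION_MINUTES and MAX_RESET_PASSWORD_PER_DAY carry the page's defaults; MAX_FAILED_ATTEMPTS stands in for the Account Policy field Maximum of failed attempts, and its value, the token format and the in-memory representation are assumptions.

```python
# Added illustration, not EclecticIQ code: the account statuses this page lists,
# driven by the page's two settings and an assumed "Maximum of failed attempts".
from datetime import datetime, timedelta

ONE_TIME_PASSWORD_EXPIRATION_MINUTES = 60  # page default: emailed link lives 1 hour
MAX_RESET_PASSWORD_PER_DAY = 3             # page default
MAX_FAILED_ATTEMPTS = 5                    # assumed Account Policy value

class Account:
    def __init__(self, now: datetime):
        self.status, self.password, self.failed = "Pending", None, 0
        self.resets, self.link = [], None  # reset-request times; (token, expiry)
        self.issue_link(now)  # creating the account mails the activation link

    def issue_link(self, now):
        # A fresh one-time link; any earlier link for this account becomes invalid.
        token = f"tok-{len(self.resets)}-{int(now.timestamp())}"
        self.link = (token, now + timedelta(minutes=ONE_TIME_PASSWORD_EXPIRATION_MINUTES))
        return token

    def use_link(self, token, new_password, now):
        # Following the emailed link in time sets the password and makes the account Active.
        if self.link is None or token != self.link[0] or now > self.link[1]:
            raise ValueError("activation/reset link invalid or expired")
        if self.status == "Locked":
            raise ValueError("locked accounts need an administrator unlock first")
        self.password, self.link, self.failed, self.status = new_password, None, 0, "Active"

    def request_reset(self, now):
        # Self-service "Reset password" on the sign-in page, limited per rolling day.
        self.resets = [t for t in self.resets if now - t < timedelta(days=1)]
        if len(self.resets) >= MAX_RESET_PASSWORD_PER_DAY:
            raise ValueError("daily password reset limit reached")
        self.resets.append(now)
        return self.issue_link(now)

    def sign_in(self, password):
        # Only Active accounts may sign in; consecutive failures lock the account.
        if self.status != "Active":
            return False
        if password == self.password:
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.status = "Locked"  # stays Locked until an administrator unlocks it
        return False

    def force_password_reset(self, now):  # administrator action; the user is logged out
        self.status = "Password reset"
        return self.issue_link(now)

    def unlock(self):  # administrator or "lock/unlock users" permission
        if self.status == "Locked":
            self.status, self.failed = "Active", 0
```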
Unlock a user account#
Intelligence Center administrators or non-admin users with the lock/unlock users permission can unlock locked user accounts to restore access to EclecticIQ Intelligence Center for the affected users.
To unlock a locked account:
In the side navigation bar click , and select User management.
In the Users view, click in the row corresponding to the user whose account you want to unlock.
From the drop-down menu select Unlock.
When an administrator unlocks a user account, EclecticIQ Intelligence Center sends email notifications to confirm the action:
The administrator is notified that one or more user accounts have been unlocked, and that the corresponding users have regained access to EclecticIQ Intelligence Center.
The user is notified that their locked account has become unlocked, and that they can sign in to EclecticIQ Intelligence Center to resume their work as usual.
Unlock a user account via the command line#
Administrators can also unlock a user account via the command line.
Example
# Unlock user account for the 'admin' user
$ eiq-platform user modify --unlock --name admin