CoPilot User Access & Visibility
Aviatrix CoPilot is a multi-cloud and multi-user enterprise platform. CoPilot User Access & Visibility or User Permission Groups ensure that your CoPilot account stays secure while enabling users to access specific Aviatrix features and permissions.
For example, you can create a Permission Group for a team that should access the Billing & Cost section of CoPilot, but not the network-building and security sections such as Gateways and Distributed Cloud Firewall.
The User Access & Visibility feature has two main goals:
- Granular Access Control: A CoPilot administrator in a specific permission group can perform certain tasks for a subset of Aviatrix Access Accounts.
- Self Service: A CoPilot administrator in a specific permission group can onboard their own cloud accounts and perform tasks.
If you redeploy CoPilot without using the official data migration process, your user permission groups reset to give all users total access to CoPilot. To avoid this issue, use this document to migrate your CoPilot instance when you redeploy.
To access this feature in CoPilot, navigate to CoPilot > Administration > User Access.
Users
Creating Users
To create a new user in CoPilot, go to CoPilot > Administration > User Access. The Users tab opens by default.
- Click + User in the top left.
- Enter the following information:

| Parameter | Description |
|---|---|
| Name | Enter the user’s name. You can also add a job title or description. |
| Email | Enter the user’s email or email mailing list. |
| Password | Enter a strong password or passphrase for the user. |
| Permission Groups | Click on the dropdown menu and select the permission groups this user should belong to. |

- Click Save.
The user appears in the table. This user receives an email inviting them to access CoPilot.
Editing Users
To edit a CoPilot user’s account or permissions, go to CoPilot > Administration > User Access. The Users tab opens by default.
- Find the user in the table and click the Edit icon in their row.
- Edit the user’s name, email address, or password as needed.
- Edit the user’s permissions in the Permission Groups field:
  - To add a user to a new Permission Group, click on the dropdown menu and select another Permission Group.
  - To remove a user from a Permission Group, click the x on the right of the permission group.
- Click Save.
Your edits are saved.
Permission Groups
Creating Permission Groups
A Permission Group is a group of users who have permission to access certain areas, pages, and tabs of CoPilot and perform certain functions in your Controller.
To add a Permission Group to CoPilot, go to CoPilot > Administration > User Access and select the Permission Groups tab.
- Click + Permission Group in the top left.
- Enter the following information:

| Parameter | Description |
|---|---|
| Name | Enter a clear name for this Permission Group. |
| Users | Click on this dropdown menu and select users to add to this Permission Group. See Creating Users for instructions on adding new users. |
| Cloud Accounts | Click on this dropdown menu and select which Cloud Accounts members of this group should be able to access. |
Use the sections below to determine what users in this Permission Group can see in CoPilot or do in the Controller.
CoPilot Visibility
When creating a permission group, select the CoPilot Visibility tab to determine which pages and tabs users in this Permission Group can access in CoPilot.
- In each section, you can select a page and individual tabs. The label underneath the page’s title shows how many of the page’s tabs this group can see out of the total: for example, 3/5 Tabs.
- Users in this Permission Group have Write access, or editing access, for every page and tab you select here.

If you select the "All Tabs" option for any page, users in this group will automatically be able to access any tabs added to CoPilot in the future.

| Area | Description |
|---|---|
| Cloud Fabric | Includes the Topology and Gateway areas. |
| Administration | |
| Settings | |
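The visibility rules above (tabs are unioned across a user's groups, every selected tab carries Write access, and "All Tabs" silently includes tabs added later) can be modelled to see their effect before granting them. The following is an added illustration, not CoPilot's own code: the page catalogue, the group definitions, the user memberships and the function names are all constructed assumptions.

```python
from typing import Dict, Set, Union

ALL_TABS = "ALL"  # stands in for the "All Tabs" option on a page
Selection = Union[str, Set[str]]  # ALL_TABS or an explicit set of tab names

# Constructed page/tab catalogue (hypothetical; not CoPilot's real page list).
TAB_CATALOGUE: Dict[str, Set[str]] = {
    "Gateways": {"Overview", "Spoke", "Transit", "Specialty", "Settings"},
    "Billing & Cost": {"Overview", "Reports"},
}

# Constructed permission groups: group -> {page: selection}.
PERMISSION_GROUPS: Dict[str, Dict[str, Selection]] = {
    "finance": {"Billing & Cost": ALL_TABS},
    "netops": {"Gateways": {"Overview", "Spoke", "Transit"}},
}

# Constructed user memberships: user -> groups.
USER_GROUPS: Dict[str, Set[str]] = {
    "alice": {"finance"},
    "bob": {"finance", "netops"},
}


def visible_tabs(page: str, selection: Selection, catalogue: Dict[str, Set[str]]) -> Set[str]:
    """Tabs of `page` that a selection grants; ALL_TABS expands to whatever the catalogue holds now."""
    if selection == ALL_TABS:
        return set(catalogue[page])
    return set(selection) & catalogue[page]


def tab_label(page: str, selection: Selection, catalogue: Dict[str, Set[str]] = TAB_CATALOGUE) -> str:
    """Render the 'n/m Tabs' label shown under a page title in the dialog."""
    return f"{len(visible_tabs(page, selection, catalogue))}/{len(catalogue[page])} Tabs"


def effective_visibility(user: str, groups=PERMISSION_GROUPS, memberships=USER_GROUPS,
                         catalogue=TAB_CATALOGUE) -> Dict[str, Set[str]]:
    """Union of tabs across every group the user belongs to; each tab carries Write access."""
    result: Dict[str, Set[str]] = {}
    for group in memberships.get(user, set()):
        for page, selection in groups.get(group, {}).items():
            result.setdefault(page, set()).update(visible_tabs(page, selection, catalogue))
    return {page: tabs for page, tabs in result.items() if tabs}


def groups_gaining_tab(page: str, new_tab: str, groups=PERMISSION_GROUPS,
                       catalogue=TAB_CATALOGUE):
    """Simulate a tab added to CoPilot later and report which groups pick it up automatically.
    Only groups that chose All Tabs for the page do; explicit tab lists stay as granted."""
    future = {p: set(t) for p, t in catalogue.items()}
    future[page].add(new_tab)
    return sorted(g for g, pages in groups.items()
                  if page in pages and new_tab in visible_tabs(page, pages[page], future))


if __name__ == "__main__":
    print(tab_label("Gateways", PERMISSION_GROUPS["netops"]["Gateways"]))
    print(effective_visibility("bob"))
    print(groups_gaining_tab("Billing & Cost", "Forecast"))
```

Running `groups_gaining_tab` against a hypothetical new tab is the check to make before choosing "All Tabs" for a group: an explicit tab list stays the size you approved, while an "All Tabs" selection grows with the product.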
Controller Permissions
- Under API/Terraform Permissions in the Create Permission Group dialog, click on the dropdown menu and select which Controller permissions this Group has.

  If you have existing Permission Groups in your Controller, those groups and their permissions appear here automatically.

  The available permissions are:
  - Dashboard
  - Gateway
  - UserVPN
  - Useful Tools
  - Troubleshoot
  - AllWrite: gives Write permission for every area of the Controller.
- Click Save.
Editing Permission Groups
To edit a Permission Group in CoPilot, go to CoPilot > Administration > User Access and select the Permission Groups tab.
- Select the Permission Group in the table.
- On the right, review the Permission Group’s information and the permissions included. Click the Edit icon to edit these settings.
- Select the CoPilot Visibility tab to edit which areas of CoPilot this Permission Group can access. Note that these users have Write access to all areas, pages, and tabs included here.
- Select the Controller Permissions tab to edit which Controller features this group can access.
- Click Save.
Deleting a Permission Group
To remove a Permission Group, go to CoPilot > Administration > User Access and select the Permission Groups tab.

Deleting a Permission Group does not delete the accounts of users in that group.

- Find the Permission Group in the table and click the Delete icon in that row.
- Click Confirm.
The Permission Group is deleted.
Access Management
Use the Access Management tab to manage access for all users, including the password policy, Controller and gateway access, and ability of Administrators to log in.
Security and Password Settings
Managing Password Policy
To manage your password policy:
- Go to CoPilot > Administration > User Access and select the Access Management tab.
- Under Password Policy, click Manage Policy.
- Edit the settings as needed:

| Setting | Description |
|---|---|
| Minimum Password Length | Enter a password length between 8 and 32 characters. |
| Maximum Password Age | Enter the maximum number of days before a user has to change their password. The value can be between 1 and 365 days. |
| Enforce Password History | Enter the number of previous passwords a user is not allowed to set as a new password. The range is 1-12. If you enter 12 here, a user can reuse a password only after using 12 different passwords. |
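The three settings interact at the moment a user changes a password, and the history rule in particular is easy to get off by one. The following added example (not CoPilot code) enforces all three with the ranges from the table; the `PasswordPolicy` and `UserRecord` types, the function names and the sample user walk-through are assumptions made for the illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


def policy_violations(min_length: int, max_age_days: int, history_size: int) -> List[str]:
    """Check the three settings against the ranges the Password Policy dialog allows."""
    errors: List[str] = []
    if not 8 <= min_length <= 32:
        errors.append("Minimum Password Length must be between 8 and 32")
    if not 1 <= max_age_days <= 365:
        errors.append("Maximum Password Age must be between 1 and 365 days")
    if not 1 <= history_size <= 12:
        errors.append("Enforce Password History must be between 1 and 12")
    return errors


@dataclass
class PasswordPolicy:
    min_length: int = 8       # Minimum Password Length
    max_age_days: int = 90    # Maximum Password Age
    history_size: int = 5     # Enforce Password History

    def __post_init__(self) -> None:
        errors = policy_violations(self.min_length, self.max_age_days, self.history_size)
        if errors:
            raise ValueError("; ".join(errors))


@dataclass
class UserRecord:
    """Hypothetical per-user state: a fixed salt (so history digests stay comparable),
    digests of the most recent passwords (newest last), and the last change date."""
    salt: bytes
    history: List[bytes] = field(default_factory=list)
    last_changed: Optional[date] = None


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


def set_password(user: UserRecord, policy: PasswordPolicy, new_password: str, today: date) -> List[str]:
    """Apply the policy to a password change. Returns the violations found;
    an empty list means the password was accepted and stored."""
    problems: List[str] = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    digest = _digest(new_password, user.salt)
    # The last `history_size` passwords, the current one included, may not be reused.
    if any(hmac.compare_digest(digest, old) for old in user.history[-policy.history_size:]):
        problems.append("matches one of the recent passwords")
    if problems:
        return problems
    user.history = (user.history + [digest])[-policy.history_size:]
    user.last_changed = today
    return []


def password_expired(user: UserRecord, policy: PasswordPolicy, today: date) -> bool:
    """True once the password is older than Maximum Password Age (or was never set)."""
    if user.last_changed is None:
        return True
    return today - user.last_changed > timedelta(days=policy.max_age_days)


def run_scenario():
    """Walk a constructed user through changes with history_size=2 and max_age_days=30."""
    policy = PasswordPolicy(min_length=8, max_age_days=30, history_size=2)
    user = UserRecord(salt=b"constructed-salt")  # constructed; a real system draws a random salt
    outcomes = [
        set_password(user, policy, "short", date(2024, 1, 1)),            # too short
        set_password(user, policy, "correct-horse-1", date(2024, 1, 1)),  # accepted
        set_password(user, policy, "correct-horse-1", date(2024, 1, 2)),  # immediate reuse
        set_password(user, policy, "correct-horse-2", date(2024, 1, 2)),  # accepted
        set_password(user, policy, "correct-horse-1", date(2024, 1, 3)),  # still within last 2
        set_password(user, policy, "correct-horse-3", date(2024, 1, 3)),  # accepted
        set_password(user, policy, "correct-horse-1", date(2024, 1, 4)),  # 2 others used: allowed
    ]
    expired = (password_expired(user, policy, date(2024, 2, 3)),  # exactly 30 days: not yet
               password_expired(user, policy, date(2024, 2, 4)))  # 31 days: expired
    return outcomes, expired


if __name__ == "__main__":
    print(run_scenario())
```

The scenario shows the table's reuse rule concretely: with a history of 2, `correct-horse-1` is refused until two different passwords have been set, and accepted on the third change.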
Refreshing Credentials on Controller and Gateways
To refresh the account credentials for the Controller and gateways:
- Go to CoPilot > Administration > User Access and select the Access Management tab.
- Click Refresh.
Disabling Admin User Login
You can disable login access for the user account named "admin" for security reasons.
If your CoPilot Service Account is named "admin," you cannot disable admin login. This limitation exists because you need a Service Account to use CoPilot. You can change the Service Account by going to CoPilot > Settings > Configuration. Under Service Account, click Reset.
To disable Admin login access:
- Go to CoPilot > Administration > User Access and select the Access Management tab.
- Under Allow Admin User to log in, click on the toggle switch to turn it OFF.
- Click Turn Off.
To re-enable admin login access, click on the toggle switch again to turn it ON.
Login Authentication
Enabling DUO
The Aviatrix UserVPN solution provides Duo authentication integration. This document helps you set up Duo to connect with Aviatrix.
You need to first have a Duo account set up. If you do not have one, please see https://www.duosecurity.com/product.
Getting Duo API Credentials
This step requires admin privileges in Duo.
You must first add an application to Duo for Aviatrix before you can connect. If you have already completed this step, these same steps will take you to the API credentials needed to connect Aviatrix with this application.

| Setting | Description |
|---|---|
| DUO Integration Key | Enter your DUO Integration Key in this field. |
| DUO Secret Key | Enter your DUO Secret Key in this field. |
| DUO API Hostname | Enter your DUO API Hostname in this field. |
Click Save.
Your DUO integration is saved.
Enabling LDAP
Aviatrix allows you to configure LDAP authentication for users logging into CoPilot. At the login prompt for CoPilot, the user will enter their username and LDAP/AD password to authenticate.
To enable LDAP:
- Go to CoPilot > Administration > User Access and select the Access Management tab.
- Under LDAP, click Enable.
- Enter the following information:

| Setting | Description |
|---|---|
| LDAP Server | Enter the IP or hostname of the LDAP / AD server. |
| Server Port | UDP Port 389 is the standard port for both encrypted LDAP (using STARTTLS) and non-encrypted connections. |
| Bind DN (Distinguished Name) | DN the CoPilot user will use to authenticate with the LDAP server to handle user authentication. For example, uid=john.doe. |
| Password | The password of the Bind DN user. |
| Base DN | Starting point in the directory for searching for matching usernames. |
| Username Attribute | User attribute name for username to match. |
| LDAP User | This field is only used when clicking on the Test LDAP Configuration button. It will use this value to search and respond if it is able to connect and find the user. |
| Use TLS to connect to Server | When this setting is enabled, STARTTLS is used to connect with the LDAP server. |
| Client Key/Certificate Bundle (if Use TLS to Connect to Server is On) | Upload a client key or certificate bundle. |
| CA Certificate (if Use TLS to Connect to Server is On) | Upload a CA certificate. |

- You can click Test LDAP Configuration to test the configuration before saving.
- Click Save. Your LDAP configuration is saved.
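The Base DN, Username Attribute and LDAP User settings together describe one directory search: look below the Base DN for an entry whose username attribute equals the name typed at the login prompt (or, for Test LDAP Configuration, the LDAP User value). Because that name is user-supplied, it must be escaped before it is placed in the search filter, and the TLS-related fields decide whether the Bind DN password travels encrypted. The following added example (not CoPilot's code) builds that search with RFC 4515 escaping and reviews a settings record for the TLS fields; the `SAMPLE_SETTINGS` values, the key names and the function names are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# An attribute description is a keystring: a letter followed by letters, digits or hyphens (RFC 4512).
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

# Constructed settings record mirroring the LDAP fields on this page (not a real directory).
SAMPLE_SETTINGS: Dict[str, object] = {
    "ldap_server": "ldap.example.internal",
    "server_port": 389,
    "bind_dn": "uid=copilot-bind,ou=service,dc=example,dc=com",
    "bind_password": "<placeholder>",
    "base_dn": "ou=people,dc=example,dc=com",
    "username_attribute": "uid",
    "use_tls": True,
    "ca_certificate": "<CA certificate PEM, placeholder>",
}


def escape_filter_value(value: str) -> str:
    """Escape the characters that carry meaning inside a search filter (RFC 4515 section 3)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in value)


def attribute_is_valid(attribute: str) -> bool:
    """Reject a Username Attribute that could itself smuggle filter syntax."""
    return _ATTRIBUTE_RE.fullmatch(attribute) is not None


def user_search(settings: Dict[str, object], login_name: str) -> Tuple[str, str]:
    """Return (base DN, filter) for the lookup the settings describe.
    This is what the Test LDAP Configuration button would run with the LDAP User value."""
    attribute = str(settings["username_attribute"])
    if not attribute_is_valid(attribute):
        raise ValueError(f"invalid Username Attribute: {attribute!r}")
    return str(settings["base_dn"]), f"({attribute}={escape_filter_value(login_name)})"


def review_ldap_settings(settings: Dict[str, object]) -> List[str]:
    """Findings a reviewer would raise before clicking Save."""
    findings: List[str] = []
    if not settings.get("use_tls"):
        findings.append("Use TLS is off: the Bind DN password and every user's password "
                        "cross the network unencrypted")
    elif not settings.get("ca_certificate"):
        findings.append("Use TLS is on but no CA Certificate is uploaded: "
                        "the server's certificate cannot be verified")
    return findings


if __name__ == "__main__":
    print(user_search(SAMPLE_SETTINGS, "jdoe"))
    print(user_search(SAMPLE_SETTINGS, "*)(uid=*"))  # special characters are neutralised
    print(review_ldap_settings({**SAMPLE_SETTINGS, "use_tls": False}))
```

Escaping turns a login name such as `*)(uid=*` into `\2a\29\28uid=\2a`, so the filter still matches only an entry whose attribute literally equals that string; the attribute-name check covers the administrator-entered side of the same filter.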
Allowing Local Login
Use this setting to enable users to log in who are not listed in the Active Directory using a local name and password. You can enable this setting for specific Permission Groups.
To enable users outside the Active Directory to log in with a username and password:
- Go to CoPilot > Administration > User Access and select the Access Management tab.
- Under Allow Local Login, in the Permission group field, enter the name of each Permission Group to give local login access and press Enter after each one.
Users in these Permission Groups now have local login access.