Users options:
This is the list of options for the Users section. These options can be set from manage → users.
These options are saved in the given user's configuration file. The filename depends on the name of the user: nameOfUser.conf.
| Key | Requirements | Conf File field | Description | Possible values | Default |
|---|---|---|---|---|---|
| Enable | - | enabled | Whether the given user is enabled and allowed to log in | | |
| Username | - | name | Unique username that is identifying given user | String | - |
| Password | - | password | The password of the user. Please avoid using ":" as it may impact authentication. It is stored as a hash for safety. | String | - |
| Secret | Authentication Mode = Local/Secret | useSecret | Use a secrets manager | Boolean | false |
| Secret Name | Authentication Mode = Local/Secret AND Secret | secretName | Secret to be used by secrets manager. For more information read Secrets | String | - |
|  | - |  | The email associated with the given user, used for receiving Portal notifications about sessions. | String | - |
| Management Privilege | - | (isAdmin, isReadOnly) | Defines what set of permissions is assigned to the user. One of: None (users won't see any configurations; usually used with the Portal User or Audit User option), Admin (see below), Read Only (see below). | None / Admin / Read Only | Admin |
| (Management Privilege) | - | isAdmin | Admin - Users will have admin rights, allowing them to perform tasks such as configuring settings, managing users, and accessing all resources. | Boolean | true |
| (Management Privilege) | - | isReadOnly | Read only - Users will be unable to make any changes to the configuration, but they will retain access to resources based on their filter settings. Additionally, it will block access to management tabs, such as Users, Admin, Certificates, and various options like the 'Test Connection' button in the Data Sources tab. | Boolean | false |
| Audit User | - | isAuditUser | If enabled, users will have access to the Audit tab, where they can view and save records from the Audit Trail table, which logs all session operations within the portal. | Boolean | false |
| Portal User | - | isPortalUser | If enabled, users will have access to the Portal. | Boolean | false |
| Authentication Mode | - | (isLdapEnabled, isKerberosEnabled, isSamlEnabled, isJwtEnabled) | Method used to perform authentication. One of: Ldap, Kerberos, Saml (see below), or Local/Secret. Local/Secret: the user will be authenticated by username and password. Note: The username and password can be stored in the Secrets Manager. This configuration currently does not support rotating credentials: once a user is saved and the values stored in the Secrets Manager change, the Heimdall user will still be using the old values. | Local/Secret / LDAP / SAML / Kerberos | Local/Secret |
| (Authentication Mode) | - | isLdapEnabled | User will be authenticated by LDAP server configured in Admin tab. | Boolean | false |
| LDAP Configuration | Authentication Mode = LDAP | ldapConfigData | LDAP configuration to be used for the given user | (Ldap Configuration) | - |
| (Authentication Mode) | - | isKerberosEnabled | User will be authenticated by KDC server configured in Admin tab. | Boolean | false |
| (Authentication Mode) | - | isSamlEnabled | User will be authenticated by SAML server configured in Admin tab. | Boolean | false |
| (Authentication Mode) | - | isJwtEnabled | Whether a JWT key should be used. It is used to sign and validate the token signature. | Boolean | false |
| - | - | isExternalPortalApprover | Whether the user is an external approver. The External Approvals option is a feature that allows external users (without a Heimdall account) to approve or deny sessions requested in the portal. To enable this, several prerequisites must be met; see External Approvals Overview. | Boolean | - |
| Groups Add | - | groupsToAdd | Groups to add to given user | (List of groups) | - |
| Groups Remove | - | groupsToRemove | Groups to delete from given user | (List of groups) | - |
| Two Factor Authentication | Authentication Mode = Local/Secret OR LDAP | sharedSecret | If enabled, it will present a bar-code that can be scanned into the Google Authenticator software, and an account code, which can be used in place of the bar-code. This ID is in addition to the normal password authentication the user will be required to provide. Not available with Authentication Mode: Kerberos. | String | - |
| - | - | file | Name of the file that contains given user configuration | String | - |
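
The fields above can be reviewed together to catch risky or inconsistent user records. The following is an added example, not Heimdall's own code: it assumes each nameOfUser.conf has already been parsed into a dict keyed by the Conf File field names (the on-disk format is not described here), and the function names, finding texts and sample users are constructed for illustration.

```python
# Field names come from the table above; the helpers and messages are illustrative.
AUTH_FLAGS = {"isLdapEnabled": "ldap", "isKerberosEnabled": "kerberos",
              "isSamlEnabled": "saml"}

def auth_mode(user):
    """Derive the authentication mode from the boolean mode flags."""
    enabled = [mode for flag, mode in AUTH_FLAGS.items() if user.get(flag, False)]
    if len(enabled) > 1:
        return "conflict"
    return enabled[0] if enabled else "local"  # Local/Secret is the default

def audit_user(user):
    """Return a list of findings for one parsed user record."""
    findings = []
    # Assumption: no default is listed for "enabled", so a missing key is
    # treated as enabled to avoid skipping a live account.
    if not user.get("enabled", True):
        return findings
    mode = auth_mode(user)
    is_admin = user.get("isAdmin", True)  # documented default: true
    if mode == "conflict":
        findings.append("multiple authentication mode flags set")
    if is_admin and user.get("isReadOnly", False):
        findings.append("isAdmin and isReadOnly both set")
    # Two-factor is offered for Local/Secret or LDAP; an empty or missing
    # sharedSecret is assumed to mean it is not configured.
    if is_admin and mode in ("local", "ldap") and not user.get("sharedSecret"):
        findings.append("admin without two-factor authentication")
    # Secret-backed credentials keep their old values after a rotation.
    if mode == "local" and user.get("useSecret", False):
        findings.append("secret-backed credentials are not refreshed after rotation")
    if user.get("useSecret", False) and not user.get("secretName"):
        findings.append("useSecret set but secretName missing")
    return findings

def audit_all(users):
    """Map each username to its findings."""
    return {u["name"]: audit_user(u) for u in users}

# Constructed sample records, not taken from a real deployment.
SAMPLE_USERS = [
    {"name": "alice", "enabled": True, "isAdmin": True},
    {"name": "bob", "enabled": True, "isAdmin": False, "isReadOnly": True,
     "useSecret": True, "secretName": "bob-portal"},
    {"name": "carol", "enabled": True, "isAdmin": True, "isLdapEnabled": True,
     "isSamlEnabled": True, "sharedSecret": "CONSTRUCTED"},
    {"name": "dave", "enabled": False, "isAdmin": True},
]
```

Calling `audit_all(SAMPLE_USERS)` returns one entry per user; an empty list means no finding was raised for that record.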