4.3. Web interface accounts and their management

GCenter enables access to:

  • Managing users and related groups

  • History of authentications, account creations/deletions, and rights changes on the platform

  • Linking with an LDAP server


4.3.1. Web Interface Accounts

From the user account configuration menu, it is possible to create user accounts, each with different rights.
These rights are defined by groups.
Each user can therefore belong to one or more groups, thus inheriting the rights of the group.

Note

The proposed groups fully comply with the Military Programming Law.

In the GCenter web interface, there are two different types of rights:

  • Operator

  • Administrator

Generic accounts are defined with the following rights levels:

| Account | Type of rights or group | Intended for |
|---|---|---|
| `operator` | operator | analyst |
| `administrator` | administrator | administrator |
| `admin` | operator and administrator | access to all analyst and administrator functions |

Note

It is necessary to modify the password upon the first connection, and to keep it in a safe place, for example, with the encryption keys of the devices.


4.3.2. Functions allowed with the group or role `operator`

From the operator account, it is possible to access the entire set of menus present in the Web UI.
However, the menus dedicated to the administration of the GCenter are not accessible: these functions are located in the legacy web UI.

4.3.3. Functions authorized with the group or role `administrator`

From the administrator account, it will be possible to access all the menus present in the legacy Web UI.
However, the menus dedicated to the data analysis of the GCenter are not accessible: these functions are located in the web UI.

4.3.4. Functions allowed in the admin account

From the `admin` account, it is possible to access all the features present in both web UIs.

4.3.5. Summary tables of the menus per level

4.3.5.1. Access via icon

| Icon | Description | Operator | Administrator |
|---|---|---|---|
| API | Interface Gatewatcher API | limited access | access |
| Gstats | Interface System Overview | no access | access |



4.3.5.3. Config Menu

| Sub Menu | Description | Operator | Administrator |
|---|---|---|---|
| Assets users association rules command | Association page rules | access | no access |
| Gcap Profiles | GCaps page profiles | access | no access |
| Sigflow Sources command | `Sources` page of the legacy WEB UI | access | no access |
| Sigflow Rulesets command | `Rules` page of the legacy WEB UI | access | no access |


4.3.5.4. Admin Menu

| Sub Menu | Description | Operator | Administrator |
|---|---|---|---|
| NDR configuration | NDR page Configuration | no access | access |
| GCaps pairing and status | `GCaps pairing and status` page of the legacy WEB UI | no access | access |
| Backup / restore command configuration | `Backup configuration` page of the legacy WEB UI | no access | access |
| Backup / restore operations command | `Backup operations` page of the legacy WEB UI | no access | access |
| GUM Config command | `GUM configuration` page of the legacy WEB UI | no access | access |
| GUM Updates command | `Updates` page of the legacy WEB UI | no access | access |
| GUM Hotfix command | `Hotfix` page of the legacy WEB UI | no access | access |
| GCenter Monitor command | `GCenter monitoring` page of the legacy WEB UI | no access | access |
| GCenter Data exports command | `Data exports` page of the legacy WEB UI | no access | access |
| GCenter Data Management command | `Data Management` page of the legacy WEB UI | no access | access |
| GCenter ML Management command | `Machine Learning Management` page of the legacy WEB UI | no access | access |
| Gcenter Malcore Management command | `Data Management` page of the legacy WEB UI | no access | access |
| GCenter Third-party modules command | `Third-party modules` page of the legacy WEB UI | no access | access |
| GCenter Diagnostics command | `Diagnostics` page of the legacy WEB UI | no access | access |
| GCenter Accounts command | `Accounts` page of the legacy WEB UI | no access | access |
| GCenter Configuration command | `Configuration` page of the legacy WEB UI | no access | access |
| Gcenter CTI Configuration command | `CTI Configuration` page of the legacy WEB UI | no access | access |
| GCenter Trackwatch logs command | `Syslog - Overview` page of the KIBANA user interface | no access | access |



4.3.7. Creating local users

In addition to generic accounts, it is possible to create user accounts each having different rights.

Note

The proposed groups fully comply with the Military Programming Law.

When creating a new user account, it is possible to assign different roles to the user.
The role(s) assigned to the user determine which menus they can access in the web interface.
Indeed, depending on the actions carried out, it will be necessary to assign a specific role.
The administrator fills in the following fields concerning the user they wish to create:
  • Username

  • Password

  • Email address

  • First Name

  • Last Name

It is also necessary to activate the account for it to be usable and to assign it the available roles: operator and/or administrator.
These fields will be used later to trace the user in the connection history or in the event of changes concerning this same account.
The graphical interface for creating users is presented in the `Users management` section of the `Accounts` submenu.
For implementation, see:

4.3.8. LDAP integration / Active Directory

Authentication of the GCenter's user accounts can be managed by the GCenter as well as by a Lightweight Directory Access Protocol (LDAP) server.
Configuring the connection between the GCenter and the LDAP server is also done by the GCenter.
The main functions include:
  • Displaying the connection status

  • Enabling the connection to a remote authentication server

  • Managing connection information to a remote authentication server

  • Mapping of users and groups between the GCenter and the remote authentication server

  • Advanced configuration of the connection to a remote authentication server

The graphical interface for this configuration is presented in the `LDAP configuration` section of the `Accounts` submenu.
For implementation, see:

4.3.9. Audit trail

The system records the various actions carried out in the web interface over time, in order to ensure traceability.
This traceability is carried out for:
  • Users' connection or disconnection

  • Creating and deleting accounts

  • Changing the permissions of an account


4.3.9.1. Authentication history function

The history of all authentications on the GCenter is available.
To view the graphical interface presentation, see the `Authentications history` section of the `Accounts` submenu.
For the implementation, refer to Viewing the authentication history.

4.3.9.2. History function for all creations or deletions

The history of all creations or deletions of GCenter users is available.
To view the graphical interface presentation, see the `Creations/Deletions history` section of the `Accounts` submenu.
For the implementation, refer to Viewing the history of user creations or deletions.

4.3.9.3. History function for all changes in user rights

The history of all user permissions on the GCenter is available.
To view the graphical interface presentation, see the `Permissions history` section of the `Accounts` submenu.