CoPilot User Access & Visibility

Aviatrix CoPilot is a multi-cloud and multi-user enterprise platform. CoPilot User Access & Visibility or User Permission Groups ensure that your CoPilot account stays secure while enabling users to access specific Aviatrix features and permissions.

For example, you can create a Permission Group for a team who should access the Billing & Cost section of CoPilot, but not the networking-building and security sections such as Gateways and Distributed Cloud Firewall.

The User Access & Visibility feature has two main goals:

  • Granular Access Control: A CoPilot administrator in a specific permission group can perform certain tasks for a subset of an Aviatrix Access Account.

  • Self Service: A CoPilot administrator in a specific permission group can onboard their own cloud accounts and perform tasks.

If you redeploy CoPilot without using the official data migration process, your user permission groups reset to give all users total access to CoPilot. To avoid this issue, use this document to migrate your CoPilot instance when you redeploy.

To access this feature in CoPilot, navigate to CoPilot > Administration > User Access.

Users

Creating Users

To create a new user in CoPilot, go to CoPilot > Administration > User Access. The Users tab opens by default.

  1. Click + User in the top left.

  2. Enter the following information:

    • Name: Enter the user’s name. You can also add a job title or description.

    • Email: Enter the user’s email address or a mailing list address.

    • Password: Enter a strong password or passphrase for the user.

    • Permission Groups: Click on the dropdown menu and select the permission groups this user should belong to. Each user must belong to at least one permission group.

  3. Click Save.

The user appears in the table. This user receives an email inviting them to access CoPilot.

Editing Users

To edit a CoPilot user’s account or permissions, go to CoPilot > Administration > User Access. The Users tab opens by default.

  1. Find the user in the table and click the Edit icon in their row.

  2. Edit the user’s name, email address, or password as needed.

  3. Edit the user’s permissions in the Permission Groups field:

    • To add a user to a new Permission Group, click on the dropdown menu and select another Permission Group.

    • To remove a user from a Permission Group, click the x on the right of the permission group.

  4. Click Save.

Your edits are saved.

Deleting Users

To remove a CoPilot user, go to CoPilot > Administration > User Access. The Users tab opens by default.

  1. Find the user in the table and click the Delete icon in their row.

  2. Click Confirm.

  3. Click Save.

This user account has been removed.

Permission Groups

Creating Permission Groups

A Permission Group is a group of users who have permission to access certain areas, pages, and tabs of CoPilot and perform certain functions in your Controller.

To add a Permission Group to CoPilot, go to CoPilot > Administration > User Access > select the Permission Groups tab.

  1. Click + Permission Group in the top left.

  2. Enter the following information:

    • Name: Enter a clear name for this Permission Group.

    • Users: Click on this dropdown menu and select users to add to this Permission Group. See Creating Users for instructions on adding new users.

    • Cloud Accounts: Click on this dropdown menu and select which Cloud Accounts members of this group should be able to access.

  3. Click Save.

Use the sections below to determine what users in this Permission Group can see in CoPilot or do in the Controller.

CoPilot Visibility

When creating a permission group, select the CoPilot Visibility tab to determine which pages and tabs users in this Permission Group can access in CoPilot.

  • In each section, you can select a page and individual tabs. The label underneath the page’s title shows how many of the page’s tabs this group can see: for example, 3/5 Tabs.

  • Users in this Permission Group have Write access, or editing access, for every page and tab you select here.

If you select the "All Tabs" option for any page, users in this group will automatically be able to access any tabs added to CoPilot in the future.

The areas you can grant are:

  • Cloud Fabric: Includes the Topology and Gateway areas.

  • Security

  • SmartGroups

  • Cloud Resources

  • Monitor

  • Diagnostics

  • Billing & Cost

  • Administration

  • Settings
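The rules above (a user must belong to at least one group, a group grants Cloud Accounts plus page and tab visibility with Write access, and "All Tabs" also covers tabs added later) are easy to get wrong when a user sits in several groups. The following is an added example, not Aviatrix code, that models those rules so you can review what a user can effectively reach before you change their Permission Groups. It assumes that groups combine as a union (the document does not state how overlapping groups are resolved), and the page, tab and account names in the sample data are constructed.

```python
"""Model of the CoPilot Permission Group rules: users belong to one or more
groups, a group grants Cloud Accounts and page/tab visibility, and "All Tabs"
on a page also covers tabs added later.

Added example, not Aviatrix code. Assumption: a user in several groups gets
the union of what each group grants. Sample names below are constructed."""
from dataclasses import dataclass, field

ALL_TABS = "*"  # stands in for the "All Tabs" option on a page


@dataclass
class PermissionGroup:
    name: str
    cloud_accounts: set
    # page -> set of tab names, or ALL_TABS
    visibility: dict = field(default_factory=dict)


@dataclass
class User:
    email: str
    groups: list


def validate_user(user):
    """Each user must belong to at least one permission group."""
    if not user.groups:
        raise ValueError(f"{user.email}: must belong to at least one permission group")
    return True


def group_can_see(group, page, tab):
    """True if this one group grants the tab; All Tabs matches any tab, future ones included."""
    tabs = group.visibility.get(page)
    if tabs is None:
        return False
    return tabs == ALL_TABS or tab in tabs


def effective_access(user, page, tab):
    """Assumption: groups combine as a union, so any one group granting the tab is enough."""
    validate_user(user)
    return any(group_can_see(g, page, tab) for g in user.groups)


def effective_cloud_accounts(user):
    """Union of the Cloud Accounts across all of the user's groups (assumption)."""
    validate_user(user)
    return set().union(*(g.cloud_accounts for g in user.groups))


def tabs_label(group, page, known_tabs):
    """The 'n/total Tabs' label shown under a page title, for the tabs known today."""
    tabs = group.visibility.get(page)
    if tabs is None:
        visible = 0
    elif tabs == ALL_TABS:
        visible = len(known_tabs)
    else:
        visible = len(set(tabs) & set(known_tabs))
    return f"{visible}/{len(known_tabs)} Tabs"


def access_gained(user, new_group, pages):
    """(page, tab) pairs the user would newly gain by being added to new_group.
    A review step before widening a user's Permission Groups."""
    gained = []
    for page, tabs in pages.items():
        for tab in tabs:
            if not effective_access(user, page, tab) and group_can_see(new_group, page, tab):
                gained.append((page, tab))
    return sorted(gained)


# Constructed sample data (tab and account names are not from the document).
PAGES = {
    "Cloud Fabric": ("Topology", "Gateways"),
    "Security": ("Distributed Cloud Firewall",),
    "Billing & Cost": ("Overview", "Reports"),
}
BILLING_TEAM = PermissionGroup("billing-team", {"aws-prod"},
                               {"Billing & Cost": ALL_TABS})
NETOPS = PermissionGroup("netops", {"aws-prod", "azure-hub"},
                         {"Cloud Fabric": {"Topology", "Gateways"}})

if __name__ == "__main__":
    alice = User("alice@example.com", [BILLING_TEAM])
    print(effective_access(alice, "Billing & Cost", "Reports"))  # True
    print(effective_access(alice, "Cloud Fabric", "Gateways"))   # False
    print(access_gained(alice, NETOPS, PAGES))  # what adding netops would expose
```

Because every tab a group grants is Write access, `access_gained` is the check worth running before adding a user to a second group: it lists exactly the pages and tabs the user could start editing.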

Controller Permissions

  1. Under API/Terraform Permissions in the Create Permission Group dialog, click on the dropdown menu and select which Controller permissions this Group has.

    If you have existing Permission Groups in your Controller, those groups and their permissions appear here automatically.

  2. Click Save.

Editing Permission Groups

To edit a Permission Group in CoPilot, go to CoPilot > Administration > User Access > select the Permission Groups tab.

  1. Select the Permission Group in the table.

  2. On the right, review the Permission Group’s information and the permissions included. Click the Edit icon to edit these settings.

  3. Select the CoPilot Visibility tab to edit which areas of CoPilot this Permission Group can access. Note that these users have Write access to all areas, pages, and tabs included here.

  4. Select the Controller Permissions tab to edit which Controller features this group can access.

  5. Click Save.

Deleting a Permission Group

To remove a Permission Group, go to CoPilot > Administration > User Access > select the Permission Groups tab.

Deleting a Permission Group does not delete the accounts of users in that group.

  1. Find the Permission Group in the table and click the Delete icon in that row.

  2. Click Confirm.

The Permission Group is deleted.

Access Management

Use the Access Management tab to manage access for all users, including the password policy, Controller and gateway access, and ability of Administrators to log in.

Security and Password Settings

Managing Password Policy

To manage your password policy:

  1. Go to CoPilot > Administration > User Access > select the Access Management tab.

  2. Under Password Policy, click Edit Configuration. The Manage Password Policy dialog opens.

  3. Edit the settings as needed:

    • Minimum Password Length: Enter a password length between 8 and 32 characters.

    • Maximum Password Age: Enter the maximum number of days before a user has to change their password. The minimum is 1 day and the maximum is 365 days.

    • Enforce Password History: Enter how many previous passwords a user is not allowed to set as a new password. The range is 1-12. If you enter 12 here, a user can reuse a password only after using 12 different passwords.

  4. Click Save.
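To make the three settings concrete, here is an added example (not Aviatrix code) that applies a policy with those ranges to a candidate password. The ranges are the ones the dialog accepts; the salted-hash history store, the ISO date strings and the order of the checks are assumptions about how such a policy is enforced, not a description of CoPilot's implementation.

```python
"""Applies the Password Policy settings (Minimum Password Length 8-32, Maximum
Password Age 1-365 days, Enforce Password History 1-12) to a candidate password.

Added example, not Aviatrix code: the ranges are the document's; the salted-hash
history store and the check order are assumptions."""
import hashlib
import hmac
import os
from datetime import date, timedelta

PBKDF2_ROUNDS = 50_000  # kept low for the example; use a higher work factor in practice


def validate_policy(min_length, max_age_days, history):
    """Rejects settings outside the ranges the Manage Password Policy dialog accepts."""
    if not 8 <= min_length <= 32:
        raise ValueError("Minimum Password Length must be between 8 and 32")
    if not 1 <= max_age_days <= 365:
        raise ValueError("Maximum Password Age must be between 1 and 365 days")
    if not 1 <= history <= 12:
        raise ValueError("Enforce Password History must be between 1 and 12")
    return {"min_length": min_length, "max_age_days": max_age_days, "history": history}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """One user's current password plus the salted hashes of the last N passwords."""

    def __init__(self, policy):
        self.policy = policy
        self.entries = []  # (salt, digest, date_set), oldest first

    def is_reused(self, password):
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest, _ in self.entries)

    def is_expired(self, today_iso):
        """True once the current password is older than Maximum Password Age."""
        if not self.entries:
            return False
        age = date.fromisoformat(today_iso) - self.entries[-1][2]
        return age > timedelta(days=self.policy["max_age_days"])

    def problems(self, password):
        """Reasons a candidate password would be rejected; an empty list means acceptable."""
        found = []
        if len(password) < self.policy["min_length"]:
            found.append(f"shorter than {self.policy['min_length']} characters")
        if self.is_reused(password):
            found.append(f"matches one of the last {self.policy['history']} passwords")
        return found

    def set_password(self, password, today_iso):
        found = self.problems(password)
        if found:
            raise ValueError("; ".join(found))
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt), date.fromisoformat(today_iso)))
        # Keep only the last N passwords: after N different ones, an old one may return.
        self.entries = self.entries[-self.policy["history"]:]
        return True


if __name__ == "__main__":
    record = PasswordRecord(validate_policy(12, 90, 3))
    record.set_password("correct horse battery", "2024-01-01")
    print(record.problems("correct horse battery"))  # reuse is reported
    print(record.is_expired("2024-04-15"))           # True: older than 90 days
```

With history set to 3, a password becomes reusable only once three different passwords have followed it, which is the behaviour the "12 different passwords" sentence above describes for the maximum setting.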

Refreshing Credentials on Controller and Gateways

To refresh the account credentials for the Controller and gateways:

  1. Go to CoPilot > Administration > User Access > select the Access Management tab.

  2. Click Refresh.

Disabling Admin User Login

You can disable login access for the user account named "admin" for security reasons.

If your CoPilot Service Account is named "admin," you cannot disable admin login. This limitation is set because you need a Service Account to use CoPilot.

You can change the Service Account by going to CoPilot > Settings > Configuration. Under Service Account, click Reset.

To disable Admin login access:

  1. Go to CoPilot > Administration > User Access > select the Access Management tab.

  2. Under Allow Admin User to log in, click on the toggle switch to turn it OFF.

  3. Click Turn Off.

To re-enable admin login access, click on the toggle switch again to turn it ON.

Login Authentication

Enabling Duo

The Aviatrix UserVPN solution provides Duo authentication integration. This document helps you set up Duo to connect with Aviatrix.

You need to first have a Duo account set up. If you do not have one, please see https://www.duosecurity.com/product.

Getting Duo API Credentials

This step requires admin privileges in Duo.

You must first add an application to Duo for Aviatrix before you can connect. If you have already completed this step, these same steps will take you to the API credentials needed to connect Aviatrix with this application.

Then enter the following information in CoPilot:

  • Duo Integration Key: Enter your Duo Integration Key in this field.

  • Duo Secret Key: Enter your Duo Secret Key in this field.

  • Duo API Hostname: Enter your Duo API Hostname in this field.

Click Save. Your Duo integration is saved.

Enabling LDAP

Aviatrix allows you to configure LDAP authentication for users logging into CoPilot. At the login prompt for CoPilot, the user will enter their username and LDAP/AD password to authenticate.

To enable LDAP:

  1. Go to CoPilot > Administration > User Access > select the Access Management tab.

  2. Under LDAP, click Enable.

  3. Enter the following information:

    • LDAP Server: Enter the IP address or hostname of the LDAP / AD server.

    • Server Port: Port 389 is the standard port for both encrypted (STARTTLS) and non-encrypted LDAP connections.

    • Bind DN (Distinguished Name): The DN CoPilot binds with to the LDAP server in order to look up and authenticate users. For example, uid=john.doe.

    • Password: The password of the Bind DN user.

    • Base DN: Starting point in the directory for searching for matching usernames.

    • Username Attribute: Name of the user attribute that the entered username is matched against.

    • LDAP User: This field is only used by the Test LDAP Configuration button. CoPilot searches for this user and reports whether it could connect and find the user.

    • Use TLS to connect to Server: When this setting is enabled, STARTTLS is used to connect to the LDAP server. LDAP over SSL (port 636) is not supported. You must provide an FQDN for the LDAP server if TLS is turned on.

    • Client Key/Certificate Bundle (if Use TLS to Connect to Server is On): Upload a client key or certificate bundle.

    • CA Certificate (if Use TLS to Connect to Server is On): Upload a CA certificate.

  4. You can click Test LDAP Configuration to test the configuration before saving.

  5. Click Save. Your LDAP configuration is saved.
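The settings above interact (port 636 is not supported, TLS requires an FQDN, and the username typed at login is matched against the Username Attribute), so it helps to check them before clicking Save. The following is an added example, not Aviatrix code: it validates a settings dictionary (the key names are assumptions), builds the user-search filter with RFC 4515 escaping so that a login name cannot alter the filter, and, in `check_ldap_configuration`, performs the same bind-and-search that the Test LDAP Configuration button does using the third-party ldap3 library. Only the offline checks run without a directory server.

```python
"""Pre-save checks for CoPilot's LDAP settings plus a safely built user-search
filter. Added example, not Aviatrix code: settings keys are assumptions, the
rules (port 636 unsupported, FQDN required with TLS) are the document's, and
the live check uses the third-party ldap3 library."""
import ipaddress
import ssl

LDAPS_PORT = 636  # LDAP over SSL: not supported, STARTTLS on 389 is used instead


def escape_filter_value(value):
    """RFC 4515 escaping so a typed username cannot change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(username_attribute, username):
    """Filter matching the entered username against the configured Username Attribute."""
    return f"({username_attribute}={escape_filter_value(username)})"


def is_fqdn(host):
    """An FQDN rather than an IP address: two or more labels of letters, digits, hyphens."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(
        label and all(c.isalnum() or c == "-" for c in label) for label in labels)


def validate_ldap_settings(s):
    """Problems that would make the configuration fail; an empty list means OK."""
    problems = []
    for key in ("server", "bind_dn", "bind_password", "base_dn", "username_attribute"):
        if not s.get(key):
            problems.append(f"{key} is required")
    if s.get("port") == LDAPS_PORT:
        problems.append("LDAP over SSL (port 636) is not supported; use port 389 with STARTTLS")
    if s.get("use_tls"):
        if not is_fqdn(s.get("server", "")):
            problems.append("an FQDN is required for the LDAP server when TLS is on")
        if not s.get("ca_certificate"):
            problems.append("a CA certificate is needed to verify the server when TLS is on")
    return problems


def check_ldap_configuration(s, test_user):
    """What the Test LDAP Configuration button does: bind as the Bind DN (after STARTTLS
    if enabled) and search Base DN for the test user. Needs `pip install ldap3`."""
    from ldap3 import ALL, Connection, Server, Tls  # third-party

    tls = None
    if s["use_tls"]:
        # Verify the server against the uploaded CA certificate; present the client
        # key/certificate bundle if one was uploaded.
        tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=s["ca_certificate"],
                  local_certificate_file=s.get("client_certificate"),
                  local_private_key_file=s.get("client_key"))
    server = Server(s["server"], port=s["port"], tls=tls, get_info=ALL)
    conn = Connection(server, user=s["bind_dn"], password=s["bind_password"])
    conn.open()
    if s["use_tls"] and not conn.start_tls():
        return False, "STARTTLS failed"
    if not conn.bind():
        return False, f"bind failed: {conn.result}"
    conn.search(s["base_dn"], build_user_filter(s["username_attribute"], test_user),
                attributes=[s["username_attribute"]])
    found = len(conn.entries) == 1
    conn.unbind()
    return found, "user found" if found else "user not found"


if __name__ == "__main__":
    # Constructed settings for the offline checks.
    settings = {"server": "ldap.example.com", "port": 389, "bind_dn": "uid=john.doe",
                "bind_password": "bind-secret", "base_dn": "dc=example,dc=com",
                "username_attribute": "uid", "use_tls": True, "ca_certificate": "ca.pem"}
    print(validate_ldap_settings(settings))   # [] when everything is consistent
    print(build_user_filter("uid", "j*doe"))  # (uid=j\2adoe)
```

The escaping matters because the value searched for is whatever the person typed at the CoPilot login prompt; without it, characters such as `*` or `)` would be interpreted as filter syntax rather than as part of the username.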

Allowing Local Login

Use this setting to let users who are not in Active Directory log in with a local username and password. You can enable this setting for specific Permission Groups.

To enable users outside the Active Directory to log in with a username and password:

  1. Go to CoPilot > Administration > User Access > select the Access Management tab.

  2. Under Allow Local Login, in the Permission group field, enter the name of each Permission Group to give local login access and press Enter after each one.

Users in these Permission Groups now have local login access.