User
######

You can find the User Settings at **Authentication → User**.

.. image:: img/Users.png
   :width: 100%
   :align: center
   :alt: Users

On the User screen you can quickly edit some user settings like **activating/deactivating** and **deleting** users.

Users are created in the Webgui and are **disabled in the Linux system** by default. You need to activate them explicitly with the **System Access** option in the user's settings.

Users can be in any number of :ref:`Groups`. For a user to log in to the Webgui, membership in the **System Admin** or **System User** group is required.
Other users can be used for services like OpenVPN or WebVPN.

.. image:: img/Users-Create.png
   :width: 100%
   :align: center
   :alt: Create User

Permissions
***********

Each User can have a set of permissions. Permissions can be configured on the User itself or through group memberships.
Permissions are **additive**, meaning all permissions from Groups and the User are added together to form the set of all permissions for the user.

Please be careful and consider which permissions each user should have.

The **Admin** user always has all permissions, regardless of which permissions you configure in the GUI. This user is a super user.

Language
********

Each user can change and configure their own language. By default all users have the global language defined in :ref:`Settings`.

API Token
*********

Each user has an automatically generated API Token to access the REST API without a password. The user still needs the correct permissions to access any resource; the token only makes the authentication process easier.
Nevertheless, the username and password work as well.

SSH
***

The User can add their SSH key(s) here. If configured in :ref:`Settings`, they can log in without a password.

The **system access** option is required for SSH access. If a user has **system access** you can also give them **sudo access** to become root.

Authentication Server
*********************

A User can have multiple authentication servers. When a user logs in, they are authenticated against the selected authentication server.
The default one is the *VT AIR DB*.

To change your Authentication Server setup, go to **System → Auth. Server** and refer to the documentation at :ref:`Authentication Server`.

Bookmarks
*********

.. image:: img/Users-Create2.png
   :width: 100%
   :align: center
   :alt: User Bookmarks and OpenVPN Profile

Each user can have up to 5 bookmarks that show up in the upper right corner under their profile widget. A bookmark is a shortcut to a menu.
User permissions are required to access a bookmark.

OpenVPN Profile
***************

If a user is part of an OpenVPN setup, as a user or with a user certificate, the user can download the OpenVPN config in the OpenVPN Profile section.
The OpenVPN Profile section is at the bottom of the user update page as well as the user settings/user profile page.

A user can only download their own OpenVPN config files and not the config files of other users.

Certificate
***********

A user can be linked to a user certificate. If you update an existing user there is also a *Create Certificate* button which opens a user certificate creation window.
Otherwise you can go to **General → Certificates** and create one there.

Two Factor Authentication
==================================

Two Factor Authentication can be used on the Webgui and OpenVPN. We use One Time Passwords and TOTP as an additional authentication factor on top of the username and password.

You can create and delete the Two Factor Authentication elements here and also see the QR Code of the TOTP, as well as your One Time Passwords.

One Time Passwords are deleted after they are used and a new one is generated automatically.

You can use any TOTP-enabled app on your phone to generate the codes. Please make sure that the VT AIR clock is synchronized, as TOTP depends on the clock being correct.
There are a lot of different apps available for this, e.g. Google Authenticator or Authy.

One Time Passwords can also be used to give a third person access to the device without having to reset a user password every time.
Just hand out a One Time Password in addition to the username and password.

Profile
*******

Each logged-in user can edit their own profile by navigating to the upper right corner of the screen and clicking on their name.
The profile contains the name settings as well as password, language, SSH key and bookmarks.

Logout
******

The logout option is also in the upper right corner and is reached by clicking on the name. Additionally, after a period of inactivity the auto logout will disconnect the user from VT AIR.
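
The clock dependency noted under Two Factor Authentication, shown as an added example that is not VT AIR code: a standard RFC 6238 TOTP calculation and a verifier, run against increasing clock skew between phone and server. The SHA-1/30-second/6-digit parameters and the tolerance of one time step are assumptions (common authenticator defaults), and the secret is the RFC 6238 test value.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6   # code length used by most authenticator apps (assumed)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation offset
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, code: str, server_time: int, window: int = 1):
    """Return the step offset at which the code matched, or None.

    window=1 accepts the previous, current and next time step; this
    tolerance is an assumption, not a documented VT AIR setting.
    """
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return drift
    return None


def demo():
    """Generate a code on the 'phone' and verify it on skewed 'servers'."""
    secret = b"12345678901234567890"  # RFC 6238 test secret, not a real one
    phone_time = 1111111109           # RFC 6238 test timestamp
    code = totp(secret, phone_time)
    # Server clock running ahead of the phone by the given number of seconds.
    results = {skew: verify(secret, code, phone_time + skew)
               for skew in (0, 20, 45, 120)}
    return code, results


if __name__ == "__main__":
    code, results = demo()
    for skew, drift in results.items():
        status = "rejected" if drift is None else f"accepted (step {drift:+d})"
        print(f"server clock +{skew:>3}s: code {code} {status}")
```

A code that is valid on the phone is rejected once the server clock is off by more than the tolerated steps, which is why failed TOTP logins are a reason to check time synchronization before resetting the user's second factor.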