Manage Security Settings

      Enterprise Analytics security settings can be managed from Couchbase Web Console and by means of the REST API.

      Couchbase Security Settings

      The basic settings for Couchbase security, available to Full and Security administrators, allow configuration of the following:

      • Users & Groups: Users and groups can be created, given passwords, and assigned roles that allow them to access specific system resources.

      • The Root Certificate for the node, which allows the server to identify itself to clients.

      • Client Certificate settings, which determine whether a client can or must present a certificate in order to authenticate with the server.

      • Audit settings, determining which system events are audited.

      • Log Redaction settings, determining what forms of content are to be considered private, and redacted from system logs.

      • Session management setting, whereby users are logged out of Enterprise Analytics Web Console after a specified period of inactivity.

      These areas are described below.

      Access the Security Screen

      To start managing Enterprise Analytics security settings, open the Security screen in Enterprise Analytics Web Console by selecting the Security tab on the left-hand navigation bar.

      This brings up the Security screen. It features a horizontal control-bar with tabs for Users & Groups, Certificates, Audit, Log Redaction, and Other Settings. To display the corresponding screen-content for each, left-click on the tab.

      The upper area of the screen displays notices regarding the enablement-status of LDAP, which can be used in support of external user-authentication. See Authentication Domains, for an overview.

      Users & Groups

      The Users & Groups display (shown above) lists users and groups currently registered on the cluster. The display can be toggled, to provide information for either users or groups.

      Each user has a username and (optionally) a full name; and can have one or more roles associated with them. These roles are themselves associated with privileges that permit access to specified system-resources. The auth domain for each user can be Local or External. To add users and, in so doing, assign them roles, administrators use the ADD USER button, at the upper right. Additionally, each user can be made a member of a defined group.

      Each defined group has a group name and (optionally) a description; and can have one or more roles assigned to it. If a user becomes a member of a group, the user inherits all the group's assigned roles. A group can also be assigned a mapping to an LDAP group that is maintained on a remote LDAP server. For information about how Native LDAP Support can be used to support mappings, see Authorization.

      A full account of adding and editing users and groups is provided in Manage Users, Groups, and Roles.

      LDAP

      The LDAP section of the Security screen provides a toggle to enable or disable LDAP support. When enabled, the Native LDAP Support feature allows users to authenticate with Enterprise Analytics using credentials stored in an external LDAP server.

      For more information, see Configure LDAP.

      SAML

      The SAML section of the Security screen provides a toggle to enable or disable SAML support. When enabled, the SAML feature allows users to authenticate with Enterprise Analytics using credentials stored in an external SAML Identity Provider (IdP).

      For more information, see Configure SAML.

      Certificates

      This displays a screen featuring two panels. The panel to the left features the root CA certificates that have been defined for the cluster.

      Initially, before any administrator-driven configuration has occurred, this panel contains a single, system-generated, self-signed certificate. To increase system-security, a new X.509 certificate should be created. Once this has been done, the new, uploaded certificate is displayed beneath the original, system-generated certificate as shown here.

      See Configure Server Certificates, for further information.

      The right-hand panel features settings for the cluster’s handling of certificates that are presented by clients attempting access.

      The user interface allows the handling of client certificates to be enabled, and optionally to be made mandatory. Note that such handling is disabled by default. The Path, Prefix, and Delimiter fields allow the specification of which details within the client certificate are to be used by the server for client-identification.

      An explanation of how to use this interface is provided in Enable Client-Certificate Handling. A detailed account of establishing client-certificate settings is provided in Configure Client Certificates.
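      The following added example (not Couchbase code) models how the client-certificate handling state (disable, enable, mandatory) together with Path, Prefix, and Delimiter rules decides whether a connection is authenticated and which username it maps to. It assumes Couchbase Server's mapping semantics (the prefix is stripped from the start of the field value and the username ends before the first delimiter character) and treats a presented certificate that maps to no user as rejected; the certificate fields are constructed sample values.

```python
# Added example, not Couchbase code: models client-certificate handling state
# plus Path / Prefix / Delimiter username extraction.
# ASSUMPTION: prefix is stripped from the start of the value and the username
# ends before the first occurrence of any delimiter character (Couchbase
# Server semantics); a certificate that maps to nobody is treated as rejected.
from typing import Optional


def extract_username(cert_fields: dict, rules: list) -> Optional[str]:
    """Return the first username a rule extracts, or None if no rule matches.

    cert_fields maps a path ("subject.cn", "san.email", ...) to the list of
    values present in the presented certificate (a SAN may carry several).
    Each rule is a dict with "path", "prefix" and "delimiter" keys.
    """
    for rule in rules:
        prefix, delimiter = rule.get("prefix", ""), rule.get("delimiter", "")
        for value in cert_fields.get(rule["path"], []):
            if not value.startswith(prefix):
                continue                      # prefix mismatch: rule skipped
            rest = value[len(prefix):]
            if delimiter:
                # Username ends before the earliest delimiter character.
                cut = min((rest.find(c) for c in delimiter if c in rest),
                          default=-1)
                if cut != -1:
                    rest = rest[:cut]
            if rest:
                return rest
    return None


def authenticate(state: str, cert_fields: Optional[dict], rules: list) -> tuple:
    """Apply the handling state; returns (decision, username).

    decision is "cert" (authenticated by certificate), "password" (fall back
    to credential-based authentication) or "reject".
    cert_fields is None when the client presented no certificate.
    """
    if state == "disable":
        return ("password", None)             # certificates are ignored
    if cert_fields is None:
        # Optional under "enable", required under "mandatory".
        return ("reject", None) if state == "mandatory" else ("password", None)
    username = extract_username(cert_fields, rules)
    if username is None:
        return ("reject", None)               # assumed: unmapped cert rejected
    return ("cert", username)
```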

      Audit

      This displays the audit options for the cluster.

      The options permit selection of the directory within which the audit log file is to be saved, and the frequency with which it will be rotated. Specific events can also be included in the audit process, or excluded from it.

      For further information, see Manage Auditing.

      Other Settings

      The Other Settings panel provides settings for Log Redaction, Session Timeout, and Cluster Encryption.

      Log Redaction

      This allows specification of whether log files should be redacted.

      A redacted log file is one purged of sensitive information: this allows log files to be shared for review purposes, without private data being compromised.

      For detailed information, see Manage Logging.

      Session Timeout

      This allows sessions with Enterprise Analytics Web Console to be terminated, following a specified period of user-inactivity. The UI provides a field to enter the timeout duration in minutes.

      For information about how to use this setting, see Manage Sessions.

      Cluster Encryption

      The cluster encryption control provides a pull-down menu to select the encryption level.

      The pull-down menu offers three values, which are control, all, and strict. For a full explanation, see On-the-Wire Security.