Add a new user

Add a new user and give them appropriate permissions:

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. Click Add. The Create User pane displays.
3. In the Username field, enter the email or service account name. A service account is a special account used by an application, compute workload, or CI/CD tool, rather than a person. A users username must be an email to match up to the SSO to access the web portal.

4. Select a Role, and Provision VPN access and Read Only Access, if required.

5. Click Submit.

Edit permissions for an existing user

Edit an existing user's permissions and role:

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. From the Username column, select the user whose permissions you want to modify. The user's page displays.

3. Click the Actions menu and select Update.

4. Modify the user permissions.

5. Click Submit.

View users

View users and their permissions:

1. In the DuploCloud Portal, navigate to Administrator -> Users. The Users page displays.
2. From the Username column, select the user that you want to view. The user's page displays tabs with more information about Tenant Access, VPN access, and API Tokens.

Delete an existing user

Delete an existing user and their permissions:

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. From the Username column, select the user that you want to delete. The user's page displays.

3. Click the Actions menu and select Delete.

4. Review the confirmation message and click Confirm to permanently delete the user.

You can configure the DuploCloud Portal to support various types of Cross-tenant access. Cross-tenant access enables you to share access to resources and services between two DuploCloud .

Configure Cross-tenant access to:

• .

• that IAM policies restrict.

Prerequisites

Before you can use Cross-tenant access, you must do the following:

• Add a to allow port access between each of the Tenants requiring Cross-tenant access in the Security Group.

• Include the full application Namespace when accessing the domain in this format: https://NAMESPACE.duploservices-TENANT_NAME:PORT

For example, If Tenant dev01 is running an app named myapp on port 8080, then access the domain using the URL https://myapp.duploservices-dev01:8080.

Granting general non-IAM restricted access between Tenants

When you grant general non-IAM restricted access between Tenants, you allow one DuploCloud Tenant full access to another Tenant's workspace or Namespace. Your Security Groups define restrictions in your underlying Cloud Platform. In the DuploCloud Portal, you configure general access between Tenants using a Tenant's Security tab.

To grant Cross-tenant access only to specific services restricted by IAM policies, see .

1. In the DuploCloud Portal, navigate to Administrator -> Tenants.

2. Select the Tenant whose resources you want to share from the Name column.

3. Click the Security tab.

4. Click Add. The Add Tenant Security pane displays.

5. From the Source Type list box, select Tenant.

6. From the Tenants list box, select another Tenant with whom you want to share resources.

7. From the Protocol list box, select the protocol that you want to use for sharing.

8. In the Port Range field, specify the range of ports to which you want to grant access.

9. Add a user-friendly Description of this sharing rule.

10. Click Add.

Granting Cross-tenant access to specific IAM-restricted services

To allow access or create a share between two Tenants for specific IAM-restricted services, perform this procedure using the Tenant Grants tab.

You can share access to the following Services between Tenants:

• KMS Keys

1. In the DuploCloud portal, navigate to Administrator -> Tenants. The Tenants page displays.

2. From the Name column, select the Tenant with access to the restricted resource that you want to share. In this example, we choose to share resources to which Tenant uat-01 has access.

3. Click the Grants tab. Select Allow Other Tenants to access TENANT_NAME, where TENANT_NAME is the Tenant you selected.

4. Click Add. The Grant Cross-Tenant Access pane displays.

5. From the Requesting Tenant list box, select the Tenant with whom you want to share access from the Requesting Tenant list box. In this example, the Requesting Tenant is demo01.

6. From the Access to Area list box, select the restricted policy-based resource you want to share.

7. Click Create. Your Cross-tenant Access share is created.

Viewing Cross-tenant grants to restricted policy-based resources

1. In the DuploCloud portal, navigate to Admini> Tenants. The Tenants page displays.

2. From the Name column, select the Tenant whose Cross-tenant grants you want to view. In this example, we select Tenant uat-01.

3. Click the Grants tab. Select Allow Other Tenants to access TENANT_NAME, where TENANT_NAME is the Tenant you selected.

4. The resources that TENANT_NAME (uat-01, in this example) can access are displayed.

Access roles

The DuploCloud Portal contains the following access roles:

• An Administrator has access to all Tenants plus access to administrative functions like Plan configuration, system dashboards, system defaults, etc.

• A User is a regular user that can be given access to a specific Tenant. A Tenant can be accessed by multiple users and a user can be given access to multiple Tenants.

• The Security role is for security and compliance auditors, in order to verify security and compliance dashboards and reports.

Read Only Permissions

For each of the access roles above, DuploCloud supports Read Only permissions, which restrict a user to "view" the resources that are in scope of that particular role but prevents them from making any updates to those resources. Read Only permissions also prevent Just-In-Time access to the underlying Cloud platform.

Single Sign On (SSO)

The user name is meant to be an email address associated with an Identity provider. Currently, supported identity providers are Google and Microsoft Azure. Once a user is created in the DuploCloud portal, the user receives an account-creation email with login instructions. No passwords are involved, the user simply has to navigate to their DuploCloud environment and use SSO to log in to their account.

Give a User Tenant Access

1. In the DuploCloud Portal, navigate to the Administrators -> Users.

2. Select the user in the USERNAME column.
3. Select the Tenant Access tab and click Add. The Add User Access pane displays.

4. From the User field, select the user name and click Add.

1. Select the Tenant(s) from the Tenant list box..

2. Optionally, enable Readonly access.

3. Click Add. The user can access the selected Tenant(s).

When DuploCloud is installed, a Delete protection setting is created that prevents you from deleting a Tenant, even if you have Administrator privileges.

In order to override this protection:

1. In the DuploCloud Portal, navigate to Administrator -> Tenants.

2. Select the Tenant that you want to delete from the Name column.

3. Click the Settings tab. Note that the value for the Delete protection setting is True, indicating that Delete protection is enabled.

4. In the Delete protection row, click the open pane () icon. The Update Tenant Feature pane displays.

5. Select the Enable switch to disable Delete protection for the Tenant.
6. Click Update. Note that the value of the Delete protection setting is now False.

7. Navigate back to Administrator -> Tenants and select the Tenant that you want to delete.

8. From the Actions menu, select Delete. The Tenant is deleted.

Administrators have full access to all databases created in all DuploCloud Tenants.

A non-administrator user can view and use database engine types created by an administrator if the administrator grants them view rights with an AppConfig setting in the DuploCloud Portal.

Granting users view access to database engines

1. In the DuploCloud Portal, navigate to Administrator -> System Settings.

2. Click System Config.

3. Click Add. The Add Config pane displays.

4. From the Config Type list box, select AppConfig.

5. From the Key list box, select RDS approved list for non admin users.

6. Select the Value list box and select the types of databases you want non-administrator users to access. In this example, the user is granted access to any Aurora-MySql and Aurora-PostgreSql database engines that the Administrator creates.

7. Click Submit. The AppConfig configuration setting is displayed on the System Settings page.

In order for DuploCloud users to have access to internal resources within a Tenant, such as an internal host or a database, you need to add Security rules to allow a VPN connection.

Adding tenant security rules for a VPN

Define Tenant Security rules for Tenant access over a VPN:

1. In the DuploCloud Portal, navigate to Administrators -> Tenants.

2. Select the Tenant in the Name column. The Tenant's permissions page displays.

3. Click the Security tab.

4. Click Add. The Add Tenant Security pane displays.

5. Complete the rule fields and add a Description of your changes for future reference.

Example: Adding a rule allowing VPN traffic to access a Tenant

In this example, you create a security rule allowing traffic originating from the VPN IP Address to access resources that are private or internal to the Tenant.

Setting a User's Tenant access to read-only

Set read-only access for a specific user to temporarily or permanently block the user from making changes to an existing Tenant in the DuploCloud Portal.

1. In the DuploCloud Portal, navigate to Administrator -> Tenants.

2. From the Name column, select the Tenant for which you want to limit access by a user.

3. Click the User Access tab.

4. Click Add. The Add User Access pane displays.
5. From the User list box, select the user for whom you want to limit access.

6. Select Read only Access.

7. Click Add. The User Access tab displays Yes in the READ ONLY column.

The user you specified now has only read access to the Tenant.

Adding VPN access for a user

Add a VPN connection for a user:

1. In the DuploCloud Portal, navigate to Administrator -> Users. The Users page displays.

2. Select the name of the user that will have VPN access.

3. Click the VPN tab.

4. Click Set VPN. The Set VPN pane displays.

5. Select the appropriate options, including Reallocate VPN Address and Regenerate Password.

6. Click Create.

Deleting a VPN user

To delete VPN access, you must have administrator privileges.

Delete a user's VPN connection:

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. On the Users page, select the user name from the Username column.

3. Click the VPN tab.

4. Click Remove VPN and Confirm.

VPN access is removed for the user that you selected.

Configure SSO for DuploCloud using the Azure Application Deployment (AD) Portal as an Identity Provider (IDP). To configure Azure SSO, you must:

• Register your application in the Azure AD Portal.

• Create a secret for authentication.

• Assign API Permissions.

Register your application in the Azure AD Portal

1. Log in to the Azure AD Portal as an Administrator.

2. In the Azure AD Portal, navigate to Manage -> App Registrations. The App registrations page displays.
3. Click New registration. The Register an application page displays.

4. Enter a Name for the application, for example, duplo-app1.
5. In the Supported account types area, select Accounts in any organizational directory (Any Azure AD directory - Multitenant).

6. In the Redirect UTI field, select Web and type the DuploCloud URL https://company.duplocloud.net/app/signin-microsoft replacing company with your company's DuploCloud deployment.

7. Click Register.

Note the Application (Client) ID for future reference; for example, 8a6acf76-555e-4782-a8a4-abcd283d889d.

Create a secret for authentication.

1. In the Azure AD Portal, navigate to Manage -> Certificates & secrets.
2. In the Client Secret tab, click New Client Secret.

3. In the Add a client secret window, enter a Description for the secret.

4. In the Expires list box, select 12 months for the expiration duration.

Note the Value displayed in the client secrets tab; for example, hFFC8Q~z.bHooBGcwftnh2LRgp53M62XJdLIrXxyz.

Step3: Assign API Permissions

1. In the Azure AD Portal, navigate to Manage -> API Permissions.
2. Click Microsoft Graph & Delegated Permissions. The Request API Permissions page displays.

3. On the Select permissions area of the Request API Permissions page, select openid, email, and profile. Add the User.Read permission if it is not present by entering User.Read in the search box and selecting it from the search results.
4. Click Add permissions.

5. In the Configured Permissions area of the Request API Permissions page, click Grant admin consent for Default Directory and confirm by clicking Yes.

Next Steps

When setup is complete, supply the Application ID and Client Secret to DuploCloud to integrate Login Authentication with your Azure AD.

Introduction

DuploCloud supports two kinds of API tokens: temporary and permanent. For normal use cases, we recommend using a temporary API token. A permanent API token is warranted for CI/CD or other DevOps automation.

Temporary API tokens

Every time a user logs in to DuploCloud, a temporary API token is created for that user that only lasts for their session.

Getting a Temporary API token

Any user can retrieve their temporary API token from DuploCloud. Navigate to the User -> Profile page. Click the copy icon in the Temporary API Token area.

Permanent API tokens

Only administrators can create permanent API tokens. Permanent tokens are always associated with a specific Duplo user.

Creating a Permanent API token

1. In the DuploCloud Portal, navigate to Administrator -> Users.

2. Click the Username in the list. The user's page displays.

3. Click the Tokens tab.

4. Click Add. The Create a new token pane displays.

5. Create a meaningful Token Name and click Create—a window containing the token displays.

6. Click the Copy button to copy your token to the clipboard. Store it somewhere safe. You cannot retrieve it from DuploCloud.

Configuring notifications for API tokens nearing expiration

You can configure DuploCloud system settings to generate faults and send notification emails when API tokens are nearing expiration.

Generating a fault when API tokens are near expiration:

1. From the DuploCloud portal, navigate to Administrator -> Systems Settings. Select the Config tab, and click Add.

2. For Config Type, select App Config; for Key, select Enable. For Token Notification, and in the Value field, enter the number of days before token expiration when faults should show.

1. Click Submit. DuploCloud will generate a fault when an API token is the set number of days from expiration.

Sending automatic notifications when API tokens are near expiration:

1. From the DuploCloud portal, navigate to Administrator -> Systems Settings. Select the Config tab, and click Add.

2. For Config Type, select App Config; for Key, select User Token Expiration Notification Emails; and in the Value field, enter the user email addresses (separated by semicolons) to which notification emails will be sent.
3. Click Submit. DuploCloud will email the listed email address(es) when an API token is set to expire in a set number of days.

Use these pages to configure SSO for cloud platforms with custom procedures.

To configure SSO through GCP, Microsoft Azure, or Okta as an identity provider, contact DuploCloud for support.

Sometimes local machine DNS configuration drift which causes DNS resolutions to fail, especially to private resource that are secured in your Cloud account behind the VPN connection. These resources include private hosts, and databases.

If you run into such an issue, configure your computer's domain servers to use custom entries such as 8.8.8.8 for GCP and 1.1.1.1 for AWS and Azure.