Create, edit, view, or delete users and assign appropriate roles
You need to be an Administrator to add, edit, or delete permissions.
Add a new user and give them appropriate permissions:
In the DuploCloud Portal, navigate to Administrator -> Users.
Click Add. The Create User pane displays.
In the Username field, enter the email address or service account name. A service account is a special account used by an application, compute workload, or CI/CD tool rather than by a person. A person's username must be the email address that matches their SSO identity, since SSO is what grants access to the web portal.
Select a Role, and Provision VPN access and Read Only Access, if required.
Click Submit.
Edit an existing user's permissions and role:
In the DuploCloud Portal, navigate to Administrator -> Users.
From the Username column, select the user whose permissions you want to modify. The user's page displays.
Click the Actions menu and select Update.
Modify the user permissions.
Click Submit.
View users and their permissions:
In the DuploCloud Portal, navigate to Administrator -> Users. The Users page displays.
From the Username column, select the user that you want to view. The user's page displays tabs with more information about Tenant Access, VPN access, and API Tokens.
Use the Last Login card for the date and time of the user's last log-in.
Delete an existing user and their permissions:
In the DuploCloud Portal, navigate to Administrator -> Users.
From the Username column, select the user that you want to delete. The user's page displays.
Click the Actions menu and select Delete.
Review the confirmation message and click Confirm to permanently delete the user.
Limit a user's access to a Tenant to read-only
Set read-only access for a specific user to temporarily or permanently block the user from making changes to an existing Tenant in the DuploCloud Portal.
In the DuploCloud Portal, navigate to Administrator -> Tenants.
From the Name column, select the Tenant for which you want to limit access by a user.
Click the User Access tab.
Click Add. The Add User Access pane displays.
From the User list box, select the user for whom you want to limit access.
Select Read only Access.
Click Add. The User Access tab displays Yes in the READ ONLY column.
The user you specified now has only read access to the Tenant.
Roles and access types across the DuploCloud Portal
The DuploCloud Portal contains the following roles:
An Administrator has access to all Tenants plus access to administrative functions like Plan configuration, system dashboards, system defaults, etc.
A User is a regular user that can be given access to a specific Tenant. A Tenant can be accessed by multiple users and a user can be given access to multiple Tenants.
The Security role is for security and compliance auditors, in order to verify security and compliance dashboards and reports.
The Signup role is for users who create and manage DuploCloud resources via API.
The user name is meant to be an email address associated with an identity provider. Currently, the supported identity providers are Google and Microsoft Azure. Once a user is created in the DuploCloud portal, the user receives an account-creation email with login instructions. No passwords are involved: the user simply navigates to their DuploCloud environment and uses SSO to log in to their account.
Give a user access to a Tenant
In order for a DuploCloud user to access a Tenant, an Administrator must give a user Tenant Access permissions.
Note: Users with the Administrator role have persistent access to all Tenants. Administrators do not need to add individual Tenant access for themselves.
Give a non-Administrator user access to a Tenant:
In the DuploCloud Portal, navigate to the Administrator -> Users page.
Select the user in the Username column. The user's permissions page displays.
On the Tenant Access tab, click Add. The Add User Access pane displays.
From the User field, select the user name and click Add.
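The access model described in the sections above (Administrators see every Tenant, other roles need an explicit Tenant Access grant, and a per-Tenant read-only flag removes write access) is easy to get wrong during an access review. The following is an added example, not DuploCloud's own code: it models that policy as plain Python and produces a per-Tenant list of who can read and who can modify. It assumes that every non-Administrator role needs an explicit grant (the page states this only for the User role) and that the read-only flag is not applied to Administrators; user names and Tenant names are constructed.

```python
from dataclasses import dataclass, field

# Roles listed on the page. Assumption: every non-Administrator role needs an
# explicit Tenant Access grant; the page only states this for the User role.
ROLES = ("Administrator", "User", "Security", "Signup")


@dataclass
class PortalUser:
    username: str
    role: str
    # Tenants granted on the user's Tenant Access tab (non-Administrators only)
    tenant_access: set = field(default_factory=set)
    # Tenants where the User Access tab shows Yes in the READ ONLY column
    read_only_tenants: set = field(default_factory=set)

    def __post_init__(self):
        if self.role not in ROLES:
            raise ValueError(f"unknown role: {self.role}")


def can_read(user: PortalUser, tenant: str) -> bool:
    """Administrators see every Tenant; everyone else needs an explicit grant."""
    if user.role == "Administrator":
        return True
    return tenant in user.tenant_access


def can_modify(user: PortalUser, tenant: str) -> bool:
    """Write access is read access minus the per-Tenant read-only flag.
    Assumption: the read-only flag is not applied to Administrators."""
    if user.role == "Administrator":
        return True
    return tenant in user.tenant_access and tenant not in user.read_only_tenants


def effective_access(users, tenants):
    """Per-Tenant lists of who can read and who can modify, for an access review."""
    report = {}
    for tenant in tenants:
        readers = sorted(u.username for u in users if can_read(u, tenant))
        writers = sorted(u.username for u in users if can_modify(u, tenant))
        report[tenant] = {"read": readers, "write": writers}
    return report


# Constructed sample data; the names and Tenants are not from the page.
SAMPLE_TENANTS = ["dev01", "prod01"]
SAMPLE_USERS = [
    PortalUser("admin@example.com", "Administrator"),
    PortalUser("dev@example.com", "User",
               tenant_access={"dev01", "prod01"}, read_only_tenants={"prod01"}),
    PortalUser("ci-deployer", "Signup", tenant_access={"dev01"}),
    PortalUser("auditor@example.com", "Security"),
]

if __name__ == "__main__":
    for tenant, who in effective_access(SAMPLE_USERS, SAMPLE_TENANTS).items():
        print(tenant, "read:", who["read"], "write:", who["write"])
```

Running it lists, per Tenant, exactly which accounts could change it; the useful check is that the write list for a production Tenant contains only the accounts you expect.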
Grant a Tenant specific access over a VPN
In order for DuploCloud users to have access to internal resources within a Tenant, such as an internal host or a database, you need to add Security rules to allow a VPN connection.
Define Tenant Security rules for Tenant access over a VPN:
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant in the Name column. The Tenant's permissions page displays.
Click the Security tab.
Click Add. The Add Tenant Security pane displays.
Complete the rule fields and add a Description of your changes for future reference.
For example, you might create a security rule that allows traffic originating from the VPN IP address to reach resources that are private or internal to the Tenant.
Temporary and permanent API Tokens
DuploCloud supports two kinds of API tokens, temporary API tokens and permanent API tokens. For normal use cases, we recommend using a temporary API token. For CI/CD or other DevOps automation, a permanent API token is warranted.
Permanent API tokens will expire after one year.
Every time a user logs in to DuploCloud, a temporary API token is created for that user that only lasts for the duration of their session.
Only administrators can create permanent API tokens. Permanent tokens are always associated with a specific Duplo user.
Create a permanent API token for a user: Navigate to the Administrator -> Users page. Click the username in the list to go to that user's page, then click the Tokens tab.
Click the blue + Add button. Give your token a memorable name and click Create.
Click the Copy button to copy your token to the clipboard. Save it somewhere safe; you will not be able to retrieve it from Duplo later.
Caution: Always save your token somewhere safe. You will not be able to retrieve it again from Duplo after you have created it. However, if you lose your token, you can always create a new one.
You can configure DuploCloud system settings to generate faults and send notification emails when API tokens are nearing expiration.
To generate faults: from the DuploCloud portal, navigate to Administrator -> System Settings. Select the Config tab and click Add.
For Config Type select App Config, for Key, select Enable User Token Notification, and in the Value field, enter the number of days before token expiration when faults should show.
Click Submit. DuploCloud will generate a fault when an API token is the set number of days from expiration.
To send notification emails: from the DuploCloud portal, navigate to Administrator -> System Settings. Select the Config tab and click Add.
For Config Type select App Config, for Key, select User Token Expiration Notification Emails, and in the Value field, enter the user email addresses (separated by semicolons) to which notification emails will be sent.
Click Submit. DuploCloud will send an email to the listed email address(es) when an API token is the set number of days from expiration.
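The two settings above give the portal a "days before expiration" threshold and a semicolon-separated recipient list. The following is an added example, not DuploCloud's own implementation: it shows the same check run over a constructed inventory of permanent tokens, flagging those within the threshold (including ones already past it) and composing the notification, listing token names only, never the secrets. It assumes the page's "one year" means 365 days from the creation date; the token names, owners, dates and addresses are constructed.

```python
from datetime import date, timedelta

# The page states permanent tokens expire after one year; this example reads
# that as 365 days (assumption: the portal's exact rollover rule is not stated).
PERMANENT_TOKEN_LIFETIME = timedelta(days=365)


def expiry_date(created: date) -> date:
    return created + PERMANENT_TOKEN_LIFETIME


def parse_recipients(value: str) -> list:
    """Split the semicolon-separated email list used by the notification setting."""
    return [addr.strip() for addr in value.split(";") if addr.strip()]


def parse_notify_days(value: str) -> int:
    """Validate the 'days before expiration' setting: a positive integer."""
    days = int(value.strip())
    if days <= 0:
        raise ValueError("days before expiration must be positive")
    return days


def tokens_nearing_expiry(tokens, today: date, notify_days: int) -> list:
    """Tokens that expire within notify_days of today, or have already expired.
    Already-expired tokens are included because they also need attention."""
    threshold = today + timedelta(days=notify_days)
    flagged = []
    for tok in tokens:
        exp = expiry_date(tok["created"])
        if exp <= threshold:
            flagged.append({**tok, "expires": exp, "days_left": (exp - today).days})
    return flagged


def build_notification(flagged, recipients) -> dict:
    """Compose a plain message listing the flagged tokens by owner and name."""
    lines = [f"{t['user']} / {t['name']}: expires {t['expires']} ({t['days_left']} days)"
             for t in flagged]
    return {"to": recipients,
            "subject": f"{len(flagged)} API token(s) nearing expiration",
            "body": "\n".join(lines)}


# Constructed sample inventory: owners, token names and dates are made up.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_TOKENS = [
    {"user": "ci@example.com", "name": "ci-deploy", "created": date(2023, 6, 15)},
    {"user": "ops@example.com", "name": "nightly-backup", "created": date(2023, 9, 1)},
    {"user": "ops@example.com", "name": "legacy-export", "created": date(2023, 5, 1)},
]

if __name__ == "__main__":
    hits = tokens_nearing_expiry(SAMPLE_TOKENS, SAMPLE_TODAY, parse_notify_days("30"))
    msg = build_notification(hits, parse_recipients("sec@example.com; ops@example.com"))
    print(msg["subject"])
    print(msg["body"])
```

With a 30-day threshold on the sample date, ci-deploy (13 days left) and the already-expired legacy-export are reported while nightly-backup is not; a negative days_left is the signal that automation relying on that token has probably already started failing.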
Any user can retrieve their own temporary API token from DuploCloud. Navigate to the User -> Profile page. Click the copy icon in the Temporary API Token pane.
Local DNS config might need to be fixed in order to resolve hostnames
Sometimes a local machine's DNS configuration drifts, causing DNS resolution to fail, especially for private resources that are secured in your cloud account behind the VPN connection. These resources include private hosts and databases.
If you run into such an issue, configure your computer's DNS servers to use custom entries such as 8.8.8.8 for GCP and 1.1.1.1 for AWS and Azure.
Override Delete Protection in order to delete a Tenant
When DuploCloud is installed, a Delete protection setting is created that prevents you from deleting a Tenant, even if you have Administrator privileges.
In order to override this protection:
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant that you want to delete from the Name column.
Click the Settings tab. Note that the value for the Delete protection setting is True, indicating that Delete protection is enabled.
Select the Enable switch to disable Delete protection for the Tenant.
Click Update. Note that the value of the Delete protection setting is now False.
Navigate back to Administrator -> Tenants and select the Tenant that you want to delete.
From the Actions menu, select Delete. The Tenant is deleted.
Manage VPN access for users
To add or delete VPN access for users you must have Administrator privileges.
Add a VPN connection for a user:
In the DuploCloud Portal, navigate to Administrator -> Users. The Users page displays.
Select the name of the user that will have VPN access.
Click the VPN tab.
Click Set VPN. The Set VPN pane displays.
Select the appropriate options, including Reallocate VPN Address and Regenerate Password.
Click Create.
To delete VPN access, you must have administrator privileges.
Delete a user's VPN connection:
In the DuploCloud Portal, navigate to Administrator -> Users.
On the Users page, select the user name from the Username column.
Click the VPN tab.
Click Remove VPN and Confirm.
VPN access is removed for the user that you selected.
Allow multiple Tenants access to the same resources
These features are currently only available for AWS.
You can configure the DuploCloud Portal to support various types of Cross-tenant access. Cross-tenant access enables you to share access to resources and services between two DuploCloud Tenants.
Configure Cross-tenant access to:
Share specific services between Tenants in the DuploCloud Portal that are restricted by IAM policies.
Before you can use Cross-tenant access, you must do the following:
Add a Security Group rule to allow port access between each of the Tenants requiring Cross-tenant access in the Security Group.
Include the full application Namespace when accessing the domain, in this format: https://NAMESPACE.duploservices-TENANT_NAME:PORT
For example, if Tenant dev01 is running an app named myapp on port 8080, then access the domain using the URL https://myapp.duploservices-dev01:8080.
When you grant general non-IAM restricted access between Tenants, you allow one DuploCloud Tenant full access to another Tenant's workspace or Namespace. Restrictions are defined by your Security Groups in your underlying Cloud Platform. In the DuploCloud Portal, you configure general access between Tenants using a Tenant's Security tab.
To grant Cross-tenant access only to specific services that are restricted by IAM policies, see the next section.
In the DuploCloud Portal, navigate to Administrator -> Tenants.
Select the Tenant whose resources you want to share from the Name column.
Click the Security tab.
Click Add. The Add Tenant Security pane displays.
From the Source Type list box, select Tenant.
From the Tenants list box, select another Tenant with whom you want to share resources.
From the Protocol list box, select the protocol that you want to use for sharing.
In the Port Range field, specify the range of ports to which you want to grant access.
Add a user-friendly Description of this sharing rule.
Click Add.
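A Tenant Security rule with Source Type = Tenant is the general, non-IAM form of cross-tenant access, so its breadth is entirely what you choose for Protocol and Port Range. The following is an added example, not DuploCloud's own code: a small reviewer that parses a Port Range as typed in the pane and returns findings for a proposed rule before it is added (all-protocol rules, very wide port ranges, a Tenant sharing with itself, a missing Description). It assumes protocol names of tcp, udp, icmp or all and a Port Range written as 8080 or 8000-8100; the page does not list the exact values the list boxes offer. The sample rules are constructed.

```python
# Assumptions (not from the page): protocols are named "tcp", "udp", "icmp" or
# "all", and a Port Range is typed as "8080" or "8000-8100".

WIDE_RANGE_THRESHOLD = 1024  # flag ranges wider than this many ports (example policy)


def parse_port_range(text: str) -> tuple:
    """Return (low, high) from '8080' or '8000-8100'; reject malformed input."""
    parts = text.strip().split("-")
    if len(parts) not in (1, 2) or not all(p.strip().isdigit() for p in parts):
        raise ValueError(f"malformed port range: {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return low, high


def review_rule(rule: dict) -> list:
    """Findings for one Tenant Security rule; an empty list means nothing to flag."""
    findings = []
    if rule.get("source_type") != "Tenant":
        findings.append("Source Type is not Tenant; cross-tenant sharing should name the peer Tenant")
    if rule.get("source_tenant") == rule.get("tenant"):
        findings.append("source Tenant is the rule's own Tenant")
    proto = rule.get("protocol", "").lower()
    if proto == "all":
        findings.append("protocol 'all' opens every protocol; name the one the service uses")
    if proto in ("tcp", "udp"):
        low, high = parse_port_range(rule["port_range"])
        width = high - low + 1
        if width > WIDE_RANGE_THRESHOLD:
            findings.append(f"port range {low}-{high} spans {width} ports")
    if not rule.get("description", "").strip():
        findings.append("missing Description; record why the share exists")
    return findings


# Constructed sample rules: Tenant names, ports and descriptions are made up.
SAMPLE_RULES = [
    {"tenant": "dev01", "source_type": "Tenant", "source_tenant": "uat01",
     "protocol": "tcp", "port_range": "8080", "description": "myapp API from uat01"},
    {"tenant": "dev01", "source_type": "Tenant", "source_tenant": "uat01",
     "protocol": "tcp", "port_range": "0-65535", "description": ""},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["port_range"], "->", review_rule(rule) or ["ok"])
```

The second sample rule is the shape that most often slips through: a port range that covers everything and no record of why it was added. Running the reviewer over rules exported from a Tenant's Security tab gives a quick list of shares to tighten.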
To allow access, or create a share, between two Tenants for specific IAM-restricted services, perform this procedure using the Tenant Grants tab.
To establish general non-IAM restricted Cross-tenant access, see the previous section.
You can share access to the following Services between Tenants:
KMS Keys
Ensure that the two Tenants that are sharing resources reside within the same region in the AWS Portal.
In the DuploCloud portal, navigate to Administrator -> Tenants. The Tenants page displays.
From the Name column, select the Tenant with access to the restricted resource that you want to share. In this example, we choose to share resources to which Tenant uat-01 has access.
Click the Grants tab. Select Allow Other Tenants to access TENANT_NAME, where TENANT_NAME is the Tenant you selected.
Click Add. The Grant Cross-Tenant Access pane displays.
From the Requesting Tenant list box, select the Tenant with whom you want to share access. In this example, the Requesting Tenant is demo01.
From the Access to Area list box, select the restricted policy-based resource that you want to share.
Click Create. Your Cross-tenant Access share is created.
In the DuploCloud portal, navigate to Administrator -> Tenants. The Tenants page displays.
From the Name column, select the Tenant whose Cross-tenant grants you want to view. In this example, we select Tenant uat-01.
Click the Grants tab. Select Allow Other Tenants to access TENANT_NAME, where TENANT_NAME is the Tenant you selected.
The resources that TENANT_NAME (uat-01, in this example) has access to are displayed.
In the Delete protection row, click the open pane icon. The Update Tenant Feature pane displays.
Grant access to specific databases for DuploCloud users
Administrators have full access to all databases created in all DuploCloud Tenants.
A non-administrator user can view and use database engine types created by an administrator if the administrator grants them view rights with an AppConfig setting in the DuploCloud Portal.
In the DuploCloud Portal, navigate to Administrator -> System Settings.
Click System Config.
Click Add. The Add Config pane displays.
From the Config Type list box, select AppConfig.
From the Key list box, select RDS approved list for non admin users.
Select the Value list box and select the types of databases you want non-administrator users to access. In this example, the user is granted access to any Aurora-MySql and Aurora-PostgreSql database engines that the Administrator creates.
Click Submit. The AppConfig configuration setting is displayed on the System Settings page.