Users and Groups
Auditing Logs
The Admin > Users & Groups > Auditing Logs page displays logs of Scrutinizer web interface user actions.
The main table of the Auditing Logs page includes the following details for each activity log:
Timestamp - Date and time of the user activity
Message - Description of the user activity
IP Address - Local IP address of the device/machine used
Operating System - Operating system of the device/machine used
Category - Category or related page where the user action occurs (e.g. settings, admin, dashboards)
User Agent - Web browser used
Username - Username of the person who performed the activity
Time range filter
The Auditing Logs view can be set to show information for either a custom date and time range or a specified Last X period (last 15 minutes, last 24 hours, last week, etc.).
To view data for a different period, click the Time Range (calendar) button and configure the range to apply.
Hint
When a custom range is specified, click the up/down arrows to automatically adjust the dates to cover the same period of time.
Advanced filters
Clicking the Filters button opens a tray where one or more filters can be manually configured.
The following filtering options are available:
Message
IP Address
Operating System
Category
User Agent
Username
To apply a filter, expand the filter option/section, and select the criteria to use. Multiple options and criteria can be applied at the same time.
Note
When exporting activity logs (via the Options button/tray), use the Export CSV (All) option to ignore any filters currently applied.
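One way to review an unfiltered Export CSV (All) file offline, as an added example that is not part of the Scrutinizer documentation or product. It flags users seen from more than one IP address/user agent pair and admin-category actions by accounts outside an expected list. The CSV header names are assumed to match the table columns above, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; header names are assumed to match the table columns.
SAMPLE_EXPORT = """Timestamp,Message,IP Address,Operating System,Category,User Agent,Username
2024-05-01 09:02:11,Viewed dashboard,10.0.0.15,Windows,dashboards,Firefox,jsmith
2024-05-01 09:10:40,Changed system preference,10.0.0.15,Windows,settings,Firefox,jsmith
2024-05-01 09:31:05,Created user account,10.0.0.77,Linux,admin,Chrome,jsmith
2024-05-01 10:00:00,Edited user group,10.0.0.20,macOS,admin,Safari,admin
"""

def review_export(csv_text, expected_admins):
    """Return (users seen from >1 origin, admin-category rows by unexpected users)."""
    origins = defaultdict(set)
    unexpected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["Username"].strip()
        # An origin is the (IP address, browser) pair recorded for the action.
        origins[user].add((row["IP Address"].strip(), row["User Agent"].strip()))
        if row["Category"].strip().lower() == "admin" and user not in expected_admins:
            unexpected.append((row["Timestamp"], user, row["Message"]))
    multi_origin = {u: sorted(o) for u, o in origins.items() if len(o) > 1}
    return multi_origin, unexpected

if __name__ == "__main__":
    multi, unexpected = review_export(SAMPLE_EXPORT, expected_admins={"admin"})
    print("multiple origins:", multi)
    print("unexpected admin actions:", unexpected)
```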
Authentication Providers
The Admin > Users & Groups > Authentication Providers page can be used to set up and manage additional authentication methods/servers for the Scrutinizer web interface.
Adding a new authentication server
To set up a new authentication server, follow these steps:
In the main view, click the + button.
Select the authentication method to set up.
Enter the required details for the server in the secondary tray.
Click the Save button.
Once saved, the authentication server will be added to the list/table in the main view. To edit the details for a server, click on its name and make the necessary changes in the configuration tray.
Note
Users can be redirected to a custom URL on logout instead of the default Scrutinizer login page (/ui/login). This URL can be defined using the Logout URL setting under Admin > Settings > System Preferences.
Single sign-on
After adding Scrutinizer to the IdP application list, the following details must be entered in the Scrutinizer web interface:
Name | Name identifying the SSO service configuration in Scrutinizer
IdP Identifier URL | IdP-provided redirect URL for user authentication
Entity ID |
Assertion URL |
Audience Value |
Name Attribute | User identifier attribute passed by the IdP
Groups Attribute | User group identifier attribute passed by the IdP
IdP Metadata URL | URL to access the IdP metadata XML (only required if metadata XML cannot be downloaded)
IdP Metadata XML | Metadata XML downloaded from the IdP
Signing Certificate | Path to the SAML signing certificate obtained from the IdP (e.g.,
Note
If no group identifier attribute is provided, only the name attribute will be referenced for authentication.
Adding Scrutinizer as an SAML application
To set up SSO authentication for Scrutinizer, it should first be added to the application list of the SAML 2.0 SSO platform.
Note
Scrutinizer can be integrated into any SAML 2.0 SSO platform. For further information, contact Plixer Technical Support or refer to the provider’s documentation.
Azure AD FS
To add Scrutinizer as an enterprise application to Azure AD FS, follow these steps:
Log in to the Azure portal as a global administrator.
Go to Enterprise Applications > New Application, and then select Create your own application.
Enter a name for the application (e.g., Scrutinizer).
Select the option to create a non-gallery application, and then click the Create button.
Under Getting Started in the application overview, click on Set up single sign on, and then select SAML as the single sign-on method on the next page.
In the next step, configure the following details under Basic SAML Configuration (other fields should be left blank):
Identifier (Entity ID): https://<SCRUTINIZER_SERVER_IP>/
Reply URL (Assertion Consumer Service URL): https://<SCRUTINIZER_SERVER_IP>/fcgi/scrut_fcgi.fcgi?rm=usergroups&action=sso_response
Sign on URL: https://<SCRUTINIZER_SERVER_IP>/
From the previous SAML SSO setup page, obtain the following for the Scrutinizer SSO configuration form/tray:
IdP Identifier URL: Azure AD Identifier (under Set up application)
Name Attribute: Source attribute for the Unique User Identifier (Name ID) claim name (under Attributes & Claims)
Groups Attribute: Source attribute for the http://schemas.microsoft.com/ws/2008/06/identity/claims/groups claim name (under Attributes & Claims)
IdP Metadata URL/XML: Copy the App Federation Metadata URL or download the Federation Metadata XML (under SAML Certificates)
Signing Certificate: Download the x64/Base64 certificate (under SAML Certificates)
After completing all configuration steps in Azure and Scrutinizer, users and/or groups should be added to the Scrutinizer application to enable SSO authentication for the web interface.
Okta
To add Scrutinizer as a direct-access application to an Okta org, follow these steps:
Note
The instructions below are specific to the Okta Classic Engine. For Identity Engine users, click here.
From the Admin Console, navigate to the Applications page.
Click Create App Integration, and then select SAML 2.0 as the sign-in method.
After clicking Next, enter the general information for the application integration.
In the next step, enter the following SAML configuration details (other fields should be left blank):
Single sign on URL: https://<scrutinizer_server>/fcgi/scrut_fcgi.fcgi?rm=usergroups&action=sso_response
Audience URL: https://<SCRUTINIZER_SERVER_IP>/
When done, click Finish, and then select the Scrutinizer application from the Applications page.
Click on the Sign On tab, and then click Identity Provider metadata under the SAML 2.0 section of the Settings page.
Obtain the details required for the Scrutinizer SSO configuration form/tray.
Download the active signing certificate from the SAML Signing Certificates section.
After completing all configuration steps in Okta and Scrutinizer, users and/or groups should be added to the Scrutinizer application to enable SSO authentication for the web interface.
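Before saving the SSO form, the IdP Metadata XML, IdP Identifier URL and Signing Certificate values can be checked against each other. The following is an added example, not Plixer or IdP vendor code. Because this page describes the IdP Identifier URL both as the IdP redirect URL and (for Azure) as the Azure AD Identifier, the check accepts either the metadata entityID or a SingleSignOnService location. The sample metadata and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sha256_fp(der):
    return hashlib.sha256(der).hexdigest()

def pem_to_der(pem):
    # Drop the BEGIN/END lines and decode the Base64 body.
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_idp_metadata(xml_text):
    # Input is the metadata file an administrator downloaded from the IdP.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    fps = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only key
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(sha256_fp(base64.b64decode("".join((cert.text or "").split()))))
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "sso_urls": sso, "signing_fps": fps}

def check_sso_form(metadata_xml, idp_identifier, cert_pem):
    """Return a list of mismatches between the form values and the metadata."""
    md = read_idp_metadata(metadata_xml)
    problems = []
    if idp_identifier not in [md["entity_id"], *md["sso_urls"]]:
        problems.append("IdP Identifier URL not found in metadata")
    if sha256_fp(pem_to_der(cert_pem)) not in md["signing_fps"]:
        problems.append("Signing Certificate is not a signing key in metadata")
    return problems

# Constructed sample: placeholder bytes stand in for a real X.509 certificate.
_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Location="https://idp.example.test/sso"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

An empty list from `check_sso_form(SAMPLE_METADATA, "https://idp.example.test/saml", SAMPLE_PEM)` means the three values agree; a certificate that is not listed as a signing key in the metadata is reported by name.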
LDAP
When adding an LDAP authentication server, the following details must be entered:
LDAP Server | IP address or hostname of the LDAP server
LDAP Port | TCP port used on the LDAP server
Domain | Domain used for authentication at the login page (e.g.,
Administrator Password | Password to use in conjunction with the Administrator DN
Administrator DN | Distinguished name (DN) string to use (e.g.,
LDAP Server CA Certificate File | [Optional] Full path to the LDAP server’s CA-signed certificate (must be in PEM format)
Certificate Verification | Select Require to use the specified certificate for verification with the server
ID Attribute | Attribute to use for verifying provided usernames (
Searchbase | Groups (semicolon-delimited if more than one) to search for authorized users (e.g.,
Security Groups Allowed | [Optional] Security groups users must be assigned to for authentication (e.g.,
SSL Protocol | SSL/TLS protocol to use (if LDAPS is configured)
Timeout | Timeout (in seconds) for LDAP authentication requests
Group syncing
When LDAP is enabled and a local user group shares the exact same name with an LDAP security group, Scrutinizer will automatically keep both groups synced by adding or removing users from the local user group as they log in.
Examples:
If a member of the security group Analysts logs in to Scrutinizer using their LDAP credentials, they will automatically be added to the local Analysts user group (if they were not a member when they logged in).
If the user is not a member of the Analysts LDAP security group, they will be removed from the local Analysts user group (if they were a member when they logged in).
Important
This feature requires the names of the local user group and the LDAP security group to be an exact match, including any capitalization and/or punctuation.
When an LDAP user logs in to a Scrutinizer server configured with multiple LDAP servers, authentication is attempted against each server in the order it appears in the LDAP server list until one attempt succeeds. If none succeeds, the user authentication fails.
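Because group syncing depends on an exact name match, a local group whose name differs from the LDAP security group only in case or punctuation is never synced, so members are never removed from it at login. The following added example (a model of the behaviour described above, not Scrutinizer code) lists which local groups will sync, flags near misses, and simulates the login-time add/remove; all group and user names are constructed.

```python
import re

def _loose(name):
    # Case- and punctuation-insensitive key, used only to spot near misses.
    return re.sub(r"[^a-z0-9]", "", name.casefold())

def classify_groups(local_groups, ldap_groups):
    """Return (names that sync, [(local, ldap)] pairs that almost match)."""
    ldap = set(ldap_groups)
    by_loose = {}
    for g in ldap:
        by_loose.setdefault(_loose(g), []).append(g)
    synced, near = [], []
    for name in sorted(local_groups):
        if name in ldap:
            synced.append(name)
        else:
            near += [(name, g) for g in sorted(by_loose.get(_loose(name), []))]
    return synced, near

def sync_on_login(local_members, user, user_ldap_groups, all_ldap_groups):
    """Model of the documented login-time sync; returns the changes made."""
    changes = []
    for group, members in local_members.items():
        if group not in all_ldap_groups:
            continue  # no exact name match: membership is left untouched
        if group in user_ldap_groups and user not in members:
            members.add(user)
            changes.append(("added", group))
        elif group not in user_ldap_groups and user in members:
            members.discard(user)
            changes.append(("removed", group))
    return changes

# Constructed sample data (hypothetical group and user names).
LDAP_GROUPS = {"Analysts", "Net-Ops", "Auditors"}

def demo():
    local = {"Analysts": {"bob"}, "net-ops": {"alice"}, "Helpdesk": set()}
    report = classify_groups(local, LDAP_GROUPS)
    # alice is in LDAP "Analysts" only; bob has left every LDAP group.
    alice = sync_on_login(local, "alice", {"Analysts"}, LDAP_GROUPS)
    bob = sync_on_login(local, "bob", set(), LDAP_GROUPS)
    return report, alice, bob, local

if __name__ == "__main__":
    print(demo())
```

In the sample, alice keeps her membership of the local net-ops group even though she is not in the LDAP Net-Ops group, because the two names differ in capitalization.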
RADIUS
When adding a RADIUS server for authentication, the following details must be entered:
RADIUS Server | IP address or hostname of the RADIUS server
RADIUS Timeout | Timeout (in seconds) for RADIUS authentication requests
Shared Secret | Shared secret for the RADIUS server
TACACS+
When adding a TACACS+ server for authentication, the following details must be entered:
Pre-shared Key | Pre-shared secret/key for the TACACS+ server
TACACS+ Port | TCP port used on the TACACS+ server (Default: 49)
TACACS+ Server | IP address or hostname of the TACACS+ server
TACACS+ Timeout | Timeout (in seconds) for TACACS+ authentication requests
Authentication Settings
The Admin > Users & Groups > Authentication Settings page is used to manage the following global options for each of Scrutinizer’s supported authentication methods:
Enable/disable the authentication method
Default local group for new users created/added via the authentication method
User access exception rules
To edit the settings for an authentication method, select the method in the main view and make the desired changes in the configuration tray. Settings are applied to all servers for the same authentication method.
Note
If an authentication method is disabled, users without credentials associated with a different method will not be able to access the web interface.
The authentication method associated with a user account can be changed from the Admin > Users & Groups > User Accounts view.
Additional settings related to user logins/authentication can be found under Admin > Settings > Security.
Authentication Tokens
The Admin > Users & Groups > Authentication Tokens page can be used to add and manage authentication tokens, which grant external applications permissions based on a specified user account. Authentication tokens also allow applications to access the web interface without having to include the username and password in the URL.
Creating a new token
To create a new authentication token, click the + button in the main view, and then configure the following details in the tray:
Expiration date
User account whose permissions should be enabled by the token
When done, click the Generate Token button. The token string can be copied from the configuration tray or from the main list/view.
Token management
The main view of the Authentication Tokens page lists the following details for all existing tokens:
Status (active/inactive)
Token string
Expiration date
Timestamp when the token details were last modified
To modify the settings for a token, click on the string and make the necessary changes in the configuration tray.
To delete one or more existing tokens, select the tokens using the checkboxes, and then click the Delete button.
User Accounts
The Admin > Users & Groups > User Accounts page is the configuration and management view for Scrutinizer user accounts.
The main view/table of the page lists the following details for all existing users/accounts:
User Groups: Current number of user groups the user is assigned to
Authentication Method: Authentication type/method associated with the user account
Last Activity: Timestamp of the most recent web interface activity logged for the user
Clicking on a username opens the account configuration tray, where the current settings for the account can be modified. The details in the User Groups and Authentication Method columns also function as shortcuts to edit those settings.
User account settings
The account configuration tray is divided into five sections:
Preferences: Set web interface preferences, including default views, display options, and timezone
User Group Membership: Add/remove the user to/from user groups
Password: Change the user’s password
Authentication Method: Edit the authentication type/method associated with the user account
Authentication Token: Create/manage user account authentication tokens
Users can edit their preferences or change their password at any time. However, only the admin user and users assigned to user groups with the appropriate permissions will have access to all account settings/options.
Note
The Locked authentication method is automatically applied to an account that has exceeded the maximum number of failed logins allowed. To unlock the account, select the previous authentication method used from the dropdown.
Creating a new local account
To create a new user account, click the + button in the main User Accounts view, and then enter the desired username and password in the fields provided. The new user must also be assigned to an existing user group via the dropdown.
When done, click the Save button to create the user account. Preferences and other settings for the account can be edited at a later time.
Bulk actions
When one or more user accounts are selected using the checkboxes, clicking the Bulk Actions button allows group membership changes to be applied to multiple groups at once.
Existing user accounts can also be deleted via the same tray/menu.
User Groups
The Admin > Users & Groups > User Groups page is the configuration and management page for local Scrutinizer user groups.
The main view/table of the page lists the following basic details for all existing user groups:
Members: Number of users assigned to the group
Features: Number of features/permission sets enabled for the group
Devices: Number of devices/exporters that can be accessed
Interfaces: Number of device interfaces that can be accessed
Groups: Number of device/mapping groups that can be accessed
Saved Reports: Number of saved reports that can be accessed
Dashboard Gadgets: Number of dashboard gadgets that can be accessed
Third-Party Links: Number of third-party integration links that can be accessed
Clicking on a user group name opens a configuration tray where the group’s access privileges can be configured.
Creating a new user group
To create a new user group, click the + button in the main User Groups view, and then enter a name for the user group in the tray. An existing user group to use as a template for the new group must also be selected from the dropdown.
When done, click the Save button to create the user group. The group’s name and access privileges can be modified at a later time via the configuration tray.
Managing group membership
To add/remove one or more users to a user group, click on the user group name to open the configuration tray, and then click the edit (pencil) icon for Members.
In the secondary tray, use the checkboxes to select members to assign to the group. Changes are automatically saved as they are made.
Managing user group access
To manage access to resources, functions, and network assets for members of a user group, click on the edit (pencil) icon for the corresponding category below.
Note
To quickly find resources, functions, or assets, use the search field in the secondary tray for the category.
When one or more user groups are selected using the checkboxes, clicking the Bulk Actions button allows access settings to be applied to multiple groups at once. User groups can also be deleted from this tray.
Dashboard Gadgets
The dashboard gadget access list is used to manage the gadgets that can be added to dashboards by group members. The selected gadgets can also be viewed by group members through any other dashboards they have access to.
The group should also be granted access to the Dashboard User feature set (see below) to allow members to create and view dashboards.
Devices
The device access list grants the group access to the status and other basic activity details for the selected network devices. The devices are also made available for use in functions that leverage the information, such as network maps.
Features
The feature access list is used to manage permissions for groups of related web interface functions or feature sets. Access can also be enabled using granular permissions for individual functions by toggling on the Use Advanced option in the secondary tray.
Note
When upgrading to Scrutinizer 19.7.0, any existing user groups using granular permissions will need to be updated with the following permissions to grant members access to the corresponding functions of other Plixer One platform components:
AI Settings
AI User
FlowPro Administrator
Replicator
Replicator Administrator
For a full list of feature sets and individual permissions, see this page.
Groups
The groups access list is used to manage viewing access to existing device/mapping groups.
The group should also be granted access to the Maps User feature set to enable access to the main Network Maps page.
Interfaces
The interface access list grants the group access to all data for the selected interfaces and any hosts associated with them. The interfaces are also made available for use in functions that leverage interface data, such as creating/running reports and network maps.
Saved Reports
The saved report access list is used to manage access to saved reports for the group. Access can be enabled by individual saved report or by report folder.
To allow members to run reports, the group should also be granted access to the Reporting User feature set.