User interface

The Conjur UI shows Conjur resources, policy, and audit records in a graphical interface. Secret rotation is available to authorized users.

Who can see what?

All activity in the UI is subject to the authorization rules for users and groups as declared in policy. For example: 

• Only users with privilege, through policy, to read a certain policy can see the resources declared in that policy.

• The dashboard that shows a summary count of hosts, users, groups, and other resources, only reflects the resources that the currently logged in user has privileges to view.

• Only users with privilege, through policy, to read a variable can see that variable in the UI.

• Only users with privilege to update a variable can set or rotate a variable value in the UI.

Configuration

$ docker run --name $conjurhost -d --restart=always --security-opt seccomp=unconfined  -p "443:443" -p "5432:5432" -p "5433:5433" repository:tag

Login

Access the UI here: 

https://<master-endpoint>/ui

If you are logging in locally, you can use localhost:

https://localhost/ui

Log in using a Conjur user and password or API key.

Configure UI session timeout

By default, UI sessions expire and log out automatically after 15 minutes of inactivity. This value is defined in the UI_SESSION_TIMEOUT system environment variable.

To change this value, do one of the following:

• Add the UI_SESSION_TIMEOUT environment variable to the Conjur machine. The value of this variable represents the duration of inactivity, in minutes, after which a UI session times out.

• If Conjur is running:

  1. Log in to the Conjur machine.

  2. Add the following line into the UI configuration file (/opt/conjur/etc/ui.conf):

     UI_SESSION_TIMEOUT=<number of minutes>

  3. Replace <number of minutes> with the duration of inactivity, in minutes, after which UI sessions should time out.
  4. Save the configuration file.

  5. Restart the Conjur services by running the sv restart conjur command.

View current policy

1. Click Policies in the left navigation.

   

2. In the list of policy IDs, click an ID.

   Note that the policy IDs are not policy files. They are the ids for policy branches (policy namespaces) that are currently loaded and visible to you.

3. In the resulting window, scroll to explore information about resources, roles and their relationships, and permissions in the policy as it is currently loaded into the system.

4. Scroll to the end to view audit events related to the policy.

View users and user activity

Use the following procedure to view users and user activity:

1. Click Usersin the left navigation.

2. In the list of users, click an ID.

   You can also get to a user from a group page, by clicking a user name in the list of members in the group.

3. Scroll to view information about the user, including the roles the user is granted membership to, associated permissions, and the resources to which those permissions apply.

   

4. Scroll further to view recent audit events related to the user.

5. Scroll even further to view an activity graph for this user, showing successful and failed reads and updates during the last 24 hours.

View and change variable values (secrets)

1. In the left navigation, click Secrets.

2. In the list of IDs, click an ID.

3. Scroll to the Resource Permissions section to see which roles have privileges on this secret.

4. If your currently logged in user id has any privilege on the secret, the Secret Manager section includes an active button named View/Edit Secret Data.

5. Click the View/Edit Secret Data button.

6. Set or change the secret value.

   

7. Click Save.

8. Scroll down to view an audit event recording your change.

9. Scroll down to view an activity event of your change.

Search for an ID

1. At the top of the left navigation, enter a search term in the text box. For example: 

   • Enter a user name, group name, policy name, variable name, or other resource name.
   • Enter annotation contents, including an integration name.
   • Partial search strings are valid. Just enter the string (no wildcards).
   • To filter on an integration, skip entering any search value, click the search icon, and use the filter check boxes instead.

2. Click the search icon.

3. The right pane shows a list of predefined filters with check boxes. You can: 

   • Click or unclick check boxes to refine the search.
   • Scroll down to find the results of your search.

4. Click an item in the result list to jump to that item.

Check permissions of a host or layer

1. In the main navigation, click the kind of role (Hosts or Layers).

2. Click the ID. If there are many in the list, use the search feature in the left navigation. You can search for host id or filter the list to a specific type of integration.

3. Click an item in the result list.

4. Scroll to the Privileges section.

View Conjur health

1. In the top right corner of the main window, click the Tools icon.

2. Choose Conjur Cluster.

   

If you have a cluster configured, there will be entries for the Leader, each Standby, and each Follower.

View replicated data

Prerequisite

To view the replicated data, you must be granted the !user admin role.

- !grant
  role: !user admin
  members:
  - !user admin1

View replication data

1. In the left navigation, go to Secrets > Replicated Data.

2. If a data export link already exists for your current configuration, click the link under the Export Data button to download the CSV file.

3. If no exported data link is available or you want to generate a new data export, click the Export Data button to generate a CSV file containing the replication data.

   This process might take several minutes. When the exported data is ready to download, a timestamped link to the CSV file appears under the Export Data button.

4. Click the link to download the file.

   The CSV file lists each Follower with its corresponding replication set and the policies and variables assigned to that replication set.

For more information about data segregation per Follower, see Segregate secrets per Follower.