User Interface

The DAP UI shows DAP resources, policy, and audit records in a graphical interface. Secret rotation is available to authorized users.

Who can see what?

All activity in the UI is subject to the authorization rules for users and groups as declared in policy. For example: 

  • Only users with privilege, through policy, to read a certain policy can see the resources declared in that policy.

  • The dashboard, which shows a summary count of hosts, users, groups, and other resources, reflects only the resources that the currently logged-in user has privileges to view.

  • Only users with privilege, through policy, to read a variable can see that variable in the UI.

  • Only users with privilege to update a variable can set or rotate a variable value in the UI.

Configuration

The Docker container for the DAP Server must be started with a -p argument that maps the UI port 443. Otherwise, the UI will not be available. If the UI is not available, remove the container and restart it using a command similar to the following:

 
$ docker run --name $conjurhost -d --restart=always --security-opt seccomp:unconfined  -p "443:443" -p "636:636" -p "5432:5432" -p "5433:5433" repository:tag

Login

Access the UI here: 

 
https://<dap-master-endpoint>/ui

If you are logging in locally, you can use localhost:

 
https://localhost/ui

Log in using a DAP user and password or API key.

 

If your installation implemented LDAP authentication, an LDAP user name and password are required.

Configure UI session timeout

By default, UI sessions expire and log out automatically after 15 minutes of inactivity. This value is defined in UI_SESSION_TIMEOUT.

To change this value, do one of the following:

  • Add the UI_SESSION_TIMEOUT environment variable to the DAP container. The value of this variable represents the duration of inactivity, in minutes, after which a UI session times out.
  • If DAP is running:

    1. Log into the DAP container.

    2. Add the following line into the UI configuration file (/opt/conjur/etc/ui.conf):

       
      UI_SESSION_TIMEOUT=<number of minutes>
    3. Replace <number of minutes> with the duration of inactivity, in minutes, after which UI sessions should time out.
    4. Save the configuration file.
    5. Restart the DAP services by running the sv restart conjur command.
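
The edit in steps 2 to 4 can be scripted so that repeated runs leave exactly one UI_SESSION_TIMEOUT line in the file. The following is an added example, not part of the original DAP documentation; the function names are hypothetical, and it assumes ui.conf holds one KEY=VALUE setting per line. Rejecting non-numeric and zero values is this example's choice, not documented DAP behavior.

```shell
#!/bin/sh
# Added example (not DAP-supplied code): manage UI_SESSION_TIMEOUT in ui.conf.
# Assumption: the file contains one KEY=VALUE setting per line.

# Print the configured timeout in minutes, or the documented default of 15
# when the file has no UI_SESSION_TIMEOUT line. The last occurrence wins.
get_ui_session_timeout() {
    v=$(sed -n 's/^[[:space:]]*UI_SESSION_TIMEOUT=//p' "$1" 2>/dev/null | tail -n 1)
    echo "${v:-15}"
}

# set_ui_session_timeout FILE MINUTES
# Replace every existing UI_SESSION_TIMEOUT line with a single new one.
set_ui_session_timeout() {
    conf=$1
    minutes=$2

    # Accept only a whole number of minutes greater than zero.
    case $minutes in
        ''|*[!0-9]*) echo "timeout must be a whole number of minutes" >&2; return 2 ;;
    esac
    [ "$minutes" -gt 0 ] || { echo "timeout must be greater than 0" >&2; return 2; }
    [ -f "$conf" ] || { echo "config file not found: $conf" >&2; return 1; }

    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    # Keep every other setting; grep exits 1 when nothing is left, which is fine.
    grep -v '^[[:space:]]*UI_SESSION_TIMEOUT=' "$conf" > "$tmp" || [ $? -eq 1 ] || {
        rm -f "$tmp"; return 1
    }
    printf 'UI_SESSION_TIMEOUT=%s\n' "$minutes" >> "$tmp"

    # Write back through the original file so its owner and mode are unchanged.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Usage inside the DAP container, followed by the restart from step 5:
#   set_ui_session_timeout /opt/conjur/etc/ui.conf 10 && sv restart conjur
```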

View current policy

  1. Click Policies in the left navigation.

  2. In the list of policy IDs, click an ID.

    Note that the policy IDs are not policy files. They are the IDs for policy branches (policy namespaces) that are currently loaded and visible to you.

  3. In the resulting window, scroll to explore information about resources, roles and their relationships, and permissions in the policy as it is currently loaded into the system.

  4. Scroll to the end to view audit events related to the policy.

View users and user activity

Use the following procedure to view users and user activity:

  1. Click Users in the left navigation.

  2. In the list of users, click an ID.

     

    You can also get to a user from a group page, by clicking a user name in the list of members in the group.

  3. Scroll to view information about the user, including the roles the user is granted membership to, associated permissions, and the resources that those permissions apply to.

  4. Scroll further to view recent audit events related to the user.
  5. Scroll even further to view an activity graph for this user, showing successful and failed reads and updates during the last 24 hours.

View and change variable values (secrets)

  1. In the left navigation, click Secrets.

  2. In the list of IDs, click an ID.

  3. Scroll to the Resource Permissions section to see which roles have privileges on this secret.

  4. If your currently logged-in user ID has any privilege on the secret, the Secret Manager section includes an active button named View/Edit Secret Data.

  5. Click the View/Edit Secret Data button.

  6. Set or change the secret value.

  7. Click Save.

  8. Scroll down to view an audit event recording your change.

  9. Scroll down to view an activity event of your change.

Search for an ID

  1. At the top of the left navigation, enter a search term in the text box. For example: 

    • Enter a user name, group name, policy name, variable name, or other resource name.
    • Enter annotation contents, including an integration name.
    • Partial search strings are valid. Just enter the string (no wildcards).
    • To filter on an integration, skip entering any search value, click the search icon, and use the filter checkboxes instead.
  2. Click the search icon.

  3. The right pane shows a list of predefined filters with checkboxes. You can: 

    • Click or unclick checkboxes to refine the search.
    • Scroll down to find the results of your search.
  4. Click an item in the result list to jump to that item.

Check permissions of a host or layer

  1. In the main navigation, click the kind of role (Hosts or Layers).

  2. Click the ID. If there are many in the list, use the search feature in the left navigation. You can search for a host ID or filter the list to a specific type of integration.

  3. Click an item in the result list.

  4. Scroll to the Privileges section.

View DAP health

  1. In the top right corner of the main window, click the Tools icon.

  2. Choose Conjur Cluster.

If you have a cluster configured, there will be entries for the Master, each Standby, and each Follower.

 