Managing FileWave Administrators

FileWave supports tiered administration so you can create additional administrators in order to spread the workload, you are not limited to the amount of admins you can have in FileWave.

How to log into FileWave Admin

When you log into the FileWave Admin to access the FileWave Server you will be asked for the server address, and user credentials which can be a local account or an LDAP account.

FileWave supports multiple admin connections from the same or separate admin accounts. If you try to log in with the same account that is already connected somewhere else you will get prompted to either end that first connection, start a second connection, or cancel. 

If you are currently using a self-signed certificate then you may also get a prompt that the Admin cannot verify the identity of the FileWave server. The recommend way to fix this is to, hit connect and then switch to a root trusted certificate. Please visit the KB linked here for instructions on how to do this.


You will also be able to see two active connections if you look in the Administrators Online... window located under the Assistants menu 

The bolded entry is your current connection

FileWave Administrators and Inventory

In the FileWave Admin console you have the ability to set read/write/delete permissions to specific objects which include devices, filesets, and groups. These permissions will follow the user all the way into inventory so that only what the current administrator has access too can be seen in the inventory results.

Example:

You have to select Propagate to children if you are setting permissions on a group and want those permissions to be added to sub-objects.

read/write/delete permissions are received from the original object and the clones will get the same permissions. If you modify these permissions on a clone, only this specific clone will get them not the original or other clones.

Types of Administrator Accounts

FileWave has three different account types; 

Other than the Superuser, which has full rights by default, you have the ability set granular permissions for your Local and LDAP users.

Superuser

The default credentials for your Superuser account is fwadmin/filewave which FileWave highly recommends that you change so the password is something more secure! 

There are areas and features in FileWave that can only be accessed with the FileWave Superuser account. Three of these sections won't even be visible to any other Admin account, one (Software Update) is grayed out for all but the Superuser, and the other features will trigger a dialog window requesting the Superuser credentials to be entered.

Only Visible from the Superuser logged in:

All Admins will be prompted for Superuser credentials:

Local Account

Local Accounts can be created very simply and then given whatever permissions you wish them to have. Keep in mind even if a Local Administrator Account is given full rights they will still be prompted for Superuser credentials in the areas listed in the Superuser section above.

To create a Local Account for the FileWave Admin follow the steps below:


If you selected Set password you will get the following window to type in the user's password:

If you selected Generate and email password you will need to hit the Apply button at the bottom of the FileWave Administrators window and you will then get an email with the following information:

Permissions15.3.1.png

LDAP Group Account 

If you have a LDAP server configured within your FileWave Preferences, administrators can authenticate using credentials stored in the LDAP server, based on Group membership. If a user is a member of multiple Groups, the final permissions will be the UNION of the permissions of these Groups. Only Active Directory is able to detect recursive membership. FileWave will not be able to detect nested Groups in an Open Directory or eDirectory. 

To setup LDAP please see: LDAP Preferences

To create a LDAP Group Account for the FileWave Admin follow the steps below:

Permissions

Account permissions will determine what the Administrator can and cannot do in the FileWave Admin. 

Selecting your Local Account or LDAP Group account and then going into the Permissions tab will give you all the permissions you can select for that user or group of users from LDAP.

LDAP Group Account Permissions

If you have a user in multiple LDAP Group Accounts the user will take the collective permissions from each group. You can check on what permissions a LDAP user will get by selecting the LDAP user application tokens... and searching for that user:

As you can see in the screenshots above the user Kamala Khan is in both the FW Admins and the iOS Admins LDAP Group which has fewer permissions than the FW Admins group does. So this user will use the permissions gathered from both of these groups which will give her full access as you can see in the screenshot below:

What are all the permissions you can choose from?

Server / Model

General

Clients and Groups

Filesets and Groups

Associations

DEP

Dashboard

Discovery Administration

Custom Fields

Full Disk Encryption 

Classroom

Important Note: If you are upgrading from below FileWave 12.9 this Classroom option will be unchecked by default. So you will no longer able to view Classroom in FileWave until this is checked for selected administrators.

Application tokens

FileWave security for inventory has been built on top of a shared secret, which is a long token generated randomly and shared between the server (inventory server) and clients (admin, FileWave server, client machines, scripts, etc)

Any script or 3rd party component that needs access to FileWave Inventory will need to have this token that has been assigned to a user. These tokens can be revoked, re-generated, and a user can have multiple tokens assigned to it.

Every Local account starts with a Default Token which can be used along with any news ones that are created. 

The Default Token for your Superuser will be the same token that was originally in the Inventory tab in FileWave Preferences in versions 12.8.1 and below. If you upgraded from 12.8.1 or below then all communication with this token will stay intact unless you Regenerate the default token.

Local Account New Application Token Setup:

LDAP user application tokens

Just like Local Accounts it is possible to define application tokens for LDAP users as well. This will not be done at the group level but for the specific LDAP Users.

To setup the application tokens for LDAP users follow the steps bellow:

LDAP User TEST
The test will make sure the user belongs to the LDAP server configured for authentication in the FileWave Preferences and will also make sure the user belongs to at least 1 LDAP group defined in the main FileWave Administrators window.

Note: The part of the test to check for the LDAP group in FileWave is cached for 1 hour. The cache is reset every time you save the user dialog, or change the LDAP server in preferences or if you do a LDAP "synchronize".


If you search for a user that is not in your directory service or it doesn't belong to an LDAP Group Account in FileWave it will fail.

Manage VPP Tokens

To allow specific FileWave Administrators to access and see VPP purchases they will need to be given access using this Manage VPP Tokens option in the Manage Administrators... section.

By default only the Superuser (fwadmin) has access to new VPP tokens imported in FileWave any other Administrators created needs to be given access. 


Revision #4
Created 12 July 2023 01:49:50 by Josh Levitsky
Updated 30 April 2024 12:22:59 by Andrew Kloosterhuis