.. Reminder for header structure:
Parts (H1) : #################### with overline
Chapters (H2) : ******************** with overline
Sections (H3) : ====================
Subsections (H4) : --------------------
Subsubsections (H5) : ^^^^^^^^^^^^^^^^^^^^
Paragraphs (H6) : """""""""""""""""""""
.. |enterprise_feature| image:: wapt-resources/icon_wapt_enterprise.png
:scale: 3%
:alt: WAPT Enterprise feature only
.. |ok| image:: wapt-resources/icon-ok.png
:scale: 5%
:alt: Feature available
.. |nok| image:: wapt-resources/icon-nok.png
:scale: 5%
:alt: Feature not available
.. meta::
:description: WAPT usage advanced
:keywords: waptconsole, wapt_self_service, WAPT, documentation, the WAPT Console
.. _wapt-self-service:
#######################
Using WAPT Self-Service
#######################
************
Presentation
************
With WAPT your users can have a selfservice for software installation.
It's different in the **Discovery** and **Enterprise** versions.
.. list-table::
:header-rows: 1
:widths: auto
:align: center
* - Functionality
- Discovery
- Enterprise
* - Access to self-service
- |ok|
- |ok|
* - Deploying self-service packages
- |ok|
- |ok|
* - Filtering self-service packages
- |nok|
- |ok|
* - Management tab
- |nok|
- |ok|
*****************
Working principle
*****************
The :term:`Users` gain in autonomy while deploying software and configurations that are trusted and authorized by the :term:`Organization`.
This is a time saving feature for the Organization's IT support Helpdesk.
Discovery
=========
Only Local Administrators and members of the *waptselfservice* group can access self-service on the hosts.
.. attention::
These users have acces to all packages in your repository.
Enterprise
==========
You can filter the list of self-service packages available for your users.
A *self-service* package may be deployed on hosts to list the different self-service rules that apply to the host.
The *self-service* packages are based on user groups.
Your users will be able to install a selection of WAPT packages without having to be a :term:`Local Administrator`.
******************************
Using the self-service feature
******************************
Configuration Discovery Mode
============================
On Discovery create a *waptselfservice* security group on your Active Directory and add your users.
.. note::
**ALL** users in the *waptselfservice* security group and **ALL** Local Administrators will have access to **ALL** WAPT packages in the repository.
It is not possible to filter the WAPT packages made accessible to the users in Discovery mode.
Configuration Enterprise Mode
=============================
In the WAPT Console go to the :guilabel:`WAPT Packages` tab and select the :guilabel:`Self-service rules` menu item.
.. image:: wapt-resources/wapt_console_package-type_menu-list.png
:align: center
:alt: Menu list for creating WAPT packages
You can now create your *self-service* rules package.
.. figure:: wapt-resources/wapt_console_self-service_container-window.png
:align: center
:alt: Create a *self-service* package
#. Give a name to the *self-service* package.
#. Give a Description.
#. Click on the :guilabel:`Add` button to add the group (at the bottom left).
#. Name the *self-service* group (with :kbd:`F2` or type directly into the cell).
#. Select Maturity *self-service* package
#. Select the target OS for which the *self-service* package is designed.
#. Drag and drop the allowed software and configuration packages for this *self-service* group into the central panel.
#. Add as many groups as needed to be included to the WAPT *self-service* package.
#. Save the WAPT package and deploy on the selected hosts.
.. note::
* The name of the *self-service* package **MUST** be the same as the name of the **Active Directory user security group** to which the *self-service* rules will apply..
* If a group appears in multiple *self-service* packages, then the rules are merged.
* Once the *self-service* package is deployed, only allowed WAPT packages listed in the *self-service* group(s) of which the :term:`User` is a member will be shown to the logged in :term:`User`.
***********************
Using WAPT Self-Service
***********************
WAPT Self-service is accessible in the Windows start menu under the name :guilabel:`Self-Service software WAPT`.
.. image:: wapt-resources/wapt_selfservice_windows-start-menu_screen-item.png
:align: center
:alt: Starting the WAPT Self-Service from the Windows Start Menu
It is also available directly in the WAPT directory :file:`\\waptself.exe`.
.. note::
The login and password to enter when launching the self-service are the User's credentials (local or Active Directory credentials).
The WAPT Self-service then displays a list of packages available for installation.
.. figure:: wapt-resources/wapt_selfservice_main_container-window.png
:align: center
:alt: Main window of the WAPT Self-service
Main window of the WAPT Self-service
* The user can have more details on each WAPT package by clicking the :guilabel:`+` button.
.. image:: wapt-resources/wapt_selfservice_more-info_container-window.png
:align: center
:alt: Info panel in the WAPT Self-service window
* Different filters are available for the user on the left side panel.
.. image:: wapt-resources/wapt_selfservice-filters_menu-list.png
:align: center
:alt: Filter panel in the WAPT Self-service window
* The :guilabel:`Update Catalog` button is used to force a :command:`wapt-get update` on the WAPT Agent;
* The current task list of the WAPT Agent is available by clicking the :guilabel:`task bar` button;
.. image:: wapt-resources/wapt_selfservice_task-bar_dialog-box.png
:align: center
:alt: Dialog box showing the status of WAPT tasks in WAPT Self-service
* It is possible to change the language of the interface with the :guilabel:`⚙` button at the bottom left.
.. image:: wapt-resources/wapt_selfservice_language-selection_dialog-box.png
:align: center
:alt: Dialog box for selecting the locale in WAPT Self-service
Default package categories available
====================================
By default, WAPT manage these categories of packages:
* Internet;
* Utilities;
* Messaging;
* Security;
* System and network;
* Storage;
* Media;
* Development;
* Office;
* Education.
It is possible to :ref:`add other categories ` to the WAPT packages that you design.
*****************************************
WAPT Agent settings for WAPT Self-Service
*****************************************
:ref:`WAPT Agent ` can be configured to allow WAPT self-service.
Configuring a different authentication method for the self-service
==================================================================
This behavior is defined with the value of :code:`service_auth_type` in :ref:`wapt-get.ini `:
.. list-table::
:header-rows: 1
:widths: auto
:align: center
* - Value
- Description
* - ``filetoken`` *Default value*
- WAPT service uses Active Directory computer account for LDAP queries (filetoken auth method makes use of an encrypted (temporary key) token created by WAPT service in the user’s profile with restricted ACLs. It works only if the user has a local profile directory writable for LOCAL SYSTEM)
* - ``system``
- WAPT service transmits the authentication directly to the operating system; it also recovers the groups by directly interrogating the operating system.
* - ``waptserver-ldap``
- This mode allows authentication to the WAPT Server. The WAPT Server will make a LDAP request to verify authentication and groups. For this to work, you **MUST** have configured :ref:`LDAP authentication ` on the WAPT Server.
* - ``waptagent-ldap``
- This mode allows authentication with an LDAP server identified in :file:`wapt-get.ini`.
The WAPT Agent will make a LDAP request to verify authentication and groups.
For this to work, you **MUST** have configured :ref:`LDAP authentication ` on the WAPT Server.
You may be interested in looking up this article describing the :ref:`settings for WAPT Self-Service and the WAPT service Authentification ` for more options.
.. note::
For the system authentication under GNU/Linux to work correctly, be sure to correctly configure your pam authentication and your :file:`nsswitch.conf`.
The :command:`id username` command **MUST** return the list of the groups the user is member of.
.. warning::
In ``system`` mode we assume that :term:`Local Administrators` can see all the WAPT packages.
To change this behavior see the next point.
Configuring the authentification for Administrator
==================================================
In ``system`` mode, the :term:`Local Administrators` can see all the packages of WAPT Server repository.
If you do not want this behavior there are **2** possibilities:
* Block the view of all packages for :term:`Local Administrators`.
* All packages are only visible for a specific user group.
Block Local Administrator on self-service
-----------------------------------------
To block all packages from being displayed to :term:`Local Administrators` you have to add the parameter :code:`waptservice_admin_filter` in :file:`wapt-get.ini`.
.. list-table::
:header-rows: 1
:widths: auto
:align: center
* - Value
- :guilabel:`True`
- :guilabel:`False`
* - :code:`waptservice_admin_filter`
- Enable *selfservice package* view filtering for Local Administrators.
- Disable *selfservice package* view filtering for Local Administrators.
User group self-service Administrator
-------------------------------------
It is possible to use a special user group to define a list of administrators in the Self-Service.
Create a user security group named ``waptselfservice`` and add members.
All members of this group can view all packages on the WAPT Self-Service.
With :code:`waptservice_admin_filter` parameter, you have secured the administrator acces of WAPT Self-Service.
*******************
Video demonstration
*******************
.. youtube:: -_sm8KBwDOw