Getting started with Tehama Administration

Have you completed the Getting Started with Tehama Installation Guide? If not, please go back and do so before proceeding.

Purpose

This guide provides the basic steps necessary in order to set up:

When you have completed all the steps and tasks outlined in this guide, Tehama will be operational, and desktop users and service providers will have configured accounts.

Authorized Service Providers will be able to manage resources and customers will have full control over access to their data and their Room in Tehama including Tehama session recordings.

See the Rooms User Guide for more details.


Step 1: Organization Member Administration

Tehama provides an intuitive user administration interface allowing an administrator to perform the following tasks that are necessary for getting started:

Create New Teams

After the installation and configuration for Tehama is completed, the first task is to create a new Team for your members.

  • From the TEAM tab:
  • Click on the three vertical dots next to the team-selector field. The menu that opens depends on whether you have "All Members" selected or an existing team selected.

  • Select Add New Team.

  • Type in a name for the team (e.g., DB Admins).
  • Click CREATE.

Repeat these steps for each team needed.

Create New Members

After creating one or more new Teams, the next task is to invite new members to the Organization.

From the TEAM tab:

  1. Click the NEW dropdown menu to open it.
  2. Select Add New Member.
  3. Enter the member information:
    • Name
    • Email Address
    • Role (Staff or Manager)
    • Team (Select one of the teams created in the previous step or leave this blank)
  4. Click INVITE.

Repeat these steps for each member you need to invite.

Once invited, new members will receive an invitation email at the address specified. The invitation email contains a link that each new team member must follow to gain access to Tehama.

Note: Managers have elevated privileges in Tehama. In addition to using the services available to ‘Staff’, Managers are also able to create policies, create and delete team member accounts and create additional desktops.




Step 2: Room Member Administration

To begin using a room, the next task will be to grant members and/or Organizations access to the room. There are two ways of granting Room access:

Grant Room Access to Members

With members (and teams) now created, the next task is to grant member access to your room, either to individual members, or to entire Teams. Choose one method below to add members or teams to the Room.

Grant Access to Individual Members

From the ROOMS tab:

  1. Click the name of the room for which member access is to be granted.
  2. In the resulting screen, click MEMBERS.
    From the 'members' screen, you will see a list of organizations that have access to the room. (The initial setup will show only one organization.)
  3. To the left of the Organization name, click the drop-down arrow icon to show the list of members for the Organization.
  4. At the top of the drop-down, click the + MEMBER button.
    (or the + PROPOSE button if you are not part of the connected Organization).
  5. From the ADD dialog, choose Staff Members.
  6. Select the Staff Member (or multiple members) from the list to add to the room.
  7. Click the ADD button.
  8. Close the list of members by clicking on the drop-down arrow icon.

Grant Access to an Entire Team

From the ROOMS tab:

  1. Click the name of the room for which member access is to be granted.
  2. In the resulting screen, click MEMBERS.
    From the 'members' screen, you will see a list of organizations that have access to the room. (The initial setup will show only one organization.)
  3. To the left of the Organization name, click the drop-down arrow icon to show the list of members for the Organization.
  4. At the top of the drop-down, click the + MEMBER button
    (or the + PROPOSE button if you are not a part of the connected Organization).
  5. From the ADD dialog, choose Teams.
  6. Select the Team (or multiple teams) from the list to add to the room.
  7. Click the ADD button.
  8. Close the list of members by clicking on the drop-down arrow icon.
Note: See the Additional Administrative Functions section below for information on how to invite other authorized organizations to assist in the Room.

Step 3: Room Administration

After assigning Staff Members (or whole teams) to the room, the next task is to create Desktops, enable connectivity (through the creation of firewall rules) and request applications to provide to Staff Members within Tehama. Configuration Options are:

Note: All Room administration functions are performed within the ROOMS tab, with the desired room selected.


Create a Virtual Desktop

Members require a desktop to perform their functions.

From the ROOMS tab:

  1. Click the name of the room for which you want to configure a desktop.
  2. In the resulting screen, click CONFIGURE.
    From the 'configure' screen you can see your room's configuration details, add/remove secrets and, of interest to us here, add/edit/remove desktop configurations.
  3. Click on the WINDOWS DESKTOPS or LINUX DESKTOPS sidebar item, depending on what type of desktop configuration you wish to add.
    • A list of previously configured desktop configurations will appear. On initial configuration, there will be no desktop configurations displayed.
  4. Click ADD DESKTOP CONFIGURATION if there are no existing desktop configurations.
    Otherwise:
    • For Windows desktops:
      Select the Desktop item from the ADD drop-down menu in the top right corner of the page.
    • For Linux desktops:
      Click ADD DESKTOP in the top right corner of the page.
  5. Enter the requested information:
    • For Windows desktops:
      • Name of desktop (friendly name used to identify the desktop function or owner)
      • Specification (Hardware specifications)
      • Always On (Choose if the desktop needs to remain powered on when idle)
      • Mode (Choose if multiple login functionality is enabled)
      • Quantity (Choose how many desktops are to be instantiated)
      • Users (Choose the user(s) who will have access to the Virtual Desktop)
    • For Linux desktops:
      • Name of desktop (friendly name used to identify the desktop function or owner)
      • Users (Choose the user(s) who will have access to the Virtual Desktop)
      • Sudo Users (Choose the user(s) who will have sudo privileges in the Virtual Desktop)
      • Operating System
      • Specification (Hardware specifications)
  6. Click CREATE.
Note:
The Amazon Workspaces Application Manager® (WAM) service does not support Windows 10. For a more robust experience, we recommend using Windows 7 whenever possible.

Both the Windows 7 and Windows 10 desktops are based on a Windows Server platform. Although the two desktops offer the same user experience as their consumer counterparts, some features of Windows 10 may be missing, such as Windows Subsystem for Linux.


Add Additional Software

Members may require additional desktop software to perform their functions. If the desired software is not available in the default desktop configuration, you can send a request to the Tehama Concierge to add it to your catalogue.

From the ROOMS tab:

  1. Click the name of the room for which you want to request additional desktop software.
  2. In the resulting screen, click CONFIGURE.
    From the 'configure' screen you can see your room's configuration details, add/remove secrets and add/edit/remove desktop configurations; of interest here is a special feature for Windows desktop configurations that allows you to request additional desktop software.
  3. Click on the WINDOWS DESKTOPS sidebar item.
  4. Select the Desktop Applications item from the ADD drop-down menu in the top right corner of the page.
  5. This will take you to the Tehama Support Portal, where you can request your application.
  6. In your request, type the name of the application desired and any additional information on the software you are requesting, including:
    • Licensing
    • Software vendor
    • Desired Configuration Options
  7. Submit your request.

See the Desktops User Guide for more information on configuring and working with desktops.

Create a Firewall Rule

Before the Room can communicate with network resources, you need to configure firewall rules. By default, all outbound traffic is restricted. Configuring a secret (below) also allows the creation of a firewall exception.

From the ROOMS tab:

  1. Click the name of the room for which you want to add firewall rules.
  2. In the resulting screen, click CONNECTION.
    From the 'connection' screen you can see your room's connection status, test the connection and, of interest here, add/remove firewall rules.
  3. Click on the FIREWALL RULES sidebar item.
  4. Click ADD RULE.
  5. In the resulting screen, enter the following information:
    • Rule Name (a friendly name for the firewall exception)
    • IPv4 CIDR block (IP addresses to expose, with subnet prefix, e.g. 127.0.0.1/32)
    • Protocol (the protocol supported by the rule: TCP or UDP)
    • Port Single or Range (choose one)
    • Port (enter the port number or port range required for the application)
  6. Click CREATE.

Note 1: Click the ALLOW ACCESS TO WAM button to allow instant room access to the Amazon Workspaces Application Manager® (WAM) service.

Note 2: Using the CIDR block of 0.0.0.0/0 will disable the firewall and expose the workspace to the internet. While this may be desirable to install software packages, it is not recommended to operate normally with this configuration.
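A pre-flight check for proposed firewall rules before they are typed into the ADD RULE dialog, using the fields listed above. This is an added example, not part of Tehama or its documentation; the rule dictionaries, the `min_prefix` threshold and the sample values are assumptions constructed for illustration.

```python
import ipaddress

ALLOWED_PROTOCOLS = {"TCP", "UDP"}  # the two protocols the rule dialog offers


def parse_ports(spec):
    """Parse '443' or '8000-8100' into (low, high); raise ValueError if invalid."""
    parts = str(spec).split("-")
    if len(parts) not in (1, 2) or not all(p.strip().isdecimal() for p in parts):
        raise ValueError(f"port must be N or N-M, got {spec!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"port(s) reversed or outside 1-65535: {spec!r}")
    return low, high


def review_rule(rule, min_prefix=24):
    """Return findings for one proposed rule; an empty list means it is clean.

    min_prefix is an assumed local policy: blocks wider than this get a warning.
    """
    findings = []
    if not str(rule.get("name", "")).strip():
        findings.append("ERROR: rule name is empty")
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.20.30.5/24
        net = ipaddress.IPv4Network(rule.get("cidr", ""), strict=True)
    except ValueError as exc:
        findings.append(f"ERROR: bad IPv4 CIDR block: {exc}")
    else:
        if net.prefixlen == 0:
            # Note 2 above: 0.0.0.0/0 disables the firewall
            findings.append("ERROR: 0.0.0.0/0 disables the firewall for the Room")
        elif net.prefixlen < min_prefix:
            findings.append(
                f"WARN: /{net.prefixlen} opens {net.num_addresses} addresses"
            )
    if str(rule.get("protocol", "")).upper() not in ALLOWED_PROTOCOLS:
        findings.append("ERROR: protocol must be TCP or UDP")
    try:
        parse_ports(rule.get("port", ""))
    except ValueError as exc:
        findings.append(f"ERROR: {exc}")
    return findings


# Constructed sample rules (not taken from any real Room).
SAMPLE_RULES = [
    {"name": "db-primary", "cidr": "10.20.30.40/32", "protocol": "TCP", "port": "5432"},
    {"name": "pkg-install", "cidr": "0.0.0.0/0", "protocol": "TCP", "port": "443"},
    {"name": "app-subnet", "cidr": "10.20.30.5/24", "protocol": "tcp", "port": "8000-8010"},
    {"name": "legacy", "cidr": "10.0.0.0/8", "protocol": "ICMP", "port": "9000-80"},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        findings = review_rule(rule)
        print(rule["name"], "->", findings or "OK")
```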

Configure the Secret/Password store

To avoid sharing network resource credentials insecurely, Tehama provides access to an encrypted Secret Password store used to securely store, encrypt, and grant authorized members access to credentials and other sensitive information.

From the ROOMS tab:

  1. Click the name of the room for which you want to configure secrets.
  2. In the resulting screen, click CONFIGURE.
    From the 'configure' screen you can see your room's configuration details, add/edit/remove desktop configurations and, of interest here, add/remove secrets.
  3. Click on the SECRETS sidebar item.
    You will see a list of secret types (Cassandra, Generic, MongoDB, etc.).
  4. Click the type of secret you wish to add.
    The secret view is organized by:
    • asset (secret, e.g. Database credentials)
    • folder (for logical storage of assets)
  5. Create a Folder to organize the secrets.
    • (a) Click the ADD secret type FOLDER button.
    • (b) In the resulting screen, enter the desired Folder name and fill in the required fields (e.g., a firewall exception may need to be specified). (See the Secrets User Guide for more guidance.)
    • (c) Click CREATE.
  6. Create an Asset.
    • (a) Double-click the folder name where the Asset is to be filed.
      If no folder is specified, the root folder will be used.
    • (b) Click the ADD ASSET button.
      In the resulting screen, enter the following:
      • Asset Name (friendly name for your asset/secret) and fill in any required fields. (See the Secrets User Guide for more guidance.)
    • (c) Click CREATE.

Authorized staff members can click the asset name to access the asset under the SECRETS sidebar item within the room's WORK tab. They may also access the asset from the Workspace Agent's SECRETS tab with one of the room's desktops.


Step 4: Desktop Management

Now that the configuration of your Room and Desktop is completed, you are ready (almost) to use your new Desktop.

To use your virtual Windows Desktop:

To use your virtual Linux Desktop you need to:

Connect to a Virtual Windows Desktop

Connect to your Windows desktop using the credentials displayed in the ACCESS DESKTOP dialog:

Either:
Use the "Desktop Client" option:

This connection method generates a simple, custom link for your desktop that launches the desktop client application pre-populated with the Registration Code and Username authentication information (which you can see displayed on the dialog when viewing the "Web Client" option). You only have to paste in the Password.

  1. Open a pre-populated instance of the Amazon Workspaces® Client as follows:
    • (A) Select the "Desktop Client" option in the dropdown at the top of the ACCESS DESKTOP dialog. (See step two above.)
    • (B) Click on the words Download desktop client in the ACCESS DESKTOP dialog to download the application to your host machine (if you haven't already).
      A new tab opens to Amazon WorkSpaces® Client.
      • (a) Click on the correct icon for your device to begin installation.
      • (b) Follow the installation wizard (for Windows Users) to install the client.
        • NOTE: Make sure the version of the application is at least 2.4.9.837. (Older versions of the application do not support the API used to pre-populate the authentication data.)
    • (C) Click on the LAUNCH button in the ACCESS DESKTOP dialog to launch your desktop, via a custom link.
    • (D) Note the link will open in a new tab and the desktop client application will be launched. Also, the contents of the Password field will be automatically copied to the clipboard.
  2. Paste the Password value into the application from the clipboard.
  3. Click Sign In.

Or:
Use the "Web Client" option:

This connection method requires you to open the Amazon Workspaces® Web Client and manually populate it with the Registration Code, Username and Password authentication information displayed on the dialog (only displayed when you are viewing the "Web Client" option).

  1. Open an instance of the Amazon Workspaces® Client.
    • (A) Select the "Web Client" option in the dropdown at the top of the ACCESS DESKTOP dialog. (See step two above.)
    • (B) Click on the LAUNCH button in the ACCESS DESKTOP dialog to launch the Amazon Workspaces® Web Client.
      • Alternative: You may also use the desktop client installed on your host machine instead of launching the web client. (Use the Download desktop client link found on the ACCESS DESKTOP dialog when viewing the "Desktop Client" to install it, if necessary.) Open the application on your host machine and proceed just as if you were using the web client.
  2. In the Amazon WorkSpaces® Client, ensure there is a green checkmark beside Network at the lower right corner.
  3. Note the Registration Code, the Username and the Password values in the ACCESS DESKTOP dialog. Refresh if expired.
  4. Copy the registration code from the ACCESS DESKTOP dialog and paste it into the Amazon Workspaces® Client as indicated.
    • Click Register.
  5. Copy the Username and Password from the ACCESS DESKTOP dialog and paste them into the Amazon Workspaces® Client as indicated.
    • Click Sign In.
  6. If you are prompted with a Remember Me option, click No.

Your Windows desktop session will begin.

Be aware of the following Windows Desktop Sessions behaviour:

  • Your desktop may be restarting or rebooting. If so, wait a few minutes and try again.
  • Windows users may be prompted to allow firewall access. Click Allow Access to allow it.
    The connection can take a minute to be fully established.
  • Upon launch, your desktop will begin initializing/starting, resulting after a brief delay in the Workspace-Agent window being displayed, maximized with the desktop running behind it. The Workspace-Agent may detect an update. If it does, it will download the update automatically and the Workspace-Agent will restart.
Note: Desktop credentials are dynamic and are only valid for five minutes after they are generated. If the password expires prior to login, a Password expired message is displayed. Click the REFRESH button on the ACCESS DESKTOP dialog to refresh the credentials, or close the dialog and try again.

Note: For convenience, in Tehama, copy buttons are available that automatically place the Registration Code, Username or Password into the clipboard.

Note: When logging off your Windows desktop, use the Start menu's "Log off" instead of X'ing out of the desktop. This ensures that the virtual desktop is properly logged out of and is available in a timely manner for re-login. This is particularly important in shared Windows desktops.

Connect to a Virtual Linux Desktop

Connect to your Linux desktop as follows:

From the ROOMS tab:

  1. Click the name of the room containing the Linux desktop configuration that you want to access.
  2. In the resulting screen, click WORK.
    From the 'work' screen you can access the secrets that have been configured for the room, view/upload/download/remove files from the file vault for the room and, of interest here, see the desktops assigned to you in the room and access them. (Note that this is also where users without privileges in the room can request desktops and view pending desktop requests.)
  3. Click on the MY DESKTOPS sidebar item.
    • A list of previously configured desktops that are assigned to you, both Windows and Linux, will appear.
  4. Click the CONNECT button adjacent to the desired Linux desktop instance.

This will launch your Linux desktop in a new tab in your browser.


Additional Administrative Functions

These tasks are performed only as needed, and are not necessary to begin using Pythian Tehama.

They are included here in this getting started guide since they are commonly performed tasks.

User Management

Resend an Invite

In the event the original email invitation link has expired, a new invite may be generated and sent. Follow these steps to resend an invite:
From the TEAM tab:

  1. Click the name of the invited, but still pending, member you wish to resend an invite to.
  2. In the resulting screen, click the blue RESEND INVITE button.
    • If there is a need to send the link manually, you can use the invitation link presented.

Delete Existing Members

Should you need to delete existing members, follow these steps:
From the TEAM tab:

  • Option 1 (allows for bulk deletions):

    1. Select the member you wish to delete by clicking in the checkbox to the left of the member's name. Select multiple members for bulk deletions.
    2. At the bottom of the page, click the Trash Can icon. You will see the DELETE STAFF MEMBER(S) dialog.
    3. Confirm that you want to continue with the deletion and click DELETE.
  • Option 2:

    1. In the row for the member you wish to delete, click on the three vertical dots menu under the Actions column.
    2. Select the Delete Member item. You will see the DELETE STAFF MEMBER(S) dialog.
    3. Confirm that you want to continue with the deletion and click DELETE.

Room Management

Grant Room Access to other Organizations

As an alternative to adding individual members or teams from your organization, you can add users from other invited Organizations:

From the ROOMS tab:

  1. Click the name of the room where member access will be granted.
  2. In the resulting screen, click MEMBERS.
    From the 'members' screen, you will see a list of organizations that have access to the room. (The initial setup will show only one organization.)
  3. Click the ADD ORGANIZATION button at the bottom of the list or select Organization from the ADD dropdown menu in the top right corner of the page. You will see the ADD ORGANIZATION dialog.
  4. Select the desired Organization from the list in the dialog to invite to the Room.
  5. Select the desired Policy for the Organization.
  6. Click INVITE.
Note: Only authorized Organizations are available in this list. If no additional Organizations have been previously authorized, the option to invite a new organization is available.


Edit or Delete a Virtual Desktop

If you need to modify the Virtual Desktop (Desktop Name or Member permissions only) or to delete the desktop completely, follow these steps:

To Edit a Desktop:

From the ROOMS tab:

  1. Click the name of the room that contains the desktop you wish to edit.
  2. In the resulting screen, click CONFIGURE.
    From the 'configure' screen you can see your room's configuration details, add/remove secrets and, of interest to us here, add/edit/remove desktop configurations.
  3. Click on the WINDOWS DESKTOPS or LINUX DESKTOPS sidebar item, depending on what type of desktop configuration you wish to edit.
    • A list of previously configured desktops will appear.
  4. Click the name of the desktop you wish to modify.
    In the resulting dialog:
    • (a) Modify the name of the desktop.
    • (b) Modify the authorized users (and sudo users for Linux desktops) by clicking in the drop-down list for the field.
    • (c) Add or remove members as necessary.
    • (d) Click SAVE.

To Delete a Desktop:

From the ROOMS tab:

  1. Click the name of the room that contains the desktop you wish to delete.
  2. In the resulting screen, click CONFIGURE.
    From the 'configure' screen you can see your room's configuration details, add/remove secrets and, of interest to us here, add/edit/remove desktop configurations.
  3. Click on the WINDOWS DESKTOPS or LINUX DESKTOPS sidebar item, depending on what type of desktop configuration you wish to edit.
    • A list of previously configured desktops will appear.
  4. Select the desktop you wish to delete by clicking in the checkbox to the left of the desktop's name.
    Select multiple desktops for bulk deletions.
  5. At the bottom of the page, click the Trash Can icon. You will see the DELETE DESKTOPS dialog (see note 1 below).
  6. Type the name of the Virtual Desktop to confirm deletion (case sensitive).
  7. Click DELETE.

1. If at least one of the selected desktops you intend to delete is in a pending state, you will see the REJECT CONFIGURATION dialog. Enter a reason to reject the desktop and click REJECT.