IP Restriction Manager
This is the Users Guide for the IP Restriction Manager plugin version 2.x.
The IP Restriction Manager plugin allows a Sugar Administrator to setup restrictive IP ranges for authentication. These ranges can be specific to a user, team, role or combination of all three. IP ranges can be specified in the following formats: specific, wildcard, CIDR and Start-End
Release Notes
- 2.4
- Support for SugarCRM v9, v10 and v11
- 2.3
- Support for SugarCRM v7.11 and v8
- 2.2
- Added Unit Tests
- 2.1
- Corrections For SugarCRM HealthCheck
- Removed use of
SugarQuery->compileSQL()
- Removed use of
app.view.invokeParent
- Removed use of
- Corrections For SugarCRM HealthCheck
- 1.0
- Initial release of the IP Restriction Manager package
Prerequisites
Requirements for installation
Supported Versions
- 9.x
- 10.x
- 11.x
Supported Editions
- Professional
- Enterprise
- Ultimate
Supported Databases
- MySQL
- MSSQL
- Oracle
- DB2
Supported Languages
- English
Generating The Module Loader Package
To build the installer package, you will need to download the contents on this repository and execute:
php build.php
Once completed, the installer *.zip
package will be located under ./builds/
and can be installed using Admin > Module Loader
Installation
Installation instructions for generating and installing a module loadable package.
- Login to your SugarCRM instance with an administrator account.
- Navigate to
Admin > Module Loader
- Browse to the IP Restriction Manager Package and upload it.
- Click the Install button for the IP Restriction Manager package.
- If you agree to the License Agreement, select ‘Accept’ and click ‘Commit’.
Upgrading
When upgrading to the latest release, there are several important steps to follow.
- Make a backup of your SugarCRM filesystem.
- Make a backup of your SugarCRM database.
- Follow the uninstallation steps and make sure to select ‘Do Not Remove Tables’ when prompted by the module loader uninstall wizard to remove database tables.
- Follow the installation steps to install the latest package from this repository.
Uninstallation
Steps for uninstalling the plugin.
Through Module Loader
- Login to your Sugar instance with an administrator account.
- Navigate to
Admin > Module Loader
- Find the ‘IP Restriction Manager’ entry in the list of installed plugins and click ‘Uninstall’.
- a) If you are planning to install an updated package, you will want to select ‘Do Not Remove Tables’. Please note that this is very important. Doing this will leave all relationship, template and backup records intact for when you install the updated package.
b) If you are not planning to continue using the IP Restriction Manager in the future, you will want to select ‘Remove Tables’.
Through FileSystem
Manual steps to remove the plugin. Once the following sections are complete, navigate to Admin > Repair
and run a Quick Repair and Rebuild
.
Files to Remove
- ./modules/IRM_IPRestrictionManager/*
- ./custom/tests/modules/IRM_IPRestrictionManager/*
- ./custom/src/Symfony/Component/HttpFoundation/*
- ./custom/clients/base/api/CustomOAuth2Api.php
- ./custom/clients/base/api/CustomCurrentUserApi.php
- ./custom/Extension/modules/IRM_IPRestrictionManager/*
- ./custom/Extension/modules/Administration/Ext/Administration/IPRestrictionManager.php
- ./custom/Extension/modules/Administration/Ext/Language/en_us.IPRestrictionManager.php
- ./custom/Extension/modules/Users/Ext/Language/{language key}.IP_Restriction_Manager.php
- ./custom/Extension/modules/Users/Ext/Layoutdefs/irm_iprestrictionmanager_users_Users.php
- ./custom/Extension/modules/Users/Ext/Vardefs/irm_iprestrictionmanager_users_Users.php
- ./custom/Extension/modules/Users/Ext/WirelessLayoutdefs/irm_iprestrictionmanager_users_Users.php
- ./custom/Extension/modules/Teams/Ext/Language/{language key}.IP_Restriction_Manager.php
- ./custom/Extension/modules/Teams/Ext/Layoutdefs/irm_iprestrictionmanager_teams_Teams.php
- ./custom/Extension/modules/Teams/Ext/Vardefs/irm_iprestrictionmanager_teams_Teams.php
- ./custom/Extension/modules/Teams/Ext/WirelessLayoutdefs/irm_iprestrictionmanager_teams_Teams.php
- ./custom/Extension/modules/ACLRoles/Ext/Language/{language key}.IP_Restriction_Manager.php
- ./custom/Extension/modules/ACLRoles/Ext/Layoutdefs/irm_iprestrictionmanager_aclroles_ACLRoles.php
- ./custom/Extension/modules/ACLRoles/Ext/Vardefs/irm_iprestrictionmanager_aclroles_ACLRoles.php
- ./custom/Extension/modules/ACLRoles/Ext/WirelessLayoutdefs/irm_iprestrictionmanager_aclroles_ACLRoles.php
These files should also be removed so they can be rebuilt by the extensions framework.
- ./custom/application/Ext/Include/modules.ext.php
- ./custom/application/Ext/TableDictionary/tabledictionary.ext.php
- ./cache/file_map.php
- ./custom/modules/Users/Ext/*
- ./custom/modules/Teams/Ext/*
- ./custom/modules/Roles/Ext/*
Tables to Remove
Please note these should only be removed if you are not planning to install an updated version.
- irm_iprestrictionmanager
- irm_iprestrictionmanager_aclroles_c
- irm_iprestrictionmanager_audit
- irm_iprestrictionmanager_teams_c
- irm_iprestrictionmanager_users_c
Recovering When Locked Out
Should a situation occur where you are unable to authenticate, you can use the section below to regain access to the system. You should note that the the IP Restriction Manager is always disabled if the user is logging in from localhost
or 127.0.0.1
. If you need to disable this check for local testing, it can be found here.
On-Site
Option 1 - Database Update
If you have database access, you can run the following database query to disable all restrictions:
UPDATE irm_iprestrictionmanager SET status = 'Disabled' WHERE deleted = 0;
Option 2 - File Change
If you have file system access, modify the function validateAPI
in ./modules/IRM_IPRestrictionManager/IRM_IPRestrictionManager.php
to return before the validation logic:
public function validateAPI($api, $username, $platform)
{
return;
...
}
Sugar cloud
If you are On-Demand, you will need to submit a support ticket by logging into https://portal.sugarondemand.com/. Please describe the issue you are experiencing, reference the IP Restriction Manager, and provide a link to this documentation.
Using the Module
Documentation on the use and administration of ip restrictions.
Navigating to the IP Restriction Manager
The Ip Restriction Module is only accessible to system administrators. An administrator can navigate to the module in two different ways.
- Navigating directly to
/#IRM_IPRestrictionManager
in the browsers url - Navigating to
Admin > IP Restriction Management
Administering IP Restrictions
To create a restriction, you will need to click “Create” from the IP Restriction Modules submenu tabs. New restrictions will be in effect when current users refresh the browser or reauthenticate.
The fields presented on the quick create are outlines below:
IP Range
Type: Text
The IP restrictions you would like to implement. Valid restriction types are:
- Specific IP format: 1.2.3.4
- Wildcard format: 1.2.3.*
- you may use
*
or*.*.*.*
to signify any ip address
- you may use
- CIDR format: 1.2.3/24 OR 1.2.3.4/255.255.255.0
- Start-End IP format: 1.2.3.4-1.2.3.5
Status
Type: Dropdown
Whether or not the restriction is enabled/disabled. If the status is ‘Disabled’, the restriction will not be in effect.
Platforms
Type: Multi-Select
The allowed platforms a user is allowed to authenticate to. Available options are:
- All - all platforms
- Base (Sugar) - Sugar UI only
- Mobile - Mobile devices only
Adding Platforms
Adminitrators may need to add additional supported platforms to account for intergrations and plugins. To achieve this, navigate to Admin > Dropdown Editor
and find the ip_restriction_platforms_list
dropdown list. Next, add the new platform type making sure that the Item Name
field matches the platform type being passed to the Sugar REST v10 API. You can make the Display Label
field anything you would like. Click save when done.
Description
Type: Text
A description of the restriction for administrative use.
Contributing
Everyone is welcome to be involved by creating or improving functionality. If you would like to contribute, please make sure to review the contribution terms. When you update this README, please check out the contribution guidelines for helpful hints and tips that will make it easier to accept your pull request.
Contributors
Licensed under Apache
© 2017 SugarCRM Inc. Licensed by SugarCRM under the Apache 2.0 license.
Third Party Libraries
- Symfony HttpFoundation Component (3.3.6) - MIT - The HttpFoundation component defines an object-oriented layer for the HTTP specification. This plugin makes use of the symfony/http-foundation IpUtils Library. It is slightly modified to pass Sugars Package Scanner.