VIGI User Accounts Limited to "admin" only!

 
2022-06-11 01:22:02 - last edited 2022-06-13 05:42:41
Model: VIGI NVR1008  
Hardware Version: V1
Firmware Version: 1.0.1 Build 210825 Rel.74071n

The TP-Link NVRs allow you to create Operator and View Only accounts. However, the VIGI Security Manager & Mobile Apps do not allow you to enter any username other than the default "admin" account. Therefore, there is no way of providing limited access to the system for other users except by giving them full administrative access. This is very poor for a business system. Please fix the VIGI Security Manager & Mobile Apps so that other user accounts configured in the NVR can be used!!!

#1
Re:VIGI User Accounts Limited to "admin" only!
2022-06-13 05:42:23 - last edited 2022-06-13 05:42:41

 

Tomasin wrote

The TP-Link NVRs allow you to create Operator and View Only accounts. However, the VIGI Security Manager & Mobile Apps do not allow you to enter any username other than the default "admin" account. Therefore, there is no way of providing limited access to the system for other users except by giving them full administrative access. This is very poor for a business system. Please fix the VIGI Security Manager & Mobile Apps so that other user accounts configured in the NVR can be used!!!

@Tomasin 

To gather feedback from others, I'd like to transfer this thread to the block of "Requests & Suggestions" so that it could be seen by more people.

#2
Re:VIGI User Accounts Limited to "admin" only!
2022-06-17 03:31:48 - last edited 2022-06-17 03:35:38

Dear @Tomasin ,
I hope I've understood your wishes correctly; if not, please feel free to correct me. I've added some extra information provided by fellow users in other threads. The way I see it now, probably this user account / remote management topic is the one that occurs the most frequently in the forum (or at least it seems to be fairly common and affect many people). It is not environment-specific and not related to some old, used, third-party hardware of one customer, but it's rather something where the whole VIGI ecosystem may need to improve a bit and fixing this would help many users at once.

Dear @Hank21,
first of all I have to tell you (and other readers) that I am a happy and satisfied VIGI user. I'd recommend this product line to others, yet as always, there is some room for improvement.
When I saw this post, I decided to gather some feedback already posted somewhere else by others related to similar topics to help you and to make the VIGI development even faster, maybe this makes somehow my life (and the life of other users) a bit easier.
I have noticed myself too, that this admin-only thing can be an issue, so I decided to look up what situations other users may have confronted...

This post reflects my personal opinion as an embedded software engineer and as a TP-Link customer/VIGI ecosystem user, but wherever it was possible, I've added a reference from others to show that there are multiple users affected, some directly, some indirectly...

Here is what I've found (I have not checked and verified all the issues myself):

 

VIGI NVR:
Actual state (what we have now): 

  1. Remote login via VIGI Security Manager (or mobile app) only possible with the username "admin".
    Related: This thread, original post (see above): https://community.tp-link.com/en/business/forum/topic/560246.
  2. Even by logging in as "admin", one can only see a restricted set of features (the VIGI NVR's local GUI is way more complex than its remote counterpart inside the VIGI Security Manager).
    Related: https://community.tp-link.com/en/business/forum/topic/514316.
     

Desired state (what we want): 

  1. Remote login via VIGI Security Manager (or mobile app) possible with any existing user of the NVR (admin/operator/user).
  2. Complex, detailed GUI with many options (hopefully functionally equivalent to the one available locally on the NVR) if logged in to the NVR remotely using VIGI Security Manager (or mobile app) with an admin level account; simple GUI (watch live and replay only... etc.) if logged in to the NVR remotely using VIGI Security Manager with a user level account (and something in between with an operator level account).

 

VIGI Camera:
Actual state (what we have now):

  1. Creating/editing/deleting ONVIF non-admin level users (operator, user) on the camera is not possible via VIGI Security Manager. 
    See: this post of mine, scroll down to VIGI Camera ONVIF users
    Related (Dahua ONVIF non-admin user can be set): https://community.tp-link.com/en/business/forum/topic/513948.
    Related (non-admin usernames are mentioned in this thread too): https://community.tp-link.com/en/business/forum/topic/501194
    Related (RTSP, admin/root password of a business-class security/surveillance system stored on a smart TV (?!)): https://community.tp-link.com/en/business/forum/topic/503726
  2. VIGI Security Manager does not support login with non-admin users to VIGI cameras (assumed non-admin ONVIF users work as intended on the camera).
     

Desired state (what we want):

  1. ONVIF operator and user level users work on VIGI cameras too and they can be configured via the VIGI Security Manager.
  2. VIGI Security Manager hides/grays out advanced settings (e.g. disable events, set resolution...) if logged in to a camera with restricted ONVIF user (e.g. user level user).


//////////////////////////////////
 

VIGI Camera ONVIF users:

A possible use case scenario:
We have a VIGI camera and want to let someone else (neighbor, employee... etc.) we don't fully trust (not an admin) watch the camera's RTSP stream. RTSP stream is a marketed feature (supported protocol) of the VIGI cameras, just like the ONVIF API. We tell them for example to use VLC Player (it does support RTSP), yet we have to give them a username/password combination. Which one? Giving the admin username/password is not an option (they can log in to the camera by installing and using VIGI Security Manager, change the password and the password reset email and lock us out; or they can disable ONVIF event detections used somewhere else in a more complex ONVIF surveillance system using third-party cameras, NVRs... etc... Note: Assume we don't want to use very complex and expensive firewall systems, IP based restrictions, that are not secure anyway or other workarounds to prevent this...)! We need to for example create an operator or rather a simple, user level user (as described by the ONVIF standards, see links to PDFs below) and delete it later (e.g. we don't trust the neighbor anymore, employee leaves our company... etc.). Let us create the user "peter" with the password "password12345" and with the ONVIF user level "user" (example) on the VIGI camera. But how? I have found no solutions for this scenario using VIGI Security Manager.

My experiments:
I have tried to make this work by using ONVIF Device Manager. I managed to add, modify and delete users on the VIGI camera (C300HP), but the RTSP stream was not working with those users in VLC (again: no way to try this in VIGI Security Manager). As long as operator and user level ONVIF users also existed on the camera, various interesting bugs showed up (stream inaccessible in VLC, even with admin password, stream encryption somehow automatically got enabled in VIGI Security Manager); after reverting to the original state of only one user named admin with admin rights, everything worked as intended. Maybe I was not trying hard enough and thought it is a feature not fully implemented yet, so I might try again in the future. So it is possible that it's working like a charm, but I've somehow failed to set something correctly...

For more info, see ONVIF specifications:

ONVIF Core Spec - Ver. 19.12 (supported by my camera): "5.12.2 User-based account control".

ONVIF Core Spec - Ver. 21.12 (current specifications): "5.9.2 User-based access control".
 

My personal opinion and thoughts as a VIGI user (related to ONVIF accounts on the camera):

 

  • Is/was this planned to be supported by the VIGI cameras? I'd say yes. If you use ONVIF Device Manager (e.g. version 2.2.250), you have access to the ONVIF user management on the VIGI camera. VIGI cameras are marketed with ONVIF support and ONVIF as a standard API. The ONVIF user management looks as it should on the VIGI NVR, so the VIGI Development Team is obviously aware of this standard. To me it seems like we just need one final step to make this thing work on the cameras as well.

 

  • Is this working in the case of other, comparable products from other manufacturers? Yes, see: https://community.tp-link.com/en/business/forum/topic/513948
    This user had to add a separate ONVIF user on the Dahua camera to make the system work. It was easy. How should we do the same on the VIGI camera?
    Are we supposed to use third-party tools (e.g. ONVIF Device Manager)? If yes, are there recommended and regularly tested ones?
    I have found user manuals from different camera manufacturers, where this is considered to be a normal settings panel of the cameras, just like in the case of the VIGI NVR.
     
  • Is this an issue for customers if non-admin usernames are not working for VIGI cameras? I'd say for business users (the ones targeted by the VIGI product line): yes. This is why I've selected some posts from other threads to see that many VIGI users/TP-Link customers actually want very similar things, just sometimes they formulate it differently or mention it in a different context.
     

Summary in a nutshell: 
I guess many users would like to have good and useful remote management (NVR, Camera, we live in the era of home office and IT/surveillance outsourcing) with the ability to do so without giving everyone the admin password and admin rights (remember: VIGI devices are business-class security/surveillance products).

#3
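As an added illustration of the use case in the post above (not part of any forum post and not TP-Link code): a sketch of the ONVIF Device Management `CreateUsers` request that a client such as ONVIF Device Manager sends when adding the user-level account "peter", authenticated with a WS-Security UsernameToken digest. The administrator password, nonce and timestamp are constructed placeholders, and nothing is sent to a device.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
TDS = "http://www.onvif.org/ver10/device/wsdl"
TT = "http://www.onvif.org/ver10/schema"
# Levels discussed in the post (the schema also defines Anonymous and Extended).
LEVELS = ("Administrator", "Operator", "User")


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """WS-Security UsernameToken digest: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()


def create_user_request(admin, admin_pw, nonce, created, name, new_pw, level):
    """Build the SOAP envelope for CreateUsers; nothing is sent anywhere."""
    if level not in LEVELS:
        raise ValueError(f"unsupported ONVIF user level: {level!r}")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    sec = ET.SubElement(ET.SubElement(env, f"{{{SOAP}}}Header"), f"{{{WSSE}}}Security")
    tok = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken")
    ET.SubElement(tok, f"{{{WSSE}}}Username").text = admin
    # The administrator's password never appears in the message, only its digest.
    pw = ET.SubElement(tok, f"{{{WSSE}}}Password",
                       Type=OASIS + "username-token-profile-1.0#PasswordDigest")
    pw.text = password_digest(nonce, created, admin_pw)
    non = ET.SubElement(tok, f"{{{WSSE}}}Nonce",
                        EncodingType=OASIS + "soap-message-security-1.0#Base64Binary")
    non.text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, f"{{{WSU}}}Created").text = created
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    user = ET.SubElement(ET.SubElement(body, f"{{{TDS}}}CreateUsers"), f"{{{TDS}}}User")
    ET.SubElement(user, f"{{{TT}}}Username").text = name
    # The new account's password travels in clear inside the body: use HTTPS.
    ET.SubElement(user, f"{{{TT}}}Password").text = new_pw
    ET.SubElement(user, f"{{{TT}}}UserLevel").text = level
    return ET.tostring(env, encoding="unicode")


if __name__ == "__main__":
    # Constructed inputs: admin password, nonce and timestamp are placeholders.
    print(create_user_request("admin", "ADMIN-PASSWORD-PLACEHOLDER", b"\x00" * 16,
                              "2022-06-17T03:31:48Z", "peter", "password12345", "User"))
```

Whether a given camera then honours the "User" level for RTSP and for its own management client is a separate question from the request being well-formed, which is the gap the post describes.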