Recently, IT System Integrator forums and YouTube channels have been all a-twitter because it appeared that a UniFi user ID and an Internet connection were required to use any of the UniFiOS-hosted controllers introduced along with UniFiOS. After hearing Tom Lawrence and Willie Howe rant about the issue, I decided to experiment a little to see if their complaint was true of my deployment.
I wrote the previous post reporting my experience trying to log in to my controller host while divorced from the Internet. As expected, it smoked so I opened a ticket.
The various Internet communities can be helpful when I’ve overlooked something or misinterpreted something that is common product knowledge. When something appears to be a design issue, only the designers can help. So I ticketed my experience.
Ubiquiti Support has responded with what appears to be the solution to the concern I raised in the ticket, that local service should be possible during an Internet fade. Read on for the fix.
I wish there were a reference but apparently, Ubiquiti is still writing a UniFiOS administrator guide and a UniFi v6 Controller guide. All UniFiOS does is handle login and launch UI applications. It don't need no stinkin' admin guide, right? Well, almost.
- UniFi Dream Machine Pro Quick Start Guide retrieved 3/31/2021.
- UniFi Controller v6 User Guide — to be written
- UniFiOS Administrator’s Guide — to be written
Scope of this article
Not being a professional, this article is based on my experiences with my home deployment. As a result, I will limit the discussion to a single UniFiOS instance and a single site, Dismal Manor. Pros supporting multiple sites will have to wait for the Ubiquiti documentation. Hopefully it is coming when Talk is released.
UniFiOS Local User Credentials
UniFiOS adds a pair of new attributes to each user.
- Local user name
- Local password
These permit direct login to the UniFiOS session manager without using the Internet to perform an OAuth authentication with unifi.ui.com. So each user has a UniFi user name and a local user name, along with a role that establishes post-login access rights.
Here you see the new local credentials portion of the user form. Note that I’ve logged in as owner, opened the UniFiOS Users manager application, and have picked my Owner login for editing. The Profile view is open and the clip shows the new field. I’ve already added my local user name.
My gripe was that an Internet connection was required for any interaction with UniFiOS. That is just not so. The addition of local credentials for each user eliminates my problem. UniFiOS and the controllers function normally while divorced from the Internet.
Local credentials may be used with or without an active internet connection.
The System Integrator Gripe
System integrators were reacting to the apparent need to have an Internet connection and UniFi account to commission a new installation. I’ve not tested that use case as this gear has been running for 4 years and we rolled over from the legacy UI to the new UniFiOS UI.
There may be a chicken and egg problem here. To create my local credentials required me to log in using my older UniFi SDN credential that carried forward to the new system. With the hint “try to log in as a local user” from Support, I went looking at the user management views to see if there was a way to create a local user and found the views shown above. I added my local users after initial commissioning.
If I understand the SI gripes expressed by Willie and Tom, SIs desire to skip the UniFi account bit, create the local credentials initially, and use just the local credentials forever more.
What’s Missing from the Manuals?
Looking at the new user dialogs, it appears that the first user created becomes the Owner. Once there is an Owner, the Owner may create and invite Super Admin users. The Owner and Super Admins may create and invite Limited Admins that have access to one or more of the controllers.
User Creation Workflow
There is no user guidance for creation of groups and users so I’ll take a stab at a workflow for setting up a new site.
Create Groups First
The scheme I’ve adopted here is that I have a group for the controller, a group for the Owner, a group for the super admins, and a group for the users.
Create the Admins
Create the system and local administrator user accounts next. Assign these users to groups and create local credentials for them. Acci
Each User needs an E-mail address
To allow the possibility of remote access, each user needs a unique Email address. A Gmail technique for creating Email addresses is given below. This technique works both with free public accounts and with G-Suite Gmail accounts. Other providers may have similar conventions for routing several addresses to one mailbox.
The Owner Role
The owner is the first user created so think carefully about user one. Don’t just make stuff up. If the owner is an institution, the user name should be a role at that institution and the E-mail should be associated with the owner role rather than the person holding that role. The organization is free to forward the owner Email to an actual employee Email.
Be sure to create local credentials for the Owner. Otherwise, you’re up the creek during an Internet fade.
Once created, most of the owner attributes are immutable. You’d have to factory reset and reconfigure to change it so be careful here.
The Super Admin Role
The Owner creates the first Super Admin. Super Admins can create and edit Locations, Controllers, and Users. These are normally the site's senior administrators. The Super Admin role has access to all installed controllers.
The Limited Admin Role
The Limited Admin can read Locations and Users and can edit Controllers. A site uses this role to manage telephones, view surveillance footage, and set up network drops. The user support folk usually hold the Limited Admin role. The Limited Admin role has access to selected controllers only; Limited Admins may be restricted to a subset of the installed UniFi services.
The User Role
Users have no access to controllers. Users can have resources but in my deployment, there are none to assign. I suspect the resources UniFi has in mind are Access keys and Talk telephones, but neither of these controllers is installed here. I suspect Users are restricted to managing voice mail, call forwarding, etc.
UniFi User Email addresses @Home
Each UniFi user is expected to have a unique Email address. The easiest way for Gmail subscribers to provision Email is to take advantage of a Gmail addressing convention often called plus addressing. If the Simpsons share the mailbox simpsons@gmail.com (an illustrative address), Maggie’s address could be simpsons+maggie@gmail.com. Google terminates the account name at the plus sign and delivers the message to the base mailbox; the text following the plus sign travels with the message so the recipient can filter or forward on it. Here at home I’ve used this feature to make up the Email addresses for my various UniFi users. One caveat: UniFi treats each plus address as a distinct user, but every message, including password reset and invitation mail for every one of those users, lands in the same mailbox, so protect that mailbox accordingly.
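The following Python helper is an added example, not code from the original post or from Ubiquiti. It shows the plus-addressing point from the section above (and the unique-address requirement from “Each User needs an E-mail address”) in working code: it builds tagged addresses for a family of UniFi users and then collapses them back to the mailbox Gmail actually delivers to, so you can see that addresses UniFi considers unique all share one inbox. The sample addresses (simpsons@gmail.com, dismalmanor.example) are constructed for illustration. It also strips dots from the local part for consumer gmail.com addresses, which Gmail ignores; Google Workspace domains keep dots significant, so they are left alone there.

```python
import re
from collections import defaultdict

# Domains where Gmail ignores dots in the local part (consumer accounts).
# Google Workspace (G Suite) custom domains are NOT in this set.
_CONSUMER_GMAIL = {"gmail.com", "googlemail.com"}

_TAG_RE = re.compile(r"[A-Za-z0-9._-]+")


def plus_address(mailbox: str, tag: str) -> str:
    """Build a plus-addressed alias of `mailbox`, e.g. simpsons+maggie@gmail.com."""
    if not _TAG_RE.fullmatch(tag):
        raise ValueError(f"tag {tag!r} contains characters unsafe for a local part")
    local, at, domain = mailbox.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"{mailbox!r} is not a user@domain address")
    return f"{local}+{tag}@{domain}"


def canonical_gmail(address: str) -> str:
    """Return the mailbox Gmail will actually deliver `address` to.

    Gmail drops everything from the first '+' up to the '@'. For consumer
    gmail.com / googlemail.com addresses it also ignores dots in the local
    part and treats googlemail.com as gmail.com. Matching is case-insensitive.
    """
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"{address!r} is not a user@domain address")
    domain = domain.lower()
    local = local.split("+", 1)[0].lower()
    if domain in _CONSUMER_GMAIL:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Map each delivery mailbox to the list of UniFi user addresses it receives."""
    buckets = defaultdict(list)
    for addr in addresses:
        buckets[canonical_gmail(addr)].append(addr)
    return dict(buckets)


# Constructed sample: one household mailbox fanned out to four UniFi users.
FAMILY_MAILBOX = "simpsons@gmail.com"
FAMILY_USERS = ["owner", "homer", "marge", "maggie"]


def unifi_addresses():
    """Addresses a home admin would paste into the UniFiOS user forms."""
    return [plus_address(FAMILY_MAILBOX, tag) for tag in FAMILY_USERS]


if __name__ == "__main__":
    addrs = unifi_addresses()
    for mailbox, aliases in group_by_mailbox(addrs).items():
        print(f"{mailbox} receives mail for {len(aliases)} UniFi users: {aliases}")
    # A hypothetical Workspace domain keeps its dots; only the tag is removed.
    print(canonical_gmail("it.ops+owner@dismalmanor.example"))
```

Running it shows all four UniFi users mapping to a single delivery mailbox, which is exactly why the Owner's reset mail and every family member's reset mail end up in one place.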