Safeguard Authentication Services 5.0.2

Table 30: Access & Privileges reports
Report	Description
Access & Privileges by Host	Identifies all users with log-on access to hosts and the commands the users can run on the hosts. This report includes the following information: Total number of users that can log on to the host The users that can log on to the host The commands users can run on the host The runas aliases for which the user can run commands on the host The commands the runas alias can run on the host Browse to select a host. Optionally, select the Show detailed report option. NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.
Access & Privileges by User	Identifies the users with logon access to hosts, the commands that user can run on each host, and the "runas aliases" information for that user. This report includes the following information: Total number of hosts where the user can log on The hosts where the user can log on The commands the user can run on each host The runas aliases for which the user can run commands on each host The commands the runas alias can run on each host Use the following report parameters to specify the user to include in the report: A local user (default) An AD user Browse to select a user. Optionally select the Show detailed report option. NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.
Commands Executed	Provides details about the commands executed by users on hosts joined to a policy group, based on their privileges and recorded as events or captured in keystroke logs by Privilege Manager. This report allows you to search for commands that have been recorded as part of events or keystroke logs for a policy group and includes the following information: Command name User who executed the command Date and time the command was executed Host where the command was executed Use the following report parameters to define details in the report: Policy Group Command Host Log status Date NOTE: You can use wildcards in the text string you enter in the Command box, such as * and ?. NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.
Console Access and Permissions	Lists users who have access to the management console based on membership in a console role and the permissions assigned to that role. This report includes the following information: List of roles List of permissions assigned to each role List and number of members assigned to each role NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Console Access role. However, when you access this report as supervisor, the management consolerequires that you authenticate to Active Directory.
Logon Policy for AD User	Identifies the hosts where Active Directory users have been granted logon permission. This report includes the following information for hosts joined to an Active Directory domain: Total number of hosts where the AD user has access List of hosts where the AD user has access Specify the Active Directory users to include in the report: All AD users (default) Select AD user Browse to search Active Directory to locate and select an Active Directory user. NOTE: The report may show both the Active Directory login name and local user names in the Login Name column for a selected AD user account because an Active Directory user account can have one or more local user accounts mapped to it. NOTE: Only hosts joined to an Active Directory domain with a Safeguard Authentication Services 4.x agent are included in this report. NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.
Logon Policy for Unix Host	Identifies the Active Directory users that have been explicitly granted log-on permissions for one or more Unix computers. This report includes the following information for hosts joined to an Active Directory domain: Host Name, DNS Name, or IP Address of the host selected for the report Users that have been granted permission to log on Specify the managed hosts to include in the report: All profiled hosts (default) Select host Browse to locate and select a managed host that is joined to Active Directory. NOTE: This report only includes hosts joined to an Active Directory domain with a Safeguard Authentication Services 4.x agent. NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role.
Policy Changes	Provides details of changes made to a policy for a Privilege Manager policy group. This report includes the following information: Name of the user that made changes to the policy Version number for the changes Time and date the changes were saved and actively used to enforce policy Changes made to the policy based on version Select a policy group. Select to: Show all changes to the policy Show only changes for a specific pmpolicy file (not available for sudo-based policy) Show changes to the policy for changes for one or more revisions NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group.

Product licenses usage report

Getting started with Safeguard Authentication Services > Learning the basics > Running reports > Product licenses usage report

The following report provides product licensing information.

Table 31: Product licenses usage reports
Report	Description
Product License Usage	Provides a summary of all licensing information. This report includes the following information for hosts managed by the console: Product Purchased licenses Used licenses

Use Safeguard Authentication Services PowerShell

Getting started with Safeguard Authentication Services > Learning the basics > Use Safeguard Authentication Services PowerShell

Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.

You can perform the following tasks using PowerShell cmdlets:

Unix-enable Active Directory users and groups
Unix-disable Active Directory users and groups
Manage Unix attributes on Active Directory users and groups
Search for and report on Unix-enabled users and groups in Active Directory
Install product license files
Manage Safeguard Authentication Services global configuration settings
Find Group Policy objects with Unix/macOS settings configured

Using the Safeguard Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.

Unix-enabling a user and user group (PowerShell Console)

Getting started with Safeguard Authentication Services > Learning the basics > Use Safeguard Authentication Services PowerShell > Unix-enabling a user and user group (PowerShell Console)

The following procedure explains how to Unix-enable a user and user group using the Authentication Services PowerShell Console.

To Unix-enable a user and user group

From the Control Center, navigate to Tools | Safeguard Authentication Services.
Click Safeguard Authentication Services PowerShell Console.

Note: The first time you launch the PowerShell Console, it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this, you will never be asked this question again on this machine.

At the PowerShell prompt, enter the following:

Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567

Note: You created the UNIXusers group in a previous exercise. See Adding an Active Directory group account.

Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:

ObjectClass              : group
DistinguishedName        : CN=UNIXusers,CN=Users,DC=example,DC=com
ObjectGuid               : 71aaa88-d164-43e4-a72a-459365e84a25
GroupName                : UNIXusers
UnixEnabled              : True
GidNumber                : 1234567
AdsPath                  : LDAP://windows.example.com/CN=UNIXusers,CN=Users,
                           DC=example,DC=com
CommonName               : UNIXusers

At the PowerShell prompt, to Unix-enable an Active Directory user using the default Unix attribute values, enter:

Enable-QasUnixUser ADuser | Seet-QasUnixUser -PrimaryGidNumber 1234567

The Unix properties of the user display:

ObjectClass              : user
DistinguishedName        : CN=ADuser,CN=Users,DC=example,DC=com
ObjectGuid               : 5f83687c-e29d-448f-9795-54d272cf9f25
UserName                 : ADuser
UnixEnabled              : True
UidNumber                : 80791532
PrimaryGidNumber         : 1234567
Gecos                    :
HomeDirectory            : /home/ADuser
LoginShell               : /bin/sh
AdsPath                  : LDAP://windows.example.com/CN=ADuser,CN=Users,
                           DC=example,DC=com
CommonName               : ADuser

To disable the ADuser user for Unix login, at the PowerShell prompt enter:
```
Disable-QasUnixUser ADuser
```
Note: To clear all Unix attribute information, enter:
```
Clear-QasUnixUser ADuser
```
Now that you have Unix-disabled the user, that user can no longer log in to systems running the Safeguard Authentication Services agent.
From the Control Center, under Login to remote host, enter:
- Host name: The Unix host name.
- User name: The Active Directory user name, ADuser.
Click Login to log in to the Unix host with your Active Directory user account.

A PuTTY window displays.

Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.
Enter the password for the Active Directory user account.
You will receive a message that says Access denied.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación

Seleccione su producto:

Con el fin de ofrecerle un mejor servicio, complete el campo Motivo del chat:

Soluciones recomendadas para su problema

Safeguard Authentication Services 5.0.2 - Installation Guide

Access & Privileges reports

Product licenses usage report

Use Safeguard Authentication Services PowerShell

Unix-enabling a user and user group (PowerShell Console)