The following reports provide user access information.
NOTE: The Access & Privileges reports do not report on users and groups from a NIS domain.
Report | Description |
---|---|
Access & Privileges by Host |
Identifies all users with log-on access to hosts and the commands the users can run on the hosts. This report includes the following information:
Browse to select a host. Optionally, select the Show detailed report option. NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group. |
Access & Privileges by User |
Identifies the users with logon access to hosts, the commands that user can run on each host, and the "runas aliases" information for that user. This report includes the following information:
Use the following report parameters to specify the user to include in the report:
Browse to select a user. Optionally select the Show detailed report option. NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group. |
Commands Executed |
Provides details about the commands executed by users on hosts joined to a policy group, based on their privileges and recorded as events or captured in keystroke logs by Privilege Manager. This report allows you to search for commands that have been recorded as part of events or keystroke logs for a policy group and includes the following information:
Use the following report parameters to define details in the report:
NOTE: You can use wildcards in the text string you enter in the Command box, such as * and ?. NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group. |
Console Access and Permissions |
Lists users who have access to the management console based on membership in a console role and the permissions assigned to that role. This report includes the following information:
NOTE: This report is available when you are logged on as the supervisor or an Active Directory account in the Manage Console Access role. However, when you access this report as supervisor, the management consolerequires that you authenticate to Active Directory. |
Logon Policy for AD User |
Identifies the hosts where Active Directory users have been granted logon permission. This report includes the following information for hosts joined to an Active Directory domain:
Specify the Active Directory users to include in the report:
Browse to search Active Directory to locate and select an Active Directory user. NOTE: The report may show both the Active Directory login name and local user names in the Login Name column for a selected AD user account because an Active Directory user account can have one or more local user accounts mapped to it. NOTE: Only hosts joined to an Active Directory domain with a Safeguard Authentication Services 4.x agent are included in this report. NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role. |
Logon Policy for Unix Host |
Identifies the Active Directory users that have been explicitly granted log-on permissions for one or more Unix computers. This report includes the following information for hosts joined to an Active Directory domain:
Specify the managed hosts to include in the report:
Browse to locate and select a managed host that is joined to Active Directory. NOTE: This report only includes hosts joined to an Active Directory domain with a Safeguard Authentication Services 4.x agent. NOTE: This report is available when you are logged on as an Active Directory account in the Manage Hosts role. |
Policy Changes |
Provides details of changes made to a policy for a Privilege Manager policy group. This report includes the following information:
Select a policy group. Select to:
NOTE: This report is available when you are logged on as the supervisor or as an Active Directory account in the Manage Sudo Policy, Manage PM Policy, Audit Sudo Policy, or Audit PM Policy roles. You must have an active policy group for Privilege Manager to run this report; you can only include hosts that are joined to a policy group. |
The following report provides product licensing information.
Report | Description |
---|---|
Product License Usage |
Provides a summary of all licensing information. This report includes the following information for hosts managed by the console:
|
Safeguard Authentication Services includes PowerShell modules that provide a "scriptable" interface to many Safeguard Authentication Services management tasks. You can access a customized PowerShell console from the Control Center Tools navigation link.
You can perform the following tasks using PowerShell cmdlets:
Using the Safeguard Authentication Services PowerShell modules, it is possible to script the import of Unix account information into Active Directory.
The following procedure explains how to Unix-enable a user and user group using the Authentication Services PowerShell Console.
To Unix-enable a user and user group
Note: The first time you launch the PowerShell Console, it asks you if you want to run software from this untrusted publisher. Enter A at the PowerShell prompt to import the digital certificate to your system as a trusted entity. Once you have done this, you will never be asked this question again on this machine.
Enable-QasUnixGroup UNIXusers | Set-QasUnixGroup -GidNumber 1234567
Note: You created the UNIXusers group in a previous exercise. See Adding an Active Directory group account.
Unix attributes are generated automatically based on the Default Unix Attributes settings that were configured earlier and look similar to the following:
ObjectClass : group DistinguishedName : CN=UNIXusers,CN=Users,DC=example,DC=com ObjectGuid : 71aaa88-d164-43e4-a72a-459365e84a25 GroupName : UNIXusers UnixEnabled : True GidNumber : 1234567 AdsPath : LDAP://windows.example.com/CN=UNIXusers,CN=Users, DC=example,DC=com CommonName : UNIXusers
Enable-QasUnixUser ADuser | Seet-QasUnixUser -PrimaryGidNumber 1234567
The Unix properties of the user display:
ObjectClass : user DistinguishedName : CN=ADuser,CN=Users,DC=example,DC=com ObjectGuid : 5f83687c-e29d-448f-9795-54d272cf9f25 UserName : ADuser UnixEnabled : True UidNumber : 80791532 PrimaryGidNumber : 1234567 Gecos : HomeDirectory : /home/ADuser LoginShell : /bin/sh AdsPath : LDAP://windows.example.com/CN=ADuser,CN=Users, DC=example,DC=com CommonName : ADuser
Disable-QasUnixUser ADuser
Note: To clear all Unix attribute information, enter:
Clear-QasUnixUser ADuser
Now that you have Unix-disabled the user, that user can no longer log in to systems running the Safeguard Authentication Services agent.
Click Login to log in to the Unix host with your Active Directory user account.
A PuTTY window displays.
Note: PuTTY attempts to log in using Kerberos, but will fail over to password authentication if Kerberos is not enabled or properly configured for the remote SSH service.
You will receive a message that says Access denied.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center