Chat now with support
Chat with Support

Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Preface Overview Authenticating to EAM Console and Managing Protection Modes Searching the Directory Tree Managing administrators Managing Security Profiles
Managing time slices Managing Password Format Control Policies Managing User Security Profiles Managing Access Point Security Profiles Managing Application Security Profiles Defining Security Profiles Default Values Managing User and Access Point Security Profiles Priorities
Managing directory objects
Managing applications Managing users Managing access points Managing representative objects Managing clusters of access points Selecting a domain controller
Importing/Exporting security profiles and directory objects Managing smart cards Managing SA server devices Managing RFID tokens Managing biometrics Managing Mobile Devices Enabling the public key authentication method Managing Emergency Accesses Managing audit events Managing reports Customizing configuration files Creating scripts Basic syntax of regular expressions Listing audit events and error codes Correspondence between profiles and administration rights Report Models and Parameters List Custom Group Files Format

Applying an audit filter to audit records

Applying an audit filter to audit records

Subject

To adapt to your needs the list of audit events displayed in the report, you can use audit filters.

Before starting

To perform the task described in this section, you must have the following administration role:

  • In classic administration mode: "Security object administrator".
  • In advanced administration mode, your role must contain the following administration rights: "Audit: Visualization".

NOTE: For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the Audit panel, click Advanced Filter.
    • The filter window appears.
  2. Do one of the following operations:
  3. In the Audit Database Search Filter window, click the Apply.
    • The filter is instantly taken into account.
  1. Click Close to display in the Audit panel the audit records corresponding to the selected filter.

    To interpret audit events, see Section Interpreting audit events.

 

Applying an audit filter to specific objects

Subject

You can apply an audit filter to the following objects upon the generation of events:

  • Administration role.
  • User security profile.
  • Access point security profile.
  • Application.
Before starting

To perform the task described in this section, you must have the following administration role:

  • In classic administration mode: "Auditor".
  • In advanced administration mode, your role must contain the following administration rights: "Application: Audit filter assignment" and/or "Access Point profile: Audit filter assignment" and/or "User profile: Audit filter assignment" and/or "Administration profile: Audit filter assignment".

For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the Directory panel, select the object for which you want to apply a filter.
  2. Access the Audit area as follows:
    • For the administration role of a user, click the Administration tab containing the Audit area.
    • For the user security profile, click the Audit tab.
    • For the access point security profile, click the Audit tab.
    • For the application, click the Configuration tab and then the General tab.
  3. Assign an audit filter as explained in the following Audit filter area - description Section.
Audit filter area - description

  • All events

    To audit all the events related to the object.

  • No events

    To audit no events related to the object.

  • Events matching filter

    To audit only the events corresponding to an audit filter.

    The Select button allows you to select an existing audit filter or to create a new one.

 

Interface Element

Description

Audit filter

List of available audit filters.

Remove button

To delete an audit filter.

Edit button

To edit the filter selected in the list.

New button

To add a new audit filter.

Audit filter edition window

The audit filter edition window displays the following information:

 

Interface Element

Description

Name

Audit filter name.

Description

Audit filter description.

Free composition that allows you to describe more precisely the content of the audit filter

Category

Event category:

Admin: events related to the administration.

SSO: events concerning user accounts.

Authentication: event related to user authentication on access points and on applications.

System: action automatically performed by the system.

Audit successes

Select this check box to audit only successful events.

Audit failures

Select this check box to audit only failed events.

Events not audited

List of non-audited events.

Audited events

List of audited events within the filter.

New button

To add the selected event to the list of audited events.

Remove button

To remove the selected event from the list of audited events.

Interpreting audit events

This section covers the description of the audit main window, and of the event detail window.

In this section:

The audit main window

The audit main window

Window example

NOTE: The Advanced Filter button allows you to filter audit records (see Section Applying an audit filter).
The Export button allows you to export audit events to a formatted file (see Section Exporting audit events).
Description

The Audit main window displays the following information:

Column title

Description

Timestamp

Date and time of the event.
The color of the icon that the event reports:

(green icon) : operation success

(red icon) : operation failure

Category

Category of the event, which can be:

Admin: administration events.

SSO: events concerning user accounts.

Authentication: events concerning user authentication on access points and applications.

System: action automatically performed by the system.

Event

The event is built using the following values:

Type of the audited object.

Operation performed on this object.

Note: For a complete description on the generation of administration audit events, see Section Detailed information on the audit administration events

Audit ID

Identifier of the user who has created the event.

Application

Name of the application object associated with the event (blank if the application is not concerned).

Access point

Name of the access point associated with the event.

Distinguished Name of object

(Administration events only).

Distinguished Name of the object associated with the Admin event:

For modification, renaming and deletion operations, the DN displayed is the DN of the object.

For creation operations, the DN displayed is the object parent DN.

Related Documents