Preface
Overview
Enterprise Access Management Concepts
EAM Controllers
A Multi-Domain Architecture
Interface general design
Authenticating to EAM Console and Managing Protection Modes
Searching the Directory Tree
Managing administrators
Administration Modes - Presentation
Delegating Administration Roles
Managing Administration Profiles
Transferring an Administration Role
Deleting an Administration Role
Displaying your Administration Role
Modifying the Parent Administrator
Adding/Removing Primary Administrators
Managing Security Profiles
Managing time slices
Managing directory objects
Creating/Modifying Time Slices
Configuring Time Slices
Displaying time slice usage logs
Displaying time slice event logs
Renaming representative objects
Deleting time slices
Managing Password Format Control Policies
Creating/Modifying Password Format Control Policies
Configuring Password Format Control Policy
Displaying PFCP usage logs
Displaying Password Format Control Policy Event Logs
Renaming Password Format Control Policies
Deleting Password Format Control Policies
Managing User Security Profiles
Creating/Modifying User Security Profiles
Configuring User Security Profiles
Managing Access Point Security Profiles
Authentication Tab
Security Tab
SSO and Notes Tab
Cloud Tab
Unlocking Tab (Fast User Switching - FUS)
Self Service Password Request Tab
Biometrics Tab
Session Delegation Tab
Audit Tab
OTP Tab
Mobile Device Tab
Displaying User Security Profile Usage Logs
Displaying User Security Profile Event Logs
Renaming User Security Profiles
Deleting User Security Profiles
Creating/Modifying Access Point Security Profiles
Configuring Access Point Security Profiles
Managing Application Security Profiles
Security Services Tab
Authentication Manager Tab
Enterprise SSO Tab
Multi-User Desktop Tab
Biometrics Tab
Self Service Password Request Tab
Active RFID Tab
Audit Tab
Local Administrators Tab
Displaying Access Point Security Profile Usage Logs
Displaying Access Point Security Profile Event Logs
Renaming Access Point Security Profiles
Deleting Access Point Security Profiles
Managing Password Generation Policies
Defining Security Profiles Default Values
Managing User and Access Point Security Profiles Priorities
Creating/Modifying Password Generation Policies
Configuring the Password Generation Policy
Displaying Password Generation Policy Usage Logs
Displaying Password Generation Policy Event Logs
Renaming Password Generation Policies
Deleting Password Generation Policies
Creating/Modifying Application Security Profiles
Configuring Application Security Profiles
Displaying Application Security Profile Usage Logs
Displaying Application Security Profile Event Logs
Renaming Application Security Profiles
Deleting Application Security Profiles
Managing applications
Importing/Exporting security profiles and directory objects
Managing smart cards
Creating an application
Defining the general properties of an application
Creating the account properties for an application
Defining the Single Sign-On properties of an application (SSO)
Defining external names
Defining the Provisioning Connector
Assigning users to an application
Sharing the administration of an application
Generating/Importing accounts for an application
Assigning access points to an application
Displaying accounts associated with the application
Displaying application event logs
Displaying/Modifying application information
Renaming applications
Deleting applications
Managing users
Displaying general information about the user
Defining user connection parameters
Managing access points
Suspending or limiting temporarily user access
Displaying user authentication information and administering roaming sessions
Predefining a new user's primary password
Managing user Self Service Password Request
Defining an audit identifier
Creating a welcome message
Assigning a user security profile
Declaring a user as administrator
Assigning/forbidding access points to a user
Managing user accounts
Managing the User Self Enrollment
Assigning Administration Rights
Configuring the Dedicated Organizational Units
Configuring Self Enrollment
Sending SSO account passwords to users
Sending primary password expiration notification emails to users
Defining additional security parameters for groups of users
Managing user smart cards
Managing user Mobile Devices
Displaying and deleting user biometrics data
Assigning applications to a user
Displaying delegated sessions
Managing user RFID tokens
Displaying user event logs
Deleting SSO data of disabled user accounts
Adding or removing a user from a group
Displaying general information about the access point
Defining access point configuration parameters
Managing representative objects
Assigning an access point security profile
Managing EAM controller services
Assigning a generic account to an access point
Assigning/forbidding users to an access point
Assigning/forbidding applications to an access point
Adding or removing an access point from a group
Analyzing Errors of a Remote Access Point
Displaying access point event logs
Updating manually an access point
Managing inbound representative objects
Managing clusters of access points
Creating/Modifying an inbound representative object
Defining the set of users to represent
Assigning a user security profile to the inbound representative object
Selecting access points available to the representative
Managing outbound representative objects
Creating/Modifying an outbound representative object
Defining the set of access points to represent
Selecting applications available to the representative
Displaying representative event logs
Renaming representative objects
Deleting representative objects
Creating and configuring a cluster of access points
Managing user permissions on clusters
Selecting a domain controller
Authorizing users to access the workstations of the cluster
Displaying the cluster composed by authorized users
Displaying cluster event logs
Renaming clusters
Deleting cluster
Configuring smart card parameters of use
Managing SA server devices
Managing RFID tokens
Managing smart card configuration profiles
Managing smart card certificates
Assigning smart cards (except loan cards)
Creating/Modifying configuration profiles
Renaming a configuration profile
Deleting a configuration profile
Modifying authentication parameters of an assigned smart card
Managing batches of smart cards
Assigning smart cards
Assigning a smart card managed by an external CMS
Smart card self enrollment
Formatting an assigned smart card
Managing loan cards
Unlocking smart cards
Setting administrator's contact information
Unlocking to Forcing PIN
Unlocking by secret code
Unlocking by SSPR
Unlocking by extending the validity duration
Formatting a blacklisted card
Managing lost or theft smart cards
Formatting smart cards
Displaying information
Exporting Generated Reports
Assigning an RFID token
Locking and unlocking an RFID token
Managing biometrics
Locking and unlocking an RFID token from the Directory panel
Locking and unlocking an RFID token from the RFID panel
Resetting the PIN of an RFID badge
Blacklisting and deleting an RFID token
Blacklisting and deleting an RFID token from the Directory panel
Blacklisting and deleting an RFID token from the RFID panel
Modifying the detection areas and the grace period
Exporting a list of RFID tokens
Defining the biometric enrollment policy
Defining the workstation biometric parameters
Managing the user enrollment
Displaying and exporting the biometric enrollment report
Managing Mobile Devices
Enabling the public key authentication method
Configuring user and access point security profiles to support the PKA authentication method
Activating the PKA authentication method and defining the set of authorized certification authorities
Managing Emergency Accesses
Managing audit events
Activating the PKA authentication method
Configuring the set of authorized certification authorities
Configuring the automatic update of the revocation information
Displaying audit events
Defining an audit population
Managing and assigning audit filters
Interpreting audit events
Managing reports
The audit main window
The "Event details" window
Detailed information on the audit administration events
Exporting audit events
Archiving audit records
Retrieving user identifier from audit identifier
Retrieving audit events
Generating PDF reports
Generating On-screen reports
Customizing configuration files
Creating scripts
Basic syntax of regular expressions
Listing audit events and error codes
Correspondence between profiles and administration rights
Report Models and Parameters List
Custom Group Files Format
Configuration
In this section:
Configuring the Reporting Module
Before starting
To configure the PDF reports module, you must own the following right: Reporting: Administration: to manage the configuration of the report generation requests.
|
|
NOTE: For more information on administration roles, see Section Managing administrators. |
- In the File menu, click Configuration.
- The Configuration window appears.
- Click the Reporting tab.
- Fill-in the tab using the instructions given in section "Reporting" Tab - Description hereunder.
- Click OK.
- The reporting module is configured.
"Reporting" Tab - Description
General configuration area
- Delete reports older than x days: select this check box and set the number of days after which the reports are automatically deleted from the controller.
By default, the reports are never deleted. - Check for report generation every x minutes: set the periodicity check of the periodic reports to generate.
Example: if you set the periodicity to 60, then the EAM controller will check every 60 minutes if periodic reports must be generated. If a periodic report should have been generated within these 60 minutes, then the console will execute the generation of this report.IMPORTANT: The default value is 0, however this value is equivalent to an automatic check every 10 minutes.
- Mail notifier configuration area
- SMTP: enter the SMTP server name to send emails.
The format of the server name must be <SMTPServerName>[:<PortNumber>], where PortNumber is optional. - user and password: name and password of the user to enter to connect to the email server, if necessary.
- Sender's (and reply to) address: email address of the sender.
- Sender's display name: self-explanatory.
- Configure button: click this button to configure the email content.
Available keywords that can be inserted in the subject and body of the email:
- %REPORT.NAME% : report name as defined by the person who request the report generation.
- %REPORT.FILE.NAME% : full path of the file containing the generated report.
- %REPORT.FROM.MAIL% : email address of the originator if the email.
- %REPORT.FROM.NAME% : displayable name of the originator of the email.
- %REPORT.DATE.BEGIN% : begin date of the report generation start.
- %REPORT.DATE.END% : end date of the report generation stop.
- %REPORT.DATE.GENERATION% : date of the report generation.
- %REPORT.SERVER% : name of the controller that originated the email.
Tags also enable you to specify conditional text: the text specified within these tags will be conditioned to the presence of the begin and end dates parameters upon a report generation request. If the dates are present, the text is displayed, otherwise it is hidden. These tags are:
- %COND.START%
- %COND.END%
- SMTP: enter the SMTP server name to send emails.
|
|
NOTE: These keywords are case insensitive. |
Example:
Managing Report Models
Subject
Depending on your needs, you can import report models (see Importing a report model hereunder) to diversify your available report types or just update your existing reports.
You can also delete report models (see Deleting a report model hereunder).
Description
The report models are divided into 4 categories:
- Activity: reports that help supervise the solution.
- Snapshot: reports that resume the current policy.
- Risk: reports that detect possible anomalies.
- Surveillance: reports that display the activity of the users, applications or workstations.
To view the list of report models provided by One Identity as well as their parameters, see Report Models and Parameters List.
Before starting
- To manage the PDF reports models, you must own the following rights:
- Reporting: Administration: to manage the configuration of the report generation requests.
- Reporting: Model import: to authorize the administrators to import new report models or to update the existing ones.
- Reporting: Model deletion: to authorize the administrators to delete the report models.
NOTE: For more information on administration roles, see Section Managing administrators.
- You have placed the new report models or the updates provided by the One Identity Expertise Center in the directory dedicated to its category under C:\Program Files\Common Files\One Identity\IAR\exports\models\archives\<DBTYPE>\UAS\<Category>, where DBTYPE is the database type used by the controller and Category the name of the model category to import.
For example, to update the report model on the mobile devices of the Snapshot category, you must place the archive containing the Mobiles.zip model in the C:\Program Files\Common Files\One Identity\IAR\exports\models\archives\MySQL\UAS\Snapshot directory if the database used is MySQL.
Procedure
- In the Report menu, click Import report models.
- The controller selection window appears.
- Select a controller where the reporting service is installed and click OK.
- The Select report model to import window appears and displays all the models to import.
- The Select report model to import window appears and displays all the models to import.
- Select a display language then select a report model.
- Select the Show unknown model only check box to display only the models that have not been imported yet.
- Click Import.
- The Import options window appears.
- The Import options window appears.
- Select the import mode of the report model:
- Delete if exists then create: deletes the model if it already exists and recreates it.
- Update the report model: only updates the files depending on the graphic model or the property files.
- Do nothing if the report model exists: does not create a new model if it already exists.
- Select the language(s) in which the report model can be generated and click Import.
- The report is imported and available for on-demand or periodic PDF report generation.
|
|
NOTE:
|
Procedure
- In the Report menu, click Delete report models.
- The Select report model to delete window appears and displays all the models imported in the Reporting module.
- Select a report model
NOTE: If you only want to delete one of the display languages of a report, select the report and the language to delete. - Click Delete.
- The report model is deleted.
Managing Permissions
Subject
You can manage permissions by adding/deleting users and adding/removing the following permissions:
- Reader: the user can only download the reports.
- Full control: the user can download reports and if he is an administrator, he can also add/modify/remove users and their rights.
Before starting
To manage the permissions, you must own the following right:
Reporting: Administration: to manage the configuration of the report generation requests.
Procedure
- In the Reporting panel > PDF reports tab, click Permissions.
- The Report permissions window appears.
- The Report permissions window appears.
- To:
- Add a user and his permission: click Add.
- Modify the permission of a user: click Change right.
- Remove a user and his permission: click Remove.
- Once you have made the modifications, click OK.