user reporting from CMOD

Previous topic - Next topic
Print
Go Down Pages1
User actions

bruce.mchendry

March 24, 2015, 12:33:21 PM
Hi all,
As a part of ongoing maintenance and SOX reporting we need to create user reports. Things like which groups users belong to, what do they have access to and when is their last log on. I know there's a couple of approachs we can take but I'm curious as to what some of you other folks are doing and have found works the best. We are on CMOD 9.0.0.3 on a Windows 2012 server with a remote SQL 2010 database. Thanks in advance.
Cheers,
Bruce

Justin Derrick

#1
March 24, 2015, 04:01:58 PM
Most folks that I've seen do this sort of reporting usually come up with a huge SQL query that generates a massive table showing which users have access to which Application Groups directly, or have access that's inherited through groups.

In terms of last logins, there's a 'last updated' field in the arsuser table, which shows the last time a user changed their password, which is a good indicator of inactivity if you're doing user administration inside CMOD.  Otherwise you have to search the System Logs for their User ID, which can be time consuming, especially if you have a busy server.

Can you share your requirements with us?

-JD.
Call:  +1-866-533-7742  or  eMail:  jd@justinderrick.com
IBM CMOD Wiki:  https://CMOD.wiki/
FREE IBM CMOD Webinars:  https://CMOD.Training/
IBM CMOD Professional Services: https://CMOD.cloud

Interests: #AIX #Linux #Multiplatforms #DB2 #TSM #SP #Performance #Security #Audits #Customizing #Availability #HA #DR

bruce.mchendry

#2
March 24, 2015, 04:16:46 PM
Hi,
Thanks for the reply ! I have asked my developer to look at the SQL route but hoping it won't end up either being a lot of work or generate info. overkill. As far as requirements go at a high level we need to do 3 things. Track users so we know who is actually using the system vs people who aren't, left, moved on etc, etc.
The other 2 would be related to SOX audits. We need to take the user list and show what application groups they have access to and at what level. Then the reverse where we could audit the application groups and show who is in them and what they have access too and the two should match. Key word "match". I know thats the basic requirement right now and I have to admit I do want to keep on top of that too since we seem to get in a position where user requirements change but we don't keep pace on the security side. Does that make sense ?
Cheers,
Bruce

ewirtz

#3
March 25, 2015, 10:58:05 AM
Hi Bruce,
if you activate the needed messages you can get the needed info from syslog. We have structured copy of system log from which logins, searches, retention needs .. can be derived.

regards

Egon

bruce.mchendry

#4
March 25, 2015, 11:37:40 AM
I'll take a look at that this morning, thanks !!
Print
Go Up Pages1
User actions
SMF 2.1.4 © 2023, Simple Machines
ProCurve Theme Made By : TwitchisMental