Quest One Privileged Account Management. Auditor Manual. Version 2.4

Transcription

1 Quest One Privileged Account Management Auditor Manual Version 2.4

2 2011 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser s personal use without the written permission of Quest Software, Inc. The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document. If you have any questions regarding your potential use of this material, contact: Quest Software World Headquarters LEGAL Dept 5 Polaris Way Aliso Viejo, CA legal@quest.com Refer to our Web site ( for regional and international office information. Trademarks Quest, Quest Software, and the Quest Software logo are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. For a complete list of Quest Software s trademarks, please see Other trademarks and registered trademarks are property of their respective owners. Third Party Contributions Quest One Appliance-Based Privileged Account Management Solutions contain some third party components. Copies of their licenses may be found at 2

3 Table of Contents 1.0 Introduction to TPAM Conventions Used in this Guide Accessing TPAM Getting Help Online User Manuals Help Bubbles Customer Portal Contacting Customer Support TPAM Definitions Terms User Types Access Policies Permission Types Permission Hierarchy Permission Based Home Page Recent Activity Tab Managing Your Own Account User Time Zone Information Application Navigation Tab Format Filter Tab Listing Tab List Systems System Listing Collection Tab System Listing Permissions Tab List Accounts List PSM Accounts (PSM Customers only) List Collections Collection Listing Members Tab Collection Listing Permissions Tab List Groups Group Listing Members Tab Group Listing Permissions Tab List UserIDs User Listing Groups Tab User Listing Permissions Tab Session Management (PSM Customers only) Replaying a Session Log Monitoring a Live Session File Transfers Tab Logs Sys-Admin Activity Log Security Log Firewall Log Database Log Alerts Log Reports Report Time Zone Options Report Layout Options Adjustable Column Widths

4 19.4 Report Export Options Activity Report ISA User Activity Approver User Activity Requestor User Activity PSM Accounts Inventory (PSM Customers Only) Password Aging Inventory File Aging Inventory Release-Reset Reconcile User Entitlement Failed Logins Password Update Activity Password Update Schedule Password Testing Activity Password Test Queue Expired Passwords Passwords Currently In Use Password Requests Auto-Approved Releases Password Release Activity File Release Activity Windows Domain Account Dependencies Auto Approved Sessions (PSM Customers Only) PSM Session Activity (PSM Customers Only) PSM Session Requests (PSM Customers Only) Scheduled Reports Subscribing to Reports Browsing Stored Reports Data Extracts Data Extract Details Tab Data Extracts Data Set Tab Data Extract Log Tab Data Extract Dataset Filenames

5 1.0 Introduction to TPAM Total Privileged Access Management (TPAM) is a robust collection of integrated modular technologies designed specifically to meet the complex and growing compliance and security requirements associated with privileged identity management and privileged access control. The Privileged Password Manager (PPM) module provides secure control of administrative accounts. TPAM is a repository where these account passwords are stored until needed, and released only to authorized persons. Based on configurable parameters, the PPM module will automatically update these passwords. The Privileged Session Manager (PSM) module provides a secure method of connecting to remote systems, while recording all activity that occurs to a session log file that can be replayed at a later time. All connections to remote systems are proxied through Privileged Account Management (PAM) appliance ensuring a secure single access point. The Privileged Account Appliance (PAA) has several methods of access: Configuration interface (HTTPS via direct connection, with network option) Administrative interface (HTTPS via network access) User interface (HTTPS via network access) Admin CLI (SSH via network access) User CLI (SSH via network access) User API (SSH client application via network access) All data stored in TPAM is encrypted in storage and transit. Careful attention has been placed on the security and audit capabilities of, due to the high security implications of the data it contains. To support this high level of security, TPAM is designed to ensure segregation of duties and dual control. The segregation of duties is accomplished through permission based authorization. Dual control is accomplished by optionally requiring multiple pre-defined individuals to be involved in the connection to a system. 2.0 Conventions Used in this Guide Element Bold Italics Text Note! Tip! Alert! Convention Where ever this symbol is displayed it means there is new functionality or an entirely new feature being discussed. Elements that appear in the TPAM interface such as menu options and field names. Used to highlight additional information pertinent to the process being described. Used to provide best practice information. A best practice details the recommended course of action for the best result. Important information about features that can affect performance, security or cause potential problems with your appliance. 5

6 3.0 Accessing TPAM To access TPAM, point your browser to TPAM s IP address or FQDN followed by /egp or /par. For example, if the IP address for TPAM has been configured as , the URL would be The initial TPAM administrator account is called paradmin and the initial password is provided with your licensing information. Connectivity To communicate with the TPAM appliance and successfully initiate a session your computer will need to be able to pass traffic on ports 443 (HTTPS) and 22 (SSH). If TPAM will be accessed via Microsoft Internet Explorer (IE), there are two important setting changes to verify or change in the IE configuration: Pop-Up Blocker When the /par website is accessed, the initial instance of the browser will be closed and a new window will open without menu or title bars. Browsers that are configured to block popups often interpret this as a pop-up and the page will not be displayed. Be sure to add the URL for TPAM to the list of allowed pop-ups. Tip: Holding the Ctrl key will temporarily allow pop-ups. User Authentication Settings It may also be necessary to modify the User Authentication option of the IE Security Settings. The recommended setting is Prompt for user name and password. A setting of Automatic logon may attempt to pass the username and password from the workstation or domain to TPAM. This will cause logon failures and may lockout the user s TPAM account. 1 For additional information and instruction on the initial configuration of the appliance, see the Quest One Privileged Account Management Configuration and Administration Manual. 6

7 4.0 Getting Help 4.1 Online User Manuals To access online user manuals click the Documents list located in the upper right hand corner of the application. The manuals that are available to you are based on your user type and the permissions assigned to your userid. 4.2 Help Bubbles Throughout the application you will also notice help bubbles ( ) next to many of the fields in the application. If you hover the mouse over the bubble a pop up window provides a brief explanation about what the field is used for. 7

8 4.3 Customer Portal The Quest Software Customer Portal is where you can find product updates, user manuals, WebEx Demos and FAQ s. To access the Portal you will need a username and password from the Quest Software Technical Support group. To login go to Contacting Customer Support Quest Software's world-class support team is dedicated to ensuring successful product installation and use for all Quest Software solutions. SupportLink at support@quest.com You can use SupportLink to create, update, or view support requests 5.0 TPAM Definitions 5.1 Terms System A system is a host computer, network device, or work station for which one or more account passwords will be maintained. It is also referred to as the managed system Collection A collection is a logical association of systems. In v2.4 collections can also include Accounts and Files. Permissions can be granted to a collection. All systems contained in the collection, or added to it, will inherit those permissions. A system can belong to multiple collections. A System cannot be in the same collection as any of its Accounts or Files UserID A UserID is defined as a user of the TPAM appliance. At the time the UserID is created the interface (Web or CLI/API) must be determined and cannot change. There are different types of UserID s (Basic, UserAdmin, Auditor, Administrator and Cache User). See section

9 5.1.4 Group A Group is a logical association of UserIDs. Groups are a mechanism for easing the burden of assigning Access Policies on systems or collections to users. Access Policies that are assigned to a group are inherited by all members in the group. When a user is added to a group, they will immediately receive all permissions assigned to the group, and all permissions received through the group are revoked when a user is removed from the group. Users can be members of multiple groups Managed Account This is the account on the remote system to which a proxied connection can be made and/or whose password is being stored and maintained through the PPM portion of TPAM. For example, root is likely to be a managed account on many of the managed UNIX systems. 5.2 User Types Basic A Basic user type can be assigned permissions for various functions throughout the application, such as requestor, reviewer, etc Administrator The Administrator is the most powerful user type for the TPAM User Interface. This user type can create and delete systems, users, groups, and collections. The administrator user type may also assign access policies to any user including themselves. An administrator may view all reports. It is recommended that this user type be assigned carefully. The Administrator may not delete or disable their user ID Auditor The auditor user type permits the individual to view reports, session logs and system information, but not to make any changes to data or view passwords. The Auditor may not delete or disable his own account. Auditors may also review completed password and session requests User Administrator This user type has the authority to manage Basic user types. User Administrators can disable and enable users, unlock user accounts, and update account information. The User Administrator does not have the ability to add users to groups or manage permissions. CLI/API user accounts cannot be managed by a User Administrator Cache User If your company opted to purchase cache servers along with TPAM you will be setting up cache user types. A cache user can only retrieve passwords through the cache server that they are assigned to. A cache user will not have access to the TPAM interface. 9

10 6.0 Access Policies In v2.4 we have added Access Policies which allow permissions to be assigned at the System and Account level. Access policies allow permissions to be broken down and assigned at a more granular level. For example you have one Access Policy that would allow someone to review password releases, request password releases and request a session which would limit them to two commands. In the past you could only have 1 PPM permission and 1 PSM permission but now with Access Policies this has changed. There are default Access Policies that are created in the v2.4 patch that mimic the old TPAM roles of EGP Requestor, PAR ISA etc, so that existing permission assignments are migrated to the new Access Policy model and so that the default Global Groups can be supported. 6.1 Permission Types Denied This user role was created so that collection permissions could be assigned to a user and then if there are specific entities within this collection that the user should not have access to the Denied permission can be set for these entities. If you are Denied for a System but have access to a specific Account/File on that System you will still be able to access the Account/File, because Account or File holds precedence over System. Information Security Administrator (ISA) The role of ISA is intended to provide the functionality needed for security help desk personnel, and as a way to delegate limited authority to those responsible for resource management. An ISA permission with a Type of Session allows the user to add and update all aspects of PSM Only systems, PSM only accounts, and for PSM supported platforms. An ISA permission with a Type of Password allows the user to add and update systems and accounts for all platforms except those that are PSM only. A user must be assigned an Access Policy with a Type of both Password and Session and permission of ISA to be able to assign access policies to other entities. The ISA permission does not allow the user to delete a system. Approver An Approver can be set up to approve password, session and or file requests. An approver can also be set up to only approve sessions that are requesting specific commands. Requestor A Requestor can be set up to request password, session, and or file requests. A requestor can also be set up to only request sessions that run specific commands. 10

11 Note! A user requesting a session that has an interactive proxy type must also have an access policy assigned to them that include password/requestor for that account. Privileged Access (PAC) An individual that must go through the request process for passwords, files, and sessions but once they submit the request it is automatically approved, regardless of the number of approvers required. Note! If you have Session /PAC permissions but do NOT have Password/PAC Permissions on an account, you will only be able to start a session that is configured for one of the automatic proxy connection types, since you do not have permissions to access the password. Reviewer The reviewer role permits the individual to view reports on specific systems to which they have been granted reviewer rights. A Session/Command Reviewer can also replay sessions and review/comment on these sessions. If the user has Password Reviewer permissions they can review a password release that has expired and comment on that password release. 7.0 Permission Hierarchy Because TPAM allows groupings of Users (Groups) and remote systems (Collections), it is possible - even likely, that a user could appear to have multiple conflicting permissions for a particular system, account, and or file. To prevent this, TPAM implements a precedence of permissions. The precedence, in order of decreasing priority is: An Access Policy assigned to a User for an Account/File (most specific) An Access Policy assigned to a User for a System An Access Policy assigned to a User for a Collection containing Accounts or Files An Access Policy assigned to a User for a Collection of Systems An Access Policy assigned to a Group for an Account /File An Access Policy assigned to a Group for a System An Access Policy assigned to a Group for a Collection containing Accounts or Files An Access Policy assigned to a Group for a Collection of Systems (least specific)(*) (*) This category includes Users who are assigned to any of the Global XXX Groups. The Groups grant their respective permissions to an internally-maintained All Systems collection. Note! A single Denied Access Policy assignment at any level overrides all other permissions at that level. 11

12 When any of the permissions are changed, for instance by adding or removing a user from a group, the precedence is recalculated, and if necessary, the permissions for the user are changed to reflect the new level that results. In the scenario shown above, the groups and users have been assigned Access Policies which grant the permissions specified. In this situation, the precedence of permissions will be applied and the effective permissions would be as follows: User A has Approver permission on System C through the Group to System assignment. 12

13 User A has been assigned Reviewer rights on System A, Account B1, and File C1 via Group A to Collection B assignment. These Review rights on File C1 take precedence over the Approve rights on System C because assignment to a Collection containing an Account or File is more specific than a collection containing just the System. User A may still Approve requests to all accounts on System C and all of C s files with the exception of File C1. Users A, C, and D have Request rights on System A, Account B1, and File C1 through Group B. Note that as with above, the Group B to Collection B assignment of Request rights for User A on File C1 override the Approver rights from Group A. Since User A is in both Groups A and B he has both Review and Request rights on all the items in Collection B. Assignments at the same hierarchy level are combined. User B has been Denied access to System B, which includes all Accounts and Files thereon. Even though the Group A to Collection B assignment User B grants Review to Account B1 on System B, User B is still denied access because the User to Collection assignment trumps the Group to Account in a Collection assignment. If User B had instead been assigned the Review permission directly (as opposed to through Group A) to Account B1 that would have replaced the Denied assignment on System B, but only for that one account. User B also has Review rights on all Accounts and Files on System A and File C1 on System C. User C has been granted explicit ISA rights on Account B1. This User to Account assignment supersedes both policies User C received via the Group to Collection assignments, but only for Account B1. User C still has Review and Request permissions to System A and File C1. User D has been granted ISA rights over Collection A. This assignment takes precedence over D s Request permission on System A which is through the Group B to Collection B. D still retains the Request permissions on Account B1 and File C1 from the Group assignment, however that removes D s ISA permissions on Account B1 (although D still has ISA permissions over any other accounts on System B). Where there is more than one permission granted at the same level of the permission hierarchy those permissions are combined, as long as one of those permissions is not Denied. If a User is in 3 different groups (A, B, and C) with policies to the same System (A grants Approver, B grants Reviewer, and C grants Requestor) the user has all three permissions in effect on that system. However, if Group B has Denied permissions instead of Reviewer that takes precedence over all other "Group to System" assignments for that User on that System. 8.0 Permission Based Home Page Your home page is based on the user type and permissions assigned to your user id in the TPAM application. You can return to the home page from anywhere in the TPAM application by clicking the home icon located on the far left side of the menu ribbon. 13

14 The first tab that displays is the default message of the day which is configured through paradmin interface. 8.1 Recent Activity Tab The recent activity tab shows all your activity in TPAM for the last 7 days. 9.0 Managing Your Own Account Any user may change their password and update individual account details using the My Info menu option. To reset your own password, select My Info Change Password from the menu. Enter the existing password, the new password desired, and confirm the new password. User passwords are subject to the requirements of the Default Password Rule. 14

15 Other individual account information can also be self managed, such as contact information and full name. Select My Info User Details from the menu to make modifications to your own account information. A user may not modify the UserID, Last Name, or First Name fields. 9.1 User Time Zone Information You can edit your time zone information through the My Info User Details menu option. The TPAM administrator will also be able to edit your time zone. If you are in the same time zone as the server and follow the same Daylight Saving Time (DST) rules the first radio button should be selected. If you are in a different time zone and/or follow different DST rules and do not want to follow server time, the second radio button should be selected, and the appropriate time zone chosen from the list. With this option most dates and times that the user sees in the application or on reports will be converted to your local time. If a date or time still reflects server time it will be noted on the screen. 15

16 Note! It the Sys-Admin has disabled User Time zone changes in the paradmin interface the User Time Zone Information block shown above will be visible only for Administrator users. Example: TPAM appliance is located in New York, NY on Eastern Time. The user is located in Los Angeles, CA, which is on Pacific Time. If the user chooses to set their time zone to Pacific Time, any requests, approvals, etc that they make will be reflected in Pacific Time to them, and they will have the option to view some reports in their local time zone. If the TPAM Administrator is in the Eastern Time zone the admin will see this user s transactions stamped with the Eastern Time. Alert! If you are in Daylight Saving Time (DST) you must remember to check the DST box and uncheck it when it is over. This box does NOT automatically get changed for you. You will be automatically redirected to the User Details page when attempting a new transaction if: The server has undergone a DST transition since your last activity. The time zone on the server has been changed since your last activity. The server has had a patch applied that has rendered your current time zone obsolete according to Microsoft s time zone updates. You will be able to see the server time on the bottom left of your screen and your local GMT offset (if different from the server) in the middle bottom of the screen. You will see the time listed in reference to GMT (Greenwich Mean Time), using notation to indicate the number of hours ahead or behind GMT. So for example US Eastern Standard Time is 5 hours behind GMT, or GMT -05:00, New Delhi, India is 5 ½ hours ahead or GMT +05: Application Navigation This section provides an overview how to navigate through the user interface Tab Format One of the first things the user will notice is that upon selecting an action from the main menu bar the data will be displayed through multiple tabs. 16

17 Once a specific System, Account, Collection, etc is selected all of the details about this entity can be viewed by clicking on the different tabs along the top of the page Filter Tab This tab was developed for companies that are managing a large number of systems, accounts collections and groups. By entering specific criteria on the Filter tab, the user will be able to quickly get to the piece of data that they need to review or edit without searching through thousands of records. 17

18 The Max Rows to Display drop down on the Layout tab allows you to limit the number of records returned even if there are more that meet this criteria. The Default Filter Settings has choices of Clear, Save and No Action. If Save is selected then every time the user selects the menu item they will land on the Listing tab and the same filter will be applied until a new filter is saved or if the filter is cleared. Once your filter criteria have been entered click the Listing tab to get the results of your filter Listing Tab The results from your Filter will be listed in the Listing tab. Once you find the record that you want to work with click on the row once to highlight the row on the screen and then click the tab where you want to go next. You can refresh the Listing tab by clicking on it again List Systems 18

19 Certain data may be exported from TPAM to Microsoft Excel or CSV format. This is a convenient way to provide an offline work sheet. Systems are exported using the Systems List Systems menu selection. Choose the criteria for the list of systems, which can be filtered to produce a specific subset of data, or the full list of systems. System Templates will not be included in the Listing. Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want exported in your file. Click the or to download your file System Listing Collection Tab Once you select a system from the Listing tab to view the collections the system belongs to click on the Collections tab. 19

20 11.2 System Listing Permissions Tab Select the system from the Listing tab and click on the Permissions tabs. Here you can see who has permission on this system and which access policy is granting them this permission List Accounts Accounts are exported using the Systems List Accounts menu selection. Choose the criteria for the list of accounts, which can be filtered to produce a specific subset of data, or the full list of accounts. In v2.4 we added password review requirement information to the listing. 20

21 Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want to view List PSM Accounts (PSM Customers only) You have the ability to list PSM accounts. PSM accounts can be exported using the Systems List PSM Accounts menu selection. Choose the criteria for the list of accounts, which can be filtered to produce a specific subset of data, or the full list of accounts. 21

22 Use the Filter tab to enter your listing criteria and the Layout tab to select the data set you want to view List Collections Go to Collections List Collections to view a list of collections. Enter your listing criteria on the Filter tab. To select which columns will be on your listing click on the Layout tab. To view your listing on the screen click on the Listing tab. 22

23 To view the collection listing in Excel or CSV format click the buttons. To view all the collection members in Excel or CSV format click the or button Collection Listing Members Tab To view all members in the collection, click on a Collection Name in the listing and then click the Members tab. or 23

24 14.2 Collection Listing Permissions Tab To view permissions assigned to the collection, click a Collection Name in the listing and then click the Permissions tab List Groups To view the current permissions for a group, select Groups List Groups from the menu. Enter your search criteria on the Filter tab. Using the Layout tab select the columns you want to appear on your listing. Click the Listing tab to see the results. 24

25 Note! If the System Administrator has disabled Global Groups in the paradmin interface you will not see them in this listing. To view the group listing in Excel or CSV format click the or buttons. To view all of the group members in Excel or CSV format click the or button Group Listing Members Tab To see the users who are members of the group click on the Members tab. 25

26 15.2 Group Listing Permissions Tab To see the permission granted to the group click the Permissions tab List UserIDs To see a list of a UserID s effective permissions on all systems, display the User list, by selecting UserIDs List UserIDs from the menu. Enter the Filter criteria for your listing. Click the Layout tab to select which columns to display on your listing. Click the Listing Tab. The UserIDs that meet your filter criteria will be displayed. User Templates will not be included in the Listing. You have the ability to download the listing into a CSV file format. To download the list in Excel click the button. To download the list in CSV file click the button User Listing Groups Tab To see the groups that each user belongs to select the user name from the Listing tab and click on the Groups tab. 26

27 16.2 User Listing Permissions Tab To view the Permissions the user has select the user name from the Listing and click on the Permissions tab Session Management (PSM Customers only) The session management menu provides access to session logs and the ability to playback previous sessions to systems. This answers the critical question what did they do with respect to auditing access to privileged accounts. All user actions, whether performed via keyboard or mouse are recorded Replaying a Session Log Select Session Mgmt Session Logs from the menu. 27

28 Use the filter criteria to limit the list of session logs to those desired. From the Listing tab select the desired session to replay and click the button. Note! If the session log is stored on an archive server there may be a delay while TPAM retrieves the log from its remote storage location. 28

29 The remote access session will be displayed and played back in real time. The playback session may be paused and resumed, moved ahead or back at increased speed, or continuously played at various speeds. Using the session playback controls To manipulate the playback of a session, the controls at the bottom of the session replay window allow the speed of the playback to be changed, ranging from ½ normal speed to 16 times normal speed. Replay may be paused at any point. The session playback toolbar contains both session information and playback controls: Session system The name of the remote system to which the session was established. Session UserID The name of the remote account used to access the system during the session. Slider control Displays the current position of playback, and when the session is paused allows a new position to be selected. To reposition session replay, pause the session and position the slider control to the 29

30 desired spot. Resume playback using the pause control. The session playback will move at maximum speed to the desired playback position. Note! The session time position is based on network packet timestamps. This means that the playback control slider may appear to move in an uneven fashion depending on the data density of each packet, especially for very short recorded sessions. If for some period time there is a minimal amount of activity followed by a flurry of dialog box openings and keystroke input, this would cause the uneven control slider movement. Longer session files tend to provide a smoother control slider movement. Session time position Shows the time position being displayed in relation to the session length: current position / total session time. Pause control When green the session is playing. When red the session is paused. To pause or resume playback simply click the control. Loop button selecting this button will set the session to replay over and over..5x The session will be played at ½ normal speed. 1x The session will be played at normal speed (real time). 2x The session will be played at 2 times normal speed. 4x The session will be played at 4 times normal speed. 8x The session will be played at 8 times normal speed. 16x The session will be played at 16 times normal speed. If a file was transferred during the session you are replaying you can view information about that file on the File Transfers tab Monitoring a Live Session You have the ability to monitor a session as it is being recorded. The user running the session has no indication that their session is being watched. To monitor a live session select Session Mgmt Session Logs from the menu. Use the filter criteria to limit the list of session logs to those desired. 30

31 Any live sessions will display Connected in the Status column. Select the session you want to view and click the button. Any user that has permission to playback a session log has permission to monitor a session for that account File Transfers Tab If a file was transferred during the session you can view information about that file on the File Transfers tab. Select a session from the Listing tab and then click on the File Transfers tab Logs You have the ability to download the logs into a CSV file format. To download the list in Excel click the button Sys-Admin Activity Log button. To download the list in CSV file click the To see all System Administrator activity go to Logs Sys-Admin Activity Log from the menu.. If you are configured for your local time zone, you now have the filter parameter to view the activity on the log in your local time zone. Enter the Filter criteria for your report. Click the Report Layout tab to select which columns to display on your report. Click the Report tab 31

32 18.2 Security Log The security alert log displays events such as invalid logon attempts. Only failed events will be displayed to conserve resources Firewall Log To see all events logged by the firewall go to Logs Firewall Log from the menu. The firewall is configured to log all denied traffic. Enter the Filter criteria for your report. Click the Report Layout tab to select which columns to display on your report. Click the Report tab. 32

33 18.4 Database Log The Database log shows logged activity from the SQL Server database. 33

34 18.5 Alerts Log The alerts log will report on any of the alerts you can subscribe to Reports TPAM includes a number of pre-defined reports to aid in system administration, track changes to objects, and provide a thorough audit trail for managed systems. All reports are accessed via the Reports menu. The reports can be filtered by criteria that are specific to each report type. 34

35 Note! Access to different reports is based on the user s permissions. Only TPAM Administrators and Auditors have access to all reports Report Time Zone Options There are time zone filter parameters on most of the reports so that the user can choose to view the report data in their local time zone or the server time zone. These filter parameters will only be visible if the user is configured with a local time zone. This filter affects not only the data reported but also the filter dates used to pull the data. For example, the server is at GMT time and the user is in Athens, Greece (GMT +2). When the user enters a date range of 9/16/2009-9/17/2009 with the local time zone option, the report will pull transactions that happened on the server between 9/15/ :00 through 9/17/ :59. All reports that use the local time zone filter now have an extra column indicating the GMT offset that was used to generate the report. This value will either be the current GMT offset of the server or the user. This column will also appear in reports that are exported using excel or csv Report Layout Options The user can select which columns they want to display on the report by clicking on the Report Layout tab. Also the user can decide which column they want the report sorted by clicking the radio button in the Sort Column. 35

36 Also note the Max Rows to Display list. This limits the number of rows that are returned on the report even if there are more rows that meet this filter criteria Adjustable Column Widths The user can adjust the column size of any column on a report by hovering their mouse over the column edge and holding down the left mouse button and dragging the mouse to adjust the column width Report Export Options In addition to exporting the report to an Excel formatted file, the user can also export the file in a CSV (comma separated value) file format. Alert! If you expect your report results to be over 64,000 rows you must use the CSV export option. The Export to Excel option will only export a maximum of 64,000 rows! 19.5 Activity Report The activity report contains a detailed history of all changes made to TPAM. 36

37 19.6 ISA User Activity The ISA user activity report shows an audit-trail report containing detailed records of all activities performed by users with ISA permissions Approver User Activity The approver activity report shows an audit-trail report containing detailed records of all activities performed by users with Approver permissions. If a user has both requestor and approver activity this report will only show the approver activity Requestor User Activity The requestor activity report shows an audit-trail report containing detailed records of all activities performed by users with Requestor permissions. If a user has both requestor and approver activity, this report will only show the requestor activity PSM Accounts Inventory (PSM Customers Only) The PSM accounts inventory report will show a list of all accounts that are PSM enabled. 37

38 19.10 Password Aging Inventory The password inventory report will display a list of all managed systems, and all accounts on those systems that are managed by PPM File Aging Inventory Similar to the password inventory report, the file inventory report will display a list of secure stored files and the systems for which they are managed. 38

39 19.12 Release-Reset Reconcile The purpose of the Release-Reset Reconciliation report is to provide auditable evidence that passwords have been reset appropriately after being released. The report can be filtered by date or date range, and sorted by system name, RequestID, or first release date User Entitlement In v2.4 we merged the Password, EGP and File User Entitlement reports all into one User Entitlement report, with additional filters. This report provides a mechanism to review and audit individual users permissions for systems, accounts, commands and files on an enterprise scale. Based upon selected filter criteria, the report will show each user and their permissions to each system, whether based upon Collection, Group, or individual assignment. To reduce the size of the report for large organizations where numerous systems belong to collections, use the filters provided such as Show Only Effective Permissions. 39

40 Turning on the checkboxes or radio buttons for the options will have the following effects on the report: Expand Collections to show all Systems, Accounts, & Files? When checked the report will expand any retrieved Collection-level permissions to show all the Systems, Accounts, and Files in the collection. Permissions are indicated as being at the Collection level by the presence of the Collection Name as well as the Permission Source column. When not checked only the Collection itself is shown. Expand Groups to show all Users? When checked the report will expand any retrieved Group to show all users within this group. Permissions are indicated as being at the Group level by the presence of a Group name as well as the Permission Source column. When not checked only the Group itself is shown. Expand Access Policies to show policy permissions details? When checked this will expand the Access Policy for each row to show the Permission Type (Password, Session, etc.) and Permission Name (Requestor, Approver, etc.) for all detail rows for each Access Policy. When not checked only the Access Policy Name is displayed. Show All Permissions When this radio button is selected the report will show all possible policies for each assignee (User or Group) to each entity (System, Account, File, or Collection) with the effective permission indicated. Show Only Effective Permissions When this radio button is selected the report will show only the effective permission for each assignee to each entity. 40

41 Alert! If you select any of the Expand options you must fill in at least one of the text filters with a non-wildcard value. For very large data sources the expansion of Collections, Groups, and/or Access Policies can very easily create a report beyond the retrieval and display capabilities of a web browser. For large datasets (10 s of thousands of accounts or thousands of large collections to expand) it is recommended to rely on the Data Extracts for unfiltered versions of the Entitlement Report Failed Logins Failed login attempts to TPAM are recorded and these events are available for review using the Failed Logins report. Note! Data shown for failed logins may be up to 15 minutes old. The data for the report is refreshed every 15 minutes Password Update Activity The password update report shows an audit-trail report containing detailed records of all password modifications to all systems managed by PPM. 41

42 19.16 Password Update Schedule The password update schedule report will show all currently scheduled password changes and the reason for the change such as a change due to default change settings or in response to a password release, etc Password Testing Activity The password testing activity report shows the results of automated testing of each managed account s password Password Test Queue The password test queue report will list all accounts currently queued for password tests. This is a useful report to view when troubleshooting performance related issues. A high number of queued password tests can impact system response time if the check agent is running. This report does not provide a mechanism for exporting data but does provide for deleting passwords from the test queue. So if there is some known reason why a large group of password tests will fail such as a network outage, that group can be filtered out in the report and then deleted. An alternative would be to just stop the check agent. 42

43 19.19 Expired Passwords This report allows you to report on currently expired passwords, or passwords that are going to expire within a certain date range. You can also filter based on whether the system/account has password management enabled or set to manual. In v2.4 we added a Reason Code column to the report Passwords Currently In Use This report defines In Use as passwords that: Have been retrieved by the ISA/CLI/API that have not yet been reset Passwords that have been requested and retrieved, but not yet reset If password has been manually reset from the account details or password management pages but not yet reset by PPM. If the password has been manually entered on the Account Details page but not reset by PPM. If the account is created either from the TPAM interface or as a result of Batch Import Accounts and is assigned a password by the user (as opposed to allowing the system to generate a random password). Passwords manually changed prior to TPAM will not show as IN USE 43

44 19.21 Password Requests This report allows you to view all password requests within a specified time period and view details relating to the request. Selecting a row in the report, and clicking on the Responses, Reviews and Releases tab will give you additional details on the request. In v2.4 we added a Reason Code column to the report Auto-Approved Releases Password and stored file releases made by requestors that did not require dualcontrol approval (auto-approved requests) may be reviewed in the Auto Approved Releases and Auto Approved File Releases reports. 44

45 19.23 Password Release Activity The password release activity report displays a history of password releases, based upon filter criteria selected for the report. The reason text and ticket system information is also provided in the report. column to the report. In v2.4 we added a Reason Code File Release Activity The file release report is essentially identical to a password release report, but will show the release activity associated with stored files. Reason Code column to the report. In v2.4 we added a Windows Domain Account Dependencies This report shows which managed domain accounts have dependencies on other systems Auto Approved Sessions (PSM Customers Only) This report lists all sessions that were auto approved because the account had no approvals required for session requests. 45

46 19.27 PSM Session Activity (PSM Customers Only) This report shows the details on any sessions that occurred within a specified time period or for a specific system/account. column to the report. In v2.4 we added a Reason Code PSM Session Requests (PSM Customers Only) This report allows you to view all session requests within a specified time period and view details relating to the request. Selecting a row in the report, and clicking on the Responses, Reviews and Releases tab will give you additional details on the request. In v we added a Reviews Required column to this report. In v2.4 we added a Reason Code column to the report Scheduled Reports To see the scheduled reports options from the menu go to Reports Scheduled Reports. Alert! The upgrade to v2.4 will DISABLE all of the PSM, PPM, and File User Entitlement Reports in the Scheduled Reports page. These reports are all very resource intensive and with the new Account-level permissions are capable of causing severe performance degradation for on-line users during the daily report cycle. If you plan on using the information on a daily basis we strongly recommend that you enable the reports one at a time and only generate the versions that are needed. HTML output may be usable on smaller installations. However it is very common for the reports to be over 1 million rows, and most customers find that CSV files are more manageable Subscribing to Reports Because TPAM automatically produces and stores batch reports, these reports are available for subscription to administrator and auditor users. To subscribe to any of 46

47 these reports, select Reports Scheduled Reports Report Subscriptions from the menu. In v2.4 we added the System DPA Affinity Batch Report, to display Affinity assignments for all systems. Note! The start time for these reports is controlled by the Daily Maintenance start time that is configured by the System Administrator in the paradmin interface. Check the option box for each report desired, selecting either HTML or CSV format (or both, if desired) and click the button. When the batch reports are created (generally at 00:30 hrs), the selected reports will be sent to each subscriber via attachment. You have the ability to disable specific batch reports (HTML, CSV, or both). Use the list in the Status column to set your preference and click the button. The settings you have saved in the Subscribed column will not be affected by what you select in the Status column. If a report is disabled, then the subscribers will not receive it until it is enabled again. Report subscriptions are dependent upon the TPAM Mail Agent and a valid address for the subscribing user. You have the option to add additional recipients to the Batch Reports. Select the report you want to add recipients to and then click the Additional Recipients tab. 47

48 To add a recipient, enter the recipients address. You can separate multiple e- mail addresses with a coma. Select the how you want the report sent from the list. Click the the click the button. To remove recipients from the batch report click button. To modify a recipient s address, make the change and button Browsing Stored Reports All Batch reports are generated daily by TPAM and stored internally. These reports are available for viewing by any administrator or auditor user. Stored reports are retained for a period of time specified in the Online Batch Reports retention period of the administrative Global Settings of TPAM (see TPAM Configuration and System Administrator Manual). To view the stored reports, select Reports Scheduled Reports Browse Stored Reports from the menu. Note! The date and timestamp on the stored reports is server time. Note! Even if no one has subscribed to a report it will still be generated and stored in the PARReports folder. Setting a report to HTML Only or CSV Only will generate and store only that version of the report Select the desired date by clicking the hyperlink, formatted yyyymmdd. The individual reports available for that date will be displayed in the browser window. 48

49 Each report is available in either HTML format or comma separated value (CSV) format. Simply click the desired hyperlink for the report to view it. You have the ability to resubmit a run of batch reports for a prior date. To resubmit a batch report to run for a prior date log into the paradmin interface. Select System Status/Setting Resubmit Batch Reports from the menu. Enter the date the date you want to run the reports for. Log back into TPAM and go to Reports Scheduled Reports Browse Stored Reports to find the report you resubmitted. Now that we provide for batch reports to be resubmitted from the PARADMIN interface, the user may see a much longer folder name for batch reports. When the batch is resubmitted then the directory name starts with the resubmit date followed with _rundate_time. So if the 10/1/07 reports were rerun on 11/13/07 at 1pm there would be a directory named _ _ Data Extracts Certain data may be extracted from TPAM and automatically transferred to a pre-configured Archive Server (see the TPAM Configuration and Administration Manual for more information on archive servers). Extracted data is supplied as a *.CSV file and is easily viewed with MS Excel or any text editor. Information that may be extracted includes lists of systems, accounts, users, etc. and many logs of user activity and entitlement. The extracted files are compressed (ZIP file format) and named with a date and time stamp. 49

50 Data extracts are configured much in the same way as TPAM system backups. The extracts can be set to occur based upon various interval criteria, and the time the process runs may also be specified. To configure data extracts, select Reports Scheduled Reports Data Extract Schedules from the main menu bar. To configure an extract click one of the Schedule Names and click the Details tab. 50

51 21.1 Data Extract Details Tab Schedule Name: The schedule name can be changed and saved to whatever the user wants Enabled: The Enabled option is used to turn on or off the automatic data extracts Zip Files: If the Zip option is checked then the files that are extracted will be saved in a zip file format Delimiter: If you want the file formatted differently than tab delimited, enter the other format type in this field Schedule Time: To have the extract run daily, select this radio button and set the start time. To have the extract run weekly, select this radio button and select the day of the week and start time. To have the extract run monthly select this radio button and select one of the day of the month options and the start time Transfer the data extract to this Archive Server: The archive server to which the extract will be transferred is selected from a drop-down list of available servers configured by the TPAM System Administrator. Select the desired archive server Send / Results To: Optionally specify an address to receive extract results. Choices are: All or Failed Data Extracts Data Set Tab This tab is used to indicate which specific data sets will be extracted. In v2.4 we added two new data extracts, Password Release Activity and Password Update Activity. 51

52 Enabled: Check the Enabled? box to select this data set as part of the scheduled extract Column Headings: Check the Column Headings? Box if you would like the data extract file to have column headings. Click the extract. button to save and changed to a scheduled data 21.3 Data Extract Log Tab The data extract log tab will display the logged results of each scheduled extraction. You can use the Filter tab to narrow the results of your search, and then click the Data Extract Log tab. 52

53 If you click the button the data extract will immediately initiate. If you click the button all the history in the data extract log will be cleared.. If a specific Extract Schedule is selected then only log data for that job will be deleted otherwise all data extract log data will be deleted Data Extract Dataset Filenames You can customize the file name for each data extract. Click the Dataset Filenames tab and adjust the file names. You cannot specify different file names for different schedules. 53

54 Put your cursor in the Filename field and rename the file to your specification. Click the button. 54