User access controls toolkit
The user access controls testing analysis robot toolkit is an analytics-as-a-service solution for monitoring user access controls. It compares user lists across Active Directory, HR management systems, and other applications such as SAP, Oracle, and Salesforce.
The toolkit comes as a pre-configured solution that is applicable to most customers. Once deployed, you can update the analysis robot toolkit with new scripts as we release them. You can further customize it by adding custom scripts to refine the toolkit. The imported data can be output to Results or Excel files.
Note
The user access controls testing analysis robot does not support the following:
- Analytics Exchange (AX)
- Robots Cloud Agent for production purposes
- Custom analytics and data sources
- Any reporting other than Excel/Results outputs
System and subscription requirements
Ensure that you meet the following subscription and system requirements to use the User Access Controls Testing Analysis Robot toolkit.
Requirement | Notes |
---|---|
ACL Robotics Enterprise Edition | Robot toolkits are available as add-ons |
On-premise Robots Agent version 15 | Verify the version to be installed - Unicode or Non-Unicode |
ACL for Windows version 15 | |
Data Integration Robot for the source application | Ensure that the Data Integration Robot for the source application has been successfully deployed into your organization and is currently running. |
About the toolkit
The toolkit installs several components in Diligent One.
Component | Count | Name |
---|---|---|
Collection | 2 | User Access Controls Testing Analysis - Development Mode; User Access Controls Testing Analysis - Production Mode |
Analysis | 2 | User Access Controls Testing Analysis (one per Collection) |
Robot | 1 | User Access Controls Testing Analysis |
Analytic Tables | 10 | For more information, see Analytics for User Access Controls Testing. |
User access controls testing analysis robot
The user access controls testing analysis robot is automatically created when the toolkit is installed. This robot contains the following:
- Analytic scripts - Contains the core scripts to import and process data.
  Note
  You should not modify the analytic scripts. Modifying the scripts may result in failures while running tasks. Any modifications required should be configured in the User Analytic Configuration file or uploaded as custom analytic scripts.
- (Optional) Custom analytic scripts - Scripts that are manually uploaded to add new customer-specific analytic capabilities to the robot or to make data logic changes. These scripts take precedence over the default analytic scripts and should be thoroughly reviewed.
- Configuration files - All the configuration files listed in the following table are available in the Input/Output tab of the robot.

File Name | Description | Mode |
---|---|---|
UA_Default_Analytic_Configuration.xlsx | Contains default configurations. Note: You should not modify this file. Modifying the file may result in failures while running tasks. Any modifications required should be configured in the User Analytic Configuration file or uploaded as custom analytic scripts. | Generated automatically by the robot |
Result_Table_IDs.csv | Contains the destinations for the tables exported to Results, within the respective Development and Production collections. | Generated automatically by the robot |
User Analytic Configuration File | Contains custom configurations that must override configurations provided in the default analytic configuration file. Configurations in this file take precedence over inputs in the default analytic configuration file. NOTE: If customizations exceed the capabilities of the User Analytic Configuration file, a custom script may be added. | Manually uploaded when implementing the toolkit |

- Robot task - Executes the default and custom scripts within the robot and contains the following information.

Parameter | Description |
---|---|
Export to HighBond Results? | Specifies whether to export imported data to Results. Options available are as follows: Export to Results - Overwrite (overwrites the data in the results tables each time data is exported); Export to Results - Append (appends data to the results tables); Do not export (does not export data to Results). |
Export to Excel? | Specifies whether to export the current results to an Excel file or not. Options available are as follows: Export to Excel; Do not export. |
HighBond Access Token | Token required to connect to Results. If exporting to Results is disabled, any random value can be provided for this parameter. |
Linked tables
The required, shared tables from the Data Integration Robots are linked to the User Access Controls Testing Analysis robot in the Input/Output tab. When the analysis robot task runs, it pulls data from the linked tables and uses it to process the core analytic logic defined.
Note
You can create multiple analysis robots and link only the required tables to each, segregating the robots for specialized tasks or sets of tasks.
Analytics for user access controls testing
The analytics in the user access controls testing toolkit are listed in the table under What each analytic does.
Error logging
Any errors detected while running the task are logged to the Error Log table for each analytic. If the record count is 0, an error message is written to the Error Log table.
Tip
Review the error log after the task runs, even if the analytic returned no exceptions, to ensure that the table was not flagged as having 0 records. For example, user input parameters from the User Analytic Configuration file are ignored if the file is not formatted properly, which can silently produce an empty result.
What each analytic does
Analytic Name | Description |
---|---|
UA01AD_No_Expiry_Passwords | This analytic reports Active Directory accounts with passwords that are set to not expire. Such accounts are identified by specific values in the UserAccountControl field. The results include both enabled and disabled accounts. The default values for the UserAccountControl field are maintained as a parameter in the Default Analytic Configuration File. If you add further reporting fields to the analytic, the data preparation and analysis scripts that carry forward the Member field may generate record length errors, especially when used with UNICODE robot agents. v_no_expiry is a default parameter available for this analytic in the Default_Config_Params worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions exactly as in the Default Analytic Configuration File. You can use a space-delimited format without any quotes around each individual value, and enclose the full string in double quotes. The result table for this analytic is R_UA01AD_No_Expiry_Passwords. |
UA02AD_Active_Default_Accounts | This analytic matches a list of user-defined default accounts with the User table in Active Directory and reports those users with default accounts that appear to be active (enabled). The default accounts to be analyzed are typically pre-defined accounts associated with privileged access. The date when the password was last set and the number of days since the last password reset are shown in the results. Only enabled accounts are included in the analysis, based on the value in the UserAccountControl field. Account_List is a default parameter available for this analytic in the PARAM_AD_Default_Accounts worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions exactly as in the Default Analytic Configuration File. Note: The RDN field is stripped of CN= or other prefixes for the join between the Active Directory User table and the default accounts. Therefore, the default account names in the parameter table must be provided without the CN= or other prefixes (for example, provide the value as Administrator instead of CN=Administrator). The result table for this analytic is R_UA02_AD_Active_Default_Accounts. |
UA02UNIX_Active_Default_Accounts | This analytic matches a list of user-defined default accounts with the User_Name field in the /etc/passwd file and reports those accounts that appear to be active (enabled). The default accounts to be analyzed are typically pre-defined accounts associated with privileged access. The date when the password was last set and the number of days since the last reset are shown in the results. Only active (enabled) accounts are reported in the results. Any inactive (disabled) accounts flagged by the analytic are excluded from the results. Note: This analytic requires the file /etc/shadow. If this file is not present in the version of UNIX in use, you may need to add a custom analytic script to test the status of the enabled account. A custom script may also be required if /etc/shadow exists but its encoding for disabled or locked passwords differs. Account_List is a default parameter available for this analytic in the PARAM_UNIX_Default_Accounts worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions exactly as in the Default Analytic Configuration File. The result table for this analytic is R_UA02UNIX_Active_Default_Accounts. |
UA03ORCL_Oracle_AD_Mismatch | This analytic identifies instances where active Oracle ERP user accounts cannot be matched to an active Active Directory user account. It excludes Oracle user accounts where the email address is nobody@localhost. The result table for this analytic is R_UA03ORCL_Oracle_AD_Mismatch. |
UA03SAP_SAP_AD_Mismatch | This analytic identifies instances where active SAP ERP user accounts cannot be matched to an active Active Directory user account. The SAP ERP Data Integration Robot filters the source table USR02 on User Type 'A' (Dialog) or 'C' (Communication). The result table for this analytic is R_UA03SAP_SAP_AD_Mismatch. |
UA03SF_SF_AD_Mismatch | This analytic identifies instances where active Salesforce CRM user accounts cannot be matched to an active Active Directory user account. Active Salesforce user accounts are identified by the value T in the field IsActive. The result table for this analytic is R_UA03SF_SF_AD_Mismatch. |
UA04AD_NonAdmin_Privilege | This analytic compares the members of critical Active Directory groups associated with administrative privileges to a user-maintained parameter table containing user accounts authorized to have such access. Members of these critical groups that are not listed as authorized administrative users are reported in the results. Currently, nested groups are supported and the analytic analyzes only the Member field in table Group. Administrative user accounts listed in the parameter table PARAM_AD_Auth_Admin_Users are considered to be authorized for all privileged groups listed in PARAM_AD_Critical_Groups. Testing for access to a specific group is not currently supported by this analytic. The Active Directory import process sets a limit on the maximum number of characters to be imported. The length of some member lists may exceed this character limit and be truncated. The Error_Log table lists the groups affected by this limitation. Two default parameters are available for this analytic in the PARAM_AD_Critical_Groups and PARAM_AD_Auth_Admin_Users worksheets of the Default Analytic Configuration File. If the default parameters do not apply, or are incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions exactly as in the Default Analytic Configuration File. The result table for this analytic is R_UA04AD_NonAdmin_Privilege. |
UA04UNIX_NonAdmin_Privilege | This analytic compares active UNIX user accounts with access to critical security groups to a user-maintained parameter table containing user accounts authorized to have such access. Members of these critical groups that are not listed as authorized administrative users are reported in the results. Note: The parameter table may contain fictitious user accounts to create exceptions when run in sample data mode. It is recommended to review the default parameter table results to verify the data. Only active (enabled) accounts are reported in the results. Any inactive (disabled) accounts flagged by the analytic are excluded from the results. Accounts whose status cannot be determined are listed as Undetermined in the results. Two default parameters are available for this analytic in the PARAM_UNIX_Auth_Admin_Users worksheet of the Default Analytic Configuration File. If the default parameters do not apply, or are incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions exactly as in the Default Analytic Configuration File. The result table for this analytic is R_UA04AD_NonAdmin_Privilege. |
UA05AD_Multiple_Accounts | This analytic reports Active Directory users with multiple active accounts. While administrative users may have separate accounts for administrative operations, regular users should not have multiple accounts. You can use the output of this analytic to verify that unintended users do not have multiple active accounts, such as test accounts created during system implementations, default system accounts, or inherited accounts. The results of this analytic can further be used to verify that administrative users have separate active accounts for their administrative and day-to-day operations. The result table for this analytic is R_UA05AD_Multiple_Accounts. |
UA06UNIX_Root_Privileges | This analytic reports users with root (Super User) privileges in a UNIX environment. It consists of two parts, combined into a single result table: The result table for this analytic is R_UA06UNIX_Root_Privileges. |
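The UA01AD and UA02AD rows above both hinge on decoding the UserAccountControl bit mask and on stripping the CN= prefix before the join. The following added example (written here for illustration, not the toolkit's own ACL script) reproduces those two checks over a constructed sample of the AD User table; the flag values are the documented AD bit masks, and the case-insensitive name match is an assumption.

```python
# Added example, not the toolkit's own script: decode the Active Directory
# userAccountControl bit mask to reproduce the checks behind UA01AD (passwords
# set to never expire, enabled or disabled) and UA02AD (enabled default
# accounts). The flag values are the documented AD bit masks; the user records
# and the default-account list are constructed sample data.
ACCOUNTDISABLE = 0x0002         # account is disabled
DONT_EXPIRE_PASSWORD = 0x10000  # password never expires

# Constructed sample of the AD User table: (RDN, userAccountControl)
AD_USERS = [
    ("CN=Administrator", 66048),  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    ("CN=Guest", 66050),          # ... plus ACCOUNTDISABLE
    ("CN=svc_backup", 512),       # NORMAL_ACCOUNT only, password expires
    ("CN=krbtgt", 514),           # NORMAL_ACCOUNT + ACCOUNTDISABLE
    ("CN=jdoe", 66048),
]
# Constructed PARAM_AD_Default_Accounts values, given without CN= as the note requires
DEFAULT_ACCOUNTS = ["Administrator", "Guest", "krbtgt"]


def strip_rdn_prefix(rdn):
    """Drop 'CN=' or any other 'attr=' prefix so the join is on the bare name."""
    return rdn.split("=", 1)[1] if "=" in rdn else rdn


def no_expiry_passwords(users):
    """UA01AD: (name, enabled) for every account whose password never expires."""
    return [(strip_rdn_prefix(rdn), not uac & ACCOUNTDISABLE)
            for rdn, uac in users if uac & DONT_EXPIRE_PASSWORD]


def ad_active_default_accounts(users, default_accounts):
    """UA02AD: enabled accounts whose stripped RDN is in the default-account list.
    The case-insensitive comparison is an assumption, not stated on the page."""
    wanted = {name.lower() for name in default_accounts}
    return sorted(strip_rdn_prefix(rdn) for rdn, uac in users
                  if not uac & ACCOUNTDISABLE
                  and strip_rdn_prefix(rdn).lower() in wanted)


if __name__ == "__main__":
    for name, enabled in no_expiry_passwords(AD_USERS):
        print(f"UA01AD {name}: enabled={enabled}")
    print("UA02AD active default accounts:",
          ad_active_default_accounts(AD_USERS, DEFAULT_ACCOUNTS))
```

Guest shows up in the UA01AD output even though it is disabled, matching the page's statement that that analytic reports both enabled and disabled accounts, while UA02AD drops it.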
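The UA02UNIX row above notes that the analytic depends on /etc/shadow and on how that file encodes a disabled or locked password. The following added example (illustrative, not the toolkit's own script) parses constructed /etc/passwd and /etc/shadow records, treats a password field prefixed with "!" or "*" as locked (the common Linux convention; other UNIX flavours may differ, as the page warns), reports an account missing from shadow as Undetermined in the UA04UNIX style, and computes days since the password was last set from shadow field 3.

```python
# Added example, not the toolkit's own script: parse constructed /etc/passwd and
# /etc/shadow records to reproduce the UA02UNIX check (is a default account
# enabled, and how many days since its password was last set). The lock markers
# tested here (a password field starting with "!" or "*") are the usual Linux
# encodings; the page warns they may differ on other UNIX flavours.
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow field 3 counts days from this date

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
oracle:x:1001:1001::/home/oracle:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$constructedsalt$constructedhash:19700:0:99999:7:::
daemon:*:19000:0:99999:7:::
oracle:!$6$constructedsalt$constructedhash:19600:0:99999:7:::
"""
DEFAULT_ACCOUNTS = ["root", "daemon", "oracle", "backup", "lp"]  # constructed; lp has no passwd entry

def parse_shadow(text):
    """Map user name -> (password field, days-since-epoch of last change or None)."""
    rows = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) >= 3:
            rows[f[0]] = (f[1], int(f[2]) if f[2] else None)
    return rows

def is_locked(pw_field):
    """Locked or disabled when the hash is prefixed with '!' or '*'."""
    return pw_field.startswith(("!", "*"))

def unix_active_default_accounts(passwd, shadow, defaults, today_days):
    """UA02UNIX: default accounts present in passwd that are not locked, mapped to
    (status, days since last password set); no shadow entry -> Undetermined."""
    shadow_rows, result = parse_shadow(shadow), {}
    for line in passwd.splitlines():
        name = line.split(":")[0]
        if name not in defaults:
            continue
        if name not in shadow_rows:
            result[name] = ("Undetermined", None)
        elif not is_locked(shadow_rows[name][0]):
            last_set = shadow_rows[name][1]
            result[name] = ("Enabled", None if last_set is None else today_days - last_set)
    return result

if __name__ == "__main__":  # today in the same unit as shadow field 3
    print(unix_active_default_accounts(PASSWD, SHADOW, DEFAULT_ACCOUNTS, (date.today() - EPOCH).days))
```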