User access controls toolkit

The user access controls testing analysis robot toolkit is an analytics-as-a-service solution for monitoring user access controls. It compares user lists across Active Directory, HR management systems, and other applications such as SAP, Oracle, and Salesforce.

The toolkit comes as a pre-configured solution that is applicable to most customers. Once deployed, you can update the analysis robot toolkit with new scripts as we release them. You can further customize it by adding custom scripts to refine the toolkit. The imported data can be output to Results or Excel files.

System and subscription requirements

Ensure that you meet the following subscription and system requirements to use the User Access Controls Testing Analysis Robot toolkit.

Requirement	Notes
ACL Robotics Enterprise Edition	Robot toolkits are available as add-ons
On-premise Robots Agent version 15	Verify the version to be installed - Unicode or Non-Unicode
ACL for Windows version 15	Ensure that the installation uses the same encoding as the Robots Agent(Unicode or Non-Unicode). Having a local installation of ACL for Windows can be helpful for troubleshooting purposes or for developing custom scripts.
Data Integration Robot for the source application	Ensure that the Data Integration Robot for the source application has been successfully deployed into your organization and is currently running.

About the toolkit

The toolkit installs several components in Diligent One.

Component	Count	Name
Collection	2	User Access Controls Testing Analysis - Development Mode User Access Controls Testing Analysis - Production Mode
Analysis	2	User Access Controls Testing Analysis (one per Collection)
Robot	1	User Access Controls Testing Analysis
Analytic Tables	10	For more information, see Analytics for User Access Controls Testing.

User access controls testing analysis robot

The user access controls testing analysis robot is automatically created when the toolkit is installed. This robot contains the following:

• Analytic scripts - Contains the core scripts to import and process data.

  Note

  You should not modify the analytic scripts. Modifying the scripts may result in failures while running tasks. Any modifications required should be configured in the User Analytic Configuration file or uploaded as custom analytic scripts.

• (Optional) Custom analytic scripts - Scripts that are manually uploaded to add new customer-specific analytic capabilities to the robot or make a data logic changes. These scripts take precedence over the default analytic scripts and should be thoroughly reviewed.

• Configuration files - All the configuration files listed in the following table are available in the Input/Output tab of the robot.

  File Name	Description	Mode
  UA_Default_ Analytic_Configuration.xlsx	Contains default configurations Note You should not modify this file. Modifying the file may result in failures while running tasks. Any modifications required should be configured in the User Analytic Configuration file or uploaded as custom analytic scripts.	Generated automatically by the robot
  Result_Table_IDs.csv	Contains the destinations for the tables exported to Results, within the respective Development and Production collections.	Generated automatically by the robot
  User Analytic Configuration File	Contains custom configurations that must override configurations provided in the default analytic configuration file. Configurations in this file takes precedence over inputs in the default analytic configuration file. NOTE: If customizations exceed the capabilities of the User Analytic Configuration file, a custom script may be added.	Manually uploaded when implementing the toolkit

• Robot task - Executes the default and custom scripts within the robot and contains the following information.

  Parameter	Description
  Export to HighBond Results?	Specifies whether to export imported data to Results. Options available are as follows: Export to Results - Overwrite - Overwrite the data in results tables each time data is exported. Export to Results - Append - Appends data to the results tables. Do not export - Does not export data to Results.
  Export to Excel?	Specifies whether to export the current results to an Excel file or not. Options available are as follows: Export to Excel Do not export
  HighBond Access Token	Token required to connect to Results. If exporting to Results is disabled, any random value can be provided for this parameter.

Linked tables

The required, shared tables from the Data Integration Robots are linked to the User Access Controls Testing Analysis robot in the Input/Output tab. When the analysis robot task runs, it pulls data from the linked tables and uses it to process the core analytic logic defined.

Analytics for user access controls testing

The analytics for user access controls testing toolkit are listed in the following table.

Error logging

Any errors detected while running the task are logged to the Error Log table for each analytic. If the record count is 0, an error message is written to the Error Log table.

What each analytic does

Analytic Name	Description
UA01AD_No_ Expiry_Passwords	This analytic reports Active Directory accounts with passwords that are set to not expire. Such accounts are identified by specific values in the UserAccountControl field. The results includes both enabled and disabled accounts. The default values for the UserAccountControl field are maintained as a parameter in the Default Analytic Configuration File. If you add further reporting fields to the analytic, the data preparation and analysis scripts that carry forward the Member field may generate record length errors, especially when used with UNICODE robot agents. v_no_expiry is a default parameter available for this analytic in the Default_Config_Params worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions as is from the Default Analytic Configuration File. You can use a space-delimited format without any quotes around each individual value, and enclose the full string in double-quotes. The result table for this analytic is R_UA01AD_No_Expiry_Passwords.
UA02AD_Active_ Default_Accounts	This analytic matches a list of user-defined default accounts with the User table in Active Directory and reports those users with default accounts that appear to be active (enabled). The default accounts to be analyzed are typically pre-defined accounts associated with privileged access. The date when the password was last set and the number of days since the last password reset are shown in the results. Only enabled accounts are included in the analysis, based on the value in the UserAccountControl field. Account_List is a default parameter available for this analytic in the PARAM_AD_Default_Accounts worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions as is from the Default Analytic Configuration File. Note The RDN field is stripped of CN= or other prefixes for the join between the Active Directory User table and the default accounts. Therefore, the default account names in the parameter table must be provided without the CN= or other prefixes (for example, provide the value as Administrator instead of CN=Administrator). The result table for this analytic is R_UA02_AD_Active_Default_Accounts.
UA02UNIX_Active_ Default_Accounts	This analytic matches a list of user-defined default accounts with the User_Name field in the /etc/Passwd file and reports those accounts that appear to be active (enabled). The default accounts to be analyzed are typically pre-defined accounts associated with privileged access. The date when the password was last set and the number of days since the last reset are shown in the results. Only active (enabled) accounts are reported in the results. Any inactive (disabled) accounts flagged by the analytic are excluded in the results. Note This analytic requires the file /etc/shadow. If this file is not present in the version of UNIX in use, you may need to add a custom analytic script to test the status of the enabled account. A custom script may be required if the etc/shadow exists, but its encoding for disabled or locked password differs. Account_List is a default parameter available for this analytic in the PARAM_UNIX_Default_Accounts worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions as is from the Default Analytic Configuration File. The result table for this analytic is R_UA02UNIX_Active_Default_Accounts.
UA03ORCL_Oracle_ AD_Mismatch	This analytic identifies instances where active Oracle ERP user accounts cannot be matched to an active Active Directory user account. It excludes Oracle user accounts where the email address is nobody@localhost. The result table for this analytic is R_UA03ORCL_Oracle_AD_Mismatch.
UA03SAP_SAP_AD_ Mismatch	This analytic identifies instances where active SAP ERP user accounts cannot be matched to an active Active Directory user account. The SAP ERP Data Integration Robot filters the source table USR02 on User Type ‘A' (Dialog) or 'C’ (Communication). The result table for this analytic is R_UA03SAP_SAP_AD_Mismatch.
UA03SF_SF_AD_ Mismatch	This analytic identifies instances where active Salesforce CRM user accounts cannot be matched to an active Active Directory user account. Active Salesforce user accounts are identified by the value T in field IsActive. The result table for this analytic is R_UA03SF_SF_AD_Mismatch.
UA04AD_NonAdmin_ Privilege	This analytic compares the members of critical Active Directory groups associated with administrative privileges to a user-maintained parameter table containing user accounts authorized to have such access. Members of these critical groups that are not listed as authorized administrative users are reported in the results. Currently, nested groups are supported and the analytic analyzes only the Member field in table Group. Administrative user accounts listed in the parameter table PARAM_AD_Auth_Admin_Users are considered to be authorized for all privileged groups listed in PARAM_AD_Critical_Groups. Testing for access to a specific group is not currently supported by this analytic. The Active Directory import process sets a limit on the maximum number of characters to be imported. The length of some member lists may exceed this character limit and may get truncated. The Error_Log table lists the groups impacted by this limitation. Two default parameters are available for this analytic in the PARAM_AD_Critical_Groups and PARAM_AD_Auth_Admin_Users worksheets of the Default Analytic Configuration File. If the default parameters do not apply, or are incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions as is from the Default Analytic Configuration File. Group_List, NonAdmin_Privilege - You can add the sAMAccountName of all applicable privileged groups, even if they are already listed in the default table. RDN - Add the RDN of all authorized administrative user accounts. The result table for this analytic is R_UA04AD_NonAdmin_Privilege.
UA04UNIX_NonAdmin_ Privilege	This analytic compares active UNIX user accounts with access to critical security groups to a user-maintained parameter table containing user accounts authorized to have such access. Members of these critical groups that are not listed as authorized administrative users are reported in the results. Note The parameter table may contain fictitious user accounts to create exceptions when run in sample data mode. It is recommended to review the default parameter table results to verify the data. Only active (enabled) accounts are reported in the results. Any inactive (disabled) accounts flagged by the analytic are excluded from the results. Accounts, of which the status cannot be determined are listed as Undetermined in the results. Two default parameters are available for this analytic in the PARAM_UNIX_Auth_Admin_Users worksheet of the Default Analytic Configuration File. If the default parameters do not apply, or are incomplete, you can declare the required values in the User Analytic Configuration File. Ensure that you follow the format and naming conventions as is from the Default Analytic Configuration File. Source_System - You can leave this field blank if a single system is being analyzed. Account_Group - Add the RDN of all authorized administrative user accounts. The result table for this analytic is R_UA04AD_NonAdmin_Privilege.
UA05AD_Multiple_ Accounts	This analytic reports Active Directory users with multiple active accounts. While administrative users may have separate accounts for administrative operations, regular users may not have multiple accounts. You can use the output of this analytic to verify that unintended users do not have multiple active accounts, such as test accounts created during system implementations, default system accounts, or inherited accounts. The results of this analytic can further be used to verify that administrative users have separate active accounts for their administrative and day-to-day operations. The result table for this analytic is R_UA05AD_Multiple_Accounts.
UA06UNIX_Root_ Privileges	This analytic reports users with root (Super User) privileges in a UNIX environment. It consists of two parts, combined into a single result table: For UID testing - Identifies all user names with a UID of 0 For GID testing - Identifies all user names with a GID of 0 The result table for this analytic is R_UA06UNIX_Root_Privileges.