User access controls toolkit

The user access controls testing analysis robot toolkit is an analytics-as-a-service solution for monitoring user access controls. It compares user lists across Active Directory, HR management systems, and other applications such as SAP, Oracle, and Salesforce.

The toolkit comes as a pre-configured solution that is applicable to most customers. Once deployed, you can update the analysis robot toolkit with new scripts as we release them. You can further customize it by adding custom scripts to refine the toolkit. The imported data can be output to Results or Excel files.

Note

The user access controls testing analysis robot does not support the following:

  • Analytics Exchange (AX)
  • Robots Cloud Agent for production purposes
  • Custom analytics and data sources
  • Any reporting other than Excel/Results outputs

System and subscription requirements

Ensure that you meet the following subscription and system requirements to use the User Access Controls Testing Analysis Robot toolkit.

Requirement: ACL Robotics Enterprise Edition
  • Robot toolkits are available as add-ons.

Requirement: On-premise Robots Agent version 15
  • Verify the version to be installed: Unicode or Non-Unicode.

Requirement: ACL for Windows version 15
  • Ensure that the installation uses the same encoding as the Robots Agent (Unicode or Non-Unicode).
  • Having a local installation of ACL for Windows can be helpful for troubleshooting purposes or for developing custom scripts.

Requirement: Data Integration Robot for the source application
  • Ensure that the Data Integration Robot for the source application has been successfully deployed into your organization and is currently running.

About the toolkit

The toolkit installs several components in Diligent One.

Component: Collection (count: 2)
  • User Access Controls Testing Analysis - Development Mode
  • User Access Controls Testing Analysis - Production Mode

Component: Analysis (count: 2)
  • User Access Controls Testing Analysis (one per Collection)

Component: Robot (count: 1)
  • User Access Controls Testing Analysis

Component: Analytic Tables (count: 10)
  • For more information, see Analytics for User Access Controls Testing.

User access controls testing analysis robot

The user access controls testing analysis robot is automatically created when the toolkit is installed. This robot contains the following:

  • Analytic scripts - Contains the core scripts to import and process data.

    Note

    You should not modify the analytic scripts. Modifying the scripts may result in failures while running tasks. Any modifications required should be configured in the User Analytic Configuration file or uploaded as custom analytic scripts.

  • (Optional) Custom analytic scripts - Scripts that are manually uploaded to add new customer-specific analytic capabilities to the robot or to make data logic changes. These scripts take precedence over the default analytic scripts and should be thoroughly reviewed.

  • Configuration files - All the configuration files listed in the following table are available in the Input/Output tab of the robot.

    File name: UA_Default_Analytic_Configuration.xlsx
    Description: Contains default configurations.

    Note

    You should not modify this file. Modifying the file may result in failures while running tasks. Any modifications required should be configured in the User Analytic Configuration file or uploaded as custom analytic scripts.

    Mode: Generated automatically by the robot

    File name: Result_Table_IDs.csv
    Description: Contains the destinations for the tables exported to Results, within the respective Development and Production collections.
    Mode: Generated automatically by the robot

    File name: User Analytic Configuration File
    Description: Contains custom configurations that must override configurations provided in the default analytic configuration file. Configurations in this file take precedence over inputs in the default analytic configuration file.

    NOTE: If customizations exceed the capabilities of the User Analytic Configuration file, a custom script may be added.

    Mode: Manually uploaded when implementing the toolkit
  • Robot task - Executes the default and custom scripts within the robot and contains the following information.

    Parameter: Export to HighBond Results?
    Description: Specifies whether to export imported data to Results. Options available are as follows:
      • Export to Results - Overwrite - Overwrites the data in the Results tables each time data is exported.
      • Export to Results - Append - Appends data to the Results tables.
      • Do not export - Does not export data to Results.

    Parameter: Export to Excel?
    Description: Specifies whether to export the current results to an Excel file. Options available are as follows:
      • Export to Excel
      • Do not export

    Parameter: HighBond Access Token
    Description: Token required to connect to Results. If exporting to Results is disabled, any random value can be provided for this parameter.

Linked tables

The required, shared tables from the Data Integration Robots are linked to the User Access Controls Testing Analysis robot in the Input/Output tab. When the analysis robot task runs, it pulls data from the linked tables and uses it to process the core analytic logic defined.

Note

You can create multiple analysis robots and link only the required tables to each, segregating the robots for specialized tasks or sets of tasks.

Analytics for user access controls testing

The analytics included in the user access controls testing toolkit are listed in the table under What each analytic does.

Error logging

Any errors detected while running the task are logged to the Error Log table for each analytic. If the record count is 0, an error message is written to the Error Log table.

Tip

Review the error log after the task runs, even if the analytic returned no exceptions, to ensure that the table was not flagged as having 0 records. For example, user input parameters from the User Analytic Configuration file are ignored if the file is not formatted properly, and this shows up only in the error log.

What each analytic does

UA01AD_No_Expiry_Passwords

This analytic reports Active Directory accounts with passwords that are set to not expire. Such accounts are identified by specific values in the UserAccountControl field. The results include both enabled and disabled accounts.

The default values for the UserAccountControl field are maintained as a parameter in the Default Analytic Configuration File. If you add further reporting fields to the analytic, the data preparation and analysis scripts that carry forward the Member field may generate record length errors, especially when used with UNICODE robot agents.

v_no_expiry is a default parameter available for this analytic in the Default_Config_Params worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Follow the format and naming conventions exactly as they appear in the Default Analytic Configuration File: the values are space-delimited, with no quotes around each individual value, and the full string is enclosed in double quotes.

The result table for this analytic is R_UA01AD_No_Expiry_Passwords.

UA02AD_Active_Default_Accounts

This analytic matches a list of user-defined default accounts with the User table in Active Directory and reports those users with default accounts that appear to be active (enabled). The default accounts to be analyzed are typically pre-defined accounts associated with privileged access.

The date when the password was last set and the number of days since the last password reset are shown in the results. Only enabled accounts are included in the analysis, based on the value in the UserAccountControl field.

Account_List is a default parameter available for this analytic in the PARAM_AD_Default_Accounts worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Follow the format and naming conventions exactly as they appear in the Default Analytic Configuration File.

Note

The RDN field is stripped of CN= or other prefixes for the join between the Active Directory User table and the default accounts. Therefore, the default account names in the parameter table must be provided without the CN= or other prefixes (for example, provide the value as Administrator instead of CN=Administrator).

The result table for this analytic is R_UA02_AD_Active_Default_Accounts.

UA02UNIX_Active_Default_Accounts

This analytic matches a list of user-defined default accounts with the User_Name field in the /etc/Passwd file and reports those accounts that appear to be active (enabled). The default accounts to be analyzed are typically pre-defined accounts associated with privileged access.

The date when the password was last set and the number of days since the last reset are shown in the results. Only active (enabled) accounts are reported in the results. Any inactive (disabled) accounts flagged by the analytic are excluded in the results.

Note

This analytic requires the file /etc/shadow. If this file is not present in the version of UNIX in use, you may need to add a custom analytic script to test whether an account is enabled. A custom script may also be required if /etc/shadow exists but its encoding for disabled or locked passwords differs from the one the analytic expects.

Account_List is a default parameter available for this analytic in the PARAM_UNIX_Default_Accounts worksheet of the Default Analytic Configuration File. If the default parameter does not apply, or is incomplete, you can declare the required values in the User Analytic Configuration File. Follow the format and naming conventions exactly as they appear in the Default Analytic Configuration File.

The result table for this analytic is R_UA02UNIX_Active_Default_Accounts.

UA03ORCL_Oracle_AD_Mismatch

This analytic identifies instances where active Oracle ERP user accounts cannot be matched to an active Active Directory user account. It excludes Oracle user accounts where the email address is nobody@localhost.

The result table for this analytic is R_UA03ORCL_Oracle_AD_Mismatch.

UA03SAP_SAP_AD_Mismatch

This analytic identifies instances where active SAP ERP user accounts cannot be matched to an active Active Directory user account. The SAP ERP Data Integration Robot filters the source table USR02 on User Type 'A' (Dialog) or 'C' (Communication).

The result table for this analytic is R_UA03SAP_SAP_AD_Mismatch.

UA03SF_SF_AD_Mismatch

This analytic identifies instances where active Salesforce CRM user accounts cannot be matched to an active Active Directory user account. Active Salesforce user accounts are identified by the value T in field IsActive.

The result table for this analytic is R_UA03SF_SF_AD_Mismatch.

UA04AD_NonAdmin_Privilege

This analytic compares the members of critical Active Directory groups associated with administrative privileges to a user-maintained parameter table containing user accounts authorized to have such access. Members of these critical groups that are not listed as authorized administrative users are reported in the results.

Currently, nested groups are supported and the analytic analyzes only the Member field in table Group.

Administrative user accounts listed in the parameter table PARAM_AD_Auth_Admin_Users are considered to be authorized for all privileged groups listed in PARAM_AD_Critical_Groups. Testing for access to a specific group is not currently supported by this analytic.

The Active Directory import process sets a limit on the maximum number of characters to be imported. The length of some member lists may exceed this character limit and may get truncated. The Error_Log table lists the groups impacted by this limitation.

Two default parameters are available for this analytic in the PARAM_AD_Critical_Groups and PARAM_AD_Auth_Admin_Users worksheets of the Default Analytic Configuration File. If the default parameters do not apply, or are incomplete, you can declare the required values in the User Analytic Configuration File. Follow the format and naming conventions exactly as they appear in the Default Analytic Configuration File.

  • Group_List, NonAdmin_Privilege - You can add the sAMAccountName of all applicable privileged groups, even if they are already listed in the default table.

  • RDN - Add the RDN of all authorized administrative user accounts.

The result table for this analytic is R_UA04AD_NonAdmin_Privilege.
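As an added example that is not the toolkit's own ACLScript, the Active Directory logic behind UA01AD (accounts whose UserAccountControl value is in the v_no_expiry list) and UA04AD (members of critical groups missing from the authorized list, with the CN= prefix stripped from the RDN as described for UA02AD), in Python over constructed User and Group rows. The bit flags ACCOUNTDISABLE, NORMAL_ACCOUNT and DONT_EXPIRE_PASSWD are standard Active Directory values; the sample values 66048 and 66050, the column names and the semicolon-separated Member list are assumptions for the example.

```python
import re

# UserAccountControl bit flags (standard Active Directory values). The
# toolkit matches whole UAC values from v_no_expiry; the flags explain why
# that list needs an entry for both the enabled and the disabled variant.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000

# Constructed v_no_expiry value as declared in the configuration file:
# space-delimited values, the full string in one pair of double quotes.
# 66048 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD; 66050 adds ACCOUNTDISABLE.
V_NO_EXPIRY = '"66048 66050"'


def parse_param_list(value):
    """Split a space-delimited parameter string, dropping the outer quotes."""
    return set(value.strip().strip('"').split())


def strip_rdn_prefix(rdn):
    """'CN=Administrator' -> 'Administrator', the join key the analytics use."""
    return re.sub(r"^[A-Za-z]+=", "", rdn.strip())


def no_expiry_passwords(users, v_no_expiry=V_NO_EXPIRY):
    """UA01AD: (RDN, enabled?) for accounts whose UAC value is in v_no_expiry.
    Enabled and disabled accounts are both reported; the ACCOUNTDISABLE bit is
    decoded only so a reviewer can see which is which."""
    wanted = parse_param_list(v_no_expiry)
    return [(u["RDN"], not int(u["UserAccountControl"]) & ACCOUNTDISABLE)
            for u in users if u["UserAccountControl"] in wanted]


def nonadmin_privilege(groups, critical_groups, authorized_rdns):
    """UA04AD: (group, member) pairs for members of critical groups that are
    not in the authorized list; authorization applies to every listed group."""
    auth = {strip_rdn_prefix(a) for a in authorized_rdns}
    return sorted(
        (g["sAMAccountName"], strip_rdn_prefix(m))
        for g in groups if g["sAMAccountName"] in critical_groups
        for m in g["Member"].split(";")
        if strip_rdn_prefix(m) not in auth)


# Constructed sample User and Group rows (assumed column names).
USERS = [
    {"RDN": "CN=svc_backup", "UserAccountControl": "66048"},
    {"RDN": "CN=old_admin", "UserAccountControl": "66050"},
    {"RDN": "CN=jdoe", "UserAccountControl": "512"},
]
GROUPS = [{"sAMAccountName": "Domain Admins",
           "Member": "CN=Administrator;CN=jdoe;CN=svc_backup"}]
```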

UA04UNIX_NonAdmin_Privilege

This analytic compares active UNIX user accounts with access to critical security groups to a user-maintained parameter table containing user accounts authorized to have such access. Members of these critical groups that are not listed as authorized administrative users are reported in the results.

Note

The parameter table may contain fictitious user accounts to create exceptions when run in sample data mode. It is recommended to review the default parameter table results to verify the data.

Only active (enabled) accounts are reported in the results. Any inactive (disabled) accounts flagged by the analytic are excluded from the results. Accounts whose status cannot be determined are listed as Undetermined in the results.

Two default parameters are available for this analytic in the PARAM_UNIX_Auth_Admin_Users worksheet of the Default Analytic Configuration File. If the default parameters do not apply, or are incomplete, you can declare the required values in the User Analytic Configuration File. Follow the format and naming conventions exactly as they appear in the Default Analytic Configuration File.

  • Source_System - You can leave this field blank if a single system is being analyzed.

  • Account_Group - Add the RDN of all authorized administrative user accounts.

The result table for this analytic is R_UA04AD_NonAdmin_Privilege.

UA05AD_Multiple_Accounts

This analytic reports Active Directory users with multiple active accounts. While administrative users may have separate accounts for administrative operations, regular users may not have multiple accounts. You can use the output of this analytic to verify that unintended users do not have multiple active accounts, such as test accounts created during system implementations, default system accounts, or inherited accounts.

The results of this analytic can further be used to verify that administrative users have separate active accounts for their administrative and day-to-day operations.

The result table for this analytic is R_UA05AD_Multiple_Accounts.

UA06UNIX_Root_Privileges

This analytic reports users with root (Super User) privileges in a UNIX environment. It consists of two parts, combined into a single result table:

  • For UID testing - Identifies all user names with a UID of 0

  • For GID testing - Identifies all user names with a GID of 0

The result table for this analytic is R_UA06UNIX_Root_Privileges.
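As an added example that is not the toolkit's own code, the UNIX-side logic behind UA02UNIX (status of default accounts taken from /etc/shadow, including the Undetermined case that UA04UNIX reports) and UA06UNIX (UID 0 and GID 0 tests combined into one result), in Python over constructed /etc/passwd and /etc/shadow lines. The rule that a password field starting with '!' or '*' means a locked account is the common Linux encoding and is an assumption here, which is exactly the point the UA02UNIX note makes about other UNIX variants.

```python
# Constructed /etc/passwd and /etc/shadow lines; the hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:100::/root:/bin/sh
ops:x:1001:0::/home/ops:/bin/bash
"""
SHADOW = """\
root:$6$placeholderhash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
toor:!$6$placeholderhash:19700:0:99999:7:::
"""


def parse_passwd(text):
    """Rows with the User_Name, UID and GID fields the analytics rely on."""
    rows = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            rows.append({"User_Name": name, "UID": int(uid), "GID": int(gid)})
    return rows


def shadow_status(text):
    """User -> 'enabled' or 'disabled' from the /etc/shadow password field.
    Assumed Linux encoding: a leading '!' or '*' means the account is locked.
    Users with no shadow entry get no status and are reported as undetermined."""
    status = {}
    for line in text.splitlines():
        if line:
            name, pw, *_rest = line.split(":")
            status[name] = "disabled" if pw.startswith(("!", "*")) else "enabled"
    return status


def default_account_status(passwd, shadow, account_list):
    """Status of each listed default account found in passwd: enabled,
    disabled, or undetermined (no /etc/shadow entry to decide from)."""
    status = shadow_status(shadow)
    return {r["User_Name"]: status.get(r["User_Name"], "undetermined")
            for r in parse_passwd(passwd) if r["User_Name"] in account_list}


def active_default_accounts(passwd, shadow, account_list):
    """UA02UNIX: only the enabled default accounts are reported."""
    found = default_account_status(passwd, shadow, account_list)
    return sorted(n for n, s in found.items() if s == "enabled")


def root_privileges(passwd):
    """UA06UNIX: UID-0 and GID-0 users, with the test(s) each one matched."""
    out = []
    for r in parse_passwd(passwd):
        hits = [t for t in ("UID", "GID") if r[t] == 0]
        if hits:
            out.append((r["User_Name"], hits))
    return out
```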