Symantec IGA

  • 1.  "View User" like task and possibility to log its use

    Posted Nov 20, 2020 10:06 AM

    Is it possible to log a task like "View User" with IM?
    Let me explain:
    I created a task like "View User" that gives some administrators access to some sensitive user attributes.
    The task does not modify the user object, so no events are generated (and there is no possibility to do so, is there?).
    Is there a way to see an activity like this in View Submitted Tasks?
    Or is there the possibility, after submitting a task, to view some sort of response? (For example, on the profile screen I could leave out the sensitive attribute, but after submitting I could read the attribute with a PX and fill a virtual attribute on this hypothetical screen.)
    Thanks in advance
     



  • 2.  RE: "View User" like task and possibility to log its use

    Broadcom Employee
    Posted Nov 20, 2020 11:24 AM
    Hi Marco,

    This is not currently possible.  Please open an enhancement request under Broadcom community.

    Best regards,
    Frank

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this, and we invite them to comment here also.
    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------



  • 3.  RE: "View User" like task and possibility to log its use

    Broadcom Employee
    Posted Nov 20, 2020 11:26 AM
    The View User task does not change attributes, so you cannot use IM auditing:
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/management-console-help/how-to-configure-auditing/audit-settings-file.html

    Furthermore, in 14.3 CP2 we cleaned this up so that it does not produce so much overhead on the VST:
    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/Release-Notes/Fixed-Defects/Identity-Manager-14_3-CP2---Fixed-Defects.html

    31816709 / DE453842
    After upgrading Identity Manager from 12.6 to 14.2, the View User task activity is accumulating a large number of rows in the task tables, thus filling up the database. View entries are added to the task tables.
    The fix disables persistence of any task launched via UI or TEWS with action type View, thereby improving the Task Persistence traffic.
    Database





  • 4.  RE: "View User" like task and possibility to log its use

    Broadcom Employee
    Posted Nov 24, 2020 01:46 AM
    To add to the 14.3 CP2 related fix / enhancement, we are able to turn this feature on / off.
    As per https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-3/configuring/advanced-settings/business-logic/miscellaneous-properties.html
    AuditViewTask
    The task persistent database records all actions performed on a task by default. To NOT record the view action that is performed on a task, set this user-defined property to true. This will also disable audit events generated for those view tasks. To go back to the default behaviour, set this property to false or simply delete it.

    So CP2 did not change this behavior for good, but added the flexibility to turn auditing for view activities on and off.

    Hope this helps
    Regards
    Rinat



  • 5.  RE: "View User" like task and possibility to log its use

    Posted Nov 23, 2020 11:14 AM

    Hey Marco,

    Without going into overly complex solutions, I have listed a couple of ideas below that you could use to potentially achieve what you are looking for.

    View Task in VST:
    I will start by saying, if you are on 14.3 CP2, this solution will not work based on the information that William has provided in his response.

    But if you are not, you should still be able to see those who submit View Tasks via VST.  You will have to be specific in what you are looking for, but you can see these tasks by selecting "Show unsubmitted tasks" and "Where task name equals 'Your Task Name'".

    "View" User Task

    I am making the assumption that this is a task with a single Screen associated with it.  If there are multiple, there would need to be adjustments made.

    You technically don't need to set up a View User task with an Action: View (on the Profile tab).  You can set up these tasks with an Action: Modify, but you will want to consider the following updates:

    1. Set Tab Controller to Sequence Tab Controller
    2. Update the activeTab JS function (click the Pencil icon next to Sequence Tab Controller) to hide any screen buttons (Submit, Cancel, etc.).  You will need to be a bit familiar with the IM SDK, but this is pretty straightforward.
    3. Check View Only on each Tab
    4. For each Screen field, set Style: String and Permission: Read Only.  This is precautionary, but I would suggest it.

    With your task set up this way you should be able to view the task in VST the same way mentioned above ("Show unsubmitted tasks" and "Where task name equals 'Your Task Name'").  I would also think this should allow you to "get around" the enhancement William had mentioned for VST, but that may be something he can confirm.

    Hopefully this helps.

    Thanks,
    Pete