Clarity

Expand all | Collapse all

Track Admin Right

  • 1.  Track Admin Right

    Posted 02-27-2018 01:21 AM

    If couple of individuals have full Administrative Control rights and if they assign any rights to a user is there a way to know which individual admin has assign that particular rights to the user.

    For example A,B are two user with admin rights and if they assign any OBS/GLOBAL/INSTANCE level right to a user can I know whether it was assigned by A or B?



  • 2.  Re: Track Admin Right

    Posted 02-27-2018 03:23 AM

    To get the rights of a user with  queries is as Dave_3.0  puts it tricky, tricky.

    You could start from

    https://communities.ca.com/message/2290345?commentID=2290345#comment-2290345 

    and add to those the created by and modified by fields.



  • 3.  Re: Track Admin Right

    Posted 02-27-2018 03:40 AM

    The "simple" answer is that its probably the created_by / created_date on the CMN_SEC_ASSGND_RIGHT table.

     

    Why this gets "complicated" is that its quite complex how the rights relate to objects / users / groups and so on.

     

    Also if the rights are gained by group membership, then its often more interesting to look at when (and by whom) the user was added to the group (so table CMN_SEC_USER_GROUPS) since the CMN_SEC_ASSGND_RIGHT holds the rights assigned to the group then rather than to a specific user.



  • 4.  Re: Track Admin Right

    Posted 02-27-2018 04:48 AM

    Thanks urmas for your response and I had gone through that thread and the query is useful to know the current status of the rights, but I was looking for if there is any table which can have audit trail kind of stuff so that at any point of time I should be able to identify what all has been done for a particular user rights.

    I want to capture the rights which were revoked by particular admin user.



  • 5.  Re: Track Admin Right

    Posted 02-27-2018 05:04 AM

    You have changed your question!

     

    As far as I know there is no way to track removed rights, only the limited ability (which we have answered) to look at currently granted rights.



  • 6.  Re: Track Admin Right

    Posted 02-27-2018 10:32 AM

    Ye, that has been discussed before and the consensus is that there is no simple way out of the box to do that.

    Because there is no audit functionality for rights you cannot build supported custom audit to tell who deleted a record.

    You might get closer if you just log what the admins do. In view of GDPR that could even be required.