Symantec Access Management

Tech Tip : CA Single Sign-On : Info about Super Users or other Admin User from Admin UI

  • 1.  Tech Tip : CA Single Sign-On : Info about Super Users or other Admin User from Admin UI

    Broadcom Employee
    Posted 06-08-2018 06:22 AM

    Question:

     


    We need to export the admin users and their permissions defined in
    Admin UI daily and automatically for Audit purposes.

    Is there a way to export them (API or directly from the DB)?

    Could you please add the info on how to do that for the API or where
    in the LDAP of the PS (AdminUI uses Policy Store which is a Oracle
    Directory Server) I could find the data?

     

    Answer:

     

    Out of the box, we don't provide a tool to exclusively export the
    Administrator and their rights. We invite you to open a Enhancement
    Request for our product here on the Security Ideation Page :

    1. Go to the CA Security Overview Page :
    https://communities.ca.com/community/ca-security/ca-single-sign-on
    2. Click on the "Actions" drop-down menu and select "Create an
    idea."
    3. Give your idea a title and detailed description to encourage
    voting.
    4. Publish and vote on your idea!

    More, you can the XPSExplorer command that will allow you :

    - Export the Administrators in a XCart, and then the XCart in a file;
    - XPSExport using the XCart produced above to get in a file the
    administrators and their details;

    To get the signification of the MethodAllowed and Flags, go in
    XPSSecurity, navigate to the administrator menu, and show one. Set it
    as you would like to change its value.


    ADMINISTRATOR MENU*****************************************************#3640

    ----------------------------- Metadata ----------------------------
    XID: CA.XPS::Administrator@000aa423-a9db-1808-8516-01017f0090dd(3640)
    In Cache? no
    (1)
    Created: 2016-10-20 11:31:13 GMT
    Last Updated: 2016-11-02 20:48:16 GMT
    By: os:root (via Security)
    -------- Attributes from CA.XPS::Administrator (Base Class) -------
    01: Description
    02: Flags 1(0x1): Disabled
    03: MethodsAllowed 393215(0x5ffff): LocalAPI,RemoteAPI,AdminUI,XPSDDInstall,XPSDictionary,XPSConfig,XPSExplorer,XPSSecurity,XPSRegClient,XPSExport,XPSImport,Audit,Eval,Reports,License,Counter,Sweeper,LegacyAPI
    04: Name "patrick"
    05: UserPath "SM://000929c7-8df5-1655-8df5-01017f0090dd/patrick"
    06: Workspaces
    -------------------------------------------------------------------
    B - Blank out an Attribute

    G - Generate GUID
    V - Validate
    U - Update
    D - Delete
    R - List Rights
    A - List 6 Attributes

    Q - Quit
    -------------------------------------------------------------------
    Enter Option (# or BGVUDRAQ): 03
    -------------------------------------------------------------------
    Attr: MethodsAllowed [CA.XPS::Administrator.MethodsAllowed]
    Description Determines how this administrator can access XPS data?
    Type: Number
    Handling: Bit Flags (enter '?' for setting interactively)
    Character Case: Mixed
    New Value (? for interactive, blank to quit):?
    -------------------------------------------------------------------
    Attr: MethodsAllowed [CA.XPS::Administrator.MethodsAllowed]
    Desc:"Determines how this administrator can access XPS data?"
    Type: Number {1}
    ------------------------------- Bits ------------------------------
    1 X Audit = 0x00000800
    Access allowed from XPSAudit
    2 X AdminUI = 0x00000004
    Access allowed from the Admin UI
    3 X XPSExplorer = 0x00000040
    Access allowed through XPSExplorer
    4 X XPSDictionary = 0x00000010
    Access allowed through XPSDictionary
    5 X Reports = 0x00002000
    Access allowed from EPM Reports
    6 X XPSDDInstall = 0x00000008
    Access allowed through XPSDDInstall
    7 X Sweeper = 0x00010000
    Access allowed from XPSSweeper
    8 X LegacyAPI = 0x00040000
    Access allowed from PM API Emulation
    9 X LocalAPI = 0x00000001
    Access allowed from the local API
    10 X XPSConfig = 0x00000020
    Access allowed through XPSConfig
    11 X XPSRegClient = 0x00000100
    Access allowed through XPSRegClient
    12 X License = 0x00004000
    Access allowed from XPSLicense
    13 X Eval = 0x00001000
    Access allowed from XPSEval
    14 X XPSImport = 0x00000400
    Access allowed from XPSImport
    15 X Counter = 0x00008000
    Access allowed from XPSCounter
    16 X XPSExport = 0x00000200
    Access allowed from XPSExport
    17 X XPSSecurity = 0x00000080
    Access allowed through XPSSecurity
    18 X RemoteAPI = 0x00000002
    Access allowed from the remote API

    -------------------------------------------------------------------
    Enter Option (#, A for All, N for None, or Q to Quit):

    To get the mapping and meaning of the Rights, go in XPSExplorer and
    show the rights of one of the administrator, make as you would modify
    it and request help (?) when setting the value.

    OBJECT MENU************************************************************#3639

    ------------------------- Object Meta Data ------------------------
    XID: CA.SM::Admin@12-000aa423-a9db-1808-8516-01017f0090dd
    Actual Class: CA.SM::Admin
    Base Class: CA.SM::Admin
    In Cache: no 1
    Created: 2016-10-20 11:26:23 GMT
    Last Updated: 2016-10-23 00:22:46 GMT
    By: siteminder (via GUI)
    ------------------- Attributes from CA.SM::Admin ------------------
    01: AuthSchemeLink
    02: Desc
    03:*DirectoryAuth = false
    04: DomainsLink = CA.SM::Domain@03-000e7f6c-51c4-1807-8516-01017f0090dd
    05:*Name = "patrick"
    06: Password = <***>
    07:*Rights = 14(0xe): ManageObjects,ManageUsers,ManageSecurity
    08: UserDirectoryLink
    -------------------------------------------------------------------
    M - Display Meta Data
    J - Display Joined Attribute value
    L - Display Links
    R - Display Related records (3 types)
    P - Polymorph object (2 classes)
    B - Blank out an Attribute

    V - Validate record
    U - Update record
    D - Delete Object
    A - List 8 Attributes

    X - Add to XCart (use Mode: DEFAULT)
    + - Change XCart Mode
    Q - Quit
    -------------------------------------------------------------------
    Enter Option (# or MJLRPBVUDAX+Q): 07
    -------------------------------------------------------------------
    Attr: Rights [CA.SM::Admin.Rights]
    Description (not set)
    Type: Number
    Handling: Bit Flags (enter '?' for setting interactively)
    Character Case: Mixed
    New Value (? for interactive, blank to quit):?
    -------------------------------------------------------------------
    Attr: Rights [CA.SM::Admin.Rights]
    Desc:(not set)Type: Number {1}
    ------------------------------- Bits ------------------------------
    1 - ManageEverything = 0x0000002f
    All bits with the exception of CacheManager.
    2 X ManageSecurity = 0x00000008
    3 X ManageObjects = 0x00000002
    4 X ManageUsers = 0x00000004
    5 - ManageAllDomains = 0x00000001
    6 - CacheManager = 0x00000010
    7 - AccessSharedDB = 0x00000040
    8 - RegisterTrustedHosts = 0x00000020
    9 X None = 0x00000000

    -------------------------------------------------------------------
    Enter Option (#, A for All, N for None, or Q to Quit):

     

    KB : KB000099982