Question:
We need to export the admin users and their permissions defined in
Admin UI daily and automatically for Audit purposes.
Is there a way to export them (API or directly from the DB)?
Could you please add the info on how to do that for the API or where
in the LDAP of the PS (AdminUI uses Policy Store which is an Oracle
Directory Server) I could find the data?
Answer:
Out of the box, we don't provide a tool that exports only the
administrators and their rights. We invite you to open an Enhancement
Request for our product on the Security Ideation Page:
1. Go to the CA Security Overview Page :
2. Click on the "Actions" drop-down menu and select "Create an
idea."
3. Give your idea a title and detailed description to encourage
voting.
4. Publish and vote on your idea!
In addition, you can use the XPSExplorer command, which allows you to:
- Add the administrators to an XCart, and then save the XCart to a file;
- Run XPSExport with the XCart produced above to write the
administrators and their details to a file.
To get the meaning of the MethodsAllowed and Flags values, go into
XPSSecurity, navigate to the administrator menu, and display one
administrator. Select the attribute as if you were going to change its
value.
ADMINISTRATOR MENU*****************************************************#3640
----------------------------- Metadata ----------------------------
XID: CA.XPS::Administrator@000aa423-a9db-1808-8516-01017f0090dd(3640)
In Cache? no
(1)
Created: 2016-10-20 11:31:13 GMT
Last Updated: 2016-11-02 20:48:16 GMT
By: os:root (via Security)
-------- Attributes from CA.XPS::Administrator (Base Class) -------
01: Description
02: Flags 1(0x1): Disabled
03: MethodsAllowed 393215(0x5ffff): LocalAPI,RemoteAPI,AdminUI,XPSDDInstall,XPSDictionary,XPSConfig,XPSExplorer,XPSSecurity,XPSRegClient,XPSExport,XPSImport,Audit,Eval,Reports,License,Counter,Sweeper,LegacyAPI
04: Name "patrick"
05: UserPath "SM://000929c7-8df5-1655-8df5-01017f0090dd/patrick"
06: Workspaces
-------------------------------------------------------------------
B - Blank out an Attribute
G - Generate GUID
V - Validate
U - Update
D - Delete
R - List Rights
A - List 6 Attributes
Q - Quit
-------------------------------------------------------------------
Enter Option (# or BGVUDRAQ): 03
-------------------------------------------------------------------
Attr: MethodsAllowed [CA.XPS::Administrator.MethodsAllowed]
Description Determines how this administrator can access XPS data?
Type: Number
Handling: Bit Flags (enter '?' for setting interactively)
Character Case: Mixed
New Value (? for interactive, blank to quit):?
-------------------------------------------------------------------
Attr: MethodsAllowed [CA.XPS::Administrator.MethodsAllowed]
Desc:"Determines how this administrator can access XPS data?"
Type: Number {1}
------------------------------- Bits ------------------------------
1 X Audit = 0x00000800
Access allowed from XPSAudit
2 X AdminUI = 0x00000004
Access allowed from the Admin UI
3 X XPSExplorer = 0x00000040
Access allowed through XPSExplorer
4 X XPSDictionary = 0x00000010
Access allowed through XPSDictionary
5 X Reports = 0x00002000
Access allowed from EPM Reports
6 X XPSDDInstall = 0x00000008
Access allowed through XPSDDInstall
7 X Sweeper = 0x00010000
Access allowed from XPSSweeper
8 X LegacyAPI = 0x00040000
Access allowed from PM API Emulation
9 X LocalAPI = 0x00000001
Access allowed from the local API
10 X XPSConfig = 0x00000020
Access allowed through XPSConfig
11 X XPSRegClient = 0x00000100
Access allowed through XPSRegClient
12 X License = 0x00004000
Access allowed from XPSLicense
13 X Eval = 0x00001000
Access allowed from XPSEval
14 X XPSImport = 0x00000400
Access allowed from XPSImport
15 X Counter = 0x00008000
Access allowed from XPSCounter
16 X XPSExport = 0x00000200
Access allowed from XPSExport
17 X XPSSecurity = 0x00000080
Access allowed through XPSSecurity
18 X RemoteAPI = 0x00000002
Access allowed from the remote API
-------------------------------------------------------------------
Enter Option (#, A for All, N for None, or Q to Quit):
To get the mapping and meaning of the Rights, go into XPSExplorer and
display the rights of one of the administrators. Proceed as if you were
going to modify the value, and request help (?) when setting it.
OBJECT MENU************************************************************#3639
------------------------- Object Meta Data ------------------------
XID: CA.SM::Admin@12-000aa423-a9db-1808-8516-01017f0090dd
Actual Class: CA.SM::Admin
Base Class: CA.SM::Admin
In Cache: no 1
Created: 2016-10-20 11:26:23 GMT
Last Updated: 2016-10-23 00:22:46 GMT
By: siteminder (via GUI)
------------------- Attributes from CA.SM::Admin ------------------
01: AuthSchemeLink
02: Desc
03:*DirectoryAuth = false
04: DomainsLink = CA.SM::Domain@03-000e7f6c-51c4-1807-8516-01017f0090dd
05:*Name = "patrick"
06: Password = <***>
07:*Rights = 14(0xe): ManageObjects,ManageUsers,ManageSecurity
08: UserDirectoryLink
-------------------------------------------------------------------
M - Display Meta Data
J - Display Joined Attribute value
L - Display Links
R - Display Related records (3 types)
P - Polymorph object (2 classes)
B - Blank out an Attribute
V - Validate record
U - Update record
D - Delete Object
A - List 8 Attributes
X - Add to XCart (use Mode: DEFAULT)
+ - Change XCart Mode
Q - Quit
-------------------------------------------------------------------
Enter Option (# or MJLRPBVUDAX+Q): 07
-------------------------------------------------------------------
Attr: Rights [CA.SM::Admin.Rights]
Description (not set)
Type: Number
Handling: Bit Flags (enter '?' for setting interactively)
Character Case: Mixed
New Value (? for interactive, blank to quit):?
-------------------------------------------------------------------
Attr: Rights [CA.SM::Admin.Rights]
Desc:(not set)
Type: Number {1}
------------------------------- Bits ------------------------------
1 - ManageEverything = 0x0000002f
All bits with the exception of CacheManager.
2 X ManageSecurity = 0x00000008
3 X ManageObjects = 0x00000002
4 X ManageUsers = 0x00000004
5 - ManageAllDomains = 0x00000001
6 - CacheManager = 0x00000010
7 - AccessSharedDB = 0x00000040
8 - RegisterTrustedHosts = 0x00000020
9 X None = 0x00000000
-------------------------------------------------------------------
Enter Option (#, A for All, N for None, or Q to Quit):
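For a daily audit job, the two bit listings above can be turned into a decoder. The following Python is an added example, not part of the original KB article or of the product's tooling: it parses attribute display lines in the form shown above, decodes MethodsAllowed and Rights, cross-checks the result against the names the tool printed, and reports any bits that the listings do not define. The function and variable names are assumptions made for this example.

```python
import re

# Bit values copied from the two "Bits" listings shown on this page.
METHODS_ALLOWED = {
    "LocalAPI": 0x1, "RemoteAPI": 0x2, "AdminUI": 0x4, "XPSDDInstall": 0x8,
    "XPSDictionary": 0x10, "XPSConfig": 0x20, "XPSExplorer": 0x40,
    "XPSSecurity": 0x80, "XPSRegClient": 0x100, "XPSExport": 0x200,
    "XPSImport": 0x400, "Audit": 0x800, "Eval": 0x1000, "Reports": 0x2000,
    "License": 0x4000, "Counter": 0x8000, "Sweeper": 0x10000,
    "LegacyAPI": 0x40000,
}
RIGHTS = {
    "ManageAllDomains": 0x1, "ManageObjects": 0x2, "ManageUsers": 0x4,
    "ManageSecurity": 0x8, "CacheManager": 0x10,
    "RegisterTrustedHosts": 0x20, "AccessSharedDB": 0x40,
}
MANAGE_EVERYTHING = 0x2F  # composite value from the Rights listing
TABLES = {"MethodsAllowed": METHODS_ALLOWED, "Rights": RIGHTS}

# Matches display lines such as '07:*Rights = 14(0xe): ManageObjects,...'
LINE = re.compile(r"^\d+:\s*\*?\s*(\w+)\s*=?\s*(\d+)\(0x([0-9a-fA-F]+)\):\s*(.*)$")

def decode(value, table):
    """Return (flag names in ascending bit order, bits the table does not define)."""
    names = [n for n, b in sorted(table.items(), key=lambda kv: kv[1]) if value & b]
    known = sum(table.values())  # single-bit entries, so the sum equals their OR
    return names, value & ~known

def audit_line(line):
    """Decode one display line; None if it is not a known bit-flag attribute."""
    m = LINE.match(line.strip())
    if not m or m.group(1) not in TABLES:
        return None
    attr, dec, hexval = m.group(1), int(m.group(2)), int(m.group(3), 16)
    shown = [s.strip() for s in m.group(4).split(",") if s.strip()]
    names, unknown = decode(dec, TABLES[attr])
    return {
        "attr": attr, "value": dec, "names": names, "unknown_bits": unknown,
        "dec_hex_agree": dec == hexval,   # the tool prints both forms
        "matches_tool": names == shown,   # our table vs. the tool's own names
        "manage_everything": attr == "Rights"
            and (dec & MANAGE_EVERYTHING) == MANAGE_EVERYTHING,
    }

# Both sample lines are copied from the output shown on this page.
SAMPLE = [
    "03: MethodsAllowed 393215(0x5ffff): LocalAPI,RemoteAPI,AdminUI,XPSDDInstall,XPSDictionary,XPSConfig,XPSExplorer,XPSSecurity,XPSRegClient,XPSExport,XPSImport,Audit,Eval,Reports,License,Counter,Sweeper,LegacyAPI",
    "07:*Rights = 14(0xe): ManageObjects,ManageUsers,ManageSecurity",
]
if __name__ == "__main__":
    for line in SAMPLE:
        print(audit_line(line))
```

A non-zero `unknown_bits` or a false `matches_tool` means the tables in the script no longer match the product version in use and should be refreshed from the interactive listing before the audit output is trusted.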
KB : KB000099982