Identity Auditing

This chapter provides an introduction to auditing with DirX Identity as the source of audit messages. You don’t need to set up a running DirX Identity installation. Instead, we’ll work with sample data content that was produced by performing a complete run through the DirX Identity tutorial and which we loaded and set up in "Preparing to Use the Tutorial".

The sections in this chapter will take you through a set of common Identity auditing use cases. You need to have a working knowledge of DirX Identity in order to understand this section.

Analyzing a User Self Registration

In the exercises described in the section "User Self Registration" in the DirX Identity Tutorial, the following tasks were performed:

  • Customer self registration of Farfello Nico

  • Assignment to the Customer Newsletter and Hardware Beta Programs services

  • Approval of the user creation request by Klarmann Bruno

  • Approval of the Hardware Beta Programs request by Briner Ruben

This section shows you how to analyze DirX Identity user entries created by the self registration process. It describes how to:

  • Analyze a user creation

  • Analyze user to privilege assignments

In these exercises, we’ll use DirX Audit to answer the questions from an auditor’s point of view: Do we have any new users? When were they created and by whom? What privileges were they assigned and who approved the assignments?

Examining a User Creation

Typically, you perform a user creation in DirX Identity via a request workflow. All data is collected during the workflow steps and kept as orders at the workflow instance. The activity ApplyChange of such a workflow creates the user entry in the Identity Store. The operation AddObject creates a new object (User, Account, Workflow instance) in the LDAP directory.

In this section, we’ll examine a user creation that results from a self registration from the Dashboard and Audit analysis views and see how the new user and its attributes are displayed in the History view.

Examining a User Creation with the Dashboard

First, we’ll examine the user creation for Farfello Nico from the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Add the Total audit events by month and operation component to the Dashboard using the Layout settings.

  • Examine the Total audit events by month and operation component. It contains aggregated data for Add Assignment, Add Object and other operations.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter, select the What Type dimension and then enter User in Value.

  • Click OK. The chart is recalculated.

  • Drill down to audit events of the Add Object operation for September 2022.

  • In the Type column, you will find audit events created on request. The value for Farfello Nico came from the user self registration.

  • Click image2 to return to the Dashboard view.

Although we’ll use the History view later in this section to examine the history data for Farfello Nico, you can access it directly from the Dashboard, too:

  • In the drill-down table you just generated, click image3 to open the Event Details.

  • Expand the What [User : Farfello Nico] row and then click the blue underlined Farfello Nico link. This action takes you directly to the selected history entry, which is Farfello Nico in this case.

Examining a User Creation with the Audit analysis

To analyze the user creation of Farfello Nico with the Audit analysis:

  • Select the Audit analysis tab in the DirX Audit Manager Classic main page.

  • In Source, select DirX Identity.

  • In Type, select on request.

  • In Operation, select Add Object.

  • In What type, select User.

  • Click Search. You will find audit events in the result list. These users were created as new ones in the DirX Identity tutorial. You will find the audit event for Farfello Nico at the end (she was created as the first new user).
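The Dashboard component and the Audit analysis form above both reduce to the same operation on the audit event store: filter events by dimension (What Type, Operation, Type), aggregate them per month and operation, and drill down into the events behind one bar. The following Python is an added illustration of that logic, not DirX Audit's code or schema; the AuditEvent fields, the sample events and the initiators are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditEvent:
    """One audit event; field names are this example's own, not the DirX Audit schema."""
    when: datetime
    who: str            # who performed the action
    operation: str      # e.g. "Add Object", "Add Assignment"
    what_type: str      # e.g. "User", "User to Role"
    what: str           # affected object
    trigger: str        # "on request" or "on schedule"


# Constructed sample events loosely modelled on the tutorial data (dates and "who" are invented).
EVENTS = [
    AuditEvent(datetime(2022, 9, 5, 10, 0), "self registration workflow", "Add Object",
               "User", "Farfello Nico", "on request"),
    AuditEvent(datetime(2022, 9, 5, 10, 1), "self registration workflow", "Add Assignment",
               "User to Role", "Farfello Nico -> Customer Newsletter", "on request"),
    AuditEvent(datetime(2022, 9, 6, 9, 0), "Taspatch Nik", "Add Object",
               "User", "Teacher Mark", "on request"),
    AuditEvent(datetime(2022, 9, 7, 8, 0), "Farfello Nico", "Login",
               "User", "Farfello Nico", "on request"),
    AuditEvent(datetime(2022, 9, 20, 3, 0), "import workflow New-HR", "Add Object",
               "User", "Gross Berta", "on schedule"),
    AuditEvent(datetime(2022, 10, 4, 11, 0), "Taspatch Nik", "Add Assignment",
               "User to Group", "Teacher Mark -> FS Professional Services", "on request"),
]


def filter_events(events, **criteria):
    """Keep events whose fields equal every given criterion (the Audit analysis form)."""
    return [e for e in events if all(getattr(e, k) == v for k, v in criteria.items())]


def events_by_month_and_operation(events, **criteria):
    """Dashboard-style aggregate: count events per (YYYY-MM, operation) after filtering."""
    counts = Counter()
    for e in filter_events(events, **criteria):
        counts[(e.when.strftime("%Y-%m"), e.operation)] += 1
    return dict(counts)


def drill_down(events, month, operation, **criteria):
    """Return the events behind one bar of the chart, oldest first (the drill-down table)."""
    hits = [e for e in filter_events(events, **criteria)
            if e.when.strftime("%Y-%m") == month and e.operation == operation]
    return sorted(hits, key=lambda e: e.when)


if __name__ == "__main__":
    # Dimension filter What Type = User, then drill down into Add Object for September 2022.
    for key, n in sorted(events_by_month_and_operation(EVENTS, what_type="User").items()):
        print(key, n)
    for e in drill_down(EVENTS, "2022-09", "Add Object", what_type="User"):
        print(e.when, e.trigger, e.who, e.what)
```

The trigger field mirrors the Type column of the drill-down table: the scheduled import shows up as "on schedule", so an auditor can separate automated creations from those performed on request.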

Examining a User Creation in the History View

Now we’ll view the new user Farfello Nico and her attributes with the History view:

  • Click the History tab in the DirX Audit Manager Classic main page.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, type Farfello.

  • Click Search. Because only one user with the name Farfello is found, the Attribute tab on the details page for this user is displayed. Here you can view the history of changes for Farfello Nico.

  • Scroll down to the Attributes tab table. You can see the date and time of the user creation, which is also where the first time point is placed in the timeline. Further down, you can check the user attributes. The user Farfello Nico and her attributes were not changed during the life-cycle. Check the type of user with the employeeType attribute. Farfello Nico is a customer from Mercato Aurum Rome.

  • Click the Roles tab. You can see four roles assigned to the user Farfello Nico. Roles Customer Newsletter and Hardware Beta Programs were assigned by manual selection of the role. Platinum Customer and Silver Customer were assigned based on the rule for the customers.

  • Click the Permissions tab and then click image5 next to the permission name to expand the values in the permission name column. You can see that all permissions are inherited from roles and consistent. None of them requires re-approval. You can check the same items for Group assignments.

  • Click the Accounts tab and then expand the values in the account name column. Farfello Nico has only one active account (in the Extranet Portal) as a customer.

  • Click the Events tab. In From, set 1/9/2022. In To, type or select 31/10/2022. In Search in, choose Who. You can see two (2) audit events caused by a direct action of Nico Farfello, that is, two (2) login messages from Web Center. Both events occur only after the user creation: Ms. Farfello received a mail telling her that she could log in, and she did so.

  • Now choose What in Search in. You can see a list of five (5) audit events related to Nico Farfello’s user creation and privilege assignments.

Studying User to Privilege Assignments

Assigning privileges enables the user to access specific resources in connected systems. In this section, we will show several ways to evaluate privilege assignments and how to create a Users by Privilege report.

Studying User Privilege Assignments with the Dashboard

To study user privilege assignments in the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine the Total audit events by month and operation component. It contains aggregated data for Add Assignment, Add JoinFromDXI, Add JoinToDXI, Add Object and other operations.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter, select the What Type dimension and then enter User to Role in Value.

  • Click OK. The chart is recalculated.

  • Drill down to audit events of the Add Assignment operation for September 2022. Change Items per page to 50. Order the table by the When column in ascending order.

  • You will find several audit events on assigning privileges to the users Farfello Nico and Teacher Mark. In the What Details column, you can check which roles were assigned.

  • Click image2 to return to the Dashboard view.

Studying User Privilege Assignments with the Audit analysis

To study user privilege assignments with the Audit analysis:

  • Select the Audit analysis tab in the DirX Audit Manager Classic main page.

  • In Source, select DirX Identity.

  • In Operation, select Add Assignment.

  • In What, enter Farfello Nico.

  • Click Search. You should receive four (4) audit events in the result list on assigning Farfello Nico to several roles.

Studying User Privilege Assignments with Reports

In this exercise, we’ll create a report set that contains two reports for analyzing user-privilege assignments. First, you’ll create a report that shows the users assigned to specific privileges, and then you’ll create a report that shows the privileges of a specific user.

To create a Users by Privilege report:

  • Click the Reports tab in the DirX Audit Manager Classic main page.

  • Add a new Report set and fill in the report set’s Name and Description.

  • Click image6 to add a new report file.

  • Either browse through the list of available reports or use name completion (start typing a part of the report name) or tag filtering (tag History, User or Privilege) to display the Users by Privilege report. Click on it in the list to select it. The Report scope dialog opens for you to define the parameters of the report.

    Note that the report tag set always includes either the History or the Events tag, indicating the report's source data. Events reports are based on the audit event data and provide an audit trail of the changes and updates performed, while History reports help the auditor understand and compare the states of the inspected history entries at selected points in time.

  • In the When section, select Custom time point and leave the default (current) value in Date.

  • In the Privileges section, define the attribute filter: cn is selected in the first field (Identifying Attributes); type Customer Newsletter in the Attribute Value field and then click Search. The Found table displays the resulting privileges. Check Customer Newsletter Group, Customer Newsletter Permission and Customer Newsletter Role to select them and then click Add. All of the selected privileges are added to the Selected table.

  • You can use the Preview feature to quickly check whether the filtering criteria you have just configured actually deliver the expected results. Note that the Row limit field restricts the number of results displayed in the Preview report. You can open the preview PDF in the browser or save it for later examination.

  • Click Finish to stop adding new reports to the file.

  • Enter the report file name in File Name and a description of it in Description and then check that PDF is selected in Format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, choose As soon as possible.

  • In the Send to tab, enter your email address in To. You can also fill in the message Subject and Body.

  • Click the checkbox next to Active to activate the report set. The icon in the top right corner changes to image7.

  • Click Save to save your changes to the report set and run the report. You should receive the report as an email attachment. Open it and check the users assigned to the Customer Newsletter group, permissions and role.

You can also create a report that shows all of the privileges assigned to a selected user. Now we’ll add this kind of report to the report set we just created:

  • In the Reports tab, open the report set you just created for editing.

  • Click image6 to add a new report file.

  • In the list of available reports, click on Changes on User to Privilege Assignments by User in the list to select it.

  • In the When section in the report scope dialog, select Any time.

  • In the Users section, select Last Name in the first field (Identifying Attributes), type Farfello in the second field (Attribute Value) and then click Search.

  • Check Farfello Nico and then click Add to move this user to the Selected table.

  • Click Finish. Enter the report file name in Name and then click Save. You should receive an email with two report files. In the second report, you can see all of the privileges assigned to Farfello Nico.

Analyzing the Addition of a New User

In the exercises described in the section "Adding a New User" in the DirX Identity Tutorial, the following tasks were performed:

  • The user Teacher Mark was created as a contractor.

  • The user Teacher Mark was manually assigned the Trainer privilege.

  • The user Teacher Mark's password was reset.

  • The user Teacher Mark's privilege assignments were approved.

  • The user Teacher Mark was added to a project.

  • The user Teacher Mark was assigned some privileges based on rules.

  • The user Teacher Mark was assigned the Internal Employee role.

The user Teacher Mark was also assigned the Test Tasks privilege for a limited period of time because of later changes initiated in the DirX Identity tutorial.

This section shows you how to analyze this DirX Identity user entry data. It describes how to:

  • Examine a user creation

  • Analyze a user to privilege assignment

Here, auditors want to answer the same questions as for the previous case concerning new users. They also want to know: Were there any new or modified project assignments and what was their root cause? Were there any password changes and with what outcome?

Examining the User Creation

One way of creating a new user in DirX Identity is with Web Center, which is controlled by a request workflow. All data is collected during the workflow steps and is kept as orders at the workflow instance. The ApplyChange operation of this kind of workflow creates the user entry in the Identity Store. The operation AddObject creates a new object (User, Account, Workflow instance) in the directory or database.

In this section, we’ll investigate the user creation for Teacher Mark with the Dashboard view and Audit analysis and see how the new user and its attributes are displayed in the History view.

Examining the User Creation in the Dashboard

To examine Mark Teacher’s user creation from the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine the Total audit events by month and operation component.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter, select the What Type dimension and then enter User in Value.

  • Click OK. The chart is recalculated.

  • Drill down to audit events of the Add Object operation for September 2022. Order the table by the When column in ascending order. You can see the list of all newly created users. The second one is Teacher Mark (check the column What Details User='Teacher Mark').

  • When you open the details of this event, you can find out in the Who section that it was Taspatch Nik who performed this action. The Context Event section shows that the cause was the Add WorkflowService event.

  • Close the details window and then click image2 to return to the Dashboard view.

Examining the User Creation in the Audit analysis

To analyze Mark Teacher’s user creation with the Audit analysis:

  • Select the Audit analysis tab in the DirX Audit Manager Classic main page.

  • In Source, select DirX Identity.

  • In Type, select on request.

  • In Operation, select Add Object.

  • In What type, select User.

  • Click Search and then order the table by the When column in ascending order. You can see the list of users created on request: the first one is Farfello Nico and the second one is Teacher Mark. The others are users and personas from other tutorial steps and will be explained in the later sections of this tutorial.

  • Click the context event icon image8 for one of the events. You can see a chain of messages connected to the customer self registration process. The list of contextually related events can also be accessed from the dashboard drill-down list of events we explored in the previous exercise.

Examining the User Creation in the History View

To view the new user Teacher Mark and his attributes in the History view:

  • Click the History tab in the DirX Audit Manager Classic main page.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, type Teacher Mark.

  • Click Search. Because only one user with the name Teacher Mark is found, the Attribute tab on the details page for this user is opened. You can see the history of changes for this user. Because Teacher Mark changed from the Contractor role to the Internal Employee role, you can see the attribute changes marked in the timeline (if you see only one timeline with cumulative information you must zoom in to the day level) and in the attributes table below.

  • Double-click in the timeline near 18 October to add another comparison time point marker.

  • Check Show changes only.

  • Browse the Roles, Permissions, Groups and Accounts tabs and explore the changes described in the section "Adding a New User" in the DirX Identity Tutorial.

  • On the Events tab, set From to 1/9/2022 and To to 31/10/2022 and then examine the events messages for Teacher Mark.

Examining the User Creation with Reports

Now we’ll examine Teacher Mark’s user creation events by creating some reports:

  • Click the Reports tab in the DirX Audit Manager Classic main page.

  • Add a new Report set and fill in the report set’s Name and Description.

  • Click image6 to add a new report file.

  • Either browse through the list of available reports or use name completion (start typing a part of the report name) or tag filtering (tag History) to display the Users in Organizational Unit report. Click on it in the list to select it. The Report scope dialog opens to define the parameters of the report.

  • The report is created for one date. Select the current date by selecting Custom time point in the When section.

  • In the Organizational Units section, ou is selected in the first field (Identifying Attributes); type Professional Services in the second field (Attribute Value). Click Search.

  • Select Professional Services and click Add. The name is added to the Selected table.

  • Click Finish to stop adding new reports to the file. Enter the report file name in File name and select the format (PDF is preferred).

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set its schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then save it.

Open the report attachment in the email you received. It shows all of the users from the Professional Services business unit. You can check their roles, permissions and accounts. The state is taken from the date set in the When section. For this example, it was the state of the last synchronization.

You can also run the report with its date set to a point in the past to view the user status and assignments that correspond to that time point in the history:

  • Go back to the Reports tab.

  • Click image1 in the display of the report set you just created to open it for editing.

  • Click image1 in the Users in Organizational Unit row to edit this report’s scope.

  • In When, select Custom time point and change the date to 4/10/2022.

  • Click OK and then click Save.

Once you receive the second report, you can check the report date in the header section and examine the assignments of Teacher Mark. The FS Professional Services and Software Tests groups are now missing because they were only assigned later - on 4/10/2022 and 11/10/2022 respectively. This report now presents all users and their assignments as they were on the selected date 4/10/2022.

If you want to see all created users and the data related to their creation, use the Contextually Related Changes for the Selected Causing Operation and Type report:

  • In the Reports tab, add a new report set and fill in the report set’s Name and Description.

  • Click image6 to add a new report file.

  • Click on Contextually Related Changes for the Selected Causing Operation and Type in the list of available reports.

  • In the When section, select Custom time and then set the interval From to 1/9/2022 01:00 AM and To to 27/9/2022 01:00 AM.

  • In the Operation section, select Add Object.

  • In the Type section, select User.

  • Click Finish to stop adding new reports to the file. Enter the report file name in File name and then select the format (PDF is preferred).

  • Click OK. The report file is inserted into the report set and it is displayed in the file list.

  • In the Schedule tab, set the report set schedule to run As soon as possible, check No end time and then enter your email address in the Send to tab.

  • Activate the report set and then save it.

You should receive an email with the report file. Open the attachment. You can see the user creations for Teacher Mark and Farfello Nico and the related events. The filter Add Object + User is applied to the initial and related events, which is why each chain starts with the workflow event (the initial event).

Note that if you don’t restrict the date and create the report using Any time, you’ll obtain the overview of all users created during the DirX Identity tutorial run.
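The context event chain used by the icon in the Audit analysis and by the Contextually Related Changes for the Selected Causing Operation and Type report links each event to the event that caused it (for Teacher Mark, the Add WorkflowService event). The Python below is an added example of walking such a chain: it follows the context link upward to the initial event and collects everything the initial event caused, in time order. It is not DirX Audit's code; the event dictionaries, ids, timestamps and the context field are constructed for this example.

```python
from collections import defaultdict

# Constructed events; "context" holds the id of the causing event (None for an initial event).
EVENTS = [
    {"id": 10, "when": "2022-09-06T09:00", "operation": "Add WorkflowService",
     "type": "Workflow instance", "what": "CreateUser#42", "context": None},
    {"id": 11, "when": "2022-09-06T09:01", "operation": "Add Object",
     "type": "User", "what": "Teacher Mark", "context": 10},
    {"id": 12, "when": "2022-09-06T09:02", "operation": "Add Assignment",
     "type": "User to Role", "what": "Teacher Mark -> Trainer", "context": 11},
    {"id": 13, "when": "2022-09-06T09:03", "operation": "Add Object",
     "type": "Account", "what": "Teacher Mark@Intranet Portal", "context": 12},
    {"id": 20, "when": "2022-09-05T10:00", "operation": "Add WorkflowService",
     "type": "Workflow instance", "what": "SelfRegistration#7", "context": None},
    {"id": 21, "when": "2022-09-05T10:01", "operation": "Add Object",
     "type": "User", "what": "Farfello Nico", "context": 20},
    {"id": 30, "when": "2022-09-10T12:00", "operation": "Add Object",
     "type": "Group", "what": "Firmware Tests", "context": None},
]


def _by_id(events):
    return {e["id"]: e for e in events}


def root_of(events, event_id):
    """Follow context links upward to the initial (causing) event; guarded against cycles."""
    by_id = _by_id(events)
    seen, cur = set(), by_id[event_id]
    while cur["context"] is not None and cur["id"] not in seen:
        seen.add(cur["id"])
        cur = by_id[cur["context"]]
    return cur["id"]


def related_chain(events, root_id):
    """Every event transitively caused by root_id, including the root, oldest first."""
    children = defaultdict(list)
    for e in events:
        if e["context"] is not None:
            children[e["context"]].append(e["id"])
    by_id = _by_id(events)
    collected, stack = [], [root_id]
    while stack:
        eid = stack.pop()
        collected.append(by_id[eid])
        stack.extend(children[eid])
    return sorted(collected, key=lambda e: e["when"])


def contextually_related_changes(events, operation, type_, since=None, until=None):
    """Report: for each event matching operation + type within [since, until] (ISO strings),
    the ids of its whole chain starting from the initial event."""
    report = {}
    for e in events:
        if e["operation"] != operation or e["type"] != type_:
            continue
        if (since and e["when"] < since) or (until and e["when"] > until):
            continue
        report[e["what"]] = [x["id"] for x in related_chain(events, root_of(events, e["id"]))]
    return report


if __name__ == "__main__":
    for what, chain in contextually_related_changes(EVENTS, "Add Object", "User").items():
        print(what, chain)
```

Note that the unrelated Firmware Tests group creation is an initial event of its own and never appears in a user's chain, while a narrow time interval on the matching event removes whole chains rather than truncating them.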

Analyzing User to Privilege Assignments

Assigning privileges enables a user to access specific resources in connected systems. In this section, you’ll learn several ways to evaluate privilege assignments and learn how to create reports to analyze the privilege assignments made with the "Adding a New User" DirX Identity tutorial.

Analyzing User Privilege Assignments with the Dashboard

To analyze user privilege assignments from the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if it’s not already selected.

  • Examine the Total audit events by month and operation component.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter, select the What Type dimension and then enter User to Role in Value.

  • Click OK. The chart is recalculated.

  • Drill down to audit events of the Add Assignment operation for September 2022. Change Items per page to 50. Order the table by the When column in ascending order.

  • You will find several audit events on assigning privileges to the users Farfello Nico and Teacher Mark. You can view the details of these audit events with the image3 and image8 icons. In the What Details column, you can see which role was assigned.

  • Click image2 to return to the Dashboard view.

Analyzing User Privilege Assignments with the Audit analysis

To analyze user privilege assignments with the Audit analysis:

  • Select the Audit analysis tab in the DirX Audit Manager Classic main page.

  • In Source, select DirX Identity.

  • In Operation, select Add Assignment.

  • In What, enter Teacher Mark.

  • Click Search. You should receive seven (7) audit events in the result list on assigning Mark Teacher to several privileges.

Analyzing User Privilege Assignments with Reports

Now you’ll examine the user privilege assignments from the Reports view:

  • In the Reports tab, choose and then open one of the report sets you created in other exercises for editing.

  • Click image6 to add a new report file.

  • Click on Changes on User to Privilege Assignments by Privilege in the list of available reports to select it.

  • In the When section, select Any time.

  • In the Privileges section, select Name in the first field (Identifying Attributes) and type Test Tasks in the second field (Attribute Value). Click Search.

  • Check the Test Tasks permission and role and then click Add to copy them to the Selected table.

  • Now type Sales Tasks in the second field (Attribute Value). Click Search.

  • Check both the Sales Tasks permission and role and then click Add to copy them to the Selected table.

  • Click Finish, enter the report name in File name, select the format and then click Save.

When you receive the report, you’ll see an overview of all users to whom the Test Tasks and Sales Tasks privileges were assigned.

Checking Imported Users

In the exercises described in the sections "Importing Identities" and "Changing the Workflow Configuration" in the DirX Identity Tutorial, the following tasks were performed:

  • Importing nine users from the New-HR domain (Gross Berta, Dyson Mark, Hoegeli Michel, Huber Fritz, Binder Horst, Banzoi Miriam, Bader Hans, Karrer Antonie, Berchtold Max)

  • Adding these users to the Product Testing organizational unit

  • Assigning Internal Employee and Test Tasks roles

  • Assigning the Signature Level 1 permission by the rule

  • Assigning Intranet Portal, MVS, Signatures and Windows Domain Europe target systems groups

  • Creating accounts in the Intranet Portal, MVS and Windows Domain Europe target systems

  • Changing the Description and Manager attributes for users imported from New-HR

This section shows you how to analyze the DirX Identity data created by these tasks. It describes how to:

  • Examine a role with Audit analysis

  • View the attributes changes of a user with the History view

  • View accounts with the Dashboard

  • View the accounts created in target systems with reports

In this case, an auditor might be curious about the following items: What users were imported from the connected system and which privileges were they assigned afterwards? You can see that the first password setting was assisted after the initial insertion of Teacher. The second audit event was initiated from a self-service password change.

Examining a Role

You can check which of the audited events relate to a specific role. Let’s see what happened with the Test Tasks role. First, we’ll analyze it with Audit analysis:

  • In the DirX Audit Manager Classic main page, click the Audit analysis tab.

  • In Source, select DirX Identity.

  • In What Detail, enter Test Tasks (or %Test Tasks% if you have not enabled full text search in the Configuration Wizard).

  • Click Search. You can see the list of users assigned to the Test Tasks role. You can change Items per page to 50 to view all of them at once.

  • To see the complete chain of user creation and assignment to the role, click image8 on one of the imported users to view the related events; for example, Gross Berta.

  • Check the message Add Object, User = 'Gross Berta'. You can see that this user was created on schedule (Type column), which means that an automatic procedure created the user. In our case, it was the import workflow for New-HR.

Reviewing User Attribute Changes

Now we’ll use the History view to analyze the user attributes changes:

  • In the DirX Audit Manager Classic main page, click the History tab.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, enter one of the New-HR users; for example, Banzoi Miriam.

  • Click Search. Because only one user with the name Banzoi was found, the details page for this user is displayed with the Attributes tab table open by default. Now you can see the history of changes for this user.

  • Check Show changes only to display only those attributes where a change has occurred in the displayed time range. You can see that the Manager and four (4) risk attributes were changed.

  • To identify the New-HR source, uncheck Show changes only and look at the dxmOprMaster attribute. You can use the search field in the Attribute Name column to find this parameter quickly.

  • Click the Switch to search form button to return to the Search page. Now check the other New-HR users, like Karrer Antonie, Binder Horst and so on.
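The History view comparison used for Teacher Mark (two time points in the timeline) and for Banzoi Miriam (Show changes only) amounts to resolving the attribute state valid at each time point and diffing the two states. The Python below is an added example of that comparison; it is not DirX Audit's code or history schema. The snapshots, dates and values are constructed (the attribute names employeeType and dxmOprMaster come from the page, their values are placeholders), and the comparison generalizes to any number of attributes and time points.

```python
from datetime import date

# Constructed history: per user, (date from which the state is valid, attribute values).
HISTORY = {
    "Teacher Mark": [
        (date(2022, 9, 6), {"employeeType": "Contractor", "ou": "Professional Services",
                            "dxmOprMaster": "<identity-master-placeholder>"}),
        (date(2022, 10, 18), {"employeeType": "Employee", "ou": "Professional Services",
                              "dxmOprMaster": "<identity-master-placeholder>"}),
    ],
    "Banzoi Miriam": [
        (date(2022, 9, 20), {"employeeType": "Employee", "ou": "Product Testing",
                             "manager": "Huber Fritz", "riskLevel": "2",
                             "dxmOprMaster": "<new-hr-source-placeholder>"}),
        (date(2022, 10, 11), {"employeeType": "Employee", "ou": "Product Testing",
                              "manager": "Karrer Antonie", "riskLevel": "3",
                              "dxmOprMaster": "<new-hr-source-placeholder>"}),
    ],
}


def state_at(name, day):
    """Attributes valid on `day`: the latest snapshot dated on or before it, or None."""
    state = None
    for valid_from, attrs in sorted(HISTORY.get(name, []), key=lambda s: s[0]):
        if valid_from <= day:
            state = attrs
    return state


def compare(name, first, second, changes_only=True):
    """Compare two time points. Each attribute maps to (value at first, value at second).
    With changes_only, unchanged attributes are dropped, like the 'Show changes only' box;
    an attribute missing at one point shows up as None on that side."""
    a = state_at(name, first) or {}
    b = state_at(name, second) or {}
    rows = {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))}
    if changes_only:
        rows = {k: v for k, v in rows.items() if v[0] != v[1]}
    return rows


if __name__ == "__main__":
    for user in HISTORY:
        print(user, compare(user, date(2022, 9, 30), date(2022, 10, 18)))
```

A time point before the first snapshot resolves to no state at all, so every attribute then appears as newly set on the later side; that is the same reading as the first timeline marker sitting at the user creation.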

Exploring the Accounts

Users can use a Dashboard component to analyze account creation in the target systems. In this step, you’ll create a new Dashboard component. Later on in this session, you’ll use this component as a template, change the Fact table and save it under a new name to assign it to a report.

  • In the DirX Audit Manager Classic main page, select the Dashboard tab.

  • Click image1 in the Total audit events by month and operation component toolbar to open the Edit component dialog.

  • Click the Data tab if it is not already selected.

  • In When, select Custom time and then set From to 1/9/2022 and To to 30/9/2022.

  • In Fact Table, select Memberships.

  • Set Facts to Succeeded.

  • Set Dimensions to Day and Target System.

  • Check the Dimension filter, select Operation in Name and enter Add Assignment in Value.

  • Click Save as ….

  • In the pop-up window, enter the Component title as Accounts to group by target system created in September 2022. In Component name, enter accounts_to_group_by_target_system.

  • Uncheck Public to prevent others from using your component and leave Add to dashboard checked, with instead of existing selected.

  • Click Save. The saved chart and modified Dashboard component are displayed. You can see how many accounts were created and in which target system. Drill down into individual parts of the bar to see details about the accounts.

Examining the Account-Group Memberships

Now we’ll analyze the account-group memberships for the imported users with reports.

First, we’ll create a report that provides an overview of the accounts created in the target systems:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Add a new report set, name it Accounts by Target Systems and add a description for it.

  • Add a new report file and select Changes on Account to Group Memberships by Target System.

  • The Report scope dialog opens for you to define the parameters of the report. In the When section, select Custom time and set From to 1/9/2022 and To to 30/9/2022.

  • In the Target Systems section, you can define the sources that act as filtering elements for the events for which you want to see data. Target System is selected in the first field (Identifying Attributes); click Search.

  • All of the available target systems are displayed in two pages. On each page, click image9 to select all of the available target systems and then click Add to move them to the Selected table. Navigate to the next page and then repeat this step.

  • Make sure you change the default Record limit value from 100 to 0 (indicating there is no limit) to include all memberships in the report. Leaving the default value means that you will receive an incomplete/limited report.

  • Click Finish to stop adding new reports to the file. Name the report file Accounts in target systems for September 2022 and leave PDF selected as the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set schedule to run As soon as possible, check No end time and then enter your email address in the Send to tab.

  • Activate the report and then click Save.

Open the report attachment in the email you receive. You’ll see a list with the newly created accounts sorted by target systems.

You can enhance this report by adding the Accounts by target system created in September 2022 component to the end of the report. We’ll perform this task next:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Click image1 to edit the Accounts by Target Systems report set.

  • Add a report to the report file with the name Accounts in target systems state for September 2022 by clicking image10 next to the report name.

  • The report selection dialog opens. Select Generate dashboard chart from the list.

  • In the Data source tab, select accounts_to_group_by_target_system.

  • Click Finish. Remember that having two reports in one file is allowed only for report files in PDF format. Click Save.

  • Open the report attachment you received in the latest email. First, there is a list of accounts in the target systems as in the previous example and at the end, you can find the chart with the overview of accounts by days in September 2022.

Analyzing Imported Accounts

In the exercises described in the section "Setting up a New Target System" in the DirX Identity Tutorial, the following tasks were performed:

  • Loading the accounts and groups from the New-LDAP target system to the Identity Store

  • Creating a new Firmware Tests permission

  • Creating a new Firmware Tests role

  • Assigning the Firmware Tests role

  • Deleting the unassigned accounts (Derksen Konrad)

This exercise shows you how to analyze the DirX Identity accounts, permissions and roles created by performing these tasks. It describes how to:

  • Check the imported account-to-group memberships with a target system report

  • Examine a permission creation with the Audit analysis and the Dashboard

  • Examine a role creation with the Audit analysis and the Dashboard

  • Study users assigned to a role with the Dashboard and the History view

  • Explore a specific connected system’s provisioning activities

These steps will help to answer the following auditor’s questions: What provisioning activities were performed in the new target system? Are there any new imported accounts in any of the monitored target systems? What was changed for the Firmware Tests permission and role? To which users was the Firmware Tests role assigned?

Examining Permission Creation

In this part of the exercise, we’ll examine the permission creation events associated with the imported accounts.

First, we’ll do it with Audit analysis:

  • In the DirX Audit Manager Classic main page, select the Audit analysis tab.

  • In Source, select DirX Identity.

  • In What, enter Firmware Tests.

  • Click Search.

  • Change Items per page to 20. Order the table by the When column in ascending order.

You can see Add Assignment events for three (3) users from the New-LDAP target system, and Add Assignment User to Role events for the same three users. You can also see Delete Assignment Account to Group events for two users (Derksen Konrad and Zeller Andreas) and several updates of the Firmware Tests group.

Next, we’ll do it with the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine the DirX Identity total history entries by month and entry type component. This component provides an overview of all history entries sorted by entry types and their total numbers changing over time.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter.

  • In Name, select Entry type.

  • In Value, enter Permission.

  • Click OK. The chart is recalculated.

  • You can now see the number of permissions for individual months. You can also drill down to the permission list to view all permissions active in the given time period, including the new ones.

  • Click image2 to return to the Dashboard view.

Examining a Role Creation

During the DirX Identity tutorial, a validation workflow from the New-LDAP target system is started that imports the Firmware Tests group. Later on, a permission and a role are created and the group is linked to the permission. Let’s view these actions in Audit analysis.

First, we’ll use Audit analysis to analyze the privilege hierarchy:

  • In the DirX Audit Manager Classic main page, select the Audit analysis tab.

  • In Source, select DirX Identity.

  • In What, enter Firmware Tests.

  • In What Type, enter Role.

  • Click Search.

You can see just one Firmware Tests role, which was created manually.

Now let’s examine the role creation with the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab.

  • Examine the DirX Identity total history entries by month and entry type component.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter.

  • In Name, select Entry type.

  • In Value, enter Role.

  • Click OK. The chart is recalculated.

  • You can now see the number of roles for individual months and their increase in October 2022. Drill down to October 2022 and look at the end of the list. Here you can see the Firmware Tests role, created on 5/10/2022.

  • Click image2 to return to the Dashboard view.

Studying the Users Assigned to a Role

In this part of the exercise, we’ll examine the users assigned to the Firmware Tests role.

First, we’ll examine it with the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab if not already selected.

  • Examine the DirX Identity user to privilege assignment total audit events by month and activity component.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Change the first Dimensions field to Day.

  • Change the second Dimensions field to What-Type.

  • Check Dimension filter.

  • In Name, select Operation.

  • In Value, enter Add Assignment.

  • Click OK. The chart is recalculated.

  • Drill down to the User to Role assignments on 5/10/2022. You can see three (3) users assigned to the Firmware Tests role. Drill down to the User to Role assignments on 11/10/2022 and there is one user assigned to the Manager role.

Now let’s use Audit analysis to list all users assigned to the Firmware Tests role, and then move from there to the History view, directly to the entry details of the Firmware Tests role:

  • In the DirX Audit Manager Classic main page, select the Audit analysis tab.

  • In Source, select DirX Identity.

  • In What, enter Firmware Tests.

  • In What Type, enter User to Role.

  • Click Search. We can see three Add Assignment events for the users Binder, Dyson and Karrer. This view gives us the opportunity to see the details of the assignment operations and move directly to the History view.

  • Open the details of any one of the three events.

  • Expand the What [Role : Firmware Tests] section by clicking the gray bar in the details pop-up.

  • Click the underlined link Firmware Tests.

  • The History tab with the Attribute tab table opens for the Firmware Tests role. In the data area, click the Users tab. You can see the list of assigned users and their assignment validity.

Exploring Connected System Provisioning

In this part of the exercise, you’ll inspect all of the provisioning activities that have occurred on a specific connected system; in this case, the New-LDAP target system:

  • First, you’ll examine the target system from the Dashboard view

  • Next, you’ll examine the accounts created in the target system from the Reports view

Exploring the Connected System from the Dashboard

First, you will check a specific connected or target system with the Dashboard.

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine the DirX Identity total audit events on accounts by month and operation component. It contains aggregated data from different operations.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Check Dimension filter.

  • In Name, select Target System.

  • In Value, enter New-LDAP.

  • Click OK. The chart is recalculated.

  • You can see the overview of operations performed on the New-LDAP connected system. Drill down to the Add Object section and you can see the list of accounts imported from the connected system.

  • Click image2 to return to the Dashboard view.

Exploring the Target System Accounts with Reports

Now we’ll generate a report that shows the accounts that were created in the New-LDAP target system:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Add a new report set and give it a name (in Name) and a description (in Description).

  • Add a new report file and select State of Accounts by Target System from the list of available reports.

  • The Report scope dialog opens for you to define the parameters of the report. In the When section, select Custom time point and leave the default date.

  • In the Target Systems section, you can define the sources that act as filtering elements for the events for which you want to see data. In the first field (Identifying Attributes), choose cn and then click Search. All available target systems are displayed. Check New-LDAP to select it and then click Add. The target system is added to the Selected table.

  • Click Finish to stop adding new reports to the file. Name the report file and select the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

Open the report attachment in the email you receive. You can see all of the accounts that have been imported from the New-LDAP target system, with each of their status changes shown as an individual entry.

Auditing SoD Violations

In the exercises described in the section "Applying SoD Policies" in the DirX Identity Tutorial, the following tasks were performed:

  • SoD checking was activated.

  • An SoD policy was activated.

  • A conflicting privilege was assigned to the user Pitton Lavina.

This exercise shows you how to analyze a breach of an SoD policy and how to audit the assignments that cause SoD violations in DirX Identity. It describes how to:

  • Check the SoD violation with the Dashboard view

  • Use the Reports view to create an SoD violation overview report

This exercise answers the following auditor questions: Did any user assignment break the configured Segregation of Duties rules? Which report can provide a regular overview of SoD violations?

Analyzing a SoD Violation with the Dashboard View

Let’s first examine the SoD violation with the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine the DirX Identity total history SoD violation entries by month component. This component is based on history data.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Click OK. The chart is recalculated. You can see an SoD exception that occurred in October 2022.

  • Drill down to October 2022. In the Name column, you’ll find the name Pitton Lavina as the user who has incurred an SoD violation. In dn, you can see the rule that was violated: the user was assigned both the Contractor and Manager roles, which is against the SoD policies defined in the My-Company scenario.
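The Dashboard shows the violation as a fact; it does not show how it is computed. The following is an added example (not DirX code) of the underlying check: a point-in-time evaluation of user-to-role assignments against SoD rules. It assumes that each assignment carries a validity period and that a rule is a set of privileges of which a user may hold at most one at any given time; the rule name, the second user and all assignment records are constructed sample data, not the tutorial's records. The second user shows the edge case an auditor should expect: holding Contractor and then Manager in sequence, with no overlap, is not a violation at any single time point.

```python
"""Added example (not DirX code): a point-in-time SoD check over
user-to-role assignments.

Assumptions made for this illustration: each assignment carries a validity
period, and an SoD rule is a set of privileges of which a user may hold at
most one at any time. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple, Union


@dataclass(frozen=True)
class Assignment:
    user: str
    privilege: str
    valid_from: date
    valid_to: Optional[date] = None  # None = open-ended


@dataclass(frozen=True)
class SodRule:
    name: str
    privileges: FrozenSet[str]  # holding two or more of these at once is a violation


def _as_date(when: Union[date, str]) -> date:
    return date.fromisoformat(when) if isinstance(when, str) else when


def is_active(a: Assignment, when: date) -> bool:
    """True if the assignment is valid on the given day (bounds inclusive)."""
    return a.valid_from <= when and (a.valid_to is None or when <= a.valid_to)


def privileges_held(assignments: List[Assignment], when: date) -> dict:
    """Map each user to the set of privileges active for them at `when`."""
    held: dict = {}
    for a in assignments:
        if is_active(a, when):
            held.setdefault(a.user, set()).add(a.privilege)
    return held


def sod_violations(assignments: List[Assignment], rules: List[SodRule],
                   when: Union[date, str]) -> List[Tuple[str, str, Tuple[str, ...]]]:
    """Return (user, rule name, conflicting privileges) for every rule broken at `when`."""
    day = _as_date(when)
    found = []
    for user, privs in sorted(privileges_held(assignments, day).items()):
        for rule in rules:
            clash = privs & rule.privileges
            if len(clash) >= 2:
                found.append((user, rule.name, tuple(sorted(clash))))
    return found


def breaking_assignment(assignments: List[Assignment], user: str,
                        clash: Tuple[str, ...], when: Union[date, str]) -> Assignment:
    """The assignment that completed the conflict: the latest-starting active one in `clash`."""
    day = _as_date(when)
    candidates = [a for a in assignments
                  if a.user == user and a.privilege in clash and is_active(a, day)]
    return max(candidates, key=lambda a: a.valid_from)


# Constructed sample data; the rule name and the second user are invented.
SAMPLE_RULES = [SodRule("Contractor vs Manager", frozenset({"Contractor", "Manager"}))]
SAMPLE_ASSIGNMENTS = [
    Assignment("Pitton Lavina", "Contractor", date(2022, 9, 1)),
    Assignment("Pitton Lavina", "Manager", date(2022, 10, 5)),
    # Sequential, non-overlapping roles: never both active, so no violation.
    Assignment("Example User", "Contractor", date(2022, 8, 1), date(2022, 9, 30)),
    Assignment("Example User", "Manager", date(2022, 10, 1)),
]

if __name__ == "__main__":
    check_day = "2022-10-31"
    for user, rule, clash in sod_violations(SAMPLE_ASSIGNMENTS, SAMPLE_RULES, check_day):
        cause = breaking_assignment(SAMPLE_ASSIGNMENTS, user, clash, check_day)
        print(f"{user}: rule '{rule}' broken by {clash}; "
              f"completed by {cause.privilege} valid from {cause.valid_from}")
```

Because the check takes a time point, the same function answers both Dashboard questions: whether a violation exists now, and in which month it first appeared (evaluate at successive month ends). breaking_assignment identifies the assignment that completed the conflict, which is the one whose request and approval an auditor will want to trace.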

Analyzing SoD Violations with Reports

Next, we’ll use a context report to set up and generate an overview of SoD violations. A context report allows you to filter the events and their context and display just the filtered operations. To create the context report with the appropriate filter settings for generating the SoD exception overview:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Add a new report set and then name it and describe it in Name and Description.

  • Add a new report file and then select Risk Users by Simple Risk from the list of available reports.

  • The Report scope dialog opens for you to define the report’s parameters. In the When section, select End of Previous Day.

  • In the Risk factor section, select SoD violations.

  • Leave the Attribute fields as they are.

  • Uncheck Create short report.

  • Set Record limit to 0.

  • Click Finish to stop adding new reports to the file. Name the report file and select the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

In the email attachment you receive, check the overview of all users ranked by their SoD violation risk level. In the DirX Identity tutorial exercise, only one rule was broken. In the report, you can check the initiator (author) of the exception and the rule that was broken (this information is taken from the event context).

Exploring Certification Campaigns

In the exercises described in the sections "Certifying a Role" and "Certifying a User" in the DirX Identity Tutorial, the following tasks were performed:

  • Creating and running a role certification on the Trainer role

  • Creating and running a user certification on two specific users

This section shows you how to analyze a certification campaign for re-approving a privilege or a user. It describes how to:

  • Analyze the certification campaign status in the Dashboard view

  • Set up and run one of the reports that identify available certification campaigns

In this exercise, the auditor will inspect the audited certifications and ask: How many certification campaigns took place? With what results? Who were the approvers? Are there still any unfinished certification campaigns?

Exploring Certification Campaign Status with the Dashboard

First, you’ll use the Dashboard view to examine certification campaign status:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine two components: the DirX Identity total history certification campaign entries by month and state and DirX Identity total history certification campaign entries by month and lifecycle state.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Click OK. The chart is recalculated. Both certification campaigns are now displayed according to their statuses.

  • Drill down to the chart bar for October 2022 in both charts. You can see that the drill down results are the same.

  • Click the Tutorial Privilege Certification link and study the History details page with the campaign data.

  • Then return to the Dashboard tab and click the Tutorial User Certification link.

  • The certification campaign’s history details page is displayed with the Overview tab open by default. Here you can view the campaign details: the names of the certified privileges, the campaign’s start and end dates and the certification results.

Examining Certification Campaigns with Reports

Now we’ll set up and run a report that identifies certification campaigns:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Add a new report set and then name it and describe it in Name and Description.

  • Add a new report file and then select Certification Campaigns from the list of available reports.

  • The Report scope dialog opens for you to define the report’s parameters. In the When section, select Any time. Choose the empty selection option in both the Type and State selection boxes to take all certification campaigns into account.

  • Click Finish to stop adding new reports to the file. Name the report file and select the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

Open the report attachment in the email you receive. You can see an overview of both certification campaigns and check which users were accepted and which were rejected for the respective privileges.

Investigating an Assignment of Physical Access

In the exercise described in the section "Using Manual Provisioning" in the DirX Identity Tutorial, the physical access to Munich-Archive was assigned to the user Sedran Bill. This section shows you how to analyze physical access assignment. It describes how to:

  • Analyze a manual privilege to user assignment in the History view

  • Set up and run a report on user-to-privilege assignment

In this exercise, the auditor is curious about: What privileges were assigned to Sedran Bill and when? What was the reason for the assignment? To which users was the Munich – Archive role assigned?

Investigating the Physical Access Assignment with the History View

First, we’ll look at the manual privilege-to-user assignment in the History view:

  • In the DirX Audit Manager Classic main page, click the History tab.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, enter Sedran Bill.

  • Click Search. There are two results available. Choose the first one, not the functional user entry.

  • The details page with the Attributes tab table opens for Sedran Bill.

  • On the Accounts tab, you can see that the Physical Access account for Sedran Bill was created.

  • Click the Roles tab and check that the Munich – Archive role was assigned manually.

  • Now click image11 next to the Munich – Archive role name to find the reason for the manual assignment. This action opens the Assignment cause tab, which displays the audit events that caused the selected privilege assignment.

  • The Assignment cause tab shows that the Request Add assignment was the causing event. Click image5 next to it to expand the related events and view the entire chain of events leading to the assignment of the privilege. You can also view the causes of other privileges, but the events for those privileges are not part of the sample data set, so you will not see any causing events for the other privileges of Sedran Bill.

  • Click the Events tab next to the Risks tab. Set From to 1/9/2022 and To to 31/10/2022.

  • You can see one event: Add Assignment of Sedran Bill to the role.

  • We can also view all events triggered by Sedran Bill. To do this step, switch the Search in selection box to Who.

  • Now you can see six events where Sedran Bill is the requester (initiator).
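The Assignment cause tab and the Who/What switch above are both walks over linked audit events. The following added example (not DirX code) shows the same two operations over a constructed event set: reconstructing the chain of causing events behind an Add Assignment back to the originating request, and filtering events by initiator (Who) or by object (What). The event schema, the caused_by link, the approver and workflow initiator names and all event records are assumptions made for this illustration; DirX Audit's real record layout is not shown on this page. The chain walk stops cleanly at a parent that is missing from the data set (the situation described for Sedran Bill's other privileges) and refuses to loop on a corrupted link cycle.

```python
"""Added example (not DirX code): reconstruct the cause chain behind a
privilege assignment and filter events by initiator or object.

The event schema (event_id, who, operation, what, caused_by) is an
assumption for this illustration; all sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AuditEvent:
    event_id: str
    when: str                        # ISO 8601 timestamp, sortable as text
    who: str                         # initiator of the operation
    operation: str
    what: str                        # object the operation acted on
    caused_by: Optional[str] = None  # event_id of the triggering event, if any


def index_by_id(events: List[AuditEvent]) -> Dict[str, AuditEvent]:
    return {e.event_id: e for e in events}


def cause_chain(events: List[AuditEvent], event_id: str) -> List[AuditEvent]:
    """Follow caused_by links from `event_id` back to the root cause.

    Returns the chain oldest-first. Stops at a parent that is absent from the
    data set (partial data) and raises on a cycle instead of looping forever.
    """
    by_id = index_by_id(events)
    chain: List[AuditEvent] = []
    seen = set()
    current = by_id.get(event_id)
    while current is not None:
        if current.event_id in seen:
            raise ValueError(f"cycle in caused_by links at {current.event_id}")
        seen.add(current.event_id)
        chain.append(current)
        current = by_id.get(current.caused_by) if current.caused_by else None
    chain.reverse()
    return chain


def root_cause(events: List[AuditEvent], event_id: str) -> Optional[AuditEvent]:
    chain = cause_chain(events, event_id)
    return chain[0] if chain else None


def events_where(events: List[AuditEvent], *, who: Optional[str] = None,
                 what: Optional[str] = None) -> List[AuditEvent]:
    """'Search in: Who' / 'Search in: What' filters, oldest first."""
    hits = [e for e in events
            if (who is None or e.who == who) and (what is None or e.what == what)]
    return sorted(hits, key=lambda e: e.when)


def links_are_acyclic(events: List[AuditEvent]) -> bool:
    """Integrity check on a data set: every event's cause chain terminates."""
    try:
        for e in events:
            cause_chain(events, e.event_id)
    except ValueError:
        return False
    return True


# Constructed sample events; approver and workflow initiator names are invented.
SAMPLE_EVENTS = [
    AuditEvent("ev-1", "2022-10-11T09:00:00", "Sedran Bill", "Request Add Assignment", "Role: Munich - Archive"),
    AuditEvent("ev-2", "2022-10-11T10:30:00", "Approver (constructed)", "Approve Request", "Role: Munich - Archive", caused_by="ev-1"),
    AuditEvent("ev-3", "2022-10-11T10:31:00", "Workflow (constructed)", "Add Assignment", "Role: Munich - Archive", caused_by="ev-2"),
    AuditEvent("ev-4", "2022-10-11T08:55:00", "Sedran Bill", "Login", "Web Center"),
    # Parent absent from the data set: the chain ends at this event.
    AuditEvent("ev-5", "2022-10-12T12:00:00", "Workflow (constructed)", "Add Assignment", "Role: Other", caused_by="ev-missing"),
]

# Constructed corrupted data: two events citing each other as cause.
CYCLE_EVENTS = [
    AuditEvent("c-1", "2022-10-01T00:00:00", "x", "A", "o", caused_by="c-2"),
    AuditEvent("c-2", "2022-10-01T00:00:01", "x", "B", "o", caused_by="c-1"),
]

if __name__ == "__main__":
    for e in cause_chain(SAMPLE_EVENTS, "ev-3"):
        print(e.when, e.who, e.operation, e.what)
    print("initiated by Sedran Bill:", [e.operation for e in events_where(SAMPLE_EVENTS, who="Sedran Bill")])
```

The root of the chain is the event whose initiator answers the auditor's "why was this assigned": here the Request Add Assignment by the user, not the Add Assignment written by the workflow. Running links_are_acyclic over an exported data set before relying on cause chains is a cheap guard against malformed link data.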

Investigating the Physical Access Assignment with Reports

Now we’ll set up and generate a report that shows the user-to-privilege assignment:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Add a new report set and give it a name (in Name) and a description (in Description).

  • Add a new report file and select Changes on User to Privilege Assignments by Privilege from the list of available reports.

  • The Report scope dialog opens for you to define the parameters of the report. In the When section, select Any time.

  • In the Privileges section, select Name in the first field (Identifying Attributes), insert Munich - Archive in the second field (Attribute Value) and then click Search. Check Munich - Archive and then click Add to move the attribute to the Selected table.

  • Click Finish to stop adding new reports to the file. Name the report file and select the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

Open the report attachment in the email you receive. You can see the list of users assigned to the selected privilege. In our example, only Sedran Bill is assigned. You can also check when the assignment was created, its outcome and the type of assignment.

Auditing Tickets

In the exercise described in the section "Working with Internal Tickets" in the DirX Identity Tutorial, a ticket for user attribute changes was created. The following change was processed:

  • Changing the Title attribute for Leo Kubalke with an internal ticket.

In this section, you’ll learn how to use DirX Audit Manager Classic to examine these tickets, including how to:

  • View audit events for a ticket in Audit analysis

  • Check the user modifications generated by the ticket in the History view

In this exercise, the auditor will want to know: What changes were triggered by tickets and when?

Auditing Tickets with the Audit analysis

To analyze the tickets with the Audit analysis:

  • In the DirX Audit Manager Classic main page, select the Audit analysis tab.

  • In Source, select DirX Identity.

  • In What Detail, enter Ticket (or %Ticket% if you have not enabled full text search in the Configuration Wizard).

  • Click Search. You can see two ticket audit events for Leo Kubalke. However, even when you click Show detail, you can’t identify the attribute change that was made by the ticket. To obtain this data, we’ll continue the analysis of these attribute changes with the History view.

Auditing Ticket-Generated Attribute Changes with the History View

Now we’ll use the History view to look at the user modifications made as a result of the ticket initiation:

  • In the DirX Audit Manager Classic main page, click the History tab. Alternatively, we could have used the link in the ticket event details to directly open the History details page of the user Kubalke.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, enter Kubalke.

  • Click Search. Because only one user with the name Kubalke was found, the details page for this user is opened and the Attributes tab table is displayed.

  • Change the comparison time point marker associated with the first column of data: click on the date in the column header marked as image12. Now change the date to 25/10/2022 12:00 AM.

  • Check Show changes only to display only those attributes that changed in the time range you selected. Apart from several changed risk attributes, you can see the line where the Title attribute changed from empty to Dr.
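The comparison-time-point control and Show changes only in the History view amount to rebuilding the object's attribute state at two points in time from its modification history and diffing the two states. The following added example (not DirX code) does this over a constructed attribute history; the record schema, the attribute names other than Title, and all values are assumptions made for this illustration. It covers two cases the page does not spell out: a change that happened before the comparison point is excluded from the diff, and an attribute that was added and removed again between the two points does not appear at all.

```python
"""Added example (not DirX code): rebuild an object's attribute state at two
time points from its modification history and report only what changed.

The history-record schema is an assumption for this illustration; all
records and attribute names other than Title are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HistoryRecord:
    obj: str                   # object the change belongs to
    when: str                  # ISO 8601 timestamp, sortable as text
    attribute: str
    new_value: Optional[str]   # None means the attribute was removed


def snapshot(history: List[HistoryRecord], obj: str, at: str) -> Dict[str, str]:
    """Replay all records for `obj` up to and including `at` into a state dict."""
    state: Dict[str, str] = {}
    relevant = [r for r in history if r.obj == obj and r.when <= at]
    for rec in sorted(relevant, key=lambda r: r.when):  # stable sort keeps record order for equal timestamps
        if rec.new_value is None:
            state.pop(rec.attribute, None)
        else:
            state[rec.attribute] = rec.new_value
    return state


def changes_between(history: List[HistoryRecord], obj: str, start: str,
                    end: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """'Show changes only': attribute -> (value at start, value at end) where they differ."""
    before = snapshot(history, obj, start)
    after = snapshot(history, obj, end)
    return {
        attr: (before.get(attr), after.get(attr))
        for attr in sorted(set(before) | set(after))
        if before.get(attr) != after.get(attr)
    }


# Constructed sample history for one user plus one unrelated object.
SAMPLE_HISTORY = [
    HistoryRecord("Kubalke Leo", "2022-09-01T10:00:00", "cn", "Kubalke Leo"),
    HistoryRecord("Kubalke Leo", "2022-09-01T10:00:00", "department", "Training"),
    # Changed before the comparison point: must not appear in the diff.
    HistoryRecord("Kubalke Leo", "2022-10-20T09:00:00", "department", "Sales"),
    # Ticket-driven change after the comparison point, plus a risk attribute (constructed name).
    HistoryRecord("Kubalke Leo", "2022-10-26T14:05:00", "title", "Dr."),
    HistoryRecord("Kubalke Leo", "2022-10-26T14:05:01", "riskScore", "low"),
    # Added and removed again inside the window: absent from both snapshots.
    HistoryRecord("Kubalke Leo", "2022-10-27T08:00:00", "temporaryFlag", "true"),
    HistoryRecord("Kubalke Leo", "2022-10-28T08:00:00", "temporaryFlag", None),
    # Another object: ignored when diffing Kubalke Leo.
    HistoryRecord("Other User", "2022-10-26T14:05:00", "title", "Prof."),
]

if __name__ == "__main__":
    diff = changes_between(SAMPLE_HISTORY, "Kubalke Leo", "2022-10-25T00:00:00", "2022-10-31T23:59:59")
    for attr, (old, new) in diff.items():
        print(f"{attr}: {old!r} -> {new!r}")
```

A two-point diff hides intermediate changes, as the temporaryFlag record shows; when the question is "what was ever set on this user in the window", list the raw records in that range instead of diffing snapshots.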

Analyzing Personas and Functional Users

In the exercises described in the sections "Managing Personas" and "Managing Functional Users" in the DirX Identity Tutorial, the following tasks were performed:

  • A new user Smith John was created.

  • Two personas for Smith John were created, with the suffixes Psn and EN-7716 P, by the user Taspatch Nik.

  • A new functional user Trainee for the Human Resources department was created for the user Berner Hans.

In this section, you’ll use DirX Audit Manager Classic’s History view to examine these changes. You’ll learn how to:

  • Analyze a persona with the History view

  • Analyze a functional user with the History view

This exercise will answer the auditor questions: What is the status of the persona created for Smith John? What properties does the functional user Trainee for the Human Resources department have?

Analyzing Personas with the History View

DirX Audit Manager Classic displays a persona as a user with specific attributes. To search the History database for the personas created for the user Smith John:

  • In the DirX Audit Manager Classic main page, click the History tab. Alternatively, you can click Switch to search form to return to the Search page if you are proceeding directly from the previous exercise with the History view.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, enter Smith.

  • Click Search. Four users are found with the name Smith. The users marked as Psn, EN-7716 P and EN-7716 Administrator P are personas. These suffixes were defined when the personas were created as part of the DirX Identity tutorial exercise.

  • Click image13 to open the details page for Smith John Psn.

  • In the Attributes tab, navigate to the second page of the attributes table. Here you can identify the persona object by the objectClass attribute value dxrPersona. The user for whom the persona was created is displayed as the value of the owner attribute.

Assessing Functional Users with the History View

You can analyze a functional user in the History view in much the same way as you did it for a persona:

  • In the DirX Audit Manager Classic main page, click the History tab. Alternatively, you can click Switch to search form to return to the Search page if you are proceeding directly from the previous exercise with the History view.

  • In Type, select User.

  • Click the Advanced Search icon image4.

  • In Name, enter Trainee.

  • Click Search. Four users are found with the name Trainee. All of them are functional users.

  • To verify your finding, click image13 to open the details page for one of these users.

  • In the Attributes tab, you can identify the functional user object by the objectClass attribute value dxrFunctionalUser.

Observing Web Center Logins

During the course of following the DirX Identity tutorial exercises, several different users logged in and out of the DirX Identity Web Center application. These events are logged and stored in the DirX Audit database.

This exercise demonstrates how to use DirX Audit to audit these logins. You’ll learn how to:

  • View login activity with the Dashboard view and with Audit analysis

  • Set up and run reports that show information about separate login actions and an overview of succeeded and failed logins

In this exercise, the auditor will want to know: How many logins into the audited DirX Identity Web Center application were there? Who logged in and when? How many login failures were there? Do users mostly log out manually or are they logged out due to the session timeout? What authentication types are used for logging in?

Observing Login Activity with the Dashboard View

To view the logins and logouts overview in the Dashboard view:

  • In the DirX Audit Manager Classic main page, select the Dashboard tab, if not already selected.

  • Examine the Authentication succeeded and failed audit events by month component.

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • In When, select Any time.

  • Click OK. The chart is recalculated. You can see the logins aggregated per month and divided into succeeded and failed.

Next, change the component’s dimensions to view the data aggregated by day and show only the failed logins:

  • Click image1 to open the Edit component dialog.

  • Click the Data tab if it’s not already selected.

  • Change Facts to Failed and change Dimensions to Day.

  • Click OK. The chart is recalculated.

Now drill down into the data so that you can see the user name and the What details column:

  • Drill down to the Failed logins for 24/10/2022. There is a list of two (2) failed logins where the What detail column contains the text The user credentials could not be validated by DirX Identity. These messages originated when the authentication server was offline.

  • Click image2 to return to the Dashboard view.
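Every Dashboard procedure in this chapter uses the same four controls of the Edit component dialog: Dimensions (the group-by keys, such as Month or Day and Entry type or What-Type), Facts (which events count, such as Failed), a Dimension filter (one dimension restricted to one value, such as Target System = New-LDAP or Operation = Add Assignment) and a drill-down from a bar to the events behind it. The following added example (not DirX code) implements that aggregation over constructed login events so the semantics of each control are explicit; the event schema and user names are assumptions made for this illustration, and the failure text is the one shown in the drill-down above.

```python
"""Added example (not DirX code): the Dashboard's Edit component controls as
code. Dimensions are group-by keys, Facts select which events count, a
Dimension filter restricts the data to one value of a dimension, and
drill-down returns the raw events behind one chart bar. The login events
below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuditEvent:
    when: str            # ISO 8601 timestamp, sortable as text
    who: str
    operation: str       # e.g. "Login", "Logout"
    outcome: str         # "succeeded" or "failed"
    what_detail: str = ""


Dimension = Callable[[AuditEvent], str]
Fact = Callable[[AuditEvent], bool]


# Dimensions: functions that put an event into a bucket.
def month(e: AuditEvent) -> str: return e.when[:7]
def day(e: AuditEvent) -> str: return e.when[:10]
def outcome(e: AuditEvent) -> str: return e.outcome
def who(e: AuditEvent) -> str: return e.who
def operation(e: AuditEvent) -> str: return e.operation


# Facts: which events are counted.
def all_events(e: AuditEvent) -> bool: return True
def failed_only(e: AuditEvent) -> bool: return e.outcome == "failed"


def _selected(events: Iterable[AuditEvent], fact: Fact,
              dimension_filter: Optional[Tuple[Dimension, str]]) -> Iterable[AuditEvent]:
    """Apply the Dimension filter (a (dimension, value) pair) and then the Fact."""
    for e in events:
        if dimension_filter is not None and dimension_filter[0](e) != dimension_filter[1]:
            continue
        if fact(e):
            yield e


def pivot(events: List[AuditEvent], dimensions: Tuple[Dimension, ...],
          fact: Fact = all_events,
          dimension_filter: Optional[Tuple[Dimension, str]] = None) -> Dict[Tuple[str, ...], int]:
    """Count selected events per combination of dimension values (one entry per chart bar)."""
    counts = Counter(tuple(d(e) for d in dimensions)
                     for e in _selected(events, fact, dimension_filter))
    return dict(sorted(counts.items()))


def drill_down(events: List[AuditEvent], dimensions: Tuple[Dimension, ...],
               key: Tuple[str, ...], fact: Fact = all_events,
               dimension_filter: Optional[Tuple[Dimension, str]] = None) -> List[AuditEvent]:
    """The raw events behind one bar, oldest first."""
    hits = [e for e in _selected(events, fact, dimension_filter)
            if tuple(d(e) for d in dimensions) == tuple(key)]
    return sorted(hits, key=lambda e: e.when)


# Constructed sample events; user names are invented.
UNVALIDATED = "The user credentials could not be validated by DirX Identity"
SAMPLE_EVENTS = [
    AuditEvent("2022-10-12T08:00:00", "user-a", "Login", "succeeded"),
    AuditEvent("2022-10-12T08:01:30", "user-b", "Login", "failed", "Wrong password (constructed)"),
    AuditEvent("2022-10-13T09:15:00", "user-c", "Login", "succeeded"),
    AuditEvent("2022-10-24T09:10:00", "user-a", "Login", "failed", UNVALIDATED),
    AuditEvent("2022-10-24T09:12:00", "user-b", "Login", "failed", UNVALIDATED),
    AuditEvent("2022-10-24T09:40:00", "user-a", "Login", "succeeded"),
    AuditEvent("2022-10-24T10:00:00", "user-a", "Logout", "succeeded"),
]

if __name__ == "__main__":
    # "Authentication succeeded and failed audit events by month", Login operations only
    print(pivot(SAMPLE_EVENTS, (month, outcome), dimension_filter=(operation, "Login")))
    # Facts = Failed, Dimensions = Day, then drill down into 24/10/2022
    print(pivot(SAMPLE_EVENTS, (day,), fact=failed_only, dimension_filter=(operation, "Login")))
    for e in drill_down(SAMPLE_EVENTS, (day,), ("2022-10-24",), fact=failed_only):
        print(e.when, e.who, e.what_detail)
```

The same pivot reproduces the other Dashboard components on this page by swapping the dimension functions and the filter value, for instance (month, entry type) with a filter on Entry type = Permission, or (month, operation) with a filter on Target System = New-LDAP. Keeping the Fact separate from the Dimension filter matters: Failed narrows what is counted, while the filter narrows which events are in scope at all, so the two compose without double counting.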

Observing Login Activity with the Audit analysis

The Dashboard component and the Audit analysis both provide overviews of login and logout events. We can also use the Audit analysis to look at the individual authentication events:

  • In the DirX Audit Manager Classic main page, select the Audit analysis tab.

  • In Source, select DirX Identity.

  • In Operation, select Login.

  • Click Search. You can see login events from various users, both successful and failed.

  • In Operation, select Logout and then click Search. In the list, you can see all recorded logout actions, all of which were successful. All the sample logouts originate from manually logging out when performing the DirX Identity tutorial exercises.

You can also use Audit analysis to view both login and logout operations together:

  • In Operation, click the Switch to text input button next to the Operation field, type Log and ignore the Login and Logout suggestions, so that the search matches both operations.

  • Click Search. You now have the complete list of all login and logout actions.

  • Change Items per page to 20 to get more events into one page.

  • You can order the events according to When, Operation, Outcome or Who by clicking the respective column header.

Observing Login Activity with Reports

We’ll use two different reports to view the Identity Web Center application login activity generated by running the DirX Identity tutorial exercises. The first report with the Failed only option can provide a regular overview of login failures.

First, we’ll set up and run the logins report:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Add a new report set and then name it and describe it in Name and Description.

  • Add a new report file and then select Total Sum of Logins from the list of available reports.

  • The Report scope dialog opens for you to define the report’s parameters. In the When section, select Any time.

  • In the Source section, Name is already selected in the first field (Identifying Attributes); click Search. Check DirX Identity and then click Add to copy it to the Selected table.

  • Leave the default Failed only option checked.

  • Click Finish to stop adding new reports to the file. Name the report file and select the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

Open the report attachment in the email you receive. You can see a list of failed logins grouped by users since we left the default Failed only option checked.

Now we’ll set up and run the Total Sum of Logins by Date and Authentication Type report:

  • In the DirX Audit Manager Classic main page, click the Reports tab.

  • Either edit the report set you just created or create a new one.

  • Add a new report file and then select Total Sum of Logins by Date and Authentication Type from the list of available reports.

  • The Report scope dialog opens for you to define the report’s parameters. In the When section, select Any time.

  • In the Source section, Name is already selected in the first field (Identifying Attributes); click Search. Check DirX Identity and then click Add to copy it to the Selected table.

  • Click Finish to stop adding new reports to the file. Name the report file and select the format.

  • Click OK. The report file is inserted into the report set and is displayed in the file list.

  • In the Schedule tab, set the report set’s schedule to run As soon as possible and check No end time.

  • In the Send to tab, enter your email address.

  • Activate the report and then click Save.

Open the report attachment in the email you receive. You can see a list of logins grouped by days. There are only manual logins originating from Identity Web Center. At the end of the report, there is a chart with a graphical representation of logins per day and the respective authentication type.

You can also try other login reports; for example, Total sum of logins by authentication method and Total sum of logins by authentication method type both in the "by day" and "by month" version.