Managing Audit Roles

By default, each installation automatically has a Master Auditor role that has access to all audit data. The Master Auditor can read, replay, update review status, and delete all audit sessions in the installation. You cannot delete or change the permissions for the Master Auditor role itself. You can change the users or groups who are assigned to the Master Auditor role and the permissions granted to each role member, but you cannot make any other changes to this role. You can, however, create your own custom audit roles for the installation.

Creating Custom Audit Roles

Audit roles allow specific auditors to search and replay specific sessions, review specific events, or generate reports using the Audit Analyzer console based on the criteria you define. Each role specifies the criteria to use, the users and groups that are assigned to the role, and the specific permissions those users and groups have been granted.

For example, you might specify the criteria for filtering sessions to be only the session activity recorded on a particular audited computer or all UNIX sessions recorded after a specific date and time.

The collection of auditors is identified by specifying either explicit auditors, or an Active Directory group of auditors. Using Active Directory groups is recommended because this puts all of a user's privileges under the common Active Directory infrastructure.

For each audit role, you can also configure the specific permissions granted to each member of the role. For example, some audit roles might permit auditors to read and replay sessions but not update the status, add review comments, or delete the sessions to which they have access.

To create and assign audit roles:

  1. Open Audit Manager and expand the audit installation to which you are connected.

  2. Select Audit Roles, right-click, then select Add Audit Role.

  3. Type a name and, optionally, a description of the audit role, then click Next.

  4. Select the type of sessions—UNIX sessions, Windows sessions, or both UNIX and Windows sessions—to include for auditors assigned to this audit role, then click Add to specify filtering criteria for the role.

  5. Select an attribute for filtering information from the list of Attributes.

    For example, you can match sessions based on the period of time in which they were active, based on a specific state, or based on Active Directory group membership. You can also match sessions based on the specific activity that took place during the session. For example, you can find sessions where specific UNIX commands or Windows applications were used.

  6. Select the appropriate criteria for the attribute you have selected, then click OK.

    The specific selections you can make depend on the attribute selected. For example, if the attribute is Review Status, you can choose between “Equals” and “Not equals” and the specific review status you want to find, such as “To be Reviewed.” If you select the attribute Comment, you can specify “Contains any of” and type the text string that you want to find any part of. If you select the attribute Group, you can select “Is (exactly)” and the user principal name (UPN) of an Active Directory group, such as adm-sf@acme.com.

    You can specify multiple attributes by clicking Add and selecting additional attributes and criteria. You can test the filtering criteria you have added by clicking Execute Query and examining the results. When you have finished adding filters, click Next.

  7. Select the privileges for the audit role, then click Next.

  8. Review your settings for the audit role, click Next, then click Finish.

    You can assign users and groups to the audit role immediately by running the Assign users and Groups wizard or at a later time by right-clicking on the role name.

  9. Type all or part of a name to search for, then select the Active Directory users and groups to assign to the audit role.

Changing Audit Role Properties

After creating an audit role, you can modify its properties.

To change properties for an audit role:

  1. Open Audit Manager and expand the audit installation to which you are connected.

  2. Expand Audit Roles, select an audit role name and right-click, then select Properties.

  3. Click the General tab to change the name or description of an audit role.

  4. Click the Access tab to change the filtering attributes and criteria for an audit role.

  5. Click the Privilege tab to change what members of the audit role can do with the sessions matching the criteria you specify.

  6. Click the Security tab to change permissions for the audit role itself.

    For example, to allow another user or group to change role membership for an audit role, you would click Security, then click Add to search for and select a user or group, then select the Change Role Membership permission to allow the selected user or group to modify the membership of the audit role.

Granting Permissions to Manage Audit Roles

Anyone you assign the Manage Audit Roles permission on an installation has full control over all of the audit roles for that installation. After you grant users or groups the Manage Audit Roles permission, they can create and remove roles, change the filtering criteria, modify audit role permissions for other users and groups, and select the users or groups who are assigned to the role.

The following examples illustrate how users or groups granted the Manage Audit Roles permission might modify the audit roles for an installation:

  • Assign the Master Auditor role to other users and groups.
  • Create a UNIX Session Viewer role for UNIX auditors that allows them to view (read), but not replay, update, or delete, all UNIX sessions in the installation.
  • Create a Finance Managers role that includes both UNIX and Windows sessions filtered by the Active Directory group Finance Operators, so that users assigned to the Finance Managers audit role can read, replay, update, and delete all of the session activity generated by members of the Finance Operators group, but no other groups.
  • Create an audit role that enables investigators who are assigned to the role to read and replay only the activity captured when a specific command or application is used.

These are only a few examples of how you can use the Manage Audit Roles permission to define filtering criteria and privileges that control what different users or groups who are assigned to audit roles can see and do.
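
The role examples above can be modeled to review what each auditor can actually do, and in particular which roles can delete recorded sessions. This is an added example, not code from the product: the data model, the member names, the sample sessions, and the rule that privileges from several matching roles are combined are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Privilege names follow the page's wording; the data model is an assumption.
READ, REPLAY, UPDATE, DELETE = "read", "replay", "update", "delete"
ALL = frozenset({READ, REPLAY, UPDATE, DELETE})

@dataclass(frozen=True)
class Session:
    sid: str
    platform: str                # "unix" or "windows"
    user_groups: frozenset       # AD groups of the audited user

@dataclass(frozen=True)
class AuditRole:
    name: str
    platforms: frozenset         # session types the role includes
    group_filter: Optional[str]  # "Group Is (exactly)" criterion; None = unfiltered
    privileges: frozenset
    members: frozenset           # AD users or groups assigned to the role

    def matches(self, s: Session) -> bool:
        if s.platform not in self.platforms:
            return False
        return self.group_filter is None or self.group_filter in s.user_groups

def effective_privileges(principals, roles, session):
    """Assumed semantics: union over every matching role the auditor holds."""
    granted = set()
    for role in roles:
        if role.members & set(principals) and role.matches(session):
            granted |= role.privileges
    return granted

def roles_granting(privilege, roles):
    """Review helper: names of roles whose members hold the given privilege."""
    return sorted(r.name for r in roles if privilege in r.privileges)

BOTH = frozenset({"unix", "windows"})
# Constructed role set mirroring the examples above; member names are invented.
ROLES = [
    AuditRole("Master Auditor", BOTH, None, ALL, frozenset({"audit-admins"})),
    AuditRole("UNIX Session Viewer", frozenset({"unix"}), None,
              frozenset({READ}), frozenset({"unix-auditors"})),
    AuditRole("Finance Managers", BOTH, "Finance Operators", ALL,
              frozenset({"finance-managers"})),
]
# Constructed sample sessions.
S_FIN = Session("s1", "unix", frozenset({"Finance Operators"}))
S_IT = Session("s2", "windows", frozenset({"IT Operations"}))
```

Calling roles_granting(DELETE, ROLES) lists the roles whose members can remove audit evidence, which is the set to keep smallest when assigning privileges.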