So, been getting repeated ongoing asks from our Compliance Team, and this is their ask: for a specific Managed Account, produce a report of every user that can access that credential? Anyone ever been able to pull that off? Using Analytics would be fine, just have not been able to find a report like that.
Question
Thinking I may need a DB Query.....
You can make use of the Analytics reporting → Password and Session Activity and select the appropriate Smart Group and filter based on the Account Name Contains which would be your specific Managed Account you’re trying to find.
If you want to know who CAN access an account, you can also run the BeyondInsight Entitlement by Group. Then you will need to cross reference each group with each account maybe? I’d have to look and see if there is a report for that but what I would do is, have the auditor pick a group and I’d show them what accounts belong to the group. I also use a naming convention to simplify it.
Group Name: 03-Map-AD-XXXXX-Service-Accounts>>Clearpass for instance.
I took a deeper look into this and yes, you can provide all of the smart groups tied to an account and who has access to them. Run the Entitlement by Group report. For the group, you should have an idea of who has access to the account so you can get the group. If your naming convention is solid, this will be easy.
For my clearpass example, I am looking for the Clearpass group. I name local groups after the smart rule to make it real easy.
Now I can see which members of the group has access to the accounts in the smart rule and at what level. The two users here have both credentials manager and requestor.
To show the auditors if some other smart rule can be mapped to get these creds, I would show them the smart rules listed on the account and explain them all and I would run a report for all of the custom rules to show them as unassigned.
This should be enough to satisfy just about any auditor.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.