Chat now with support
Chat with Support

Change Auditor 7.3 - User Guide

Change Auditor Overview Agent Deployment Change Auditor Client Overview Overview Page Searches Search Results and Event Details Custom Searches and Search Properties Enable Alert Notifications Administration Tasks Agent Configurations Coordinator Configuration Purging and Archiving your Change Auditor Database Disable Private Alerts and Reports Generate and Schedule Reports SQL Reporting Services Configuration Change Auditor User Interface Authorization Client Authentication Certificate authentication for client coordinator communication Integrating with On Demand Audit Enable/Disable Event Auditing Account Exclusion Registry Auditing Service Auditing Agent Statistics and Logs Coordinator Statistics and Logs Change Auditor Commands Change Auditor Email Tags

Introduction

Role-based access control allows you to assign users/groups to roles based on their job functions and grant these roles permissions to perform related tasks. Role-based access control is broken down into the following entities to define ‘who can do what’:
Operation: a single action that users need to be granted rights to perform
Task: a collection of logically related operations
Role: a logical group of users and the tasks they are allowed to perform

Authorization for using the different features is defined using the Application User Interface Authorization page. From the Administration tab, you can add new task and role definitions or delete user-defined roles and tasks that are no longer required.

By default, the following roles and tasks are defined; therefore, no action is required on your part to start using the client:
AD Protection Role - has access to view Active Directory and Group Policy protection
Administrator Role - has full administrator privileges with access to all aspects of the client, web client and deployment of agents
Operator Role - has only operator privileges with limited access to the client (e.g. these users can define and run searches, but they cannot access the Administration, Statistics or Deployment pages) and access to perform all tasks except the administration functions in the web client
Web Client Shared Overviews Role - has view access to the web client shared overviews; while restricting access to only what has been shared
AD Protection Task - grants access to Active Directory and Group Policy protection tasks
Administrator Task - grants full administrator access
Operator Task - grants operator access only
Restore Value Task - allow use of the Restore Value button in the Event Details pane.
Web Client Shared Overviews Task - grants view access to web client’s shared overviews

During installation, you added user accounts to the Change Auditor security groups (ChangeAuditor Administrators - <InstallationName> and ChangeAuditor Operators - <InstallationName>). These security groups are automatically added as members of the appropriate role (Administrator Role and Operator Role). If applicable, during the web client installation, you may have also added user accounts to the ChangeAuditor Web Shared Overview Users security group. This additional security group is added as a member to the Web Client Shared Overviews role.

* 
NOTE: The Administrator, Operator and Web Client Shared Overviews roles and tasks cannot be removed, renamed or edited.

Using the AD Protection role and task, administrators can specify who is authorized to view protection definitions for Active Directory and Group Policy objects. Using the Restore Value task, administrators can enable and disable the ability to restore values when viewing events in the Event Details pane. See the Quest Change Auditor for Active Directory User Guide for information on restricting access to specific domains and organizational units and restoring values.

Application User Interface Authorization page

The Application User Interface Authorization page is displayed when Application User Interface is selected from the Configuration task list in the navigation pane of the Administration Tasks tab.

From this page, you can define who is authorized to perform the different operations available in the Change Auditor client, including performing the administrative tasks listed on the Administration Tasks tab and defining search criteria.

The Application User Interface Authorization page contains an expandable view of the role and task definitions which define role-based access. To add a role or task, use the appropriate Add tool bar command: Add | Add Role Definition or Add | Add Task Definition.

Once added, the following information is provided for each definition:

Name
Displays the name assigned to the role or task definition when it was created.
Type
Indicates the type of definition:
Role
Task
Description
Displays the description entered when the role or task definition was created.
 

Click the expansion box to the left of a Role Definition to expand this view and display the following details:

Member
Displays the user and group accounts that are assigned as members of the selected role.
Type
Indicates the type of account in the selected role:
Group
User
Application Group
Description
Displays the description from the Members tab of the Authorization Role dialog when the role was created.
* 
NOTE: The cells directly under the main heading rows are used for filtering data. That is, as you enter characters into these cells, the client will redisplay the roles or tasks that meet the search criteria (i.e., comparison operator and characters entered). For more details about using the data filtering function provided throughout the Change Auditor client, see Filter data.

Add task definition

A task is a collection of operations and sometimes lower-level tasks that can be performed.

1
Open the Administration Tasks tab and click Configuration.
2
Select Application User Interface in the Configuration task list to open the Application User Interface Authorization page.
3
Expand Add and click Add Task Definition.
4
On the Task page of the Authorizations: Task dialog, enter the following information:
Name: Enter a name for the task
Description: Enter a brief description of the task
5
Open the Definition tab and add the operations and lower-level tasks that can be performed:
To add a lower-level task, click Add Task and select a task from the Authorizations: Task Definitions dialog.
To add an operation, click Add Operation and select one or more operations from the Authorizations: Operations dialog.
6
Click OK to save your new task definition and close the Authorizations: Task dialog.
This task will now be included in the task list on the Authorizations: Task Definitions dialog and can be included in a role definition.
Task definitions are also listed on the Application User Interface Authorization page.

Add role definition

A role definition defines who is authorized to perform specific tasks and/or individual operations in the client. A role usually corresponds to a job function or responsibility and consists of a collection of tasks that a user must be authorized to perform to do their job function.

1
Open the Application User Interface Authorization page.
2
Select Add | Add Role Definition.
3
On the Authorizations: Role dialog, enter the following on the Role tab:
Name: Enter a name for the role
Description: Enter a brief description of the role
4
Open the Definition tab to add a role, task or operation to this role:
To add a role, click Add Role and select a role from the Authorizations: Role Definitions dialog.
To add a task, click Add Task and select a task from the Authorizations: Task Definitions dialog.
To add an operation, click Add Operation and select one or more operations from the Authorizations: Operations dialog.
5
Open the Members tab to add a user, group or application group to this role.
To add an application group, click Add Application Groupn and select an application group from the Authorizations: Application Groups dialog.
To add a user or group, click Add User or Group, which will display the Select one or more Directory Objects dialog. Use the Browse page or Search page to locate and select the user and/or group accounts to add.
* 
NOTE: If a user or group account is added to multiple access roles, the account will have the authority to perform the operations defined in the more authoritative role.
6
Click OK to save your new role definition and close the Authorizations: Role dialog.
Role definitions are displayed on the Application User Interface Authorization page.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating