
Change Auditor 7.0.3 - User Guide


Introduction

Role-based access control allows you to assign users/groups to roles based on their job functions and grant these roles permissions to perform related tasks. Role-based access control is broken down into the following entities to define ‘who can do what’:

Authorization for using the different features is defined using the Application User Interface Authorization page. From the Administration tab, you can add new task and role definitions or delete user-defined roles and tasks that are no longer required.

By default, the following roles and tasks are defined; therefore, no action is required on your part to start using the client:

During installation, you added user accounts to the Change Auditor security groups (ChangeAuditor Administrators - <InstallationName> and ChangeAuditor Operators - <InstallationName>). These security groups are automatically added as members of the appropriate role (Administrator Role and Operator Role). If applicable, during the web client installation, you may have also added user accounts to the ChangeAuditor Web Shared Overview Users security group. This additional security group is added as a member to the Web Client Shared Overviews role.

Using the AD Protection role and task, administrators can specify who is authorized to view protection definitions for Active Directory and Group Policy objects. Using the Restore Value task, administrators can enable and disable the ability to restore values when viewing events in the Event Details pane. See the Quest Change Auditor for Active Directory User Guide for information on restricting access to specific domains and organizational units and restoring values.

Application User Interface Authorization page

The Application User Interface Authorization page is displayed when Application User Interface is selected from the Configuration task list in the navigation pane of the Administration Tasks tab.

From this page, you can define who is authorized to perform the different operations available in the Change Auditor client, including performing the administrative tasks listed on the Administration Tasks tab and defining search criteria.

The Application User Interface Authorization page contains an expandable view of the role and task definitions which define role-based access. To add a role or task, use the appropriate Add tool bar command: Add | Add Role Definition or Add | Add Task Definition.

Once added, the following information is provided for each definition:

Click the expansion box to the left of a Role Definition to expand this view and display the following details:

Add task definition

A task is a collection of operations and sometimes lower-level tasks that can be performed.

2. Select Application User Interface in the Configuration task list to open the Application User Interface Authorization page.
3. Expand Add and click Add Task Definition.
To add a lower-level task, click Add Task and select a task from the Authorizations: Task Definitions dialog.
To add an operation, click Add Operation and select one or more operations from the Authorizations: Operations dialog.
6. Click OK to save your new task definition and close the Authorizations: Task dialog.

Add role definition

A role definition defines who is authorized to perform specific tasks and/or individual operations in the client. A role usually corresponds to a job function or responsibility and consists of a collection of tasks that a user must be authorized to perform to do their job function.

2. Select Add | Add Role Definition.
To add a role, click Add Role and select a role from the Authorizations: Role Definitions dialog.
To add a task, click Add Task and select a task from the Authorizations: Task Definitions dialog.
To add an operation, click Add Operation and select one or more operations from the Authorizations: Operations dialog.
To add an application group, click Add Application Group and select an application group from the Authorizations: Application Groups dialog.
To add a user or group, click Add User or Group, which will display the Select one or more Directory Objects dialog. Use the Browse page or Search page to locate and select the user and/or group accounts to add.
6. Click OK to save your new role definition and close the Authorizations: Role dialog.
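
Because tasks can contain lower-level tasks and roles can contain other roles, the operations an account ends up with are not visible from a single definition. The following is an added example for reviewing that, not code from Change Auditor: it models the task and role definitions described above and flattens them, assuming a nested role passes on everything it grants. All task, role, operation and account names are constructed.

```python
# Constructed data: task, role, operation and account names are illustrative.
# task name -> (operations, lower-level tasks)
TASKS = {
    "View Events": ({"event.read"}, []),
    "Manage Searches": ({"search.create", "search.delete"}, ["View Events"]),
    "Restore Values": ({"value.restore"}, ["View Events"]),
}
# role name -> nested roles, tasks, direct operations, member users/groups
ROLES = {
    "Reviewer": {"roles": [], "tasks": ["Manage Searches"],
                 "operations": set(), "members": {"Audit Reviewers"}},
    "Recovery": {"roles": ["Reviewer"], "tasks": ["Restore Values"],
                 "operations": {"report.run"}, "members": {"alice"}},
}

def task_operations(name, tasks=TASKS, _seen=None):
    """Flatten a task and its lower-level tasks into a set of operations."""
    seen = set() if _seen is None else _seen
    if name in seen:          # already expanded, or a circular reference
        return set()
    seen.add(name)
    ops, lower = tasks[name]
    result = set(ops)
    for child in lower:
        result |= task_operations(child, tasks, seen)
    return result

def role_operations(name, roles=ROLES, tasks=TASKS, _seen=None):
    """Flatten a role: direct operations, its tasks, and nested roles."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    role = roles[name]
    result = set(role["operations"])
    for task in role["tasks"]:
        result |= task_operations(task, tasks)
    for nested in role["roles"]:
        result |= role_operations(nested, roles, tasks, seen)
    return result

def effective_operations(identities, roles=ROLES, tasks=TASKS):
    """Map each operation an account holds to the roles that grant it.

    identities: the account name plus every group it is a member of.
    """
    granted = {}
    for name, role in roles.items():
        if role["members"] & set(identities):
            for op in role_operations(name, roles, tasks):
                granted.setdefault(op, set()).add(name)
    return granted
```

Calling effective_operations({"alice"}) shows that membership in the constructed Recovery role also carries the search operations inherited through the nested Reviewer role, which is the kind of indirect grant to check before adding a user or group to a role.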