Previous Topic: Policy AdministrationNext Topic: Control

Viewing Security Object Data in the InvestigatorSecurity EventsMiscellaneous Administration

Miscellaneous Administration

The Investigator displays the following searchable miscellaneous administration event records. For example, for CA Top Secret you can see a record based on an ADDTO command for a Field Descriptor Table (FDT) ACID. For CA ACF2, you can see a record for a DELETE command for Infostorage records, except against user profile and resource or database rules.

Successful Other Administration

Includes a record for each time a miscellaneous entity is modified. This record is only generated for entities which are not objects, user accounts, or policies.

Event Code: 51

Other Administration Violation

Includes a record for each time a user tries to modify a miscellaneous entity but is denied. This record is generated only for entities which are not objects, user accounts, or policies.

Event Code: 52

Note: For a comprehensive list of security events and the event triggers, see the security events chapter in your external security manager documentation.

Example: Identify why a new user has access to an RDT in CA Top Secret

All new employees are given limited security system access until they complete mandatory training. One of your new administrators tells you that they were allowed to change the resource descriptor table (RDT). The RDT is a reserved ACID that contains predefined resources classes, such as VOLUME, DATASET, and TERMINAL, and user-defined resource classes. You want to know who gave the new employee this level of access, when, and why. If the company protocol remains the same as you understand, this access must be revoked, but you want to research the details first.

  1. Add the Investigator module to your dashboard, and click Start New Investigation.
  2. Select Security from the drop-down list.
  3. Select Events, Misc Administration from the folder list.
  4. Click View Filter (magnifying glass icon).
  5. Filter the data:
    1. Select Event Category Description from the first drop-down list from the center pane.
    2. Select contains from the second drop-down, and type Successful Other Administration.
    3. Click the plus icon.
    4. Select AND from the first drop-down list.
    5. Select Event System ID from the second drop-down list from the center pane.
    6. Select contains from the third drop-down list, and type the system ID.
    7. Specify a start and end date and time from the present until the first day for the employee.
    8. Click Search.

    All successful events appear. Use the actions pane to drill further into each record to determine who granted the access and when.