Previous Topic: Step 3: Create Win-Admin System Access Policy

Next Topic: Step 5: Log on as Win-Admin User

Step 4: Create Win-Admin Data Access Filter

Step 3 restricts the Win-Admin user to viewing system access reports. This level of access allows the Win-Admin user to view system access reports across all four regions of the ABC company.

Step 4 creates an access filter to limit the data the Win-Admin user can view to the system access reports for the Houston domain controller.

Creating a data access filter begins with specifying its name. The name used in this scenario is Win-Admin Data Access.

Enter the filter name in the Name field.

You specify the identities to which the access filter applies in the Identities area. A filter can apply to users or groups. In this scenario, this access filter applies only to the Win-Admin user.

Since this filter applies to one person, only one identify is selected.

For Access Filters, you define each condition in terms of the value for a CEG column. Values following the LIKE operator can contain either of the following wildcard characters:

The first filter for this scenario takes advantage of the fact that all Windows events are prefixed with NT-. To limit the data to Windows events, you can specify that the event_logname CEG column must have data that includes the string NT-%. To further limit Windows events to those from a specific domain controller, this example specifies that event_source_hostname must have data that includes a string using local conventions. The value ABC-HOU-WDC% is based on a naming convention of a hyphenated name composed of abbreviations for the company, the region, and the prefix for the domain controller type.

The advanced filter example includes two comparisons which both must evaluate to true.

Note: In the absence of event sources with a standardized naming convention, you can create a keyed values list with the desired event_source_hostnames and use the keyed values list name as the value.

When there are only two filters and the logic is AND, parentheses are not required. If you enter a complex expression, such as the following, parentheses are required.

(event_logname like NT-% 
And event_source_hostname=ABC-%) 
Or (event_logname like CALM-% 
And event_source_hostname=XYZ-%)

When you save a data access filter, its name is displayed in the access filter list.

The Access Filter List displays the names of the access filters you create.

A search for policies matching the Win-Admin user name displays the three policies for All Identities plus another three: the CALM Application access policy where Win-Admin was added, the Win-Admin System Access policy created from scratch, and the data policy that is added automatically when you define an access filter. The data policy is listed first in the following. You can also view it under Obligation policies. You never create Obligation policies directly with CA Enterprise Log Manager.

Access policies that apply to the Win-Admin identity are displayed.

More information:

Create an Access Filter