Administration Guide › User Accounts

User Accounts

This section contains the following topics:

Self-Administration Tasks

Tasks Associated with Roles

How to Configure Accounts with Out-of-the-Box Settings

Create a Global Group

Create a Global User

Assign a Role to a Global User

How to Manage Referenced User Accounts

User Activation Guidelines

Edit a User Account

Reset a User Password

Delete a User Account

Self-Administration Tasks

Users with access to CA User Activity Reporting Module can change their own passwords and unlock a locked user account if the configured user store is the default, the CA User Activity Reporting Module user store.

When the Administrator creates a new user account, a new password is assigned. The user changes that password during the first login session to a new password that conforms to the password policies for whether a password matching the username is permitted, minimum and maximum length, maximum number of repeating characters, and minimum number of numeric characters. It is the user's responsibility to change passwords within the frequency range specified by the password policies related to minimum and maximum password age.

Individual users administer their own accounts in the following ways:

• Change passwords in a manner consistent with password policies
• Unlock user accounts that have been locked, if permitted by the related password policy

Unlock a User Account

You can unlock a locked user account regardless of your role, if permitted by the password policy. When your account becomes locked, another user must unlock it so you can have access to the privileges granted to your role.

Locks and unlocks are controlled by the following two password policies:

• Lock user account after <n> failed logins
• Allow users to unlock passwords

User accounts can become locked if the password policy is set to lock user accounts after a certain number of failed logins and the user logs in with invalid credentials a number of times that exceeds the specified threshold.

Any user can unlock the account of another user if the password policy to allow users to unlock passwords is set. You need the user's password to unlock that user account.

To unlock a user account

1. Click the Administration tab and the User and Access Management subtab.
2. Click Unlock User on the left pane.
3. Enter the user name and password, and then click Unlock.

   The user account is unlocked.

Change Your Password

You can change your own password, regardless of your role. If the password policy for maximum password age is set, you should change your password with a frequency consistent with that policy.

Be sure to change your password as soon as possible in the following cases:

• If you give someone your password for the purpose of unlocking your account
• If you forget your password and the Administrator resets it for you

To change your password

1. Click the Administration tab and the User and Access Management subtab.
2. Click Change Password on the left pane.
3. Enter your old password.
4. Enter your new password twice.
5. Click OK.

Tasks Associated with Roles

Administrators assign roles to users based on the tasks they are to perform. You can assign users the predefined roles of Auditor, Analyst, and Administrator or to custom roles you create. To evaluate the impact of using predefined roles, review the tasks associated with each role.

Auditor Tasks

Internal Auditors can perform tasks such as the following:

• Search for and select a query and view query results
• For a selected query result row, run an event/alert output process that is configured in CA IT PAM
• View current reports
• Schedule reports
• View the scheduled report job list
• View the generated report list
• View and annotate generated reports
• Set filters and profiles

You can assign the low-privileged role of Auditor when you create user accounts for third-party personal. For example, when a scheduled alert runs an event/alert output process at the query level, the alert sends a URL to CA User Activity Reporting Module that is appended to the description. For the third-party personnel to be able to browse to CA User Activity Reporting Module, they need user accounts.

Note: Analysts and Administrators can perform all Auditor tasks and their role-specific tasks.

External Auditors who are given temporary access to the CA User Activity Reporting Module for the period of the site audit can verify compliance to standards in areas such as the following:

• Verify that logs are collected from the expected sources.
• Verify that procedures are in place for preventing data loss. For example, verify that data is backed up frequently enough that nothing is missed.
• Verified that logs are being regularly reviewed to detect security breaches.
• Verify that logs are properly stored in a secure archive.
• Verify that the age of the archived data meets the standards for log retention.
• Verify that the content of the logs includes content mandated for retention.

Analyst Tasks

System analysts monitor the log collection network and then gather and distribute report data.

Administrators assign the Analyst role to users who are responsible for the following tasks:

• Create and edit custom reports and queries

  A report is a graphical or tabular display of event log data that is generated by executing predefined or custom queries with filters. The data can be from hot, warm, and defrosted databases in the event log store of the selected server and, if requested, its federated servers.

• Schedule action alerts

  An action alert is a scheduled query job, which can be used to detect policy violations, usage trends, logon patterns, and other information that can require near-term attention. Alert data can be viewed in the UI or through an RSS Feed. You can send a scheduled alert to email recipients, an SNMP trap destination, or a CA IT PAM event/alert output process. You can run the process once per row or once per query.

• Create tags

  A tag is a term or key phrase that is used to identify queries or reports that belong to the same category. To add a new report to a scheduled job configured to select reports with a specific tag, you add the common tag to the new report. A tag can also be a key phrase associated with a query, thus describing the query content and enabling key phrase-based classification and search.

• View RSS (Rich Site Summary) feeds

  An RSS event is an event generated by CA User Activity Reporting Module to convey an Action Alert to third-party products and users. The event is a summary of each Action Alert result and a link to the result file. The duration for a given RSS feed item is configurable.

Analysts can take the following approach as they become familiar with working with CA User Activity Reporting Module:

1. Examine the available predefined reports. (Auditors can also do this.)
2. Design custom reports, create tags for them, schedule, view, and annotate.
3. Schedule reports of interest for regular generation. (Auditors can also do this.)
4. Review generated reports and enter annotations. (Auditors can also do this.)
5. Identify criteria for sending an alert, the format to use, and the recipient. Then, schedule the alert to be generated when the criteria are met.

Administrator Tasks

Users assigned the role of Administrator have unlimited access to functionality available from all CA User Activity Reporting Module tabs. Only users assigned the role of Administrator have full access to the Administration tab. From the Administration tab, Administrators configure and maintain all aspects of log collection, all services, and all user access.

Log Collection Configuration and Customization

Only users with the role of Administrator can configure and maintain features related to log collection. Administrators perform log collection tasks from the Administration tab, Log Collection subtab.

Administrators use the Log Collection Explorer to configure connectors on agents, which is required for log collection. They also apply subscription updates to agents, when applicable.

Working with the event refinement library is optional. The out-of-the-box functionality, which is regularly updated, is designed to meet the needs of most customers.

Administrator tasks involving log collection include the following:

• Configure and manage the installed agents from a CA User Activity Reporting Module server dedicated to collection.
• Query the Archive Catalog on a CA User Activity Reporting Module reporting server.

  The archive catalog is the record of all databases that have ever been on the CA User Activity Reporting Module server. The archive catalog includes recently created databases, databases that have been backed up and moved, and databases that have been deleted before they were backed up, if any.

• Configure CA adapters used by CA Audit.
• Manage the event refinement library.
  • Work with predefined integrations and create new integrations from scratch or based on a copy of a predefined integration.

    Integration is the means by which unclassified events are processed into refined events so that they can be displayed in queries and reports.

  • Create a syslog listener from the predefined listener.
  • Create new parsing files from scratch or based on a copy of a selected predefined file.

    A message parsing file (XMP), associated with a specific event source type, applies parsing rules that break down the raw event into name/value pairs.

  • Create new mapping files from scratch or based on a copy of a selected predefined file.

    Data mapping (DM) files are XML files that use the CA Technologies Common Event Grammar (CEG) to transform events from the source format into one that can be stored for reporting and analysis in the Event Log Store.

  • Create summarization rules from scratch or based on a copy of a selected predefined rule.

    Summarization rules are rules that combine certain native events of a common type into one refined event.

  • Create suppression rules from scratch or based on a copy of a selected predefined rule.

    Suppression rules prevent certain refined events from appearing in your reports.

  • Create event forwarding rules.

    Event forwarding rules specify that selected events are forwarded to third-party products, such as those that correlate events, after being saved in the event log store.

• Create profiles.

  A profile specifies the set of data filters and tags that appear for selection. Data filters limit the data displayed in query or report; tag filters limit the tags displayed in the query tag list and in the report tag list.

Services Configuration and Monitoring

Only users with the role of Administrator can configure and maintain the services accessible from the Administration tab, Services subtab. Configure all services soon after installing CA User Activity Reporting Module.

Administrator tasks involving services include the following:

• Configure global services including the following:
  • Update interval
  • Session timeout
  • Whether authentication is required to view alerts posted to RSS feeds
  • Tags to hide
  • Default profile
• Configure the event log store service.
  • At the global level, configure services that apply to all CA User Activity Reporting Module servers.
  • At the local level, configure auto-archive.

    The event log store on the collection CA User Activity Reporting Module server houses a hot database of new logs. The hot database is compressed into a warm database when it reaches the configured maximum rows.

    • If you configure auto-archive between the collection server and the reporting server, the warm database is copied to the reporting server and then deleted from the collection server.
    • If you configure auto-archive between the reporting server and a remote server that is not a CA User Activity Reporting Module server, warm databases are copied to the remote server on a daily or hourly basis, depending on your auto-archive settings. By default, the reporting server retains the databases until they reach the set disc space or time limits. They are automatically deleted from the reporting server only if you select the Remote ELM Server check box.
    • If you do not configure auto-archive from the reporting server to a remote storage server, manually create a backup of warm databases and move them to long-term storage. The warm database is stored in the event log store of a reporting server (or management/reporting server in a two-server deployment) for the number of days configured as max archive days unless the available space drops below the configured percentage set by archive disk space. In this case, warm databases are deleted, beginning with the oldest.
• Configure the report server service.

  The report server service handles reports and alerts, including retention policies, the format for printed/emailed reports, and keyed values for reports and alerts. Additionally, it handles integration settings for CA IT PAM processes such as event/alert output and dynamic values and for SNMP trap destinations for alerts.

• Configure subscription updates.

  Subscription updates refer to the binary and non-binary files that are made available by CA Technologies Subscription Server to CA User Activity Reporting Module servers, the CA EEM component on the management server, and agents.

• Manage the federation of CA User Activity Reporting Module servers.

  At the management server, you can set a query to extend to federation children and peers. CA User Activity Reporting Module servers can be federated for two purposes:

  • The collection server auto archives each hot database into a warm database and sends it to the related reporting server. Create a federation between the collection server and the reporting server. When you query the management server with federation selected, you can get results not only from the local warm databases but also the hot database of the collection server.
  • Multiple reporting servers can be created to distribute the storage of warm databases among multiple event log stores. Reporting servers can be federated in a mesh with each collection server federated as a child to its reporting server. A federated query from any of the meshed reporting servers returns data from both its meshed (peer) servers and from all of their child servers.

    Note: If you create a restore point CA User Activity Reporting Module for the purpose of restoring archived databases from long-term storage, it is a good practice to leave such a server out of the federation.

• Monitor and manage the system status.

User and Access Management

Only users with the role of Administrator can configure and maintain user accounts, policies, and other application objects accessible from the Administration tab, User and Access Management subtab. To log on to CA User Activity Reporting Module, users must have a user account configured with a role and credentials for logging in. Predefined roles and policies enable Administrators to set up user access by defining user accounts. Creating custom roles and policies is optional.

Administrator tasks involving users and access include the following:

• Define new global users (if the user store is the default, the CA User Activity Reporting Module user store).

  When you add a new user, you create a global user. Details such as name, location, and telephone number are considered global because they can be shared. A global user is the user account information that excludes application-specific details.

• Retrieve referenced users (if the user store is a referenced user store).

  Global user details are stored in the configured user store, which can be an external directory.

• Assign predefined or custom application groups (roles) to new or referenced users.

  Application details are always stored in the repository of the management server. They are the details loaded in read-only format when you configure an external user store.

• Edit, delete, and view user accounts.
• Create custom application groups (roles) and associated policies.

  Creating user roles begins with defining a new application user group and then creating a policy defining the actions are permitted on specified resources. A user role can be a predefined application user group or a user-defined application group. Custom user roles are needed when the predefined application groups (Administrator, Analyst, and Auditor) are not sufficiently fine-grained to reflect work assignments. Custom user roles require custom access policies and modification of predefined policies to include the new role.

• Edit, delete, and view application groups and associated policies.
• Edit the CALM application access policy.

  The CALM Application Access policy is an access control list type of scoping policy that defines who can access the CA User Activity Reporting Module. By default, the [Group] Administrator, [Group] Analyst and [Group] Auditor are granted access.

• Create, edit, delete, and view access policies.

  An access policy is a rule that grants or denies an identity (user or user group) access rights to an application resource.

• Configure, edit, delete, and view access filters.

  An access filter is a filter that the Administrator can set to control what event data non-Administrator users or groups can view. For example, an access filter can restrict the data specified identities can view in a report. Access filters are automatically converted into obligation policies.

How to Configure Accounts with Out-of-the-Box Settings

If you are setting up a temporary test environment, you can set up user and access management very quickly if you use out-of-the-box settings for User Accounts and configure only required fields. To complete minimal configuration with predefined settings, create user accounts for CA User Activity Reporting Module users as follows:

• If using the default user store, create an account with a user name, assign a predefined application group (Administrator, Analyst, Auditor), and assign a temporary password.
• If referencing an external user store, search for the global user by name, assign a predefined role (Administrator, Analyst, Auditor), and assign a temporary password.

More information:

Assign a Role to a Global User

Create a Global User

How to Manage Referenced User Accounts

Create a Global Group

The ability to create a global group depends on the configuration of the user store. Consider the following:

• If using the default user store, creating global groups is an optional task.
• If referencing an external user store, global groups and user accounts are automatically loaded into the default user store. You can, optionally, create custom policies for these global groups, but you cannot create new global groups.
• If the referenced user store is CA SiteMinder, you can use the global groups defined in this CA Technologies product as is or you can create new global groups from existing group memberships.

To create a global group

1. Click the Administration tab and then click the User and Access Management subtab.
2. Click Groups on the left pane.

   The Search Groups and User Groups panes appear.

3. Click the New Global Group button next the Global Groups folder.

   The New Global user Group pane appears.

4. Enter a name and, optionally, a description.
5. If this global group is to contain other global groups, do the following:
   1. Enter search criteria to display a group and click Search.
   2. Move the group you want to include to the Selected Global User Groups list.
   3. Repeat until the list contains all of the groups you want to select.
6. Click Save.

   A confirmation appears.

More information:

User Role Planning

Create a Global User

You can create new users only if the user store is configured as the CA User Activity Reporting Module user store, the default. Only Administrators can create new user accounts.

If referencing an external user store, user accounts are automatically loaded into the default user store as read-only records. If you need to create a new user, you must do so in the external user store. The new record is automatically loaded.

To use the CA User Activity Reporting Module product, a user must have a global user account. The account must be active at the time of login. Accounts can become inactive if suspended by the Administrator, locked due to violation of a password policy, or disabled due to the enabled account time having elapsed.

To create a new global user account

1. Click the Administration tab and the User and Access Management subtab.
2. Click the Users button.
3. Verify that the account you plan to create does not exist. Select Global Users and click Go. If the name does not appear in the results, proceed.
4. Click the New User button to the left of the Users tree.

   The New User page appears.

5. Enter the name of the user in the Name entry field.
6. (Optional) Assign an application user group.
   1. Click Add Application User Details.
   2. Select one or more available user groups and click the move button to move the selection to the Selected User Groups box.

      Note: If you do not do this now, you can edit the account of a global user later to assign an application user group.

7. Enter the General information for Global User Details.
8. (Optional) Assign a global user group.
9. Complete Authentication information:
   1. To set a threshold for the number of incorrect logins to accept before locking the account, enter a number for Incorrect Login Count. Configuring a count of 0 means there is no limit.
   2. Accept the cleared check box for Override Password Policy unless you want to permit this user to have passwords that do not conform to the password policy.
   3. Repeat your entry in the Confirm Password box.
   4. Select the Change Password at Next Login to permit the user to change the password.
   5. Leave Suspended clear when creating a new account.
   6. Enter a new password for New Password and Confirm Password.
   7. If this user is to have access only temporarily, enter a date range for enabling and disabling the user account.
   8. To defer the enabling of the user account to a later date, enter the date to enable the account.
10. Click Save.
11. Click Close.

Assign a Role to a Global User

You can search for an existing user account and assign the application user group for the role you want the individual to perform. If you reference an external user store, the search returns global records loaded from that user store. If your configured user store is the CA User Activity Reporting Module user store, the search returns records created for users in CA User Activity Reporting Module.

Only Administrators can edit user accounts.

To assign a role, or application user group, to an existing user

1. Click the Administration tab and the User and Access Management subtab.
2. Click Users on the left pane.

   The Search Users and Users panes appear.

3. Select Global Users, enter search criteria, and click Go.

   If the search is for loaded user accounts, the Users pane shows the path and the path labels reflect the referenced external directory.

   Important! Always enter criteria when searching to avoid displaying all entries in an external user store.

4. Select a Global User that has no membership in a CA User Activity Reporting Module application group.

   The User page displays with the folder name, global user details, and, if applicable, global group membership.

5. Click Add Application User Details.

   The "CAELM" User Details pane expands.

6. Select the desired group from Available User Groups and click the right arrow.

   The selected group appears in the Selected User Groups box.

7. Click Save.
8. Verify the addition.
   1. On the Search Users pane, click Application User Details and click Go.
   2. Verify that the name of the new application user appears in the displayed results.
9. Click Close.

How to Manage Referenced User Accounts

You can use global user account information when you reference an external user store. Although you cannot update the user record in the external user store from CA User Activity Reporting Module, you can assign application-level details.

Consider the following approaches to managing access for users with accounts stored in an external user store.

• Add a predefined application user group, or role, to the user account.
• Add the global group to the predefined policies that provide the access you want the user to have.
• Create custom roles and associated policies and add the custom role to the user account.

User Activation Guidelines

Consider the following guidelines when using account activation features:

• When you create a number of user accounts at once, you can use Enable Date to specify a future date on which to activate all or selected accounts. This lets you stage your roll-out of access rights to coordinate with any training you plan to provide your new users.
• When you create temporary accounts for external auditors, you can use the Enable Date and Disable Date settings to specify a given time interval.
• When you encounter suspicious behavior by any user, you can immediately mark the corresponding account as suspended and, thereby, prevent that user from successfully logging in to any CA User Activity Reporting Module server.
• When a user leaves the company, you can delete the entire user record, mark it suspended, or enter an expiration date to put it into disabled status.

More information:

Create a Global User

Delete a User Account

Edit a User Account

Edit a User Account

Only Administrators can create and edit user accounts. You can search for a user and display the selected user account information for any of the following reasons:

• To assign a CA User Activity Reporting Module role, that is, application group membership, to a global user, where account information was loaded from a referenced user store
• To update global user details for an account in the local user store
• To suspend the user account
• To reset the password for a user account either because the password was forgotten or the account is locked and the password policy does not allow users to unlock user accounts
• To disable a user account or reset the duration for the enabled account

Important! Make no entry in the Incorrect Login Count field in the Authentication area. The value displayed in this field is updated by the system.

To edit a user account

1. Click the Administration tab and the User and Access Management subtab.
2. Click Users on the left pane.

   The Search Users pane appears.

3. Specify search criteria on the Search Users pane in one of the following ways:
   • To add application details for global user, select Global Users, enter search criteria, and click Go.
   • To edit the account of a user with an existing CA User Activity Reporting Module role, select Application User Details, enter search criteria, and click Go.

   Note: For search criteria, use the operator LIKE when you specify a wildcard as the value and use the operator EQUAL when you specify the complete string. Examples follow:

   • Group Membership LIKE Aud*
   • Group Membership EQUALS Auditor

   The names of users meeting the search criteria appear in the Users pane.

4. Click the user name of the account to edit.

   The selected account appears in the right pane.

5. To add a role, click Add Application User Details, select the appropriate role from Available User Groups, and move it to Selected User Groups.
6. To update global user details, replace existing details with the new details in the Global User Details section.

   Note: You can update details only if the using the default user store.

7. To update authentication configuration, do any of the following:
   • Select Override Password Policy to exclude this user from checks performed by all password policies.
   • Select Suspended to prevent this user from logging in to any CA User Activity Reporting Module server.
   • Clear Suspended to activate this account so the user can log in.
   • If your password policy is set to disallow users to unlock passwords and this user has a locked password, select Reset Password, enter the new password twice, and select Change Password at Next Login.

     Note: The Incorrect Login Count field is automatically incremented for a failed login attempt and reset to 0 with a successful login attempt. A user account becomes locked if the incremented value reaches or exceeds the password policy value set for lock user account after the specified number of failed logins.

   • Set a duration for when this account is to be enabled by clicking Enable Date and setting a start date and then clicking Disable Date and setting an end date. Users have access from the beginning of day on the start date to the end of the day on the end date. To allow access for one day, specify the same date as start and end.
8. Click Save.

   Updates to the user account are saved and in force.

Reset a User Password

You can reset the password for users that forget their password. If a user gets locked out for exceeding the configured number of attempted logins that fail because of a forgotten password, you can reset the password and then the user can unlock the account, if allowed by the corresponding password policy.

To reset a user password

1. Click the Administration tab and the User and Access Management subtab.
2. Click the Users button.
3. Search for the user account to edit.
   1. Select Application User Details.
   2. Enter the user name in the Value field, where Attribute is set to User Name and Operator is set to LIKE.
   3. Click Go.
4. Click the user name under the Users tree.

   The selected User account details appear.

5. In the Authentication pane, select Reset Password.

   The New Password and Confirm Password fields appear.

6. Enter the new password in the New Password and Confirm Password fields.
7. Click Save and then click Close.

Delete a User Account

You can delete any global user account that was created in CA User Activity Reporting Module.

You can inactivate a user account without deleting it in either of the following ways:

• You can set a disable date to disable an account as of the specified date.
• You can suspend an account so the associated user cannot access the CA User Activity Reporting Module interface.

To delete a global user

1. Click the Administration tab, the User and Access management subtab, and the Users button.

   The Search Users and Users panes appear.

2. Select either Global Users or Application User Details, specify search criteria, and click Go.
3. Select the user to delete from the list of existing users.

   The record for the selected user appears in the right pane.

4. Click Delete.

   A confirmation to delete this user appears.

5. Click OK.

   The confirmation message: Global User deleted successfully appears.

   Note: If you click Go again in the Search Users pane, the displayed list does not contain the name of the deleted user.