8.3. User rights audit

This chapter looks at the User rights audit report page and the information that can be found on the page. The following topics are included in this chapter:

8.3.1. User rights audit report

The User rights audit report indicates user activity by displaying the usage of tasks and tools. It shows which users have performed which action, and also helps easily identify the profiles that contain tasks and tools that have not been used.

To view the User rights audit report, click User rights audit in the left-hand menu.

The User rights audit report is broken down into the following tabs.

8.3.1.1. Summary tab

The Summary tab provides an overview of the User engagement breakdown, Tasks in profiles and Tools in profiles.

Webui User Rights Audit Summary tab

The following information is presented in the pie charts:

Key Description
Full usage Full usage The total number of users that have logged onto the PxM Client, run tasks and made device connections.
Device connections only Device connections only The number of users that have made device connections only.
Tasks only Tasks only The number of users that have only run tasks.
DC session only Desktop Client session only The number of users that have logged onto the PxM Client.
Never used Osirium Never used PxM The number of users that have never logged onto the PxM Client.
Used Used The number of users that have used tasks/tools.
Unused Unused The number of users that have not used tasks/tools.

8.3.1.2. User engagement

The User engagement tab gives you a view of users and helps you analyse their activity. The User activity table mirrors the Gantt chart opposite.

Webui User Rights Audit User Engagement tab

User activity

The information presented on this page is as follows:

Heading Description
User Name of the PxM user.
Enabled Indicates if the user is able to connect to the PxM Client (Enabled) or if the user account has been disabled.
PxM Client sessions The number of times a user has logged onto the PxM Client.
Tasks The number of times a user has run a task.
Device connections The number of times a user has connected to a tool.

You can use this table to determine low user usage and investigate the reason why a user may not be using PxM to manage devices and run tasks.


8.3.1.3. Task and Tools

The Tasks and tools tab can help you reassess user access over privileges granted through profiles. From this data you can then look at reducing overall user privileges to tighten up security, and also reduce access to tools and tasks.

Webui User Rights Audit Tasks & tools tab

Counts by profile

The COUNTS BY PROFILE table mirrors the Gantt chart opposite.

The information presented on this page is as follows:

Heading Description
Profile Name of the profile the tools and tasks are configured in.
Enabled Indicates if the profile is Enabled to allow users access to tools and tasks through the PxM Client.
Tasks Shows the total number of tasks used/unused within the profile.
Tools Shows the total number of tools used/unused within the profile.
Device x Users

Shows the total number of devices x users within the profile.

Sort this column in descending in order to view the severity. The higher numbers in this column should be reviewed against unused tools and tasks in a Profile, to improve and reduce user privileges.


8.3.1.4. User privilege distribution

User privilege is a measure of how much coverage of a system a user has access to. It is a weighted sum of all the devices that a user has access to divided by the total number of devices in the PxM device estate.

The weighting is done by the numerical level given in the device templates. In the device templates it is used to order the types of Fully managed accounts by access level. Here it’s used to calculate relative privilege levels. Users given access by Known or Managed accounts are counted as having the highest possible privilege level for the device. Privilege can’t be outside of 0 and 1.

Superadmins are automatically given a privilege of 1.

The histogram shows how many users fall into various ranges of privilege levels.

Example: There are 3 devices in a system. A user has access to 2 of these. This user has access to one Managed account and one Fully managed account on different devices. The template that lists the Fully managed accounts has admin with a level of 100 and read only with a level of 50. The user’s Fully managed account is read only. Therefore, the user has a privilege level of 0.5.

(Number of Known and Managed accounts + ( user access level / max access level )) / number of devices

( 1 + (50 / 100) ) / 3 = 0.5

The template library has now been updated so that all the levels are more representative of the level of control over the devices that people actually have. Admin is 100, read only is 10 and anything else usually falls between levels 40 and 70.

Webui User Rights Audit User Privilege distribution