User rights audit
This section looks at the User rights audit report page and the information that can be found on it.
Introduction
The User rights audit report indicates user activity by displaying the usage of tasks and tools. It shows which users have performed which action, and also helps easily identify the profiles that contain tasks and tools that have not been used.
To view the User rights audit report, click User rights audit in the left-hand menu.
The User rights audit report is broken down into the following tabs.
Summary tab
The Summary tab provides an overview of the User engagement breakdown, Tasks in profiles and Tools in profiles.
The pie chart segments represent:
- The total number of users that have logged onto the UI, run tasks and made device connections.
- The number of users that have made device connections only.
- The number of users that have only run tasks.
- The number of users that have logged onto the UI.
- The number of users that have never logged onto the UI.
- The number of users that have used tasks/tools.
- The number of users that have not used tasks/tools.
User engagement
The User engagement tab gives you a view of users and helps you analyse their activity. The User activity table mirrors the Gantt chart opposite.
User activity
The information presented on this page is as follows:
Heading | Description |
---|---|
User | Name of the UI user. |
Enabled | Indicates if the user is able to connect to the UI (Enabled) or if the user account has been disabled. |
PAM sessions | The number of times a user has logged onto the UI. |
Tasks | The number of times a user has run a task. |
Device connections | The number of times a user has connected to a tool. |
You can use this table to identify users with low usage and investigate why a user may not be using the UI to manage devices and run tasks.
Tasks and tools
The Tasks and tools tab can help you reassess the privileges users are granted through profiles. From this data you can then look at reducing overall user privileges to tighten up security, and also reduce access to tools and tasks.
Counts by profile
The Counts by profile table mirrors the Gantt chart opposite.
The information presented on this page is as follows:
Heading | Description |
---|---|
Profile | Name of the profile the tools and tasks are configured in. |
Enabled | Indicates if the profile is Enabled to allow users access to tools and tasks through the UI. |
Tasks | Shows the total number of tasks used/unused within the profile. |
Tools | Shows the total number of tools used/unused within the profile. |
Device x Users | Shows the total number of devices multiplied by users within the profile. Sort this column in descending order to view the highest values first. Profiles with high numbers in this column should be reviewed against their unused tools and tasks, so that user privileges can be reduced. |
User privilege distribution
User privilege is a measure of how much of the system a user has access to. It is a weighted sum of all the devices that a user has access to, divided by the total number of devices in the Osirium PAM device estate.
The weighting is taken from the numerical level given in the device templates. In the device templates this level is used to order the types of Fully Managed accounts by access level; here it is used to calculate relative privilege levels.
Users given access through Password known or Password Management accounts are counted as having the highest possible privilege level for that device. Privilege is always within the range 0 to 1.
Superadmins are automatically given a privilege of 1.
The histogram shows how many users fall into various ranges of privilege levels.
Example:
- There are 3 devices in a system.
- A user has access to 2 of these.
- This user has access to one Password Management account and one Fully Managed account on different devices.
- The template that lists the Fully Managed accounts has admin with a level of 100 and read only with a level of 50.
- The user's Fully Managed account is read only.
Therefore, the user has a privilege level of 0.5.
(Number of Password known and Password Management accounts + (user access level / max access level)) / number of devices
(1 + (50 / 100)) / 3 = 0.5
The template library has now been updated so that all the levels are more representative of the level of control people actually have over the devices. Admin is 100, read only is 10, and anything else usually falls between levels 40 and 70.
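The calculation above, carried through in code as an added example (not Osirium's own implementation): the device estate, templates, users and grants below are constructed sample data, and the bin width of the histogram is an assumption.

```python
from collections import Counter

# Constructed sample data (not from Osirium PAM): three devices, each using a
# template whose Fully Managed account types carry a numeric access level.
TEMPLATES = {
    "linux-server": {"admin": 100, "read only": 50},
    "network-switch": {"admin": 100, "operator": 60, "read only": 10},
}
DEVICES = {"web01": "linux-server", "db01": "linux-server", "sw01": "network-switch"}

# Each grant is (device, account kind, Fully Managed level name or None).
# "password known" and "password management" count as full privilege on the device.
USERS = {
    "alice": {"superadmin": False,
              "grants": [("web01", "password management", None),
                         ("db01", "fully managed", "read only")]},
    "bob":   {"superadmin": True, "grants": []},
    "carol": {"superadmin": False,
              "grants": [("sw01", "fully managed", "read only")]},
}

def grant_weight(device, kind, level_name):
    """Weight of one grant: 1 for Password known/Management, level/max level for Fully Managed."""
    if kind in ("password known", "password management"):
        return 1.0
    levels = TEMPLATES[DEVICES[device]]
    return levels[level_name] / max(levels.values())

def user_privilege(user):
    """Weighted sum of grants divided by estate size, clamped to [0, 1]; superadmins are 1."""
    if user["superadmin"]:
        return 1.0
    total = sum(grant_weight(*g) for g in user["grants"])
    return min(1.0, max(0.0, total / len(DEVICES)))

def privilege_histogram(users, bins=4):
    """Count users per equal-width privilege range (bin width is an assumption)."""
    counts = Counter()
    for user in users.values():
        p = user_privilege(user)
        idx = min(int(p * bins), bins - 1)  # a privilege of exactly 1.0 lands in the top bin
        lo, hi = idx / bins, (idx + 1) / bins
        counts[f"{lo:.2f}-{hi:.2f}"] += 1
    return dict(counts)
```

Alice reproduces the worked example on the page: (1 + 50/100) / 3 = 0.5.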