Privileged access configuration reports
Group set configuration
Purpose: Configuration of group sets.
Executable: managedgroupset
Criteria | Description |
|---|---|
Item type to display | Select the group set configuration item type to search by: |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, search for one or more policies. |
Group set ID | Type the ID of a group set you want to include in the report. Alternatively, search for one or more group sets. |
Target system ID | Type a comma-and-space-delimited list of target system IDs to include in the report. Alternatively, search for one or more target systems. This field is only visible when Item type to display is set to "Explicitly attached groups", "Target system hosting user accounts", or "All". |
Group ID | Type the ID of a group you want to include in the report. Alternatively, search for one or more groups. This field is only visible when Item type to display is set to "Explicitly attached groups" or "All". |
Rule ID | Type the ID of a group inclusion rule to include in the report. This field is only visible when Item type to display is set to "Group inclusion rules" or "All". |
Column | Description |
|---|---|
Managed system policy ID | The ID of the managed system policy associated with the group set. |
Group set ID | The unique identifier of the group set. |
Group set description | The description of the group set. |
Group set type | The type of the group set configuration item (target system, explicitly attached group, or group inclusion rule). |
Member ID | The ID of the member within the group set (group ID, target system ID, or rule ID depending on the item type). |
Member description | The description of the member. |
Target system ID | The ID of the target system associated with the group set member. |
Target system description | The description of the target system. |
Group set members - Missing on managed systems
Purpose: Groups that are defined in a group set but which do not exist on systems in the same managed system policy.
Executable: gsetfailure
Criteria | Description |
|---|---|
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs you want to include in the report. Alternatively, you can search for one or more policies. |
Group set ID | Type the ID of a group set you want to include in the report. Alternatively, search for one or more group sets. |
Managed system ID | Type a comma-and-space-delimited list of IDs for managed systems you want to include in the report. Alternatively, you can search for one or more managed systems. |
Group type | Choose all, "Explicitly attached", or "Attached by inclusion rule" |
Column | Description |
|---|---|
Managed system policy ID | The ID of the managed system policy where the group set is configured. |
Group set ID | The ID of the group set containing the missing group. |
Missing group ID | The ID of the group that is defined in the group set but missing on the managed system. |
Missing group target ID | The ID of the target system where the group is missing. |
Missing group target description | The description of the target system where the group is missing. |
Group type | The type of group membership (explicitly attached or attached by inclusion rule). |
Account set configuration
Purpose: Allows you to query the current configuration of existing account sets (both manually and automatically created). In the Request privileged access (PSW) module, the account set configuration is displayed within 3 tabs: "General", "Explicitly attached accounts", and "Account inclusion rule". This report displays the account set information using three different modes, one for each tab of the Request privileged access (PSW) module.
Most of the fields displayed in the Request privileged access (PSW) module account set tabs are reflected in the filters and output from the report.
Account sets deleted from the system are not returned in the report. Furthermore, when deleting a managed system policy associated to an account set, the account set is automatically deleted.
Select the "report type" first (at the bottom of the search criteria). The search criteria will change based on the "report type" you select.
Executable: maqconfiguration
Criteria | Description |
|---|---|
Report type | There are three types of reports to select from: |
Account set ID | Type a comma-and-space-delimited list of account set IDs to include in the report. Leave the field blank to return all of the account sets or alternatively, search for one or more account set IDs. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Leave the field blank to search on all managed system policies or alternatively, search for one or more managed system policy IDs. |
Creator ID | Type a comma-and-space-delimited list of creator IDs or leave it blank to search all creators. Alternatively, search for one or more creator IDs. |
Shared | When queries are created, they can be shared with other users, or kept personal. Choose one of the following options: |
Managed account | Search for one or more managed accounts you want to report on. Alternatively, you can type a managed account ID or a pattern of managed account IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. |
Managed system ID | Type a comma-and-space-delimited list of managed system IDs to include in the report. Alternatively, search for one or more managed system IDs. |
Valid account | Accounts can become invalid for many reasons, including being deleted from the target system, being removed from the managed system policy, or the target system having been removed. Choose one of the following options: |
Rule ID | Type in a specific rule ID or leave it blank to return all of the rules attached to the account set. |
The report output columns depend on the report type selected.
Column | Description |
|---|---|
Query ID | The unique identifier of the account set query. |
Query description | The description of the account set query. |
Policy ID | The managed system policy ID associated with the account set. |
Policy description | The description of the managed system policy. |
Creator | The user who created the account set. |
Shared | Indicates whether the account set is shared or personal. |
Column | Description |
|---|---|
Query ID | The unique identifier of the account set query. |
Query description | The description of the account set query. |
Account ID | The unique identifier of the account. |
Managed system ID | The unique identifier of the managed system. |
Managed system name | The display name of the managed system. |
Valid account | Indicates whether the account is currently valid. |
Column | Description |
|---|---|
Query ID | The unique identifier of the account set query. |
Query description | The description of the account set query. |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Include all accounts | Indicates whether all accounts are included by the rule. |
Requirement | The requirement associated with the rule condition. |
Requirement ID | The unique identifier of the requirement. |
Requirement description | The description of the requirement. |
Requirement attribute | The attribute used in the requirement condition. |
Requirement value | The value used in the requirement condition. |
Enabled requirement | Indicates whether the requirement is enabled. |
Account set access log
Purpose: History of account set access.
Executable: maqlog
Criteria | Description |
|---|---|
Account set ID | Type a comma-and-space-delimited list of account set IDs to include in the report. Alternatively, search for one or more account set IDs. Leave blank if you want to search for all account sets. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, search for one or more managed system policy IDs. Leave blank if you want to search all managed system policy IDs. |
Shared | When queries are created, they can be shared with other users, or kept personal. Choose one of the following options: |
Operation | Choose one or more (hold down the Ctrl key to select more than one) of the following options: |
Operation date | Define a date range during which the operation was run. |
User ID | Type a comma-and-space-delimited list of user IDs to include in the report. Alternatively, search for one or more user IDs. |
Column | Description |
|---|---|
Query ID | The unique identifier of the account set query. |
Query description | The description of the account set query. |
Policy ID | The managed system policy ID associated with the account set. |
Shared | Indicates whether the account set is shared or personal. |
Operation | The type of operation performed on the account set. |
Message | Additional details or messages about the operation. |
Member | The user who performed the operation. |
Target system ID | The target system ID associated with the operation. |
Operation date | The date and time the operation was performed. |
Account name | The name of the account involved in the operation. |
Account set saved commands
Purpose: Allows you to query detailed information about account set saved commands.
Executable: maqsavedcommand
Criteria | Description |
|---|---|
Command | Enter the saved commands executed with the account set access. |
Account set ID | Type a comma-and-space-delimited list of account set IDs to include in the report. Leave the field blank to return all of the queries or alternatively, search for one or more account set IDs. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Leave the field blank to search on all managed system policies or alternatively, search for one or more managed system policy IDs. |
Command creator ID | Type a comma-and-space-delimited list of "command creator IDs" or leave it blank to search all command creators. Alternatively, search for one or more command creator IDs. |
Create date | Define a date range during which the command was created. |
Shared command | When commands are created, they can be shared with other users, or kept personal. Choose one of the following options: |
Column | Description |
|---|---|
Command | The saved command text. |
Query ID | The unique identifier of the account set query. |
Policy ID | The managed system policy ID associated with the account set. |
Creator | The user who created the saved command. |
Create date | The date and time the command was created. |
Shared | Indicates whether the command is shared or personal. |
Times executed | The number of times the command has been executed. |
Last execution | The date and time the command was last executed. |
Discovered system status
Purpose: Displays the status of discovered systems (managed or unmanaged).
Executable: discoveredsystemstatus
Criteria | Description |
|---|---|
Status | Select a status to run: |
Discovered system name | Type a comma-and-space-delimited list of discovered system names to include in the report. Alternatively, search for one or more users. |
Address | Enter the address of the discovered system. |
Display attribute | Select one of the attributes from the drop-down list. The value of that attribute will be displayed in the report. |
Filter attribute | Select one of the attributes from the drop-down list. The value specified by the corresponding Filter value will act as a search filter in the report. |
Filter value | The value associated with the preceding filter attribute, which will act as the search filter. |
Last connect time | Define a date range for the last connect time. |
Column | Description |
|---|---|
Discovered system ID | The unique identifier of the discovered system. |
Discovered system name | The name of the discovered system. |
Type | The type of the discovered system. |
Address | The network address of the discovered system. |
Display attribute 1-3 | Dynamic columns showing the values of up to three selected display attributes. The column headers reflect the attribute names chosen in the search criteria. |
Filter attribute 1-3 | Dynamic columns showing the values of up to three selected filter attributes. The column headers reflect the attribute names chosen in the search criteria. |
Status | The current status of the discovered system (managed or unmanaged). |
Admin ID status | The status of the administrator ID associated with the discovered system. |
Last connection time | The date and time of the last successful connection to the discovered system. |
Managed system status
Purpose: Status of managed systems, including number of managed accounts, last connection time and failure counts.
Executable: managedsystemstatus
Criteria | Description |
|---|---|
Report type | Select a report type from the drop-down list: |
Integration direction | Select one of the options from the drop-down list: |
Managed system ID | Type a comma-and-space-delimited list of IDs for managed systems you want to include in the report. Alternatively, you can search for one or more managed systems. |
Status | Select one of the options from the drop-down list: |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, search for one or more policies. |
Manual password randomization batches | Select one of the options from the drop-down list: |
Attribute | Select one of the attributes from the drop-down list. The value of that attribute will be displayed in the report. |
Last connect time | Define a date range for the last connect time. This option will only be present when Report Type is set to "View updated systems". |
Length of time without connection | Define a date range for the length of time without connection. This option will only be present when Report Type is set to "View systems that were not updated". |
Column | Description |
|---|---|
Managed system ID | The unique identifier of the managed system. |
Managed system name | The name of the managed system. |
Address | The network address of the managed system. |
Managed system attribute 1-3 | Dynamic columns showing the values of up to three managed system attributes. The column headers reflect the attribute names configured for the system. |
Display attribute 1-3 | Dynamic columns showing the values of up to three selected display attributes. The column headers reflect the attribute names chosen in the search criteria. |
Status | The current policy attachment status of the managed system. |
Managed system policy ID | The ID of the managed system policy associated with the system. |
Managed system policy description | The description of the managed system policy. |
Last connection time | The date and time of the last successful connection to the managed system. |
Discovered accounts | The number of accounts discovered on the managed system. |
Listed accounts | The number of accounts listed on the managed system. |
Managed accounts | The total number of managed accounts on the system. |
Managed accounts with random password | The number of managed accounts that have had their passwords randomized. |
Managed system summary
Purpose: List information about managed systems.
Executable: resourcesummary
Criteria | Description |
|---|---|
Managed system ID | Type a comma-and-space-delimited list of IDs for managed systems you want to include in the report. Alternatively, you can search for one or more managed systems. |
Managed system description | Type the description for a managed system you want to include in the report. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, you can search for one or more policies. |
Display only managed systems not associated to any policy | Enable this checkbox to display only managed systems not associated to any managed system policy. |
Number of days for inactive managed systems | Enter a positive number of days, and if a managed system has become inactive within the specified number of days, then it will be included in the report. |
Choose last connection date | Define a date range of last contact between the managed system and Bravura Security Fabric. |
Choose initial date | Define a date range during which the managed system was added to Bravura Security Fabric. |
Column | Description |
|---|---|
Managed system ID | The unique identifier of the managed system. |
Managed system name | The display name of the managed system. |
Address | The network address of the managed system. |
System status | The current status of the managed system. |
Deleted | Indicates whether the managed system has been deleted. |
Managed system type | The type of the managed system. |
Target type | The target type of the managed system. |
OS version | The operating system version of the managed system. |
Last connection time | The date and time of the last connection to the managed system. |
Time since last connection | The elapsed time since the last connection to the managed system. |
Initial time | The date and time the managed system was initially added. |
Policy ID | The managed system policy ID associated with the system. |
Number of managed accounts | The total number of managed accounts on the system. |
Account / Subscriber dependencies
Purpose: Show domain and local accounts and the objects that use them.
Executable: discoveredaccounts
Criteria | Description |
|---|---|
Report type | Select the type of report to run: |
Observed account | Type the observed account ID to include in the report. The ID must exactly match the format that was provided to the object. |
Associated account | Type the short ID of an account to include in the report. |
Associated account status | Select the type of accounts to include: |
Associated target system ID | Type a comma-and-space-delimited list of IDs of target systems from which accounts are associated. For local accounts, this is also where the objects are associated from. Alternatively, search for target systems. |
Discovered target system | Type a comma-and-space-delimited list of IDs of target systems from which objects are run by domain accounts. This option is only available for the domain account report. Alternatively, search for target systems. |
Object name | Type the name of the object. |
Object type | Select one or more object types to include in the report: |
Associated target system status | Select the type of target systems to include: |
Associated target system integration method | Select the type of target system integration to include: |
Last load time | Define a date range during which the object was last loaded. |
Account is associated | Select this option to include accounts that are associated with a target system. This field is visible when Report type is Object. |
Associated account is valid | Select this option to include valid associated accounts. This field is only visible when Account is associated is selected. |
Summarize report | Select this if you prefer to have a numerical summary of the report. |
The output columns vary depending on the selected report type.
Column | Description |
|---|---|
Observed account | The observed domain account ID as provided to the object. |
Discovered computer | The discovered computer where the object was found. |
Object name | The name of the object using the account. |
Object type | The type of object (service, scheduled task, DCOM, etc.). |
Associated account | The short ID of the associated account. |
Associated target system | The target system where the associated account resides. |
Status | The managed or unmanaged status of the associated account. |
Integration method | The integration method of the associated target system (push or local service mode). |
Last load time | The date and time the object was last loaded. |
Column | Description |
|---|---|
Observed account | The observed local account ID as provided to the object. |
Target system | The target system where the account and objects reside. |
Object name | The name of the object using the account. |
Object type | The type of object (service, scheduled task, DCOM, etc.). |
Associated account | The short ID of the associated account. |
Status | The managed or unmanaged status of the associated account. |
Integration method | The integration method of the target system (push or local service mode). |
Last load time | The date and time the object was last loaded. |
Column | Description |
|---|---|
Object name | The name of the object (subscriber or security group). |
Object type | The type of object. |
Discovered computer | The discovered computer where the object was found. |
Observed account | The observed account ID used by the object. |
Associated account | The short ID of the associated account. |
Associated target system | The target system where the associated account resides. |
Status | The managed or unmanaged status of the associated account. |
Integration method | The integration method of the associated target system. |
Last load time | The date and time the object was last loaded. |
Discovered subscribers
Purpose: Show discovered subscribers and their attributes.
Executable: discoveredsubscribers
Criteria | Description |
|---|---|
Report type | Select the type of report to run: |
Associated target system ID | Type a comma-and-space-delimited list of IDs of target systems from which accounts are associated. For local accounts, this is also where the objects are associated from. Alternatively, search for target systems. |
Discovered target system | Type a comma-and-space-delimited list of target systems from which objects are run by domain accounts. Alternatively, search for target systems. |
Observed account | Type the observed account ID to include in the report. The ID must exactly match the format that was provided to the object. |
Object type | Select one or more object types to include in the report: |
Object name | Type the name of the object. |
Associated account | Type the short ID of an account to include in the report. |
Associated account status | Select the type of accounts to include: |
Last load time | Define a date range during which the object was last loaded. |
Subscriber attributes | Select one or more subscriber attributes to include in the report. |
The report output columns depend on the report type selected.
Column | Description |
|---|---|
Target system | The target system from which the subscriber was discovered. |
Target system description | The description of the target system. |
Discovered computer | The computer on which the subscriber was discovered. |
Discovered target system ID | The unique identifier of the discovered target system. |
Discovered target system description | The description of the discovered target system. |
Observed account ID | The account ID observed running the object. |
Object type | The type of object (service, scheduled task, IIS, DCOM, etc.). |
Object name | The name of the discovered object. |
Associated account ID | The account ID associated with the subscriber. |
Associated account status | Whether the associated account is managed or unmanaged. |
Last load time | The date and time the object was last loaded. |
Attribute | The subscriber attribute name. |
Attribute value | The value of the subscriber attribute. |
Column | Description |
|---|---|
Object name | The name of the discovered object. |
Object type | The type of object (service, scheduled task, IIS, DCOM, etc.). |
Discovered computer | The computer on which the subscriber was discovered. |
Discovered target system ID | The unique identifier of the discovered target system. |
Discovered target system description | The description of the discovered target system. |
Observed account ID | The account ID observed running the object. |
Last load time | The date and time the object was last loaded. |
Attribute | The subscriber attribute name. |
Attribute value | The value of the subscriber attribute. |
Managed systems and accounts - Import method
Purpose: Show whether managed systems or managed accounts were added manually or created using an import rule.
Executable: managedmethod
Criteria | Description |
|---|---|
Report type | Select the type of report to run: |
Method | Select the method by which the managed accounts or systems were added: |
Managed account | Search for one or more managed accounts you want to report on. Alternatively, you can type a managed account ID or a pattern of managed account IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. This field is only visible when Report type is set to "Managed accounts". |
Managed system ID | Type a comma-and-space-delimited list of IDs of managed systems to include in the report. Alternatively, search for one or more users. |
Managed systems rule ID | Type a comma-and-space-delimited list of IDs of managed system import rules to include in the report. This field is only visible when Report type is set to "Managed systems". Alternatively, search for one or more users. |
Managed system policy ID | Type a comma-and-space-delimited list of IDs of managed system policies to include in the report. This field is only visible when Report type is set to "Managed systems". Alternatively, search for one or more users. |
The output columns vary depending on the selected report type.
Column | Description |
|---|---|
Account | The managed account ID. |
Managed system ID | The ID of the managed system where the account resides. |
Managed system name | The name of the managed system. |
Policy ID | The ID of the managed system policy. |
Policy description | The description of the managed system policy. |
Method | The method by which the account was added (manually or automatically via import rule). |
Column | Description |
|---|---|
Managed system ID | The unique identifier of the managed system. |
Managed system name | The name of the managed system. |
Discovered system name | The name of the discovered system associated with the managed system. |
Rule ID | The ID of the import rule used to add the managed system. |
Rule description | The description of the import rule. |
Policy ID | The ID of the managed system policy. |
Policy description | The description of the managed system policy. |
Method | The method by which the system was added (manually or automatically via import rule). |
Date managed | The date when the system was added as a managed system. |
Managed account attributes
Purpose: Displays discovered system attributes, managed system resource attributes, managed account resource attributes and account attributes of a managed account.
Executable: managedaccountattributes
Criteria | Description |
|---|---|
Managed system ID | Type a comma-and-space-delimited list of IDs for managed systems you want to include in the report. Alternatively, you can search for one or more managed systems. |
Managed system description | Type the description for a managed system you want to include in the report. |
Discovered system attribute to display | Choose which discovered system attributes to display. |
Discovered system attribute to search | Select a discovered system attribute on which to filter. You can select up to four attributes. The union of all attributes configured will be returned. |
Managed system resource attribute to display | Choose which managed system resource attributes to display. |
Managed system resource attribute to search | Select a managed system resource attribute on which to filter. You can select up to four attributes. The union of all attributes configured will be returned. |
Managed account | Search for one or more managed accounts you want to report on. Alternatively, you can type a managed account ID or a pattern of managed account IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. |
Account attribute to display | Choose which account attributes to display. |
Account attribute to search | Select an account attribute on which to filter. You can select up to four attributes. The union of all attributes configured will be returned. |
Managed account resource attribute to display | Choose which managed account resource attributes to display. |
Managed account resource attribute to search | Select a managed account resource attribute on which to filter. You can select up to four attributes. The union of all attributes configured will be returned. |
Comparison | This field is displayed if the Managed system resource attribute to search or Managed account resource attribute to search field is something other than "Attribute not required". Comparators available depend on the resource attribute type. Select the comparator that Bravura Security Fabric uses for the search: "is empty" searches on empty values; "is not empty" searches on non-empty values; "is equal to" searches on values equal to a specified string; "is not equal to" searches on values not equal to a specified string; "is less than" searches on values that are less than a specific integer; "is less than or equal to" searches on values that are less than or equal to a specific integer; "is greater than" searches on values that are greater than a specific integer; "is greater than or equal to" searches on values that are greater than or equal to a specific integer; "is later than today + N days" searches on dates that are later than N days after today; "is earlier than, or equal to, today - N days" searches on dates that are earlier than or equal to N days before today. |
Value | Type or select the value to compare. Required if the Discovered system attribute to search or Account attribute to search field is something other than "Attribute not required", or the Comparison field is set to something other than "is empty" or "is not empty". |
If you do not specify any search criteria, the report output includes all managed accounts.
The report output includes the following fixed columns, plus dynamic attribute columns based on the attributes selected in the search criteria.
Column | Description |
|---|---|
Policy ID | The managed system policy ID associated with the account. |
Managed system ID | The unique identifier of the managed system. |
Managed system name | The display name of the managed system. |
Managed account | The managed account ID. |
Additional columns are dynamically added based on the discovered system attributes, managed system resource attributes, account attributes, and managed account resource attributes selected in the search criteria.
Managed system policies
Purpose: Lists information about managed system policies.
Executable: resgroup
Criteria | Description |
|---|---|
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, you can search for one or more policies. |
Managed system policy description | Type the description of the managed system policy to include in the report. |
Managed system policy type | Select one or more managed system policy types. |
Managed by | Select one or more node IDs. |
Push mode managed system policy status | Select one or more managed system policy statuses. |
Scope of password synchronization | Select one or more password synchronization methods:
|
Authentication type | Select one or more authentication types. This option is only available if Report type = Summary. |
Report type | Select what type of report to generate:
|
The report output columns depend on the report type selected.
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
User | The user associated with the policy. |
Managed system | The managed system associated with the policy. |
Managed group | The managed group associated with the policy. |
Resource type | The type of resource managed by the policy. |
Managed by | The node managing the policy. |
Sync type | The password synchronization type configured for the policy. |
Authentication type | The authentication type (password, SSH key, or group set). |
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Account ID | The unique identifier of the managed account. |
Managed system ID | The unique identifier of the managed system. |
Managed system name | The display name of the managed system. |
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Sunday | The password randomization schedule for Sunday. |
Monday | The password randomization schedule for Monday. |
Tuesday | The password randomization schedule for Tuesday. |
Wednesday | The password randomization schedule for Wednesday. |
Thursday | The password randomization schedule for Thursday. |
Friday | The password randomization schedule for Friday. |
Saturday | The password randomization schedule for Saturday. |
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Target type | The target type of the managed system. |
Total count | The total number of managed systems of this target type. |
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Rule description | The description of the password policy rule. |
Status | The compliance status of the rule. |
Value | The configured value for the rule. |
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Rule type | The type of import rule. |
Column | Description |
|---|---|
Authorizer source | The source of the authorizer (user group, user class, etc.). |
Authorizer ID | The unique identifier of the authorizer. |
Phase | The authorization phase. |
Authorization for | The type of access the authorizer can approve. |
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Resource type | The type of resource managed by the policy. |
Managed by | The node managing the policy. |
Sync type | The password synchronization type configured for the policy. |
Privileged password synchronization conflicts
Purpose: Identify potential misconfiguration of accounts in managed system policies, some of which employ password synchronization while others do not.
Executable: syncmngsyspolicy
Criteria | Description |
|---|---|
Report type | Select the type of report to run:
|
Managed account | Search for one or more managed accounts you want to report on. Alternatively, you can type a managed account ID or a pattern of managed account IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, you can search for one or more policies. This option only appears if Report type is set to either "Display accounts with synchronized passwords" or "Display accounts with unsynchronized passwords". |
Scope of password synchronization | Select the scope of password synchronization to include in the report. This option only appears if Report type is set to either "Display accounts with synchronized passwords" or "Display accounts with unsynchronized passwords". |
The output columns vary depending on the selected report type.
Column | Description |
|---|---|
Account | The managed account ID. |
Managed system ID | The ID of the managed system where the account resides. |
Managed system name | The name of the managed system. |
No sync | The number of policies where the account has no password synchronization. |
Account-based sync | The number of policies where the account has account-based password synchronization. |
Policy-based sync | The number of policies where the account has policy-based password synchronization. |
Column | Description |
|---|---|
Account | The managed account ID. |
Managed system ID | The ID of the managed system. |
Managed system name | The name of the managed system. |
Policy ID | The ID of the managed system policy. |
Sync type | The type of password synchronization configured for the account in this policy. |
Column | Description |
|---|---|
Policy ID | The ID of the managed system policy. |
Sync type | The type of password synchronization configured in this policy. |
Account | The managed account ID. |
Managed system ID | The ID of the managed system. |
Managed system name | The name of the managed system. |
Configured user groups in managed system policies
Purpose: For all or specified managed system policies, returns any user groups configured with at least one access control.
Executable: policyusergroup
Criteria | Description |
|---|---|
Managed system policy ID | Type a comma-and-space-delimited list of IDs of managed system policies to include in the report. Alternatively, search for one or more managed system policies. |
User group ID | Select one or more user groups to include in the report. |
Display configuration details | By selecting this option, additional details will be included in the report, including user classes, users, managed systems and managed accounts. |
Display access controls in single column | This option is enabled by default. If unchecked, a separate column for each access control will be displayed. This option is only available if Display configuration details is selected. |
User class ID | Select one or more user classes to include in the report. This option is only available if Display configuration details is selected. |
User ID | Type a comma-and-space-delimited list of IDs of users to include in the report. Alternatively, search for one or more users. This option is only available if Display configuration details is selected. |
Managed system ID | Type a comma-and-space-delimited list of IDs of managed systems to include in the report. Alternatively, search for one or more managed systems. This option is only available if Display configuration details is selected. |
Managed account | Search for one or more managed accounts to include in the report. Alternatively, you can type a managed account ID or a pattern of managed account IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. This option is only available if Display configuration details is selected. |
The report output columns depend on whether Display configuration details is selected.
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
User group ID | The unique identifier of the user group. |
User group description | The description of the user group. |
Column | Description |
|---|---|
Policy ID | The managed system policy ID. |
Policy description | The description of the managed system policy. |
Managed system ID | The unique identifier of the managed system. |
Managed system name | The display name of the managed system. |
Account ID | The unique identifier of the managed account. |
User group ID | The unique identifier of the user group. |
User group description | The description of the user group. |
Access control | The access control assigned to the user group (displayed as a single column or multiple columns depending on the search criteria). |
View group set | Permission to view the group set. |
Modify group set | Permission to modify the group set. |
View password | Permission to view the password. |
Modify password | Permission to modify the password. |
Request password | Permission to request the password. |
View info | Permission to view account information. |
View group set access | Permission to view group set access. |
Request group set access | Permission to request group set access. |
Search session monitoring | Permission to search session monitoring records. |
View session monitoring | Permission to view session monitoring records. |
View in browser session monitoring | Permission to view session monitoring in a browser. |
MSP reports | Permission to run managed system policy reports. |
View historical password | Permission to view historical passwords. |
Modify account set | Permission to modify account sets. |
Manage system | Permission to manage the system. |
User class ID | The unique identifier of the user class. |
User class description | The description of the user class. |
User ID | The unique identifier of the user. |
User name | The display name of the user. |
Rights of specified users
Purpose: Show all access rights that specified users have within Privileged Access Manager.
Executable: useraccess
Criteria | Description |
|---|---|
User ID | Type a comma-and-space-delimited list of IDs of users to include in the report. This is a required field. Alternatively, search for one or more users. |
User name | Type the name of the user to include in the report. |
Managed system ID | Type a comma-and-space-delimited list of IDs for managed systems you want to include in the report. Alternatively, search for one or more managed systems. |
Managed account | Search for one or more managed accounts you want to report on. Alternatively, you can type a managed account ID or a pattern of managed account IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. |
Group set ID | Type a comma-and-space-delimited list of IDs for group sets you want to include in the report. Alternatively, search for one or more group sets. |
Managed system policy ID | Type a comma-and-space-delimited list of IDs for managed system policies you want to include in the report. Alternatively, search for one or more managed system policies. |
User group ID | Type a comma-and-space-delimited list of IDs for user groups you want to include in the report. Alternatively, search for one or more user groups. |
With privileges only | Enable this checkbox to display only managed objects that the user has permission to access. |
Column | Description |
|---|---|
User ID | The unique identifier of the user. |
User name | The full name of the user. |
Managed account ID | The ID of the managed account the user has access to. |
Managed system ID | The ID of the managed system associated with the account. |
Managed system name | The name of the managed system. |
Group set ID | The ID of the group set the user has access to. |
Group set description | The description of the group set. |
Policy ID | The ID of the managed system policy. |
Policy description | The description of the managed system policy. |
Policy status | The current status of the managed system policy (active or inactive). |
User group | The user group through which the user has access. |
Request password | Indicates whether the user can request the password for the managed account. |
View password | Indicates whether the user can view the password for the managed account. |
Modify password | Indicates whether the user can modify the password for the managed account. |
View info | Indicates whether the user can view information about the managed account. |
Request group set | Indicates whether the user can request access to the group set. |
View group set | Indicates whether the user can view the group set. |
Import rules list
Purpose: Configuration of import rules used to activate target systems, managed systems and managed accounts.
Executable: importrulelist
Criteria | Description |
|---|---|
Target systems rule ID | Search for or type target systems import rules. This option only appears if at least one target systems import rule is defined. |
Managed systems rule ID | Search for or type managed systems import rules. This option only appears if at least one managed systems import rule is defined. |
Managed accounts rule ID | Search for or type managed accounts import rules. This option only appears if at least one managed accounts import rule is defined. |
New system connection credentials | Select the connection method for the Bravura Security Fabric server to use when it attempts to connect to the discovered systems. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, you can search for one or more policies. |
Condition ID | The ID of the import rule condition. |
Rule type | Select the type of import rule:
|
Action to perform on matching objects | Select the type of rule usage:
|
Column | Description |
|---|---|
Rule type | The type of import rule (target systems, managed systems, or managed accounts). |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Auto import | Indicates whether the rule is configured for automatic import. |
Template target | The template target system used by the import rule. |
Connection credential | The connection credential method configured for the rule. |
Policy ID | The ID of the managed system policy associated with the rule. |
Usage | The action the rule performs on matching objects (manage/bind or stop managing/unbind). |
Requirement | The requirement type for the import rule condition. |
Requirement ID | The unique identifier of the requirement condition. |
Requirement description | The description of the requirement condition. |
Requirement value | The value configured for the requirement condition. |
Import rule test results
Purpose: List discovered objects that have been tested against import rules. For each discovered object only the most recent test is displayed.
Executable: importruletest
Criteria | Description |
|---|---|
Discovered object | Type the discovered object that has been tested against import rules for which you want to generate the report. |
Discovered system | Search for or type the ID of a discovered system. |
Rule type | Select the type of import rule:
|
Target systems rule ID | Search for or type target systems import rules. This option only appears if at least one target systems import rule is defined. |
Managed systems rule ID | Search for or type managed systems import rules. This option only appears if at least one managed systems import rule is defined. |
Managed accounts rule ID | Search for or type managed accounts import rules. This option only appears if at least one managed accounts import rule is defined. |
Condition ID | The ID of the import rule condition. This only displays results if the rule failed. |
Action performed by | Type either the service or user that performed the test. |
Current status | Select the current status to include:
|
Result | Select the results to be displayed:
|
Import rule test date | Define a date range for the test date. |
Report type | Select Discovered object or Rule ID to group the report by the selected type. Default is discovered object. |
The output columns vary depending on the selected report type.
Column | Description |
|---|---|
Rule type | The type of import rule (target systems, managed systems, or managed accounts). |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Discovered object | The discovered object that was tested against the rule. |
Discovered system | The discovered system associated with the tested object. |
Column | Description |
|---|---|
Discovered object | The discovered object that was tested against import rules. |
Discovered system | The discovered system associated with the tested object. |
Priority | The priority of the import rule. |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Rule type | The type of import rule. |
Result | The result of the test (passed or failed). |
Policy ID | The ID of the managed system policy associated with the rule. |
Policy description | The description of the managed system policy. |
Usage | The action the rule performs on matching objects. |
Requirement ID | The ID of the requirement condition that was tested. |
Failure attribute | The attribute that caused the test to fail, if applicable. |
Current status | The current managed or unmanaged status of the discovered object. |
Test date | The date and time when the import rule test was performed. |
Performed by | The service or user that performed the test. |
Import rule trial run results
Purpose: List discovered objects that have been given a trial run against import rules. For each discovered object only the most recent trial run is displayed.
Executable: trialrun
Criteria | Description |
|---|---|
Discovered object | Type the discovered object that has been tested against import rules for which you want to generate the report. |
Discovered system | Search for or type the ID of a discovered system. |
Rule type | Select the type of import rule:
|
Target systems rule ID | Search for or type target systems import rules. This option only appears if at least one target systems import rule is defined. |
Managed systems rule ID | Search for or type managed systems import rules. This option only appears if at least one managed systems import rule is defined. |
Managed accounts rule ID | Search for or type managed accounts import rules. This option only appears if at least one managed accounts import rule is defined. |
Action performed by | Type either the service or user that performed the test. |
Current status | Select the current status to include:
|
Result | Select the results to be displayed:
|
Import rule test date | Define a date range for the test date. |
Column | Description |
|---|---|
Rule type | The type of import rule (target systems, managed systems, or managed accounts). |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Discovered object | The discovered object that was tested against the import rule. |
Discovered system | The discovered system associated with the object. |
Policy ID | The managed system policy ID associated with the rule. |
Policy description | The description of the managed system policy. |
Result | Whether the trial run passed or failed. |
Fail condition | The condition that caused the trial run to fail, if applicable. |
Test status | The status of the trial run test. |
Current status | The current status of the discovered object (managed or unmanaged). |
Last modified time | The date and time the record was last modified. |
Start time | The date and time the trial run started. |
End time | The date and time the trial run ended. |
Performed by | The service or user that performed the trial run. |
Import rule binding failures
Purpose: Deactivation of imported managed accounts or systems due to import rule condition expression mismatch.
Executable: importrulebindfailures
Criteria | Description |
|---|---|
Discovered object type | Choose:
|
Managed systems rule ID | Search for or type managed systems import rules. This option only appears if at least one managed systems import rule is defined. |
Managed accounts rule ID | Search for or type managed accounts import rules. This option only appears if at least one managed accounts import rule is defined. |
Discovered account | Type the name of the discovered account to include in the report. This option is only available when Discovered object type is set to "Discovered account". |
Discovered system | Type a comma-and-space-delimited list of discovered systems to include in the report. Alternatively, search for one or more discovered systems. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, you can search for one or more policies. |
Import rule test date | Define a date range for the test date. |
Column | Description |
|---|---|
Rule type | The type of import rule (managed systems or managed accounts). |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Requirement | The requirement that was evaluated. |
Failure requirement | The specific requirement that caused the binding failure. |
Failure attribute key | The attribute key associated with the failure condition. |
Failure operation | The operation that was being performed when the failure occurred. |
Failure attribute value | The attribute value that caused the failure. |
Discovered account | The discovered account that failed binding. |
Discovered system ID | The unique identifier of the discovered system. |
Discovered system name | The name of the discovered system. |
Policy ID | The managed system policy ID associated with the rule. |
Policy description | The description of the managed system policy. |
Test date | The date and time the import rule was tested. |
Evaluation method | The method used to evaluate the import rule. |
Performed by | The service or user that performed the import rule evaluation. |
Import rules performance
Purpose: This report calculates performance statistics for import rule evaluations.
Executable: importruleperformance
Criteria | Description |
|---|---|
Rule type | Select one of the options from the drop-down list:
|
Target systems rule ID | Type a comma-and-space-delimited list of IDs of target system import rules to include in the report. Alternatively, search for one or more import rules. |
Managed systems rule ID | Type a comma-and-space-delimited list of IDs of managed system import rules to include in the report. Alternatively, search for one or more import rules. |
Managed accounts rule ID | Type a comma-and-space-delimited list of IDs of managed account import rules to include in the report. Alternatively, search for one or more import rules. |
Integration direction | Select one of the options from the drop-down list:
|
Rule execution status | Select statuses:
|
Rule execution start date | Define a date range during which the rule started execution. |
Rule execution end date | Define a date range during which the rule finished execution. |
Column | Description |
|---|---|
Rule type | The type of import rule (target systems, managed systems, or managed accounts). |
Rule ID | The unique identifier of the import rule. |
Rule description | The description of the import rule. |
Integration method | The integration method used (push mode or local service mode). |
Policy ID | The managed system policy ID associated with the rule. |
Occurrences | The number of times the rule was evaluated. |
Total time (ms) | The total execution time in milliseconds across all occurrences. |
Average time (ms) | The average execution time in milliseconds per occurrence. |
Minimum time (ms) | The minimum execution time in milliseconds for a single occurrence. |
Maximum time (ms) | The maximum execution time in milliseconds for a single occurrence. |
Imported target systems
Purpose: Target systems that were added using an import rule.
Executable: importtargets
Criteria | Description |
|---|---|
Discovered target system | Type a comma-and-space-delimited list of IDs of auto-discovered target systems to include in the report. Alternatively, search for one or more discovered target systems. |
Target systems rule ID | Type a comma-and-space-delimited list of IDs of target system import rules to include in the report. Alternatively, search for one or more import rules. |
New system connection credentials | Select credentials to be used to connect to the target systems:
|
Column | Description |
|---|---|
Discovered target system | The ID of the discovered target system that was imported. |
Target system description | The description of the target system. |
Source target system | The source target system from which the import was performed. |
Rule ID | The ID of the import rule that was used to import the target system. |
Rule description | The description of the import rule. |
Connection credential | The connection credential method used for the imported target system. |
Administrator ID | The ID of the administrator assigned to the imported target system. |
Imported managed systems
Purpose: Managed systems that were added using an import rule.
Executable: importsystems
Criteria | Description |
|---|---|
Discovered managed system | Type a comma-and-space-delimited list of IDs of managed systems to include in the report. Alternatively, search for one or more discovered managed systems. |
Managed systems rule ID | Type a comma-and-space-delimited list of IDs of managed system import rules to include in the report. Alternatively, search for one or more import rules. |
Managed system policy ID | Type a comma-and-space-delimited list of IDs of managed system policies to include in the report. Alternatively, search for one or more managed system policies. |
Column | Description |
|---|---|
Discovered managed system | The ID of the discovered managed system that was imported. |
Managed system name | The name assigned to the managed system. |
Source target system | The source target system from which the managed system was imported. |
Managed system policy ID | The ID of the managed system policy associated with the imported system. |
Managed system policy description | The description of the managed system policy. |
Rule ID | The ID of the import rule used to import the managed system. |
Rule description | The description of the import rule. |
Imported managed accounts
Purpose: Managed accounts that were added using an import rule.
Executable: importaccounts
Criteria | Description |
|---|---|
Discovered account | Type the ID of a managed account to include in the report. |
Discovered managed system | Type a comma-and-space-delimited list of IDs of managed systems to include in the report. Alternatively, search for one or more managed systems. |
Managed accounts rule ID | Type a comma-and-space-delimited list of IDs of managed account import rules to include in the report. Alternatively, search for one or more import rules. |
Managed system policy ID | Type a comma-and-space-delimited list of IDs of managed system policies to include in the report. Alternatively, search for one or more managed system policies. |
Column | Description |
|---|---|
Discovered account | The ID of the discovered account that was imported as a managed account. |
Discovered managed system | The name of the discovered managed system associated with the account. |
Discovered managed system ID | The unique ID of the discovered managed system. |
Target system description | The description of the target system where the account was discovered. |
Rule ID | The ID of the import rule used to import the managed account. |
Rule description | The description of the import rule. |
Managed system policy ID | The ID of the managed system policy associated with the account. |
Managed system policy description | The description of the managed system policy. |
Automatically discovered target system administrator creation
Purpose: List administrators created from target system import rules.
Executable: admincreation
Criteria | Description |
|---|---|
Discovered target system | Enter the ID of the discovered target system. Alternatively, search to find matching discovered target systems. |
Target systems rule ID | Enter the ID of the target systems import rule. Alternatively, search to find the matching rules. |
Administrator ID | Enter the ID of the administrator. |
Last run time | Define a date range for the last run time. |
Column | Description |
|---|---|
Discovered target system | The ID of the discovered target system where the administrator was created. |
Administrator ID | The ID of the administrator that was created. |
Result | The result of the administrator creation attempt (success or failure). |
Error message | The error message if the administrator creation failed. |
Time | The date and time when the administrator creation was attempted. |
Rule ID | The ID of the target system import rule that triggered the administrator creation. |
Rule version | The version of the import rule at the time of execution. |
Team Management configuration
Purpose: Displays configuration of Team Management, including teams, team members and their privileges, and onboarded systems and accounts.
Executable: pamteammanagement
Criteria | Description |
|---|---|
Report type | Select a report type from the drop-down list:
|
Team name | Type a comma-and-space-delimited list of IDs for teams you want to include in the report. Alternatively, you can search for one or more teams. This field is only available for report types that include teams. |
Team description | Type the description for a team you want to include in the report. This field is only available for report types that include teams. |
Privilege | Select one or more privileges to include in the report. Privileges include:
|
Group by privilege | Enable this checkbox to group records by privilege. This field is only available for report types that include privileges. |
System ID | Type a comma-and-space-delimited list of IDs for onboarded systems you want to include in the report. Alternatively, you can search for one or more onboarded systems. This field is only available for report types that include systems. |
System name | Type the description for a managed system you want to include in the report. This field is only available for report types that include systems. |
User ID | Type a comma-and-space-delimited list of IDs of team users to include in the report. Alternatively, search for one or more users. This field is only available for report types that include users. |
User name | Type the name for a team user you want to include in the report. This field is only available for report types that include users. |
Account name | Type a comma-and-space-delimited list of IDs for onboarded accounts you want to include in the report. Alternatively, you can search for one or more onboarded accounts. This field is only available for report types that include accounts. |
The report output columns depend on the report type selected.
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
System ID | The unique identifier of the onboarded system. |
System name | The display name of the onboarded system. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
System ID | The unique identifier of the onboarded system. |
System name | The display name of the onboarded system. |
Account name | The name of the onboarded account. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
Privilege | The privilege assigned to the team. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
Membership | The type of membership (direct or via group). |
Group | The group through which the user is a member, if applicable. |
User ID | The unique identifier of the team member. |
User name | The display name of the team member. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
Privilege | The privilege assigned to the team member. |
Membership | The type of membership (direct or via group). |
Group | The group through which the user is a member, if applicable. |
User ID | The unique identifier of the team member. |
User name | The display name of the team member. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
Privilege | The privilege assigned to the team member. |
Membership | The type of membership (direct or via group). |
Group | The group through which the user is a member, if applicable. |
User ID | The unique identifier of the team member. |
User name | The display name of the team member. |
System ID | The unique identifier of the onboarded system. |
System name | The display name of the onboarded system. |
Column | Description |
|---|---|
Team name | The name of the team. |
Team description | The description of the team. |
Privilege | The privilege assigned to the team member. |
Membership | The type of membership (direct or via group). |
Group | The group through which the user is a member, if applicable. |
User ID | The unique identifier of the team member. |
User name | The display name of the team member. |
System ID | The unique identifier of the onboarded system. |
System name | The display name of the onboarded system. |
Account name | The name of the onboarded account. |
Column | Description |
|---|---|
Membership | The type of membership (direct or via group). |
Group | The group through which the user is a member, if applicable. |
User ID | The unique identifier of the user. |
User name | The display name of the user. |
System ID | The unique identifier of the onboarded system. |
System name | The display name of the onboarded system. |
Privilege | The privilege assigned to the user. |
Column | Description |
|---|---|
Membership | The type of membership (direct or via group). |
Group | The group through which the user is a member, if applicable. |
User ID | The unique identifier of the user. |
User name | The display name of the user. |
System ID | The unique identifier of the onboarded system. |
System name | The display name of the onboarded system. |
Account name | The name of the onboarded account. |
Privilege | The privilege assigned to the user. |
Conflicting passwords
Purpose: List current conflicting passwords and their details.
Executable: conflictingpasswords
Criteria | Description |
|---|---|
Account | Select or search for one or more accounts to include in the report. |
Managed system ID | Type a comma-and-space-delimited list of IDs for managed systems you want to include in the report. Alternatively, you can search for one or more managed systems. |
Managed system policy ID | Type a comma-and-space-delimited list of managed system policy IDs to include in the report. Alternatively, search for one or more policies. |
Column | Description |
|---|---|
Account | The account with a conflicting password. |
Managed system ID | The unique identifier of the managed system. |
Managed system name | The display name of the managed system. |
Policy ID | The managed system policy ID associated with the account. |
Policy description | The description of the managed system policy. |
Manual reason | The reason the password was flagged as conflicting. |
Last action | The last action taken on the conflicting password. |