eDir: Rights audit

How is the recommended way to gt an eDir rights audit about a specific user object?

  • 0  

    Hi BM2EC,

    if by "rights audit" you mean some kind of OOTB "report" that will show you where a certain user / trustee has rights in the tree, then my answer will probably be disappointing to you.

     

    Tool-wise, there is the effective rights functionality in iManager / Identity Console, showing the rights of a specific user (trustee) for a certain context in the tree.

     

    But that's it for "official" tools and functionalities, I think. There have been some proprietary tools by 3rd party vendors/companies in the past, but most of them are not really supported anymore.

     

    This is probably partly due to the fact, that the "rights" in eDirerctory are largely represented by ACLs set on objects resulting in rights, witch can then be inherited down the subtree on attribute level. Which is a very powerful mechanism but quite complex in terms of "give me concise report of the rights of this user in the whole tree". Also, you then have the “security equivalence” attribute, which adds to the complexity of the subject.

     

    Most of the customers/partners now try to abstract this mechanism by using IDM and/or Identity Governance and groups/roles or other “application level” authorization concepts to better map eDirectory permissions to business level structures and terms.

     

    Best regards,
    Philipp