Idea ID: 2875164

Additional Reports

DennisR1 DennisR1
Status : New Idea

I would like to suggest some additional reports.

A shared authenticators report showing all authenticators linked and to which account they are linked would be very helpful. It is a security concern to not be able to easily see which accounts are linked to which other accounts. The report should include the owner account, the account that is linked and the authenticator itself of course. Perhaps additional fields could be date/time authenticator was last used and on which event.

It would also be beneficial to have a report similar to the user report, only instead of authentication traffic it should show user activity within AA including logins, but also any other actions taken within in AA. Basically an tracking list of the users actions for auditing purposes or security investigations. 

i.e.- I envision the report showing the user logging into the helpdesk and then perhaps removing a users PIN and HOTP. Maybe they unlocked a user account as well. The report will be based on a user's logon name, like the user report, but one that can be entered/selected like the Helpdesk portal does for managing a user.

Both of these reports would have security benefits to a customer and could be very helpful in the event that a security related incident occurred. 



    Thank you for the entry.

    A few questions for clarification:

    1. The "Shared Authenticators" report data, so we would want to have owner, method, linked for the date, should it not be the date when the account was linked to the other?

    2. Following question (1), Does the current "Activity Stream" report not cover the "when the user authenticated", "which method was used" and "which event" for shared authenticators? If it does, perhaps the Activity Stream report could be expanded have a flag field/column called "Shared authenticator" with a yes/no or with the method name (if any).

    3. The "User tracking" report seems to be more complex and perhaps needs to be unpacked further. As far as I understand, the report information, at this stage, is only available per site in the cluster so this report would only cover activity within the site. Also, would the number of rows (volume of data kept on the report) could increase the table size with a possible impact on performance especially for long date range searches.

    4. The information to be "tracked", from the description, it would be similar to the information being recorded on the logs, i.e: User start logon process, logon process result, changes to enrollment, policies, methods and configuration, etc. AAF currently can integrate with a Syslog server to send information from the logs to the Syslog. Also, the Syslog has the advantage of taking information from all servers in the cluster and not being limited to a site. Should the Syslog not be able to compile such activity information to be reported? Or are there gaps that need to be covered?

    There has also been an improvement in the CEF format that AAF uses. 

    I hope the above questions make sense but please feel free to let me know if any of the above points needs to be expanded more.