Configuring Privileged User Manager Rules to Restrict Audit Reports

How do you configure rules so that a manager is restricted to the audit reports of only those employees who report to him?

In many organizations, managers are expected to review the audit reports of their employees so that they can take appropriate action if an employee executes a risky activity.

Compliance Auditor in the Privileged User Manager (PUM) console provides a feature for reviewing all audit reports. It also provides filters with which we can restrict which reports are shown to which manager. A few configurations are required to achieve this; they are explained using the use case below:

Use Case:
Assume that we have two managers, Manager1 and Manager2.
Emp1, Emp2, Emp3 report to Manager1.
Emp4, Emp5 report to Manager2.
Manager1 and Manager2 report to Director1.

So in the above case, Manager1 should be able to review the audit reports of Emp1, Emp2 and Emp3, and Manager2 should be able to review the audit reports of Emp4 and Emp5.
Director1 should be able to review the reports of all 5 employees and 2 managers.

This can be achieved by doing the following configurations in PUM:

I. Framework User Manager Configuration:

  1. Create the Manager1 user and the Manager1Group group. Add manager1 to this group.

  2. In Manager1Group assign the required roles:

     • Secaudit – read
     • Secaudit – console
     • Secaudit – write
     • Secaudit – audit
     • Secaudit – Manager1TeamRole (this role is not in the dropdown list; you need to type it in)
     • Audit – read
     • Audit – write

  3. Similarly, create the Manager2 user and Manager2Group.

  4. In Manager2Group add the same roles as above, except that Secaudit – Manager1TeamRole is replaced by Secaudit – Manager2TeamRole.

  5. Create a group called DirectorGroup and add the above two groups as sub-groups. Add the director1 user to this group. Director1 will inherit the roles of both sub-groups.

These roles are used later in Compliance Auditor to restrict access to the audit reports, as explained below.

II. Command Control Configuration:

  1. Create a UserGroup called Manager1. Add manager1, Emp1, Emp2 and Emp3 to this group.

  2. Add a UserGroup called Manager2 and add manager2, Emp4 and Emp5 to this group.

  3. Create rules as follows:

    Begin Rule: Default Audit
    Audit Group = "Default Audit"
    End Rule: Default Audit

    Begin Rule: Audit Mgr - Manager1
    If (user IN Manager1)
    Audit Group = "Manager1Team"
    End If
    End Rule: Audit Mgr - Manager1

    Begin Rule: Audit Mgr - Manager2
    If (user IN Manager2)
    Audit Group = "Manager2Team"
    End If
    End Rule: Audit Mgr - Manager2

    With the above rules in place, whenever Emp1, Emp2 or Emp3 starts a session on a system where the PUM agent is installed, the session is tagged with the Manager1Team Audit Group. Similarly, all sessions of Emp4 and Emp5 are tagged with Manager2Team. The Audit Group value in the rule must match the filter value used in Compliance Auditor exactly.

III. Compliance Auditor Configuration:

Create two Compliance Auditor Rules as follows:

  1. Manager1Reports:

     • Audit Role – Manager1TeamRole
       This is the same name as given in the Framework User Manager group.
     • Filter Category – Command Control
     • Filter – AuditGroup – Manager1Team
       This is the same name as given in the Command Control rule value.

  2. Manager2Reports:

     • Audit Role – Manager2TeamRole
       This is the same name as given in the Framework User Manager group.
     • Filter Category – Command Control
     • Filter – AuditGroup – Manager2Team
       This is the same name as given in the Command Control rule value.

As a result of the above rules, Compliance Auditor collects audit reports in the following fashion:

  1. Manager1Reports collects all audit reports whose sessions are tagged Manager1Team, i.e. all emp1, emp2 and emp3 reports.

  2. Manager2Reports collects all audit reports whose sessions are tagged Manager2Team, i.e. all emp4 and emp5 reports.

Thus the required functionality is achieved as follows:

  1. When Manager1 logs into the PUM console and checks reports in Compliance Auditor, he sees all reports collected by Manager1Reports. This is because manager1 is assigned Manager1TeamRole in Framework User Manager and Manager1Reports is restricted to that role.
     i.e. Manager1 can view reports only of Emp1, Emp2 or Emp3.

  2. Similarly, Manager2 is able to see reports only of Emp4 and Emp5.

  3. When Director1 logs in, he sees the reports of all employees, because through group inheritance he is assigned both Manager1TeamRole and Manager2TeamRole.
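To make the interplay of the three configurations concrete, here is an added Python simulation (not PUM's own code) of the model described above: role inheritance through nested Framework groups, Command Control rules tagging each session with an Audit Group, and Compliance Auditor rules exposing a tagged report only to holders of the matching Audit Role. It assumes that Command Control rules are evaluated in order with the last matching rule's Audit Group winning; the user and group names are those of the use case.

```python
# Framework User Manager: a group carries roles and inherits the roles of its sub-groups
# (only the typed-in team roles matter for visibility, so Secaudit/Audit read/write are omitted).
FRAMEWORK_GROUPS = {
    "Manager1Group": {"members": {"manager1"}, "roles": {"Secaudit:Manager1TeamRole"}, "subgroups": []},
    "Manager2Group": {"members": {"manager2"}, "roles": {"Secaudit:Manager2TeamRole"}, "subgroups": []},
    "DirectorGroup": {"members": {"director1"}, "roles": set(), "subgroups": ["Manager1Group", "Manager2Group"]},
}
# Command Control UserGroups, and rules as (name, UserGroup condition or None, Audit Group value).
# Assumption: rules run in order and the last match wins, so "Default Audit" is the baseline
# and a manager rule overrides it for that manager's team.
CC_USER_GROUPS = {"Manager1": {"manager1", "emp1", "emp2", "emp3"},
                  "Manager2": {"manager2", "emp4", "emp5"}}
CC_RULES = [("Default Audit", None, "Default Audit"),
            ("Audit Mgr - Manager1", "Manager1", "Manager1Team"),
            ("Audit Mgr - Manager2", "Manager2", "Manager2Team")]
# Compliance Auditor rules: (Audit Role required to read the rule's reports, AuditGroup filter value).
CA_RULES = {"Manager1Reports": ("Secaudit:Manager1TeamRole", "Manager1Team"),
            "Manager2Reports": ("Secaudit:Manager2TeamRole", "Manager2Team")}

def group_roles(name):
    """Roles of a Framework group, including those inherited from nested sub-groups."""
    g = FRAMEWORK_GROUPS[name]
    return set(g["roles"]).union(*(group_roles(sub) for sub in g["subgroups"]))

def effective_roles(user):
    """Every role the user holds through direct group membership and sub-group inheritance."""
    return {r for name, g in FRAMEWORK_GROUPS.items() if user in g["members"] for r in group_roles(name)}

def tag_session(user):
    """Audit Group stamped on a session this user starts on a host running the PUM agent."""
    audit_group = None
    for _name, user_group, value in CC_RULES:
        if user_group is None or user in CC_USER_GROUPS[user_group]:
            audit_group = value
    return audit_group

def visible_reports(viewer, sessions):
    """Users whose session reports the viewer can open: a report is shown only through
    a Compliance Auditor rule whose Audit Role the viewer holds."""
    roles = effective_roles(viewer)
    seen = set()
    for audit_role, audit_group in CA_RULES.values():
        if audit_role in roles:
            seen |= {user for user, group in sessions if group == audit_group}
    return seen

# Constructed sample: one session per user from the use case, tagged by the rules above.
ALL_USERS = ("emp1", "emp2", "emp3", "emp4", "emp5", "manager1", "manager2")
SESSIONS = [(u, tag_session(u)) for u in ALL_USERS]
```

Because manager1 is itself a member of the Manager1 UserGroup, its own sessions are tagged Manager1Team as well, which is what lets Director1 see the managers' reports alongside the employees'.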

Note: There is an alternate way of doing the same, explained briefly below:

  1. Create Framework User Manager users and groups as done earlier.

  2. You need NOT assign an Audit Group in Command Control.

  3. In the Compliance Auditor rule, add the Audit Role as done earlier, but use a Command Control filter on Submit User. Add multiple Submit User filters with an OR condition. So for the Manager1Reports rule add:

     SubmitUser – Emp1 OR
     SubmitUser – Emp2 OR

You will achieve the same result. However, this approach is tedious: if one manager has 1000 or so employees reporting to him, creating the above rule with SubmitUser filters is neither easy nor readable.
