000016912 - Reporting on RSA Authentication Manager 8.1 users with On-Demand Token, a fixed passcode or a hardware/software token assigned and when they last authenticated

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 6

Article Content

Article Number: 000016912

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue
The license status page on the Security Console under Setup > Licenses > Status shows the number of active users in the database and the total number of active users allowed on the license. This solution provides information on how to determine which users are contributing to the active user count.

Resolution

Steps to Run the Active User Report


  1. Download the query script using the link in the Notes section of this article.
  2. Copy the SQL script attached to this article to the Authentication Manager 8.x primary's /home/rsaadmin directory (using WinSCP, for example).
  3. Set the file owner for the UserLicenseReportv8.sql file to rsaadmin:

      chown rsaadmin UserLicenseReportv8.sql

  4. Set file permissions on the SQL script to be executable, using one of the two commands below:

      chmod +x UserLicenseReportv8.sql

      chmod 0755 UserLicenseReportv8.sql

  5. Confirm that SSH is enabled via the Operations Console under Administration > Operating System Access.
  6. Log on to the Authentication Manager 8.x primary via SSH as the rsaadmin user.
  7. Determine the Authentication Manager 8.x database password as shown in the following example. Note that the OC administrator name and output password will be different from the example values shown here:

      rsaadmin@am8p:~> cd /opt/rsa/am/utils
      rsaadmin@am8p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
      Please enter OC Administrator username: <enter name of the Operations Console administrator>
      Please enter OC Administrator password: <enter password for the Operations Console administrator>
      com.rsa.db.dba.password: <rsa.db.dba.password is returned>

     For example:

      rsaadmin@am8p:~> cd /opt/rsa/am/utils
      rsaadmin@am8p:/opt/rsa/am/utils> ./rsautil manage-secrets -a get com.rsa.db.dba.password
      Please enter OC Administrator username: ocadmin
      Please enter OC Administrator password: ********
      com.rsa.db.dba.password: GrcvNN2FUAsWjyPfhaIsSWvjvZhvtN

  8. Execute the query. You will be prompted for the com.rsa.db.dba.password output from step 7.

      cd ../pgsql/bin
      rsaadmin@am8p:/opt/rsa/am/pgsql/bin> ./psql -h localhost -p 7050 -d db -U rsa_dba -f ~/UserLicenseReportv8.sql > ~/output.html
      Password for user rsa_dba: <enter com.rsa.db.dba.password captured above>

  9. The output.html file is written to /home/rsaadmin. Using WinSCP, or another file transfer tool, copy the output.html file off the Authentication Manager server for review.

Sample Output



The tables below show sample output from running this report.


Users with a Token


tokenid                          | serial     | token_type | username        | userid
dbd546b20b8d940a01e21d006c577c83 | XXXXXX7768 | SOFTID     | user.subdomain2 | 1cbb255d0b8d940a01b685408c546b54
c732dffc0b8d940a01b4dbdc7cb27983 | XXXXXX4021 | SID800     | on.demand       | 4753bdb00b8d940a0206fc869db5d862
dbd546930b8d940a01e596c7960ed372 | XXXXXX7761 | SOFTID     | on.demand       | 4753bdb00b8d940a0206fc869db5d862
dbd546a30b8d940a01da848ff692edae | XXXXXX7765 | SOFTID     | smithj          | 69d617890b8d940a01ea754e2e5a4735
dbd546a30b8d940a01e0db9875cfe7a6 | XXXXXX7764 | SOFTID     | smithj          | 69d617890b8d940a01ea754e2e5a4735
c252948a0b8d940a01f5126d581b06e4 | XXXXXX1332 | SID800     | token.user      | 7d4186760b8d940a025f5f29d52711a2
c732de660b8d940a01a2b7a9d4d2ed4c | XXXXXX3997 | SID800     | doem            | bd7166410b8d940a01b837590a350b6c
761f49910b8d940a02003f7e7d5b53af | XXXXXX2256 | KEYFOB     | doem            | bd7166410b8d940a01b837590a350b6c
dbd546640b8d940a01c4fe7db09a19dc | XXXXXX7755 | SOFTID     | soft.token      | c42380de0b8d940a01f2e5ffb619483c
dbd546930b8d940a01e4bec42a031ab8 | XXXXXX7760 | SOFTID     | soft.token      | c42380de0b8d940a01f2e5ffb619483c
c2560e9d0b8d940a01d7f48adeb14e53 | XXXXXX4670 | KEYFOB     | rsatest         | c713094a0b8d940a034c88b30bb9106c
dbd546930b8d940a01c0f3509c5e1e62 | XXXXXX7759 | SOFTID     | rsatest         | c713094a0b8d940a034c88b30bb9106c
dbd546930b8d940a01c76ca09a2f3692 | XXXXXX7758 | SOFTID     | rsatest         | c713094a0b8d940a034c88b30bb9106c
485742750b8d940a01f6ffe2eefdc0a5 | XXXXXX7530 | SID800     | selfenrol1      | f07063e30b8d940a018e8da09016da50
dbd546840b8d940a01c6cba4d6c49998 | XXXXXX7757 | SOFTID     | selfenrol1      | f07063e30b8d940a018e8da09016da50

(15 rows)


Total Tokens Assigned


tokens_assigned
15

(1 row)


Total Unique Users with Tokens


Note that a user can have up to three tokens assigned to them.


total_unique
8

(1 row)


Users Enabled for On Demand Authentication


tokenid                          | username    | userid
937fd36fdd8e940a1a845a4e89110aa5 | risk.based  | 6818ab470b8d940a01e5323de4e7a166
59571bc30b8d940a0246d45829470b7c | rsatest     | c713094a0b8d940a034c88b30bb9106c
6adc132e0b8d940a02e3e748b24a8180 | on.demand   | 4753bdb00b8d940a0206fc869db5d862
f0875fec0b8d940a0271cf7d22174dd9 | selfenroll1 | f0875b480b8d940a01c3f4d2c4aa3c73

(4 rows)


Total Users Enabled for On Demand Authentication


total
4

(1 row)


Users Enabled for Risk Based Authentication


username
risk.based
self.service
admin
rsatest
on.demand
m??ller??
smithj

(7 rows)


Users with Fixed Passcode


loginuid
jdoe
rsatest
m??ller??
ip.user
Challenge.Me
site1admin
site2admin
Administrator
radiustest
locked.out
special.user
tacplus
win71

(13 rows)


Total Users with a Fixed Passcode


total
13

(1 row)


All Active Users


username        | identity_source    | fixed_passcode | token        | on_demand_enabled | last_login              | rba_enabled
admin           | Internal Database  | NO             |              | NO                |                         | YES
Administrator   | SMITH.LOCAL        | YES            |              | NO                | 2012-08-09 11:29:14     | NO
blah            | Internal Database  | NO             | 000216702256 | NO                |                         | NO
blah            | Internal Database  | NO             | 000209513997 | NO                |                         | NO
Challenge.Me    | SMITH.LOCAL        | YES            |              | NO                | 2012-10-05 20:32:53     | NO
ip.user         | SMITH.LOCAL        | YES            |              | NO                | 2012-09-18 14:30:49     | NO
jdoe            | Internal Database  | YES            |              | NO                |                         | NO
locked.out      | SMITH.LOCAL        | YES            |              | NO                |                         | NO
m??ller??       | Internal Database  | YES            |              | NO                | 2013-07-12 15:06:40.174 | YES
on.demand       | SMITH.LOCAL        | NO             | 000209514021 | YES               | 2013-05-24 09:37:38.285 | YES
on.demand       | SMITH.LOCAL        | NO             | 000205167761 | YES               | 2013-05-24 09:37:38.285 | YES
radiustest      | Internal Database  | YES            |              | NO                | 2012-06-19 09:11:05     | NO
risk.based      | SMITH.LOCAL        | NO             |              | YES               | 2013-04-24 10:33:48.73  | YES
rsatest         | SMITH.LOCAL        | YES            | 000075884670 | YES               | 2013-07-16 12:50:59.676 | YES
rsatest         | SMITH.LOCAL        | YES            | 000205167759 | YES               | 2013-07-16 12:50:59.676 | YES
rsatest         | SMITH.LOCAL        | YES            | 000205167758 | YES               | 2013-07-16 12:50:59.676 | YES
selfenrol1      | Internal Database  | NO             | 000079277530 | NO                |                         | NO
selfenrol1      | Internal Database  | NO             | 000205167757 | NO                |                         | NO
selfenroll1     | SMITH.LOCAL        | NO             |              | YES               | 2012-06-18 14:36:04     | NO
self.service    | SMITH.LOCAL        | NO             |              | NO                |                         | YES
site1admin      | Internal Database  | YES            |              | NO                |                         | NO
site2admin      | Internal Database  | YES            |              | NO                |                         | NO
soft.token      | SMITH.LOCAL        | NO             | 000205167755 | NO                |                         | NO
soft.token      | SMITH.LOCAL        | NO             | 000205167760 | NO                |                         | NO
special.user    | Special Characters | YES            |              | NO                | 2013-03-18 16:15:20     | NO
tacplus         | Internal Database  | YES            |              | NO                | 2013-03-21 08:53:00     | NO
token.user      | SMITH.LOCAL        | NO             | 000215691332 | NO                | 2013-03-18 12:09:12     | NO
user.subdomain2 | Internal Database  | NO             | 000205167768 | NO                |                         | NO
smithj          | SMITH.LOCAL        | NO             | 000205167764 | NO                | 2013-05-03 13:08:57.071 | YES
smithj          | SMITH.LOCAL        | NO             | 000205167765 | NO                | 2013-05-03 13:08:57.071 | YES
win71           | Internal Database  | YES            |              | NO                | 2013-01-09 14:11:18     | NO

(31 rows)


Count of Unique Active Users


A user is active if they have a token, and/or a fixed passcode, and/or an on-demand authenticator, and/or are enabled for Risk Based Authentication.


active_users
24

(1 row)
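
The "All Active Users" table lists a user once per assigned token, so reviewing output.html for accounts that no longer need a license means de-duplicating first. The following is an added example, not part of the RSA article or its attached SQL script: it parses the report and lists users who never authenticated or have not done so since a cutoff date. It assumes output.html uses psql's standard HTML table markup with the column headers shown in the sample output, and that a user is identified by username plus identity source.

```python
from datetime import datetime
from html.parser import HTMLParser

COLUMNS = ["username", "identity_source", "fixed_passcode", "token",
           "on_demand_enabled", "last_login", "rba_enabled"]

class TableRows(HTMLParser):
    """Collect every <tr> in the document as a list of cell strings."""
    def __init__(self):
        super().__init__()
        self.rows, self._text = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "tr":
            self.rows.append([])
        elif tag in ("th", "td"):
            self._text = []          # start collecting this cell's text
    def handle_data(self, data):
        self._text.append(data)
    def handle_endtag(self, tag):
        if tag in ("th", "td") and self.rows:
            self.rows[-1].append("".join(self._text).strip())  # also drops &nbsp;

def active_users(html):
    """Map (username, identity_source) -> last login, None if never seen."""
    parser = TableRows()
    parser.feed(html)
    users, in_table = {}, False
    for row in parser.rows:
        if row == COLUMNS:
            in_table = True          # header of the "All Active Users" table
        elif in_table and len(row) == len(COLUMNS):
            name, source, last = row[0], row[1], row[5][:19]  # drop fractions
            users[(name, source)] = (
                datetime.strptime(last, "%Y-%m-%d %H:%M:%S") if last else None)
        else:
            in_table = False         # a different table has started
    return users

def stale(users, cutoff):  # never authenticated, or not since cutoff
    return sorted(u for u, t in users.items() if t is None or t < cutoff)

# Constructed sample in the assumed layout, using rows from the sample output.
SAMPLE = "<table><tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>" + "".join(
    "<tr>" + "".join(f"<td>{c or '&nbsp;'}</td>" for c in r.split("|")) + "</tr>"
    for r in ["rsatest|SMITH.LOCAL|YES|000075884670|YES|2013-07-16 12:50:59.676|YES",
              "rsatest|SMITH.LOCAL|YES|000205167759|YES|2013-07-16 12:50:59.676|YES",
              "jdoe|Internal Database|YES||NO||NO",
              "on.demand|SMITH.LOCAL|NO|000209514021|YES|2013-05-24 09:37:38.285|YES"]
) + "</table><table><tr><th>active_users</th></tr><tr><td>3</td></tr></table>"
```

To use it on a real report, read output.html into a string and pass it to active_users(); the length of the returned dictionary is the de-duplicated user count for that table.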


Notes

Note: Unresolvable users will also count towards the total number of users. The report generated by this solution will not detect unresolvable users, so please ensure that you run a cleanup identity source job to check for unresolvable users before report execution. To run the cleanup:
  1. Login to the Security Console and select Setup > Identity Sources > Cleanup Unresolvable Users.
  2. Select the identity source in question.
  3. Define a grace period.
  4. Click Next.
  5. Review the list of unresolvable users.
  6. Click Clean Up Now.
This solution is applicable only to RSA Authentication Manager 8.x.  

A SQL query script can determine the active user count details and is attached below or available for download here.  

Legacy Article ID: a61974
