SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

RSA Auth Mgr 8.1 Privileged help desk role

Yesterday I had to assist several users who where in Emergency Access mode.


In our environment we do not allow the end user to place themselves there from self-service


All our service desk folks have Auth Mgr Privileged Help Desk Admin role, which gives them the ability to provide both online and offline emergency access help


 Emergency Access mode should be an extremely rare circumstance. I am trying to figure out who set the user up that way. As System Admin I can only think of one time where I've had to enable someone for it in last 3 years.


Here's the question....I have asked the service if they had set anyone in that mode. They claim no.


So how can I find out who may have enabled several users that way using the system reporting tools. These users could have been set that way for some time and I really don't have a time frame to search with.

Labels (1)
11 Replies

Thanks for your suggestion. I already have a separate Test Primary and a Test Web Tier which is in a DMZ. Just don't have any tokens in it and my company is not going to spring for them. We are a small bank and I'm the sole admin and helpdesk for over a 1000 users. I have a Primary and 5 replicas in other locations so its gonna be quite a task getting upgraded to 8.4 patch 10 and keeping us running at the same time...especially with the web tier upgrades along the way. the web tiers are problematic because I don't really have any Linux skills. I'm not confident I have all the skills necessary to handle the upgrade process.


We have tentative plans to upgrade this year using a 3rd party vendor to help me.


Right now I'm just trying to survive the onslaught on token request's for everyone who suddenly feels it necessary to work from home.


You can export/import users and tokens (or just tokens) and get all your users and tokens onto the test system easily, and it won't delete them from the source. It is an exact copy. Or, backup and restore will do the same thing. You don't need to spring for new anything, all your setup from Prod can be placed in DEV, including user, tokens, token pins...all of it. So, very flexible. Just giving you some ideas...


NOTE: One problem in versions lower than 8.2 patch 1 is on-demand tokens do not export/import
but they are contained in a backup/restore. Regular hard tokens or soft tokens do export/import.


Export import is: (help menu gives exact details)


a) generate an encryption key on the target.

b) Export from the source which will need the encryption key from the target.

c) Pick what you need to export. (by placing users in a group you can export the group and all the users/tokens in that group).

d) Export. The users and tokens on the source are copied, not deleted, so this does no interruption to production.

e) then import that file to the target.

Target will ask to send to internal database or LDAP source (if you have ldap set up on target system).