The customer wants a report on unauthorized access change events. I have not found any report template for this purpose. Does anybody have any experience with this?
I am using 7.0.1 P2.
If you are looking to filter change requests that originated from Unauthorized Changes, then you can use the SOURCE_TYPE column for filtering.
SELECT * FROM PV_CHANGE_REQUEST_DETAIL WHERE SOURCE_TYPE = 'UC';
I'm pretty sure that UC stands for Unauthorized Change.
Thanks. Even though I have a doubt on this.
Note that unauthorized access is given to a user without a change request, which means that this access can't be stored in the PV_CHANGE_REQUEST_DETAIL table. That table only stores items that were part of an access request on the system.
Any say on that?
h/t Aaron Beaudoin
There is an OOB template that can be used. When creating a new report, the template for Rules/Rule Violations can be used, then the filter set for unauthorized change detection:
That is the one I was looking for.
In my dev environment I tested this rule and got some hits and the email was sent; however, there is nothing in the rule violations section nor any data in the V_AVR_ALL_VIOLATIONS table. I looked in the help section and it says that rule violations are only created for two rule types: Should I have rule violation data for unauthorized change detection rules?
RSA Identity Governance and Lifecycle generates rule violations whenever it detects that users have access to entitlements they should not have as specified by the following rule types:
My assumption was that a rule of type Unauthorized Change Detection is being used to identify this type of access.
Okay, I see. You were correct based on your assumption, as this will flag all the requests that occurred as a result of the unauthorized change.
Just a note that if you were to write a query in the report module against pv_change_request_detail, you would need to say 'select * from avuser.pv_change_request_detail' because that view is owned by 'avuser' and the report module is connected to the database as the 'avdwuser' schema and not 'avuser'. Note you could rewrite the query as 'select * from change_request_detail', which is a public schema table. RSA recommends using the public schema tables in reports so that they will work from version to version (i.e. any underlying schema changes between versions should not affect queries that use the public schema tables).
Yes, I know that. Thanks for the note.