Note: this component is designated "advanced", which means that objects of this type are not expected to be created or altered in most environments. If you believe that such a change is necessary, you may want to contact support in order to understand the potential impact of that change.
The Privilege Data Security Auditor is used to identify entries that include privilege information.
This data security auditor reports all entries with privileges assigned. The privileges may be assigned directly or via virtual attributes. Note that this auditor reports all identified entries at the error audit severity level.
The Privilege Data Security Auditor component inherits from the Data Security Auditor.
The properties supported by this managed object are as follows:
Basic Properties: | Advanced Properties:
---|---
enabled | None
report-file |
include-attribute |
audit-backend |
audit-severity |
include-privilege |
Property | enabled
---|---
Description | Indicates whether the Data Security Auditor is enabled for use.
Default Value | true
Allowed Values | true, false
Multi-Valued | No
Required | Yes
Admin Action Required | None. Modification requires no further action.
Property | report-file
---|---
Description | Specifies the name of the detailed report file.
Default Value | entries-with-privileges.ldif
Allowed Values | A string
Multi-Valued | No
Required | Yes
Admin Action Required | None. Modification requires no further action.
Property | include-attribute
---|---
Description | Specifies the attributes from the audited entries that should be included in detailed reports. By default, no attributes are included. Note that reported entries use a different object class than the original entry. If you wish to include the original object class, specify objectClass in this property; the report entry will then carry the original objectClass values in the ds-data-security-audit-objectclass attribute.
Default Value | None
Allowed Values | The name or OID of an attribute type defined in the server schema.
Multi-Valued | Yes
Required | No
Admin Action Required | None. Modification requires no further action.
Property | audit-backend
---|---
Description | Specifies which backends the data security auditor may be applied to. By default, data security auditors audit entries in all backend types that support data auditing (Local DB, LDIF, and Config File Handler).
Default Value | None
Allowed Values | The DN of any Backend.
Multi-Valued | Yes
Required | No
Admin Action Required | None. Modification requires no further action.
Property | audit-severity
---|---
Description | Specifies the severity of events to include in the report. Severity can be one of error, warning or verbose. See the description of the Data Security Auditor to see what events are reported at each severity level.
Default Value | notice
Allowed Values | error, warning, notice, verbose (see below)
Multi-Valued | No
Required | No
Admin Action Required | None. Modification requires no further action.

Allowed values for audit-severity:

- error - Only the most important security risks are identified.
- warning - Includes all events from the error severity level as well as events that are less severe or may present issues in the near future.
- notice - Includes all events from the error and warning levels as well as events that do not necessarily indicate problems but are things that administrators may want to take note of.
- verbose - Includes all events from the error, warning, and notice levels as well as information considered less significant or with only marginal security risk.
Property | include-privilege
---|---
Description | If defined, only entries with the specified privileges will be reported. By default, entries with any privilege assigned will be reported.
Default Value | None
Allowed Values | Any of the privilege names listed below.
Multi-Valued | Yes
Required | No
Admin Action Required | None. Modification requires no further action.

Allowed values for include-privilege:

- audit-data-security - Allows the associated user to execute data security auditing tasks.
- bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation.
- bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations.
- modify-acl - Allows the associated user to modify the server's access control configuration.
- config-read - Allows the associated user to read the server configuration.
- config-write - Allows the associated user to update the server configuration. The config-read privilege is also required.
- jmx-read - Allows the associated user to perform JMX read operations.
- jmx-write - Allows the associated user to perform JMX write operations.
- jmx-notify - Allows the associated user to subscribe to receive JMX notifications.
- ldif-import - Allows the user to request that the server process LDIF import tasks.
- ldif-export - Allows the user to request that the server process LDIF export tasks.
- backend-backup - Allows the user to request that the server process backup tasks.
- backend-restore - Allows the user to request that the server process restore tasks.
- server-shutdown - Allows the user to request that the server shut down.
- server-restart - Allows the user to request that the server perform an in-core restart.
- proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.
- disconnect-client - Allows the user to terminate other client connections.
- password-reset - Allows the user to reset user passwords.
- update-schema - Allows the user to make changes to the server schema.
- privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.
- unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes.
- unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control.
- bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server.
- lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode.
- stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT.
- third-party-task - Allows the associated user to invoke tasks created by third-party developers.
- soft-delete-read - Allows the associated user access to soft-deleted entries.
- metrics-read - Allows the associated user access to data in the metrics backend.
- manage-topology - Allows the associated user to manage the set of server instances that are part of a topology.
- permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control.
- permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control.
- permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy.
- exec-task - Allows the associated user to schedule an exec task.
- collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation.
- file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege.
- permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates.
- permit-verify-password-request - Allows the requester to issue requests to verify user passwords without performing any other password policy processing.
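The auditor's output is the detailed report file (report-file, entries-with-privileges.ldif by default), one LDIF record per entry that holds a privilege. The following triage script is an added example and is not part of the product or its documentation. It assumes the report is plain LDIF in which each reported entry carries one ds-privilege-name value per assigned privilege and, when include-attribute contains objectClass, the original object classes in ds-data-security-audit-objectclass; the sample report embedded below is constructed for this example, and its objectClass value is a placeholder, not the real report object class. The script inverts the report (which DNs hold which privilege) and surfaces the privileges the page describes as bypassing or altering access control or privilege assignment.

```python
"""Triage a Privilege Data Security Auditor report (added example).

Assumptions (not taken from the documentation):
  * the report is ordinary LDIF with RFC 2849 line folding (a leading space
    continues the previous line); base64 (::) values are not handled here;
  * each reported entry lists its privileges in ds-privilege-name;
  * 'ds-data-security-audit-entry' below is a placeholder object class.
"""
from collections import defaultdict

# Privileges that bypass or change access control, password policy, or the
# privilege set itself; listed first when reviewing the report.
HIGH_RISK = {
    "bypass-acl", "bypass-read-acl", "modify-acl", "privilege-change",
    "config-write", "bypass-pw-policy", "proxied-auth",
}

# Constructed sample report; the folded value on the last record shows why
# unfolding matters before matching privilege names.
SAMPLE_REPORT = """\
dn: uid=admin,ou=People,dc=example,dc=com
objectClass: ds-data-security-audit-entry
ds-data-security-audit-objectclass: inetOrgPerson
ds-privilege-name: bypass-acl
ds-privilege-name: config-read
ds-privilege-name: config-write

dn: uid=backup,ou=Service Accounts,dc=example,dc=com
objectClass: ds-data-security-audit-entry
ds-privilege-name: backend-backup
ds-privilege-name: backend-restore

dn: uid=helpdesk,ou=People,dc=example,dc=com
objectClass: ds-data-security-audit-entry
ds-privilege-name: password-reset
ds-privilege-name: privilege-cha
 nge
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute: [values]}) records.

    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive; comment lines (#) are skipped.
    """
    records = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        if dn is not None:
            records.append((dn, dict(attrs)))
    return records


def privileges_by_entry(report_text):
    """Map each reported DN to the set of privileges it holds."""
    return {dn: set(attrs.get("ds-privilege-name", []))
            for dn, attrs in parse_ldif(report_text)}


def holders_by_privilege(report_text):
    """Invert the report: privilege name -> sorted DNs holding it."""
    holders = defaultdict(list)
    for dn, privs in privileges_by_entry(report_text).items():
        for priv in privs:
            holders[priv].append(dn)
    return {priv: sorted(dns) for priv, dns in holders.items()}


def high_risk_entries(report_text):
    """DNs holding at least one HIGH_RISK privilege, with those privileges."""
    return {dn: sorted(privs & HIGH_RISK)
            for dn, privs in privileges_by_entry(report_text).items()
            if privs & HIGH_RISK}


if __name__ == "__main__":
    for dn, privs in high_risk_entries(SAMPLE_REPORT).items():
        print(f"HIGH RISK  {dn}: {', '.join(privs)}")
    for priv, dns in sorted(holders_by_privilege(SAMPLE_REPORT).items()):
        print(f"{priv}: {len(dns)} holder(s)")
```

Run it against a real report by reading the file named in report-file into `SAMPLE_REPORT`'s place; narrowing the auditor with include-privilege to the HIGH_RISK names gives the same view server-side without post-processing.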
To list the configured Data Security Auditors:

```
dsconfig list-data-security-auditors [--property {propertyName}] ...
```

To view the configuration for an existing Data Security Auditor:

```
dsconfig get-data-security-auditor-prop --auditor-name {name} [--tab-delimited] [--script-friendly] [--property {propertyName}] ...
```

To update the configuration for an existing Data Security Auditor:

```
dsconfig set-data-security-auditor-prop --auditor-name {name} (--set|--add|--remove) {propertyName}:{propertyValue} [(--set|--add|--remove) {propertyName}:{propertyValue}] ...
```

To create a new Privilege Data Security Auditor:

```
dsconfig create-data-security-auditor --auditor-name {name} --type privilege [--set {propertyName}:{propertyValue}] ...
```

To delete an existing Data Security Auditor:

```
dsconfig delete-data-security-auditor --auditor-name {name}
```