    RBAC change logging

    Jim Campbell

      Is there a way to enable more detailed RBAC logging?  In particular, we would like to be able to monitor the appserver log files for changes made to the users who can assume a particular role.


      I know that users actually assuming a role is logged by default, but we would prefer to be able to log any time when a certain role is modified.

          Jim, when you say 'certain role is modified', do you mean to log when modifications are made to the Role? If so, do you see anything in the Audit Trail of the role that could be useful?

            Jim Campbell

            What we want to monitor is users being added as possible users of the role, either by modifying the role to include the user or by adding the role as one that can be assumed by the user.  If we have a role named 'role1' we would like to see something in a log file that can be actively monitored to indicate any changes in what users can assume 'role1'.  If I edit 'user1' to add 'role1' as a potential role, or if I edit 'role1' to include user1, it would need to be logged.


            If we can somehow actively monitor the Audit Trail that would work as well, but I'm not sure of any way to do that.  We're looking to use an external monitoring tool to send alerts in the event that a role is altered to allow inappropriate access (making it so that those who are granted the RBACAdmins role don't necessarily have the effective capability of assuming all other roles simply by editing those roles).

              I see... Personally, I'm not sure how to increase logging for this (if applicable), and the audit trail will only tell you that the change was made, but not which one. Probably what you could do is to set up some scheduled task that would collect the RBAC roles/users (via blcli?), and then monitor those reports for changes. If a change is found in the report, alert and review.
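The snapshot-and-diff approach suggested above, as an added example that is not part of the original thread and not BladeLogic's or blcli's own code. It assumes a scheduled job has already written out role membership as one "role<TAB>user" pair per line (an assumed format, not BladeLogic's), and the two snapshots embedded below are constructed samples. The point it adds to the post is that the diff names the role and the user that changed, which is what the audit trail alone does not give you, and that a role appearing or disappearing entirely is reported rather than silently skipped.

```python
"""Diff two snapshots of RBAC role membership and emit alert lines.

Snapshot format (assumed for this example, not BladeLogic's own): one
'role<TAB>user' line per member, as a scheduled collection job could write
out. SNAPSHOT_YESTERDAY and SNAPSHOT_TODAY are constructed samples.
"""
from collections import defaultdict

SNAPSHOT_YESTERDAY = """\
role1\tuser1
role1\tuser2
BLAdmins\tadmin1
RBACAdmins\tadmin1
"""

# Constructed: admin1 has been added to role1, and a new role2 has appeared.
SNAPSHOT_TODAY = """\
role1\tuser1
role1\tuser2
role1\tadmin1
BLAdmins\tadmin1
RBACAdmins\tadmin1
role2\tuser3
"""


def parse_snapshot(text):
    """Return {role: set(users)} from 'role<TAB>user' lines.

    Blank lines and '#' comments are ignored; any other malformed line is an
    error, because a truncated snapshot must not be mistaken for mass removal.
    """
    roles = defaultdict(set)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            role, user = line.split("\t", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: expected 'role<TAB>user', got {line!r}")
        roles[role].add(user)
    return dict(roles)


def diff_membership(old, new, watch=None):
    """Compare two parsed snapshots and list membership changes.

    Returns a sorted list of (role, change, user) tuples, where change is
    'added' or 'removed'. A role missing from one snapshot counts as having
    no members there, so a newly created role reports every member as added
    and a deleted role reports every member as removed. If `watch` is given,
    only the roles in that set are reported.
    """
    changes = []
    for role in set(old) | set(new):
        if watch is not None and role not in watch:
            continue
        before, after = old.get(role, set()), new.get(role, set())
        changes += [(role, "added", u) for u in after - before]
        changes += [(role, "removed", u) for u in before - after]
    return sorted(changes)


def format_alerts(changes):
    """One line per change, in a shape an external monitor can pattern-match."""
    return [f"ALERT rbac-membership role={r} {c} user={u}" for r, c, u in changes]


if __name__ == "__main__":
    old = parse_snapshot(SNAPSHOT_YESTERDAY)
    new = parse_snapshot(SNAPSHOT_TODAY)
    # Restrict to the role we care about, as in the question's 'role1' case.
    for line in format_alerts(diff_membership(old, new, watch={"role1"})):
        print(line)
```

Run on the constructed samples with the watch list this prints a single line, `ALERT rbac-membership role=role1 added user=admin1`; without the watch list it also reports `role2` being created with `user3`. Keep the previous snapshot somewhere the RBACAdmins role cannot write, otherwise the same person the check is meant to catch can rewrite the baseline.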

                Bill Robinson

                You can enable SNMP/email notifications on the RBACRole.Modify authorization, and some others, and you will get a notification every time that authorization is exercised.  I don't think there's a way to limit the notifications to a particular object.

                  Jim Campbell

                  This would work quite well as long as it included the role being modified in the email/SNMP trap.


                  Is there something else required to enable this?  I tried setting an email on successful use of 'Role.ManageUsers' and also tried 'Role.Modify' but didn't see any emails (and we do have emailing configured on the application server).  I do see the entry in the audit trail for the Role I modified (by adding/removing a user).


                  Edit: Forget the above, turned out to be a problem with my Outlook's connection to exchange.

                    Jim Campbell

                    This works for the purpose intended, but is there also a way to perform such notifications on changes made to the notifications as well (i.e. to make sure that someone with RBACAdmins doesn't remove the notification prior to making the change) ?

                      Bill Robinson

                      Monitor the monitor?


                      I'd add a notification to Authorization.Modify.

                        Jim Campbell

                        I will try that.  Our organizational model is to have the BladeLogic admins (RBACAdmins and BLAdmins) not be able to access certain servers, which are instead only accessible to different users assigned to other roles.

                          Bill Robinson

                          Generally you shouldn't be using BLAdmins / RBACAdmins to manage your servers.  There's no reason to have BLAdmins have access to any servers; same thing with RBACAdmins.  You can create siloed admin roles that can create and manage objects and servers with the use of the object permission template.