Creating custom audit roles

Audit roles allow specific auditors to search and replay specific sessions, review specific events, or generate reports using the Audit Analyzer console based on the criteria you define. Each role specifies the criteria to use, the users and groups that are assigned to the role, and the specific permissions those users and groups have been granted.

For example, you might specify the criteria for filtering sessions to be only the session activity recorded on a particular audited computer or all UNIX sessions recorded after a specific date and time.

The collection of auditors is identified by specifying either explicit auditors, or an Active Directory group of auditors. Using Active Directory groups is recommended because this puts all of a user's privileges under the common Active Directory infrastructure.

For each audit role, you can also configure the specific permissions granted to each member of the role. For example, some audit roles might permit auditors to read and replay sessions but not update the status, add review comments, or delete the sessions to which they have access.

To create and assign audit roles:

  1. Open Audit Manager and expand the audit installation to which you are connected.
  2. Select Audit Roles, right-click, then select Add Audit Role.
  3. Type a name and, optionally, a description of the audit role, then click Next.
  4. Select the type of sessions—UNIX sessions, Windows sessions, or both UNIX and Windows sessions—to include for auditors assigned to this audit role, then click Add to specify filtering criteria for the role.
  5. Select an attribute for filtering information from the list of Attributes.

    For example, you can match sessions based on the period of time in which they were active, based on a specific state, or based on Active Directory group membership. You can also match sessions based on the specific activity that took place during the session. For example, you can find sessions where specific UNIX commands or Windows applications were used.

  6. Select the appropriate criteria for the attribute you have selected, then click OK.

    The specific selections you can make depend on the attribute selected. For example, if the attribute is Review Status, you can choose between “Equals” and “Not equals” and the specific review status you want to find, such as “To be Reviewed.” If you select the attribute Comment, you can specify “Contains any of” and type the text string that you want to find any part of. If you select the attribute Group, you can select “Is (exactly)” and the user principal name (UPN) of an Active Directory group, such as adm-sf@acme.com.

    You can specify multiple attributes, by clicking Add and selecting additional attributes and criteria. You can test the filtering criteria you have added by clicking Execute Query and examining the results. When you have finished adding filters, click Next.

  7. Select the privileges for the audit role, then click Next.

  8. Review your settings for the audit role, click Next, then click Finish.

    You can assign users and groups to the audit role immediately by running the Assign users and Groups wizard or at a later time by right‑clicking on the role name.

  9. Type all or part of name to search for and select Active Directory users and groups to assign to the audit role.