By default, all role definitions—including predefined role definitions—are set to “Audit if possible” as the audit level. With this setting, user activity is audited if the auditing service is installed and enabled on a managed computer. If the auditing service is not installed or not running on a given computer, this setting has no effect. Users can log on and use the access rights that are defined for their role assignment without having their activity audited.
In most cases, the default “Audit if possible” setting is appropriate because it doesn’t block user access if you are not deploying the auditing infrastructure but will automatically capture user activity if you are deploying auditing. In some cases, however, you might want to change the audit level. You can modify the audit level for any role definition to specify whether users must be audited in order to log on.
To change the audit level for a role definition:
- Open Access Manager.
- Expand Zones and the individual parent or child zones required to select the zone name where you want to change the audit level.
- Expand Authorization and Role Definitions.
- Select a role definition, right-click, then select Properties.
- Click the Audit tab.
- Select the appropriate audit level to use for the role definition.
  - Select Audit not requested/required if you are not interested in auditing session activity for users in the role.
  - Select Audit if possible if you want to audit user activity on computers running the Centrify auditing service. If you select this option and the auditing service is not installed or not currently available, users assigned to the role are allowed to log on without having their activity audited. This option is selected by default for new roles.
  - Select Audit required if you want to audit all session activity for users assigned to the role. If you select this option and the auditing service is not installed or not currently available, users assigned to this role are not allowed to log on.

  If auditing is required for users in a role, you should also define a role with rescue rights to allow selected administrators to log on and correct problems when other users are locked out. For more information about creating a role with rescue rights, see Creating a role definition with rescue rights.
- Click OK to save the role definition.
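
Before changing audit levels across a zone, it helps to see where each setting fails open (logon without an audit trail) or fails closed (logon blocked). The following Python sketch is an added example, not Centrify code: it applies the three audit levels described above to a constructed inventory of roles and computers and reports unaudited access, lockouts, and a missing rescue role. The role names, host names, data layout, and the modelling of rescue rights as a per-role flag are assumptions.

```python
# Added illustration, not Centrify code. Role names, host names and the
# inventory layout are constructed; the rules come from the text above.
from dataclasses import dataclass

NOT_REQUESTED = "Audit not requested/required"
IF_POSSIBLE = "Audit if possible"  # default for new role definitions
REQUIRED = "Audit required"

@dataclass
class Role:
    name: str
    audit_level: str = IF_POSSIBLE
    rescue_rights: bool = False  # assumed to permit logon when auditing is unavailable

def logon_outcome(role, service_running):
    """Return (logon_allowed, session_audited) for one role on one computer."""
    if role.audit_level == NOT_REQUESTED:
        return True, False  # modelled as never audited
    if role.audit_level == IF_POSSIBLE:
        return True, service_running  # fails open: access without an audit trail
    if role.audit_level == REQUIRED:
        # fails closed unless the role carries rescue rights
        return service_running or role.rescue_rights, service_running
    raise ValueError(f"unknown audit level: {role.audit_level!r}")

def review(roles, hosts):
    """hosts maps computer name -> True if the auditing service is installed and running."""
    findings = []
    for role in roles:
        for host in sorted(hosts):
            allowed, audited = logon_outcome(role, hosts[host])
            if not allowed:
                findings.append(("LOCKOUT", role.name, host))
            elif role.audit_level != NOT_REQUESTED and not audited:
                findings.append(("UNAUDITED", role.name, host))
    if any(r.audit_level == REQUIRED for r in roles) and not any(r.rescue_rights for r in roles):
        findings.append(("NO_RESCUE_ROLE", None, None))
    return findings

# Constructed sample inventory.
SAMPLE_ROLES = [Role("dba", REQUIRED), Role("helpdesk"), Role("build-agent", NOT_REQUESTED)]
SAMPLE_HOSTS = {"db01": True, "db02": False}

if __name__ == "__main__":
    for finding in review(SAMPLE_ROLES, SAMPLE_HOSTS):
        print(finding)
```
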