Console User Rights Audit

(imported topic written by SystemAdmin)

Is there a session relevance inspector that will let me create a report to audit the console user rights? I am looking to determine if all of our users use a specific property that we consider the foundation for our security permissions.

(imported comment written by BenKus)

Does this help?

unique values of values of (results (bes property "OS", it)) of elements of administered computer set of bes user whose (name of it as lowercase = "ben")

Ben

(imported comment written by SystemAdmin)

Hello Ben,

I am getting no results when I try and enter my ID where ben is located. I tried this a few different ways. I can get the following to return values:

names of elements of administered computer set of bes users whose (name of it as lowercase contains "ben")

Looking at the code though, I don’t believe this is going to give me what I want. I believe this is trying to find a user and the computers that they can manage, then look at the properties of those computers to determine what they are.

I really need to see exactly what you would see if you clicked on “Operators” in the console, selected a user, then looked at the “Management Rights Assignments” tab. This “Management Rights Assignments” would be given to one or multiple properties to provide access. Is this possible using session relevance?

My concern is that some accounts are not being provisioned with the mandatory properties to restrict access.

(imported comment written by MrFixit)

Make a small change to what Ben provided and use “Computer Name” for the property instead of OS.

unique values of values of (results (bes property "Computer Name", it)) of elements of administered computer set of bes user whose (name of it as lowercase = "ben")

(imported comment written by SystemAdmin)

Yeah, so this is still not giving me what I need.

I really need to see exactly what you would see if you clicked on “Operators” in the console, selected a user, then looked at the “Management Rights Assignments” tab. This “Management Rights Assignments” would be given to one or multiple properties to provide access. Is this possible using session relevance?

(imported comment written by BenKus)

Hey Kevin,

Not really… You can see the set of computers and their properties, but you can’t see the properties that define the mgmt rights… Sorry…

Ben

(imported comment written by MattBoyd)

FYI for anyone else looking for something similar… if you’re assigning management rights based on automatic computer groups, this might work (it’s a hack):

((name of item 0 of (bes computer groups, it) whose (id of item 0 of it = item 1 of it) | "?") of numeric values of ((substrings separated by "group" of it) as trimmed string) whose (it does not start with "((not" and it does not start with "((exists ") of it, (preceding texts of firsts "%22" of following texts of firsts "AdminBy_" of it)) of applicability relevances of hidden bes actions whose (management rights flag of it = true)
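
Added example, not part of the thread: a Python sketch of the same string parsing applied to exported applicability relevance text, extended to list operators whose rights never mention a mandatory group id. The sample strings, the id-to-name map and the idea of a single mandatory group id are constructed assumptions; the real relevance format is not shown in this thread, and a mention of the id does not prove the operator is actually restricted by it.

```python
import re

SKIP_PREFIXES = ("((not", "((exists ")  # fragments the relevance also discards

def parse_rights(relevance):
    """Return (operator, [group ids]) for one applicability relevance string."""
    # Operator: text after the first "AdminBy_" up to the next "%22".
    after = relevance.partition("AdminBy_")[2]
    operator = after.partition("%22")[0] if "%22" in after else None
    ids = []
    for frag in relevance.split("group"):
        frag = frag.strip()
        if frag.startswith(SKIP_PREFIXES):
            continue
        m = re.match(r"\d+", frag)  # assumption: the id leads the fragment
        if m:
            ids.append(int(m.group()))
    return operator, ids

def rights_by_operator(relevances):
    """Merge the group ids seen for each operator across all actions."""
    granted = {}
    for rel in relevances:
        operator, ids = parse_rights(rel)
        if operator:
            granted.setdefault(operator, set()).update(ids)
    return granted

def missing_mandatory(relevances, mandatory_id):
    """Operators whose rights never mention the mandatory group id."""
    return sorted(op for op, ids in rights_by_operator(relevances).items()
                  if mandatory_id not in ids)

def group_names(ids, names):
    """Map ids to names, with "?" for unknown ids as the relevance does."""
    return [names.get(i, "?") for i in sorted(ids)]

# Constructed samples: they contain only the tokens the expression keys on.
SAMPLE = [
    '((exists setting "AdminBy_alice%22) and member of group 101 of site "actionsite")',
    '((not exists setting "AdminBy_bob%22) or member of group 205 of site "actionsite" or member of group 310 of site "actionsite")',
    '((exists setting "AdminBy_carol%22) and member of group 101 of site "actionsite" and member of group 205 of site "actionsite")',
]
NAMES = {101: "Restricted Scope", 205: "Servers"}  # constructed id -> name map

if __name__ == "__main__":
    for op, ids in sorted(rights_by_operator(SAMPLE).items()):
        print(op, group_names(ids, NAMES))
    print("missing group 101:", missing_mandatory(SAMPLE, 101))
```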