External Reports
The External Reports tab allows you to configure an Authority Broker Events Report, which provides the information of interest to auditors.
NOTE: Switches that end after the End Time: The reports include an end of job marker to show that the active switch has ended during the queried report period. If the report does not include this marker, the user should be aware that the switch continued past the time period covered by the report.
- Start Date/Time • End Date/Time: The time period refers to the time the switch is first initiated, ended, or has activity (based on the configuration of the "Include switches based on" setting). Start Time and End Time must be a valid time, which is any value between 00:00:00 and 23:59:59. The End Time must be later than Start Time.
- Include Switches Based on:
- *START: Choose *START to include switches started during the specified time range.
- *END: Choose *END to include switches ended during the specified time range.
- *ANY: Choose *ANY to include all switches with activity during the specified time range.
- Omit activity outside the date/time range: When this box is checked, no activity outside the specified date/time range is reported. When this box is not checked, Detail Activity for all active switches during the specified time range is reported. For example, if *START is selected for "Include switches based on," Detail Activity that occurred after the end of the specified time range for switches that started during the specified time range will appear on the report.
- User Type: This option allows you to report for three different classes of users of Authority Broker.
- System User is the user profile who performed the switch.
- Switch Profile is the profile into which a system user switched.
- Interested Party users who have been registered that they wish to receive reports when specific profile switches occur.
- User: Enter a specific user name for the above, or enter *All to get reports for all user profiles of the type that you have selected.
- Report Type: There are 4 levels of reporting detail that can be selected using The Information I want on this report is ....
- Command: The same information as the Summary report along with a detailed listing of the commands that the user ran while switched. The command information is based on 'CD' type entries in the IBM security audit journal (QAUDJRN).
- Summary: The starting and ending time of all switches that occurred during the chosen time period along with the reason for the switch.
- All: Full details from the IBM security audit journal showing all the audited actions for the Switch Profile while the user was switched.
- Errors: Only reports on any rejected attempt by a user to attempt to switch into a profile to which they are not authorized. Consider this to be analogous to an invalid signon report for signons to the system. You need to be aware of users who are trying to do things that they are not authorized to do.
- Omit CL Program Commands: Check this box to omit audit activity of commands that were not run from a command line. This option will eliminate commands that are run within programs. Uncheck to select all items. This option will omit commands that were entered through a command line interface such as QCMD, QCMDEXEC, and QCAPCMD. This option does not override the Omit Registered Programs option.
NOTE: To exclude specific commands from Authority Broker's reports, see Excluding Programs in Authority Broker.
- Omit Registered Programs: Should this report omit registered programs, it will determine whether the system includes programs from the Excluded Programs list in the audited data. Programs and Commands registered in the Excluded Programs list are specifically filtered off of this report when this option is selected. Omitting registered programs allows you to mark some programs as “known good” and reduce the overall size of the report.
- Job Depth: Enter the depth of jobs you wish to include within the report. A profile switch can start an unlimited number of additional jobs. Job depth to report provides the ability to report to a specific depth. The value must be between 0 and 99. A value of 0 means no additionally started jobs are to be reported.
EXAMPLE:
Job A can submit job B, job B can submit job C, job C can submit job D and so on. Jobs B, C and D can be eliminated from the report by selecting a depth of 0. Selecting a depth of 2 will include activity for jobs A, B and C. Selecting a depth of 3 will include jobs A, B, C and D.
Job A can submit job B, job B can submit job C, job C can submit job D and so on. Jobs B, C and D can be eliminated from the report by selecting a depth of 0. Selecting a depth of 2 will include activity for jobs A, B and C. Selecting a depth of 3 will include jobs A, B, C and D.