Info about Super Users or other Admin User from Admin UI

Document ID : KB000099982
Last Modified Date : 08/06/2018
Question:
We need to export the admin users and their permissions defined in
Admin UI daily and automatically for Audit purposes.

Is there a way to export them (API or directly from the DB)?

Could you please add the info on how to do that for the API or where
in the LDAP of the PS (AdminUI uses Policy Store which is an Oracle
Directory Server) I could find the data?
Answer:
Out of the box, we don't provide a tool that exports only the
administrators and their rights. We invite you to open an Enhancement
Request for our product on the Security Ideation Page:

  1. Go to the CA Security Overview Page:
     https://communities.ca.com/community/ca-security/ca-single-sign-on
  2. Click on the "Actions" drop-down menu and select "Create an
     idea."
  3. Give your idea a title and detailed description to encourage
     voting.
  4. Publish and vote on your idea!

In addition, you can use the XPSExplorer command, which allows you to:

 - Export the administrators to an XCart, and then save the XCart to a
   file;
 - Run XPSExport with the XCart produced above to write the
   administrators and their details to a file.

To get the meaning of the MethodsAllowed and Flags values, go into
XPSSecurity, navigate to the administrator menu, and display one
administrator. Proceed as if you were going to change the attribute's
value, and request help (?) when prompted for the new value:


  ADMINISTRATOR MENU*****************************************************#3640

  ----------------------------- Metadata ----------------------------
       XID: CA.XPS::Administrator@000aa423-a9db-1808-8516-01017f0090dd(3640)
  In Cache? no
   (1)
       Created: 2016-10-20 11:31:13 GMT
  Last Updated: 2016-11-02 20:48:16 GMT
  By: os:root (via Security)
  -------- Attributes from CA.XPS::Administrator (Base Class) -------
  01: Description                     
  02: Flags                           1(0x1): Disabled
  03: MethodsAllowed                  393215(0x5ffff): LocalAPI,RemoteAPI,AdminUI,XPSDDInstall,XPSDictionary,XPSConfig,XPSExplorer,XPSSecurity,XPSRegClient,XPSExport,XPSImport,Audit,Eval,Reports,License,Counter,Sweeper,LegacyAPI
  04: Name                            "patrick"
  05: UserPath                        "SM://000929c7-8df5-1655-8df5-01017f0090dd/patrick"
  06: Workspaces                      
  -------------------------------------------------------------------
     B  - Blank out an Attribute

     G  - Generate GUID
     V  - Validate
     U  - Update
     D  - Delete
     R  - List Rights
     A  - List 6 Attributes

     Q  - Quit
  -------------------------------------------------------------------
  Enter Option (# or BGVUDRAQ): 03
  -------------------------------------------------------------------
  Attr:  MethodsAllowed [CA.XPS::Administrator.MethodsAllowed] 
  Description         Determines how this administrator can access XPS data?
  Type:               Number
  Handling:           Bit Flags (enter '?' for setting interactively)
  Character Case:     Mixed
  New Value (? for interactive, blank to quit):?
  -------------------------------------------------------------------
  Attr:  MethodsAllowed [CA.XPS::Administrator.MethodsAllowed] 
  Desc:"Determines how this administrator can access XPS data?"
  Type: Number {1}
  ------------------------------- Bits ------------------------------
   1 X Audit                                             = 0x00000800
       Access allowed from XPSAudit
   2 X AdminUI                                           = 0x00000004
       Access allowed from the Admin UI
   3 X XPSExplorer                                       = 0x00000040
       Access allowed through XPSExplorer
   4 X XPSDictionary                                     = 0x00000010
       Access allowed through XPSDictionary
   5 X Reports                                           = 0x00002000
       Access allowed from EPM Reports
   6 X XPSDDInstall                                      = 0x00000008
       Access allowed through XPSDDInstall
   7 X Sweeper                                           = 0x00010000
       Access allowed from XPSSweeper
   8 X LegacyAPI                                         = 0x00040000
       Access allowed from PM API Emulation
   9 X LocalAPI                                          = 0x00000001
       Access allowed from the local API
  10 X XPSConfig                                         = 0x00000020
       Access allowed through XPSConfig
  11 X XPSRegClient                                      = 0x00000100
       Access allowed through XPSRegClient
  12 X License                                           = 0x00004000
       Access allowed from XPSLicense
  13 X Eval                                              = 0x00001000
       Access allowed from XPSEval
  14 X XPSImport                                         = 0x00000400
       Access allowed from XPSImport
  15 X Counter                                           = 0x00008000
       Access allowed from XPSCounter
  16 X XPSExport                                         = 0x00000200
       Access allowed from XPSExport
  17 X XPSSecurity                                       = 0x00000080
       Access allowed through XPSSecurity
  18 X RemoteAPI                                         = 0x00000002
       Access allowed from the remote API

  -------------------------------------------------------------------
  Enter Option (#, A for All, N for None, or Q to Quit): 

To get the mapping and meaning of the Rights, go into XPSExplorer and
display the rights of one of the administrators. Proceed as if you were
going to modify the value, and request help (?) when setting it.

  OBJECT MENU************************************************************#3639

  ------------------------- Object Meta Data ------------------------
       XID: CA.SM::Admin@12-000aa423-a9db-1808-8516-01017f0090dd
  Actual Class: CA.SM::Admin
  Base Class: CA.SM::Admin
  In Cache: no 1
       Created: 2016-10-20 11:26:23 GMT
  Last Updated: 2016-10-23 00:22:46 GMT
       By: siteminder (via GUI)
  ------------------- Attributes from CA.SM::Admin ------------------
  01: AuthSchemeLink                  
  02: Desc                            
  03:*DirectoryAuth                   = false
  04: DomainsLink                     = CA.SM::Domain@03-000e7f6c-51c4-1807-8516-01017f0090dd
  05:*Name                            = "patrick"
  06: Password                        = <***>
  07:*Rights                          = 14(0xe): ManageObjects,ManageUsers,ManageSecurity
  08: UserDirectoryLink               
  -------------------------------------------------------------------
     M - Display Meta Data
     J - Display Joined Attribute value
     L - Display Links
     R - Display Related records (3 types)
     P - Polymorph object (2 classes)
     B - Blank out an Attribute

     V - Validate record
     U - Update record
     D - Delete Object
     A - List 8 Attributes

     X - Add to XCart (use Mode: DEFAULT)
     + - Change XCart Mode
     Q - Quit
  -------------------------------------------------------------------
  Enter Option (# or MJLRPBVUDAX+Q): 07
  -------------------------------------------------------------------
  Attr:  Rights [CA.SM::Admin.Rights] 
  Description         (not set)
  Type:               Number
  Handling:           Bit Flags (enter '?' for setting interactively)
  Character Case:     Mixed
  New Value (? for interactive, blank to quit):?
  -------------------------------------------------------------------
  Attr:  Rights [CA.SM::Admin.Rights] 
  Desc:(not set)Type: Number {1}
  ------------------------------- Bits ------------------------------
   1 - ManageEverything                                  = 0x0000002f
       All bits with the exception of CacheManager.
   2 X ManageSecurity                                    = 0x00000008
   3 X ManageObjects                                     = 0x00000002
   4 X ManageUsers                                       = 0x00000004
   5 - ManageAllDomains                                  = 0x00000001
   6 - CacheManager                                      = 0x00000010
   7 - AccessSharedDB                                    = 0x00000040
   8 - RegisterTrustedHosts                              = 0x00000020
   9 X None                                              = 0x00000000

  -------------------------------------------------------------------
  Enter Option (#, A for All, N for None, or Q to Quit):
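
For the daily audit report, the numeric MethodsAllowed and Rights values can be decoded with the two bit tables shown above and compared against the previous day's export. The following is an added example, not CA code: it assumes the numeric masks have already been extracted from the XPSExport file (whose format is not shown on this page), and the function names and the "auditor" and "ops" records are constructed for illustration.

```python
# Bit tables transcribed from the XPSSecurity / XPSExplorer help screens above.
METHODS_ALLOWED = {
    0x00001: "LocalAPI", 0x00002: "RemoteAPI", 0x00004: "AdminUI",
    0x00008: "XPSDDInstall", 0x00010: "XPSDictionary", 0x00020: "XPSConfig",
    0x00040: "XPSExplorer", 0x00080: "XPSSecurity", 0x00100: "XPSRegClient",
    0x00200: "XPSExport", 0x00400: "XPSImport", 0x00800: "Audit",
    0x01000: "Eval", 0x02000: "Reports", 0x04000: "License",
    0x08000: "Counter", 0x10000: "Sweeper", 0x40000: "LegacyAPI",
}
RIGHTS = {
    0x01: "ManageAllDomains", 0x02: "ManageObjects", 0x04: "ManageUsers",
    0x08: "ManageSecurity", 0x10: "CacheManager",
    0x20: "RegisterTrustedHosts", 0x40: "AccessSharedDB",
}
MANAGE_EVERYTHING = 0x2F  # composite entry in the Rights help screen


def decode(value, table):
    """Return (names of set bits in ascending bit order, undefined set bits)."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names, value & ~sum(table)


def audit_row(name, methods_allowed, rights):
    """One audit record: decoded names plus findings worth a reviewer's eye."""
    methods, m_unknown = decode(methods_allowed, METHODS_ALLOWED)
    right_names, r_unknown = decode(rights, RIGHTS)
    return {
        "name": name, "methods": methods, "rights": right_names,
        "manage_everything": (rights & MANAGE_EVERYTHING) == MANAGE_EVERYTHING,
        "unknown_bits": (m_unknown, r_unknown),
    }


def changed(baseline, current):
    """Administrators added, removed, or whose raw masks differ from baseline."""
    return sorted(n for n in baseline.keys() | current.keys()
                  if baseline.get(n) != current.get(n))


# name -> (MethodsAllowed, Rights). "patrick" uses the values shown on this
# page; the other entries are constructed sample data.
YESTERDAY = {"patrick": (393215, 14), "auditor": (0x804, 0x00)}
TODAY = {"patrick": (393215, 0x2F), "auditor": (0x804, 0x00),
         "ops": (0x20004, 0x02)}

if __name__ == "__main__":
    for who in changed(YESTERDAY, TODAY):
        if who in TODAY:
            print(audit_row(who, *TODAY[who]))
```

A non-zero entry in `unknown_bits` means the mask contains a bit that neither help screen lists, which should be reviewed rather than silently dropped from the report.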