User account audit: Access for Audits

Good day, all.

Please can I get some help?

As per the latest ISO compliance regulations our customers have to prove  

  1. All user accounts that have the “System Administrator” server role
  2. All user accounts with administrator rights are in a vault.

Basically, what I would love is to be able to pull a detailed privileged-access or permissions report; I am working with multiple vaults (10+) and hundreds of users. What I want to avoid is going user by user to get this information, like in the screenshot below.

Basically something like this or as close to it as possible without putting undue workload onto the client or auditors.

Or like this any ideas are most welcome!

Kind Regards 

  • You might want to reach out to your reseller.  I know that we have at least one tool that generates some documentation on a vault but I don't recall whether it does users and permissions to the level you want.  If it does then that sounds like a good starting point.

    If it does not then this sounds like something which could be created "relatively quickly" using our APIs (I added the quotes as the devil is always in the detail).

  • Thank you. I have seen some API scripting that can pull the data I'm looking for; I just don't have the knowledge to do it myself.

    I have logged a support Query already but I always find the forums are the best place to find quick answers :) 

  • I don't have any off-the-shelf code for you, although I can see that from an auditing perspective this may be a common requirement.  Maybe over time we could add something as a public sample, or perhaps this would be a good "consulting tool" that could be made available in an unsupported capacity.

    As a general point you'd need to work with the "login account" and "user account" objects.  The login account data will show whether it's a system admin, and the user account data what roles a given user has in that vault.  Some reference points:

    For each of these you would retrieve the collection they return and then check the properties of the returned items, checking (for example) the roles that the user has in the vault.  This would then allow you to create a CSV or similar that you could show auditors.

  • Hi Craig, I was actually going through the consulting tools academy course right now and thought the same.

    Even the Wiki links for the consulting tools pages are now 404, so it looks like this is something that needs to be looked into.

    Especially with the latest ISO standards being updated.

  • Please do send me a private message with the links that are broken (and where you found them) and I'll try to raise that to the correct people.

  • # Initialize PowerShell for M-Files
    # (The load line is not in the original post; point the path at the Interop.MFilesAPI.dll of your installation.)
    Add-Type -Path "<path to Interop.MFilesAPI.dll>"
    $mfserver = New-Object MFilesAPI.MFilesServerApplicationClass
    # Connect to server (not in the original post; with default arguments this authenticates as the current Windows user)
    $mfserver.Connect()
    #$users = $mfserver.LoginAccountOperations.GetLoginAccounts()
    $vault = $mfserver.LogInToVault("{6113C44B-8D6C-4243-ABCA-DAF32A02C786}")
    $users = $vault.UserOperations.GetUserAccounts();
    ## UNCOMMENT THIS TO GET VAULT LOGINS (if vault level login accounts are in use)
    #$users = $vault.UserOperations.GetLoginAccounts();
    foreach ($user in $users) {
        ## VAULT ROLES (bit flags of $user.VaultRoles)
        ## 0    None.
        ## 1    Full control of vault.
        ## 2    Can log into the vault.
        ## 4    Can create documents or other objects.
        ## 8    See and read all vault content (including deleted objects).
        ## 16   See and undelete deleted objects.
        ## 32   Destroy objects.
        ## 64   Force undo checkout.
        ## 128  Change permissions for all objects.
        ## 256  Change metadata structure.
        ## 512  Manage user accounts.
        ## 1024 Internal user (as opposed to external user).
        ## 2048 Can create and modify traditional folders.
        ## 3078 The default vault roles for a normal user (combination of 2 + 4 + 1024 + 2048).
        ## 4096 Manage templates (obsolete).
        ## 8192 Manage common views and notification rules.
        ## 16384    Manage workflows.
        ## 32768    Cannot manage private views and notification rules.
        ## 65536    Anonymous user.
        ## Check each bit individually and output the results
        if ($user.VaultRoles -band 1) {
            Write-Output "$($user.LoginName) has Full control of vault."
        }
        if ($user.VaultRoles -band 2) {
            Write-Output "$($user.LoginName) can log into the vault."
        }
        if ($user.VaultRoles -band 4) {
            Write-Output "$($user.LoginName) can create documents or other objects."
        }
        if ($user.VaultRoles -band 8) {
            Write-Output "$($user.LoginName) can see and read all vault content (including deleted objects)."
        }
        if ($user.VaultRoles -band 16) {
            Write-Output "$($user.LoginName) can see and undelete deleted objects."
        }
        if ($user.VaultRoles -band 32) {
            Write-Output "$($user.LoginName) can destroy objects."
        }
        if ($user.VaultRoles -band 64) {
            Write-Output "$($user.LoginName) can force undo checkout."
        }
        if ($user.VaultRoles -band 128) {
            Write-Output "$($user.LoginName) can change permissions for all objects."
        }
        if ($user.VaultRoles -band 256) {
            Write-Output "$($user.LoginName) can change metadata structure."
        }
        if ($user.VaultRoles -band 512) {
            Write-Output "$($user.LoginName) can manage user accounts."
        }
        if ($user.VaultRoles -band 1024) {
            Write-Output "$($user.LoginName) is an internal user (as opposed to external user)."
        }
        if ($user.VaultRoles -band 2048) {
            Write-Output "$($user.LoginName) can create and modify traditional folders."
        }
        ## 3078 is a combination of several bits, so test that ALL of them are set, not just any one of them
        if (($user.VaultRoles -band 3078) -eq 3078) {
            Write-Output "$($user.LoginName) has the default vault roles for a normal user."
        }
        if ($user.VaultRoles -band 4096) {
            Write-Output "$($user.LoginName) can manage templates (obsolete)."
        }
        if ($user.VaultRoles -band 8192) {
            Write-Output "$($user.LoginName) can manage common views and notification rules."
        }
        if ($user.VaultRoles -band 16384) {
            Write-Output "$($user.LoginName) can manage workflows."
        }
        if ($user.VaultRoles -band 32768) {
            Write-Output "$($user.LoginName) cannot manage private views and notification rules."
        }
        if ($user.VaultRoles -band 65536) {
            Write-Output "$($user.LoginName) is an anonymous user."
        }
    }

    I found a Powershell script that works well.

    Now I just need to export this into a report and I'll be done; I think it can be fine-tuned for multi-vault clients.
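Building on the script above and on Craig's pointer to combine login accounts (server roles) with user accounts (vault roles), here is an added example, not code from the thread, that writes one CSV covering every vault on the server so auditors can see both the System Administrator holders and the per-vault role holders in a single file. It assumes a path to Interop.MFilesAPI.dll, that Connect() with default arguments authenticates as the current Windows user, and the API member names GetVaults, GUID, Name, ServerRoles, AccountName, Enabled and the MFLoginServerRole enum, which should be checked against the API reference for your M-Files version; Get-VaultRoleNames is a helper written for this example.

```powershell
# Added example (not from the thread). Assumed: interop path, Connect() defaults, and the API
# member names noted in the lead-in. Output: one CSV row per login account (server scope) and
# one per user account per vault (vault scope).
Add-Type -Path "<path to Interop.MFilesAPI.dll>"

# Bit values of UserAccount.VaultRoles (same table as the script above; 3078 is a combination).
$VaultRoleNames = [ordered]@{
    1 = 'Full control of vault'; 2 = 'Log in'; 4 = 'Create objects'; 8 = 'See all content'
    16 = 'Undelete'; 32 = 'Destroy'; 64 = 'Force undo checkout'; 128 = 'Change all permissions'
    256 = 'Change metadata structure'; 512 = 'Manage user accounts'; 1024 = 'Internal user'
    2048 = 'Manage traditional folders'; 8192 = 'Manage common views'; 16384 = 'Manage workflows'
    32768 = 'Cannot manage private views'; 65536 = 'Anonymous user'
}
# Helper (constructed for this example): decode a VaultRoles bitmask into readable names.
function Get-VaultRoleNames([int]$Mask) {
    @($VaultRoleNames.Keys | Where-Object { ($Mask -band $_) -ne 0 } | ForEach-Object { $VaultRoleNames[$_] })
}

$server = New-Object MFilesAPI.MFilesServerApplicationClass
$server.Connect()   # assumed: default arguments = current Windows user
$rows = New-Object System.Collections.Generic.List[object]
$sysAdminBit = [int][MFilesAPI.MFLoginServerRole]::MFLoginServerRoleSystemAdministrator

# 1. Server level: every login account, flagged if it holds the System Administrator server role.
foreach ($login in $server.LoginAccountOperations.GetLoginAccounts()) {
    $rows.Add([pscustomobject]@{
        Scope = 'Server'; Vault = ''; Account = $login.AccountName; Enabled = $login.Enabled
        SystemAdministrator = (($login.ServerRoles -band $sysAdminBit) -ne 0)
        FullControlOfVault = ''; VaultRoles = ''
    })
}
# 2. Vault level: every user account in every vault, with its decoded vault roles.
foreach ($vaultInfo in $server.GetVaults()) {
    try { $vault = $server.LogInToVault($vaultInfo.GUID) }
    catch { Write-Warning "Could not log in to vault $($vaultInfo.Name): $_"; continue }
    foreach ($user in $vault.UserOperations.GetUserAccounts()) {
        $rows.Add([pscustomobject]@{
            Scope = 'Vault'; Vault = $vaultInfo.Name; Account = $user.LoginName; Enabled = $user.Enabled
            SystemAdministrator = ''
            FullControlOfVault = (($user.VaultRoles -band 1) -ne 0)
            VaultRoles = ((Get-VaultRoleNames $user.VaultRoles) -join '; ')
        })
    }
}
$rows | Export-Csv -Path '.\mfiles-access-report.csv' -NoTypeInformation
# Quick on-screen view of what auditors usually ask for first: sysadmins and full-control users.
$rows | Where-Object { $_.SystemAdministrator -eq $true -or $_.FullControlOfVault -eq $true } | Format-Table -AutoSize
```

Run it as an account that can log in to every vault; a vault that is offline or denies the login is reported as a warning and skipped rather than aborting the whole report.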