User account audit Access fr Audits

Question

Good day, all. 
 Please can I get some help? 
 As per the latest ISO compliance regulations our customers have to prove

All user accounts that have the &ldquo;System Administrator&rdquo; server role 
 All user accounts with administrator rights are in a vault. 
 
 Basically what I would love to be able to pull a detailed pillaged access or permissions report, I am working with multiple vaults 10+ and hundreds of users. What I want to avoid is going user by user to get this information like the below screenshot. 
 
 Basically something like this or as close to it as possible without putting undue workload onto the client or auditors.

Or like this any ideas are most welcome!

Kind Regards

dylanc@itclarity.co.za · Accepted Answer

# Initialize PowerShell for M-Files
[Reflection.Assembly]::LoadWithPartialName("Interop.MFilesAPI")
$mfserver = New-Object MFilesAPI.MFilesServerApplicationClass

# Connect to server
$mfserver.Connect(1)

## UNCOMMENT THIS FOR SERVER USERS
#$users = $mfserver.LoginAccountOperations.GetLoginAccounts()
## UNCOMMENT THESE FOR VAULT USERS
$vault = $mfserver.LogInToVault("{6113C44B-8D6C-4243-ABCA-DAF32A02C786}")
## UNCOMMENT THIS TO GET VAULT USERS
$users = $vault.UserOperations.GetUserAccounts();
## UNCOMMENT THIS TO GET VAULT LOGINS (if vault level login accounts are in use) #$users = $vault.UserOperations.GetLoginAccounts();

foreach ($user in $users) {
 ## VAULT ROLES
 ## 0 None.
 ## 1 Full control of vault.
 ## 2 Can log into the vault.
 ## 4 Can create documents or other objects.
 ## 8 See and read all vault content (including deleted objects).
 ## 16 See and undelete deleted objects.
 ## 32 Destroy objects.
 ## 64 Force undo checkout.
 ## 128 Change permissions for all objects.
 ## 256 Change metadata structure.
 ## 512 Manage user accounts.
 ## 1024 Internal user (as opposed to external user).
 ## 2048 Can create and modify traditional folders.
 ## 3078 The default vault roles for a normal user.
 ## 4096 Manage templates (obsolete).
 ## 8192 Manage common views and notification rules.
 ## 16384 Manage workflows.
 ## 32768 Cannot manage private views and notification rules.
 ## 65536 Anonymous user.

 ## Check each band individually and output the results
 if ($user.VaultRoles -band 1) {
 Write-Output "$($user.LoginName) has Full control of vault."
 }
 if ($user.VaultRoles -band 2) {
 Write-Output "$($user.LoginName) can log into the vault."
 }
 if ($user.VaultRoles -band 4) {
 Write-Output "$($user.LoginName) can create documents or other objects."
 }
 if ($user.VaultRoles -band 8) {
 Write-Output "$($user.LoginName) can see and read all vault content (including deleted objects)."
 }
 if ($user.VaultRoles -band 16) {
 Write-Output "$($user.LoginName) can see and undelete deleted objects."
 }
 if ($user.VaultRoles -band 32) {
 Write-Output "$($user.LoginName) can destroy objects."
 }
 if ($user.VaultRoles -band 64) {
 Write-Output "$($user.LoginName) can force undo checkout."
 }
 if ($user.VaultRoles -band 128) {
 Write-Output "$($user.LoginName) can change permissions for all objects."
 }
 if ($user.VaultRoles -band 256) {
 Write-Output "$($user.LoginName) can change metadata structure."
 }
 if ($user.VaultRoles -band 512) {
 Write-Output "$($user.LoginName) can manage user accounts."
 }
 if ($user.VaultRoles -band 1024) {
 Write-Output "$($user.LoginName) is an internal user (as opposed to external user)."
 }
 if ($user.VaultRoles -band 2048) {
 Write-Output "$($user.LoginName) can create and modify traditional folders."
 }
 if ($user.VaultRoles -band 3078) {
 Write-Output "$($user.LoginName) has the default vault roles for a normal user."
 }
 if ($user.VaultRoles -band 4096) {
 Write-Output "$($user.LoginName) can manage templates (obsolete)."
 }
 if ($user.VaultRoles -band 8192) {
 Write-Output "$($user.LoginName) can manage common views and notification rules."
 }
 if ($user.VaultRoles -band 16384) {
 Write-Output "$($user.LoginName) can manage workflows."
 }
 if ($user.VaultRoles -band 32768) {
 Write-Output "$($user.LoginName) cannot manage private views and notification rules."
 }
 if ($user.VaultRoles -band 65536) {
 Write-Output "$($user.LoginName) is an anonymous user."
 }
}

I found a Powershell script that works well. 
 Now just to export this into a report and ill be done, I think it can be fine-tuned for multi-vault clients.

Craig Hawker · Answer

I don't have any off-the-shelf code for you, although I can see that from an auditing perspective this may be a common requirement. Maybe over time we could add something as a public sample, or perhaps this would be a good "consulting tool" that could be made available in an unsupported capacity. 
 As a general point you'd need to work with the "login account" and "user account" objects. The login account data will show whether it's a system admin, and the user account data what roles a given user has in that vault. Some reference points: 
 
 M-Files API - GetLoginAccounts Method (for logins) 
 M-Files API - GetUserAccounts Method (for users) 
 
 For each of these you would retrieve the collection they return and then check the properties of the returned items, checking (for example) the roles that the user has in the vault. This would then allow you to create a CSV or similar that you could show auditors.

User account audit Access fr Audits

Top Replies

Contact Us

Schedule a Demo

Careers

Trust Center

Privacy Policy

Security Hall of Fame

M-Files Community

Support Portal

Help Center

Product Center

Download M-Files

User Guides

Product News