User account audit access for Audits

Good day, all.

Please can I get some help?

As per the latest ISO compliance regulations, our customers have to prove:

  1. All user accounts that have the “System Administrator” server role
  2. All user accounts with administrator rights are in a vault.

Basically, what I would love is to be able to pull a detailed privileged access or permissions report. I am working with multiple vaults (10+) and hundreds of users. What I want to avoid is going user by user to get this information like the below screenshot.

Basically something like this or as close to it as possible without putting undue workload onto the client or auditors.

Or like this any ideas are most welcome!

Kind Regards 

    # Initialize PowerShell for M-Files
    [Reflection.Assembly]::LoadWithPartialName("Interop.MFilesAPI")
    $mfserver = New-Object MFilesAPI.MFilesServerApplicationClass
    
    # Connect to server
    $mfserver.Connect(1)
    
    ## UNCOMMENT THIS FOR SERVER USERS
    #$users = $mfserver.LoginAccountOperations.GetLoginAccounts()
    ## UNCOMMENT THESE FOR VAULT USERS
    $vault = $mfserver.LogInToVault("{6113C44B-8D6C-4243-ABCA-DAF32A02C786}")
    ## UNCOMMENT THIS TO GET VAULT USERS
    $users = $vault.UserOperations.GetUserAccounts();
    ## UNCOMMENT THIS TO GET VAULT LOGINS (if vault level login accounts are in use)
    #$users = $vault.UserOperations.GetLoginAccounts();
    
    foreach ($user in $users) {
        ## VAULT ROLES
        ## 0    None.
        ## 1    Full control of vault.
        ## 2    Can log into the vault.
        ## 4    Can create documents or other objects.
        ## 8    See and read all vault content (including deleted objects).
        ## 16   See and undelete deleted objects.
        ## 32   Destroy objects.
        ## 64   Force undo checkout.
        ## 128  Change permissions for all objects.
        ## 256  Change metadata structure.
        ## 512  Manage user accounts.
        ## 1024 Internal user (as opposed to external user).
        ## 2048 Can create and modify traditional folders.
        ## 3078 The default vault roles for a normal user.
        ## 4096 Manage templates (obsolete).
        ## 8192 Manage common views and notification rules.
        ## 16384    Manage workflows.
        ## 32768    Cannot manage private views and notification rules.
        ## 65536    Anonymous user.
    
        ## Check each band individually and output the results
        if ($user.VaultRoles -band 1) {
            Write-Output "$($user.LoginName) has Full control of vault."
        }
        if ($user.VaultRoles -band 2) {
            Write-Output "$($user.LoginName) can log into the vault."
        }
        if ($user.VaultRoles -band 4) {
            Write-Output "$($user.LoginName) can create documents or other objects."
        }
        if ($user.VaultRoles -band 8) {
            Write-Output "$($user.LoginName) can see and read all vault content (including deleted objects)."
        }
        if ($user.VaultRoles -band 16) {
            Write-Output "$($user.LoginName) can see and undelete deleted objects."
        }
        if ($user.VaultRoles -band 32) {
            Write-Output "$($user.LoginName) can destroy objects."
        }
        if ($user.VaultRoles -band 64) {
            Write-Output "$($user.LoginName) can force undo checkout."
        }
        if ($user.VaultRoles -band 128) {
            Write-Output "$($user.LoginName) can change permissions for all objects."
        }
        if ($user.VaultRoles -band 256) {
            Write-Output "$($user.LoginName) can change metadata structure."
        }
        if ($user.VaultRoles -band 512) {
            Write-Output "$($user.LoginName) can manage user accounts."
        }
        if ($user.VaultRoles -band 1024) {
            Write-Output "$($user.LoginName) is an internal user (as opposed to external user)."
        }
        if ($user.VaultRoles -band 2048) {
            Write-Output "$($user.LoginName) can create and modify traditional folders."
        }
        ## 3078 is a combination of bits (2 + 4 + 1024 + 2048), so test for the whole mask.
        ## "-band 3078" on its own is true for any user holding any one of those bits.
        if (($user.VaultRoles -band 3078) -eq 3078) {
            Write-Output "$($user.LoginName) has the default vault roles for a normal user."
        }
        if ($user.VaultRoles -band 4096) {
            Write-Output "$($user.LoginName) can manage templates (obsolete)."
        }
        if ($user.VaultRoles -band 8192) {
            Write-Output "$($user.LoginName) can manage common views and notification rules."
        }
        if ($user.VaultRoles -band 16384) {
            Write-Output "$($user.LoginName) can manage workflows."
        }
        if ($user.VaultRoles -band 32768) {
            Write-Output "$($user.LoginName) cannot manage private views and notification rules."
        }
        if ($user.VaultRoles -band 65536) {
            Write-Output "$($user.LoginName) is an anonymous user."
        }
    }
    

    I found a PowerShell script that works well.

    Now I just need to export this into a report and I'll be done. I think it can be fine-tuned for multi-vault clients.

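As an added example (editor's code, not the poster's script and not tooling shipped by M-Files), here is one way to take the VaultRoles table from the script above across every vault on the server and produce the single report the original question asks for: server logins holding the System Administrator server role, plus, per vault, user accounts holding administrative vault roles, written to one CSV. The VaultRoles bit values come from the table above; everything else the page does not show is an assumption to verify against the M-Files API reference: that MFLoginServerRole uses value 1 for System Administrator, that GetVaults() returns VaultOnServer objects with Name and LogIn(), that LoginAccount exposes UserName, Enabled and ServerRoles, and that UserAccount exposes Enabled. Which vault role bits count as "administrative" is an audit-scope choice; the mask below can be narrowed to bit 1 only.

```powershell
# Added example (not from the thread or from M-Files): one pass over the
# server login list and every vault, exported to CSV, answering the two audit
# questions above. Items marked ASSUMPTION are not shown on this page and must
# be checked against the M-Files API reference before relying on the report.

[Reflection.Assembly]::LoadWithPartialName("Interop.MFilesAPI") | Out-Null

# Vault role bits (values from the table above) that an auditor would count
# as administrative. A plain hashtable is used on purpose: an [ordered]
# dictionary would treat an integer index as a position, not a key.
$VaultRoleNames = @{
    1   = 'Full control of vault'
    128 = 'Change permissions for all objects'
    256 = 'Change metadata structure'
    512 = 'Manage user accounts'
}
$VaultAdminMask = 0
foreach ($bit in $VaultRoleNames.Keys) { $VaultAdminMask = $VaultAdminMask -bor $bit }

# ASSUMPTION: MFLoginServerRole.SystemAdministrator has the value 1.
$ServerRoleSystemAdministrator = 1

# Decode a VaultRoles bitmask into the names above. Every key is a single
# bit, so "-band" is a correct membership test here (unlike "-band 3078").
function Get-AdminVaultRoleNames {
    param([int]$Roles)
    $names = @()
    foreach ($bit in ($VaultRoleNames.Keys | Sort-Object)) {
        if ($Roles -band $bit) { $names += $VaultRoleNames[$bit] }
    }
    return $names
}

function Get-MFilesAdminAuditReport {
    param([string]$OutputCsv = '.\mfiles-admin-audit.csv')

    $server = New-Object MFilesAPI.MFilesServerApplicationClass
    $server.Connect(1)    # logged-on Windows user, as in the script above
    $rows = @()

    # Question 1: server login accounts holding the System Administrator role.
    # ASSUMPTION: LoginAccount exposes UserName, Enabled and ServerRoles.
    foreach ($login in $server.LoginAccountOperations.GetLoginAccounts()) {
        if ($login.ServerRoles -band $ServerRoleSystemAdministrator) {
            $rows += [pscustomobject]@{
                Scope   = 'Server'
                Vault   = ''
                Account = $login.UserName
                Enabled = $login.Enabled
                Roles   = 'System Administrator'
            }
        }
    }

    # Question 2: per vault, user accounts holding any administrative vault role.
    # ASSUMPTION: GetVaults() returns VaultOnServer objects with Name and LogIn().
    foreach ($vaultOnServer in $server.GetVaults()) {
        try {
            $vault = $vaultOnServer.LogIn()
        } catch {
            # An offline or inaccessible vault must show up in the audit, not vanish.
            Write-Warning "Could not log in to vault '$($vaultOnServer.Name)': $_"
            continue
        }
        try {
            foreach ($user in $vault.UserOperations.GetUserAccounts()) {
                if ($user.VaultRoles -band $VaultAdminMask) {
                    $rows += [pscustomobject]@{
                        Scope   = 'Vault'
                        Vault   = $vaultOnServer.Name
                        Account = $user.LoginName
                        Enabled = $user.Enabled    # ASSUMPTION: UserAccount.Enabled
                        Roles   = (Get-AdminVaultRoleNames $user.VaultRoles) -join '; '
                    }
                }
            }
        } finally {
            $vault.LogOut()
        }
    }

    $server.Disconnect()
    $rows | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding UTF8
    return $rows
}

# Write the CSV and show the same rows on screen.
Get-MFilesAdminAuditReport | Format-Table Scope, Vault, Account, Enabled, Roles -AutoSize
```

Run it under an account that is a System Administrator on the server, since vault user lists are only readable with that level of access. The Enabled column matters for the auditor: a disabled account with Full control is still a finding until it is removed, and the CSV makes that visible across all vaults in one place instead of one user at a time.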