
AD integration

I have a customer who is interested in understanding the DB configurations for AD and native BP authentication, in particular where in the DB structure you can find the name entries. As background, the customer is using CyberArk, but only to fetch the password for Citrix sessions. In audit logs, however, we have the info about 3rd party applications, and those we store so far only inside BP Credential Manager. Regarding native BP authentication, for login purposes we use Active Directory integration. So, only people “with access” can log in.

Example given:

From our audit logs we can see that:

  1. The user 'lp319@ modified the credential 'TBO RTS access PA938'
  2. The user 'wn054@' modified the schedule 'TEST PA940 log off'
  3. The user 'wn054@ modified the schedule 'TEST PA940 log in '
  4. The user 'br102@' modified the credential 'ECP_Test'

 

  • Can events 1 and 4 be stored inside AD?

  • Would we be able to see AD group privilege modifications (System > Security > User Roles) inside the database, and which tables contain that?

  • We log in to BP by using SSO, so we don’t have to provide any username/password. Users who have access in AD can log in “automatically”. However, is there a possibility in this scenario that we can have failed login events? And if yes, where might that information be stored? (I assume the database as well.)
1 REPLY 1

JerinJose
Level 10
Hi Jorg

All audit events are stored in the BP database. BP reaches out to AD only to validate the user's membership in the AD groups that have been assigned some roles in BP. To the best of my knowledge, BP does not send any logs about successful login/failure back to AD. I have not observed any logs regarding failed logon attempts being captured in the database; on the other hand, all successful logons are logged.

To understand the user role permission assignments, you need to look at the following DB tables:
1. BPAPerm
2. BPA userroles
3. BPA userrole assignment
4. BPA UserrolePerm


There are other permissions on process groups, resource groups and object groups which will be helpful in setting up a multi-team environment with more granular access controls for developers.

I would defer to the BP product team to confirm if they do log unsuccessful login events in the database, since I have not observed one such event in audit logs so far.