Saturday, March 8, 2008

Using ODBC UA to monitor who's using ADMIN MODE

The ADMIN MODE permission in ITM 6 is powerful. It allows a user to publish workspaces that are available to all TEPS users. Here's how you can use the ODBC data provider and the Universal Agent to monitor whenever someone is using ADMIN MODE...

TEPS user permissions are stored in the TEPS database. The effective permissions of a user, however, are a little harder to derive, as they are stored as a 64-bit hex code in the AUTHEX column of the KFWUSER table. When ADMIN MODE is enabled for a user, for example, the 64th bit in the hex code is flipped from a '0' to a '1'.

Given this information, we can now write a metafile for the UA ODBC data provider that runs an ODBC query and returns the NAME and AUTHEX fields to the TEP for evaluation. Here is an example metafile:

//APPL ADMIN_MODE_QUERY
//NAME Query_Admin_Mode K 300 Interval=60
//SOURCE ODBC teps user=teps pswd=teps
//SQL select NAME,"AUTHEX" from KFWUSER
//ATTRIBUTES
Name D 30
AuthEx D 64

Once the data is returned to TEP, we can write a situation against the data to alert when the '0' is flipped to '1' in the AUTHEX column. We'll use the "return a subset of a string" function in our formula to search for a 1 in the 64th position in the AUTHEX string.

Now we can have our situation fire an event to the situation console, send an event to TEC, email/page someone, open a ticket, etc., when it evaluates true.
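
The same check the situation performs, written out as an added Python example (not part of the original post and not ITM code): it tests the character at position 64 of each AUTHEX value and, going slightly beyond the situation, reports only users whose flag has turned on since the previous poll. It assumes AUTHEX arrives as a string of at least 64 characters, as described above; the user names and AUTHEX values are constructed, and the function names are hypothetical.

```python
# Added example: mirrors the situation's substring test on polled KFWUSER rows.
ADMIN_MODE_POS = 64  # 1-based position in AUTHEX, as described in the post


def admin_mode_on(authex):
    """Return True/False for the flag, or None if the value is too short to judge."""
    value = (authex or "").rstrip()  # tolerate trailing padding from fixed-width columns
    if len(value) < ADMIN_MODE_POS:
        return None
    return value[ADMIN_MODE_POS - 1] == "1"


def evaluate_poll(rows, previous):
    """Compare one poll of (NAME, AUTHEX) rows with the previous state.

    Returns (alerts, state): alerts is a list of (name, reason) tuples and
    state maps each user name to the flag seen in this poll.
    """
    alerts, state = [], {}
    for name, authex in rows:
        flag = admin_mode_on(authex)
        state[name] = flag
        if flag is None:
            # A truncated or empty value must not be read as "ADMIN MODE off".
            alerts.append((name, "AUTHEX unreadable"))
        elif flag and previous.get(name) is not True:
            # Fires on a 0 -> 1 flip and on a user first seen with the flag set.
            alerts.append((name, "ADMIN MODE enabled"))
    return alerts, state


# Constructed sample data: 63 filler characters followed by the flag character.
FILLER = "0" * 63
POLL_1 = [("sysadmin", FILLER + "1"), ("jdoe", FILLER + "0")]
POLL_2 = [("sysadmin", FILLER + "1"), ("jdoe", FILLER + "1"), ("svc", "0010")]

if __name__ == "__main__":
    state = {}
    for number, poll in enumerate((POLL_1, POLL_2), start=1):
        alerts, state = evaluate_poll(poll, state)
        for name, reason in alerts:
            print(f"poll {number}: {name}: {reason}")
```

Keeping the previous poll's state means a user who already had ADMIN MODE is reported once, while a newly granted user is reported on the first poll after the change.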
