Object function group auditing tool

File uploaded by JussiValkonen on Aug 2, 2016. Last modified by JussiValkonen on Aug 18, 2016.
Version 5

This script walks through every object name known to the local CA Service Desk Manager installation, processes them one by one, and at the end dumps the objects to stdout. If --funcName is given, it prints only the objects for that function group; with no arguments, it dumps all objects for each function group. See --help for a more verbose description of the available options.

pdm_perl getObjectsForFuncGroup.pl [--funcName <name> | --help | --debug]

Restrictions: Only works on Windows. If someone needs to adapt this for *nix and doesn't know how to do it, I'll be happy to help them.


Rationale for writing this tool: While working with a client, they asked me if I knew who had modified their department data. I had no idea, but I started looking into it. It turns out that one role of theirs had way too much access: they were somehow able to edit department data when they should only be able to view it. All this was of course an innocent accident; they wanted to do something completely different but ended up editing the name of a department instead, and this started a snowball effect somewhere else.

I quickly discovered that the role had functional access for inventory set to modify. OK, simple enough, change it to view and we should be OK. But wait, what if there are other objects with the "inventory" function group which they need to edit? What objects have "inventory" set as their function group? I knew bop_sinfo -f can tell you that for one object, but is there a reverse for this? I contacted support through the chat and they were not aware of anything capable of doing that, so I decided to build my own and share it with the community in case someone has similar needs and/or is doing some kind of security assessment or auditing. A couple of hours later the first version of this tool was ready and tested, and it has since been further developed to be more user-friendly as well as more capable as an auditing utility.
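
The audit question above (which objects sit behind a function group, and which of them a role stops being able to edit if that group is lowered from modify to view) can be worked through once object/function-group pairs are available. This Python example is added here and is not part of the tool or the original post; it assumes the pairs have been exported as "object,function_group" lines, and the object names, the call_mgr group and the role's access map are constructed placeholders, not the real CA SDM mapping.

```python
from collections import defaultdict

# Constructed sample input: "object,function_group" pairs (assumed export format).
# Names are illustrative placeholders, not the real CA SDM object mapping.
SAMPLE_PAIRS = """\
dept,inventory
loc,inventory
asset,inventory
ticket,call_mgr
note,
"""

LEVELS = {"none": 0, "view": 1, "modify": 2}
NO_GROUP = "(no function group)"


def objects_by_group(text):
    """Invert object -> function group into function group -> sorted objects."""
    groups = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        obj, _, group = (part.strip() for part in line.partition(","))
        groups[group or NO_GROUP].append(obj)
    return {g: sorted(objs) for g, objs in groups.items()}


def modifiable(groups, role_access):
    """Objects a role can edit, given its access level per function group."""
    return sorted(
        obj
        for group, objs in groups.items()
        for obj in objs
        if LEVELS[role_access.get(group, "none")] >= LEVELS["modify"]
    )


def impact_of_change(groups, role_access, group, new_level):
    """Objects that lose modify access if `group` is set to `new_level`."""
    after = dict(role_access, **{group: new_level})
    return sorted(set(modifiable(groups, role_access)) - set(modifiable(groups, after)))


if __name__ == "__main__":
    groups = objects_by_group(SAMPLE_PAIRS)
    role = {"inventory": "modify", "call_mgr": "view"}  # constructed role
    print("inventory objects:", groups["inventory"])
    print("lost on downgrade:", impact_of_change(groups, role, "inventory", "view"))
```

Reviewing the "lost on downgrade" list before changing the role shows whether any object the role legitimately needs to edit shares the function group being restricted.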