How to generate a report of registered users in RSA Authentication Manager 8.x database
Originally Published: 2021-05-11
Article Number: 000064697
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x
Issue
This article describes how to generate a report of registered users in the Authentication Manager database.
Resolution
The report is generated at the command line by an administrator who has access to the rsaadmin account password and knows the Operations Console username and password.
  1. Log on to the SecurID Appliance, either with an SSH session or at the local console, as the rsaadmin account.
  2. Go to /opt/rsa/am/utils.
  3. Retrieve the password for the rsa_dba user using the following command:
/opt/rsa/am/utils/rsautil manage-secrets -a get com.rsa.db.dba.password
  4. Enter the Operations Console username and password when prompted.
  5. Make a note of the returned com.rsa.db.dba.password value.
  6. Create a text file in /opt/rsa/am/utils with an appropriate name; for example, registered_users.sql.
  7. Copy the SQL statement below into the text file and save the change.
SELECT 
      ipd.loginuid,
      ipd.IDENTITY_SRC_KEY,
      iis.name,
      iis.principal_base_dn
FROM
      RSA_REP.IMS_PRINCIPAL_DATA ipd
INNER JOIN
      RSA_REP.IMS_IDENTITY_SOURCE iis
ON
      iis.id = ipd.IDENTITY_SRC_ID;
  8. From /opt/rsa/am/utils, use the following command to generate a .csv output file from registered_users.sql:
/opt/rsa/am/pgsql/bin/psql -h localhost -p 7050 -d db -U rsa_dba -A -F , -X -t -f registered_users.sql -o regusers_report.csv
  9. When prompted, enter the com.rsa.db.dba.password value obtained in step 3.
  10. Open regusers_report.csv to see a list of all of the registered users in the Authentication Manager 8.x database.
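As an added example that is not part of the RSA article, the following shell wrapper runs the export above (prompting only for the rsa_dba password) and then tallies the CSV per Identity Source, so the total can be compared with the licence's active user limit. The paths, port, database name and user are those given in the article; the CSV column order is that of the SELECT statement above.

```bash
#!/bin/bash
# Added example, not from the RSA article: wraps the article's psql export and
# summarises the resulting CSV per Identity Source. Paths, port 7050, database
# "db" and user rsa_dba are the article's; registered_users.sql is the file
# created in the steps above.
set -eu

AM_PSQL=/opt/rsa/am/pgsql/bin/psql
SQL_FILE=/opt/rsa/am/utils/registered_users.sql
OUT_CSV=/opt/rsa/am/utils/regusers_report.csv

# Run the export. The rsa_dba password (the com.rsa.db.dba.password value from
# rsautil manage-secrets) is read from the terminal without echo and handed to
# psql through PGPASSWORD, so it never lands in the command line or history.
export_registered_users() {
    local dba_pw
    read -r -s -p "rsa_dba password: " dba_pw; echo
    PGPASSWORD="$dba_pw" "$AM_PSQL" -h localhost -p 7050 -d db -U rsa_dba \
        -A -F , -X -t -f "$SQL_FILE" -o "$OUT_CSV"
}

# Total registered users: -t suppresses the header, so every non-empty line is one user.
count_registered() {
    grep -c . "$1"
}

# Registered users per Identity Source, highest first, as "<count> <name>".
# Column order follows the article's SELECT: loginuid, IDENTITY_SRC_KEY, name,
# principal_base_dn. Only the first three columns are used because an LDAP
# base DN (CN=...,DC=...,DC=...) contains commas and spills into extra fields
# with the -F , separator.
summarize_by_source() {
    awk -F, 'NF >= 3 { n[$3]++ } END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Usage on the appliance: export, then review the totals against the licence.
if [ "${1:-}" = "--run" ]; then
    export_registered_users
    echo "registered users: $(count_registered "$OUT_CSV")"
    summarize_by_source "$OUT_CSV"
fi
```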
Notes

A 'registered' user in Authentication Manager is any UserID, from either the internal database or an external LDAP Identity Source, who has had a Token or fixed passcode authenticator assigned, or who has answered Security Questions in the Self Service Console; such users therefore count against the active user limit on the License.

A Clean-up job looks in the LDAP Identity Sources and, if the UserID no longer exists (it has been moved out of scope or deleted), the clean-up job unassigns all tokens, clears fixed passcodes, deletes Security Question answers and removes the ExUID pointer to the LDAP Identity Source (ObjectGUID in AD), so that the user no longer counts against the Active User Limit in the AM Server.

[Screenshot: SC-Setup-Identity-Clean_up]

Some care is required when running Clean-up jobs. For example, if the Service account used to access the external LDAP Identity Source were no longer valid, if a firewall blocked access from the AM server to the LDAP server, or if LDAPS were used and a server certificate expired, AM would be unable to see any LDAP UserIDs and would therefore consider them all deleted. That is why there are limits on Clean-up jobs, such as limiting the clean-up to unresolvable users who have not been seen for at least 7 days, or limiting the maximum number of cleaned-up users to 50, on the theory that if more than 50 unresolvable users were found, that might indicate a problem.