
CEM Policy statement with test ACF2 UID String - Starts With/Contains failing


Article ID: 202572


Products

Compliance Event Manager

Issue/Introduction

User's UID string is *B****TEST where *=space/wildcard.

Set up tracking of this UID a couple of years ago with UID string contains "B    TEST" (4 spaces between B and TEST). This tracks users of this UID string.

Switched a few users over to "Starts with" and added a space before the B in the UID string. For example, testing for UID starts with " B    TEST", and the tracking appears to have stopped working. The display shows UID starts with " B TEST" and looks to have trimmed the spaces in between.

Policy Statement  11:
   Event      = OBJECTACCESS,OBJAUDIT
   CONDITION  = USERUID=%"C    TEST" && USERUID=*" B    TEST"
   PUUID      = 32ba271e-afad-40e3-813d-a663896e9a80
   ACTION     = INCLUDE

 

Environment

Release : 6.0

Component : CA COMPLIANCE EVENT MANAGER

Resolution

Ensure that the Policy Statement and test conditions are accurate. To do so, issue the status command for the CEMALERT, CEMMON ... etc., 'F cemfunction,STATUS'. As an example:

Policy Statement  11:
   Event      = OBJECTACCESS,OBJAUDIT
   CONDITION  = USERUID=%"C    TEST" && USERUID=*" B    TEST"
   PUUID      = 32ba271e-afad-40e3-813d-a663896e9a80
   ACTION     = INCLUDE

The test condition checks that the ACF2 UID string both starts with ' B    TEST' and contains 'C    TEST'. If the condition cannot be met, it will not be reported.

In this case, the condition should use OR instead of AND. Please update the policy to match individual logonids.
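The following is an added example, not Broadcom's code and not part of the original article: it parses the CONDITION line from the status output above and evaluates it against sample UID strings, once with all terms required (the && in the policy) and once with any term sufficient (OR). It models only the two operators shown on this page (% as contains, * as starts with); the function names and the sample UID strings are constructed for illustration.

```python
import re

# Operator characters as they appear in the status output on this page:
# '%' = contains, '*' = starts with (per the Resolution text).
OPS = {
    "%": lambda uid, lit: lit in uid,
    "*": lambda uid, lit: uid.startswith(lit),
}
TERM = re.compile(r'USERUID=([%*])"([^"]*)"')


def parse_terms(condition):
    """Return [(op, literal)], keeping every space inside the quotes."""
    return TERM.findall(condition)


def matches(uid, terms, combine):
    """combine=all models the && in the policy; combine=any models OR."""
    return combine(OPS[op](uid, lit) for op, lit in terms)


def report(condition, uids):
    """Return (uid, matched_with_AND, matched_with_OR) for each UID string."""
    terms = parse_terms(condition)
    return [(u, matches(u, terms, all), matches(u, terms, any)) for u in uids]


CONDITION = 'USERUID=%"C    TEST" && USERUID=*" B    TEST"'

# Constructed UID strings (not real logonids).
SAMPLE_UIDS = [
    " B    TESTUSER01",   # starts with ' B    TEST'
    " C    TESTUSER02",   # contains 'C    TEST'
    " B TESTUSER03",      # single space: what a trimmed literal would look like
    "XD    PRODUSER04",   # unrelated UID string
]

if __name__ == "__main__":
    for uid, and_hit, or_hit in report(CONDITION, SAMPLE_UIDS):
        print(f"{uid!r:22} AND={and_hit!s:5} OR={or_hit}")
```

None of the sample UID strings satisfies both terms at once, so the AND form reports nothing, while the OR form picks up the first two.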