You are viewing limited content. For full access, please sign in.

Discussion

Discussion

SID name in Audit Trail

Audit Trail
Updated January 31, 2024
posted on July 24, 2019

Hi, 

I am preparing an audit report about an entry in which security permissions were changed. The results show "old security descriptor" and "new security descriptor", however, the value shown apparently corresponds to a SID of a user.

Where do I relate this SID to the username? I have tried at the database level however the values do not match the users registered in the repository.

 

 

0 0
replied on July 24, 2019

If the SID starts (as the one pictured does) with S-1-9-, it's a repository user, and the final component (in the pictured case, 9) is the trustee ID.  If the trustee still exists, you should be able to query on that in the repository database (e.g. SELECT trustee_name FROM trustee WHERE trustee_id = 9).  If the trustee has been deleted from the repository, you could try looking for other audit events with a trustee ID of 9 to see if one of them mentions the name.

If the SID starts with S-1-5-, it's a Windows trustee, and you'll need to query Active Directory to figure out the name.  Unfortunately, I'm less familiar with the particulars of how to do that.

0 0
replied on January 31, 2024

Adding to OP's question... If the customer has LF Cloud, how do we equate/query the SID's for the usernames without having access to a database? Are they listed somewhere in the Account section?

Also, in the screenshot it says the owner is "S-1-0-0" which my understanding means it is null or has no owner, is that correct?

0 0
replied on January 31, 2024

For users currently active in the system, you can run an audit report for Login events (or the like), and you can add SID as a column (it's in the "User" section in the column picker) and compare to the user name / email address column (I'm assuming from the context of the thread here that you have auditing set up).  You can filter on this column also, if there's some specific SID you're hoping to look up.

If you want more of a lookup table, then from the Account Administration panel (in the Account section), if you use the "Generate a CSV containing user information" option (in the toolbar), one of the columns is TrusteeID.

I don't know of a place where we more directly expose the trustee IDs through the UI.

Your understanding of S-1-0-0 is correct; it is the Null SID, and indicates in the screenshot that the entry has no owner.

0 0
You are not allowed to follow up in this post.

Sign in to reply to this post.

Details
Related Posts
Loading ...