Discussion

SID name in Audit Trail

posted on July 24, 2019

Hi, 

I am preparing an audit report about an entry in which security permissions were changed. The results show "old security descriptor" and "new security descriptor"; however, the value shown apparently corresponds to a SID of a user.

Where do I relate this SID to the username? I have tried at the database level; however, the values do not match the users registered in the repository.

0 0
replied on July 24, 2019

If the SID starts (as the one pictured does) with S-1-9-, it's a repository user, and the final component (in the pictured case, 9) is the trustee ID.  If the trustee still exists, you should be able to query on that in the repository database (e.g. SELECT trustee_name FROM trustee WHERE trustee_id = 9).  If the trustee has been deleted from the repository, you could try looking for other audit events with a trustee ID of 9 to see if one of them mentions the name.

If the SID starts with S-1-5-, it's a Windows trustee, and you'll need to query Active Directory to figure out the name.  Unfortunately, I'm less familiar with the particulars of how to do that.

0 0
replied on January 31

Adding to OP's question... If the customer has LF Cloud, how do we equate/query the SIDs for the usernames without having access to a database? Are they listed somewhere in the Account section?

Also, in the screenshot it says the owner is "S-1-0-0", which, to my understanding, means it is null or has no owner. Is that correct?

0 0
replied on January 31

For users currently active in the system, you can run an audit report for Login events (or the like), and you can add SID as a column (it's in the "User" section in the column picker) and compare to the user name / email address column (I'm assuming from the context of the thread here that you have auditing set up).  You can filter on this column also, if there's some specific SID you're hoping to look up.

If you want more of a lookup table, then from the Account Administration panel (in the Account section), if you use the "Generate a CSV containing user information" option (in the toolbar), one of the columns is TrusteeID.

I don't know of a place where we more directly expose the trustee IDs through the UI.

Your understanding of S-1-0-0 is correct; it is the Null SID, and indicates in the screenshot that the entry has no owner.

0 0
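
The lookup described in the replies above, as an added example that is not part of the original thread or the product's own code: it classifies a SID from an audit report by its prefix and resolves repository SIDs against the exported user CSV. Only the TrusteeID column is named in the thread; the `UserName` column name, the function names, and all sample SIDs and users are constructed assumptions.

```python
import csv
import io
import re

# "S-1-<authority>-<sub>-<sub>..." with at least one sub-component.
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")

# Constructed stand-in for the user-information CSV export. Only TrusteeID
# is named in the thread; "UserName" is an assumed column name.
SAMPLE_CSV = """TrusteeID,UserName
9,jsmith@example.com
14,akhan@example.com
"""

def load_trustees(csv_text, name_column="UserName"):
    """Build a TrusteeID (int) -> user name map from the exported CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["TrusteeID"]): row[name_column] for row in reader}

def resolve_sid(sid, trustees):
    """Return (kind, detail) for a SID string copied from an audit report."""
    m = SID_RE.match(sid.strip().upper())
    if not m:
        return ("invalid", None)
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority == 0 and subs == [0]:
        return ("null", "no owner")            # S-1-0-0, the Null SID
    if authority == 9:
        trustee_id = subs[-1]                  # final component = trustee ID
        name = trustees.get(trustee_id)
        if name is None:
            # Deleted trustee: search other audit events for this ID instead.
            return ("repository-unknown", trustee_id)
        return ("repository", name)
    if authority == 5:
        return ("windows", sid.strip())        # resolve via Active Directory
    return ("other", sid.strip())

if __name__ == "__main__":
    trustees = load_trustees(SAMPLE_CSV)
    # Constructed SIDs; the middle components are placeholders.
    for s in ["S-1-9-1234-5678-9", "S-1-9-1234-5678-77",
              "S-1-0-0", "S-1-5-21-1-2-3-1105"]:
        print(s, "->", resolve_sid(s, trustees))
```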