Description of the different users, user groups and their rights and duties in ULS.

All users use the same web address. The resulting user interface is derived from the username and its rights. The `ULS-Master-Admin`_ and the `ULS-Administrators`_ are forwarded to the ULS administration application; the “normal” `ULS-User`_ is forwarded to the ULS interactive analysis.

System Administrators
=====================

System administrators have access to the operating system of the servers on which the ULS-server is running. The ULS-server consists mainly of the MySQL database and the unix2web webserver. The system administrators have complete access to the installed software and the MySQL database. They do not use any ULS application in their role as system administrator, although they may use it as one of the ULS-users.

ULS-Master-Admin
================

There is only one `ULS-Master-Admin`_. That account, username: 'admin', is used for the initial configuration of the domains, servers, `ULS-Administrators`_, `ULS-Users`_ and more. Use `ULS-Administrators`_ accounts for further administrative actions. See the Administrator's Guide for more information.

All changes made by the `ULS-Master-Admin`_ are logged, but NOT the creation and deletion of ULS-Administrators, because that currently uses an underlying mechanism of the unix2web webserver, which works closer to the operating system level.

If your ULS-server is to be audited, define a two-man rule (or 4-eye principle) for all actions as ULS-master-admin. Divide its password into two parts, each known to only one of the two men, and put it into a closed envelope. Access only by permission.

ULS-Administrators
==================

These are user accounts used only for the administration of ULS. They can accomplish all administrative tasks through the administrative web application except the creation of new ULS-administrators. See the Administrator's Guide for more information.
These accounts do the complete administration of domains, servers, ULS-users, notification destinations, units, detail access attributes and more. All changes are logged.

To further limit access, only defined IP addresses (or address ranges) are allowed to use the administrative web application. Only the ULS-Master-Admin can define these IP addresses.

ULS-Users
=========

ULS-Users are accounts that use the web application for interactive analysis to access all values in all domains for which they have the access rights. All domain rights and admitted detail access attributes are configured by ULS-Administrators.

Rights
======

Domain rights restrict ULS-Users to specific groups of sources or servers; detail access attributes can be used to restrict access to specific details (values) within the detail hierarchy of a domain. ULS-Administrators can grant domain rights and detail access attributes to ULS-Users.

Domain Rights
-------------

Every source that sends values to the ULS-server belongs to exactly one domain. All values from that source, structured as a section-teststep-detail hierarchy, are related to the domain.

ULS-Administrators grant domain rights to ULS-Users. The ULS-Users can then, by default, access all details with the detail access attribute 'all'.

The following table lists the differences between standard and read-only domain rights.
==============================  ========  ===========
define, change, delete          standard  read-only
                                domain    domain
                                rights    rights
==============================  ========  ===========
favorites                       x         x
reports                         x         x
mail-reports                    x         x
aggregations                    x
limits                          x
combined limits                 x
differential limits             x
isAlives                        x
limits on aggregated values     x
monitoring pause                x
retention time of details       x
sort sequence of details        x
deletion of details             x
source (server) documentations  x
==============================  ========  ===========

Detail Access Attributes
------------------------

By default, ULS-Users can view **all** values of the source-section-teststep-detail hierarchy of a domain for which they have been granted a domain right.
Detail access attributes are used to prevent ULS-Users from accessing specific details, which e.g. may contain security or other crucial information.
Detail access attributes are granted by ULS-Administrators to ULS-Users. That is effective for all details within the domain.
By default, all values are transmitted with the access attribute 'all' (or without any access attribute); access to these values is unrestricted for all ULS-Users who have access to the corresponding domain ('Verfahren').

ULS-Administrators can define any additional access attributes. This must be done before the attribute is first used in the transmission of values; otherwise the values are filed under the access attribute 'all' for the corresponding detail.
The detail access attributes are valid system-wide and can be used in all domains. Here is the list of the basic detail access attributes:

=============  =================================================================
detail access  description
attribute
=============  =================================================================
all            General access attribute for all details which are stored in ULS
               without any access attribute or which are explicitly marked with
               the 'all' access attribute. All ULS-Users can view these detail
               values.
adm            A ULS-User must have been granted the 'admin' access attribute
               to be able to access the values of the details that are marked
               with the 'adm' access attribute. This access attribute is used
               by the ULS-client for Linux to hide crucial system information
               like firewall settings and LDAP configurations from 'normal'
               ULS-Users.
sec            A ULS-User must have been granted the 'security' access
               attribute to be able to access the values of the details that
               are marked with the 'sec' access attribute. This access
               attribute is used by the ULS-client for Linux to hide the
               sudo2uls recordings of terminal- and user-based sessions from
               'normal' ULS-Users.
prot           A ULS-User must have been granted the 'protocol' access
               attribute to be able to access the values of the details that
               are marked with the 'prot' access attribute. This access
               attribute is used to mark any changes of the ULS-Master-Admin
               and the ULS-Administrators, as well as changes to threshold
               definitions made by any ULS-Users.
=============  =================================================================
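
The following is an added example, not ULS code: a simplified Python model of the rules described on this page (domain right first, then the detail access attribute, with values filed under 'all' when the attribute they were sent with has not been defined beforehand). All function names, the data structures, the 'hr' attribute and the sample users and details are assumptions made for illustration.

```python
# Added illustration: a simplified model of the access rules described on this
# page. Not ULS code; every name and data structure here is an assumption.

# Marker on a detail -> attribute a ULS-User must have been granted,
# as listed for the basic detail access attributes.
GRANT_FOR_MARKER = {"adm": "admin", "sec": "security", "prot": "protocol"}


def stored_attribute(sent, defined):
    """Attribute a detail is filed under when a value arrives.

    Values sent without an attribute, or with one that no ULS-Administrator
    defined before first use, are filed under 'all'.
    """
    if sent is None or sent not in defined:
        return "all"
    return sent


def can_view(user, domain, attribute):
    """A user needs the domain right and, for anything but 'all', the grant."""
    if domain not in user["domains"]:
        return False
    if attribute == "all":
        return True
    # Assumption: custom attributes are granted under their own name.
    return GRANT_FOR_MARKER.get(attribute, attribute) in user["grants"]


def downgraded(details, defined):
    """Details whose sender asked for a restriction that was not applied."""
    return [name for name, sent in details
            if sent not in (None, "all") and stored_attribute(sent, defined) == "all"]


# Constructed sample data (hypothetical domain, users and details).
DEFINED = {"all", "adm", "sec", "prot"}          # 'hr' was never defined
ALICE = {"domains": {"prod"}, "grants": set()}
BOB = {"domains": {"prod"}, "grants": {"security"}}
DETAILS = [("cpu load", None), ("sudo2uls session", "sec"), ("payroll job", "hr")]

if __name__ == "__main__":
    for name, sent in DETAILS:
        attr = stored_attribute(sent, DEFINED)
        print(f"{name!r}: sent={sent} stored={attr} "
              f"alice={can_view(ALICE, 'prod', attr)} bob={can_view(BOB, 'prod', attr)}")
    print("filed under 'all' despite a requested attribute:",
          downgraded(DETAILS, DEFINED))
```

In this model the 'payroll job' detail becomes visible to every user with the domain right, which is why a new attribute has to be defined before any client sends values with it.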