Track who logged in as wcadmin

We have a business/security requirement to track who has logged in as wcadmin so that specific actions performed as wcadmin can be traced back to a person.


I've tried searching through the support portal, but have been unsuccessful in seeing if such a feature is included in Windchill or has been customized into Windchill in some way.


Any ideas?


Thanks in advance.

Accepted Solutions

Re: Track who logged in as wcadmin

If you wanted to go through the access.log file that is created in HTTPServer, it will give you the IP addresses of who is accessing Windchill along with the name of the Windchill user logged in.  You would then have to track the IP address back to the computer it was used on.  However this file grows rather large quickly and might not be useful to try and find the information you are looking for.  But it is there.

 

I would agree with @BenLoosli though to give them their own logins for the purposes that you need.

10 REPLIES

Re: Track who logged in as wcadmin

I don't think this is possible as Windchill has no way to collect that information.

Your best bet is to create user privileged accounts for each person who needs the same rights as wcadmin and then limit the wcadmin account to a single person.

I'm not a programmer, but maybe you could write some custom code that logs the user name and then launches Windchill with the wcadmin account. A wcadmin user could still launch Windchill directly, if they wanted to.

 

Re: Track who logged in as wcadmin

Ben Loosli is correct.  Not a Windchill capability.  wcadmin is the user.  No real way to know "Who" logged in with that single account.

 

Many customers create a specific user account for each user they want to have admin privileges, like "kjhAdmin", then provide this account admin privileges. This is separate from that same user's normal account, say "kjh".

 

Another recommendation when doing this is to let these users be ORG admin only.  This allows said users to have business control over Windchill configuration,  but not Site level.  Keep Site level to that wcadmin account.

Re: Track who logged in as wcadmin

Thanks,

All good replies.

 

I didn't expect Windchill had that capability (but I did hope).

 

The Apache access log may work in our case.  We use a single sign on solution, and the user would have to log out and log in manually to switch to wcadmin.  So the same ip would show with the real username, and subsequently with Administrator.

 

It's not 100%, but things never are.  There are fringe cases where SSO doesn't work.
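Added example, not part of the original thread: a Python sketch of the correlation described in the post above, pairing each shared-account login in the Apache access log with the personal account last seen from the same IP. It assumes Apache Common Log Format with the authenticated user in the third field, the shared account names `wcadmin` and `Administrator`, and an 8-hour lookback to limit stale matches when IP addresses change; the sample lines, users and paths are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed format: Apache Common Log Format (%h %l %u %t "%r" %>s %b).
LINE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" \d{3} \S+')
SHARED = {"wcadmin", "Administrator"}   # shared account names (assumption)

# Constructed sample lines; IPs, users and paths are made up for illustration.
SAMPLE = """\
192.0.2.10 - jsmith [12/Mar/2019:09:01:12 -0500] "GET /Windchill/app/ HTTP/1.1" 200 5120
192.0.2.44 - akhan [12/Mar/2019:09:03:40 -0500] "GET /Windchill/app/ HTTP/1.1" 200 5120
192.0.2.10 - Administrator [12/Mar/2019:09:07:55 -0500] "GET /Windchill/app/ HTTP/1.1" 200 5120
192.0.2.10 - Administrator [12/Mar/2019:09:08:03 -0500] "POST /Windchill/app/ HTTP/1.1" 200 812
198.51.100.7 - wcadmin [12/Mar/2019:11:30:00 -0500] "GET /Windchill/app/ HTTP/1.1" 200 5120
192.0.2.44 - - [12/Mar/2019:11:31:00 -0500] "GET /Windchill/login HTTP/1.1" 401 381
"""

def attribute_shared_logins(lines, shared=SHARED, window=timedelta(hours=8)):
    """Return one record per shared-account session start:
    (time, ip, shared_user, probable_person or None)."""
    last_named = {}     # ip -> (personal user, time last seen)
    active = set()      # (ip, shared_user) pairs already reported
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                        # skip malformed lines
        ip, user, ts = m.groups()
        if user == "-":
            continue                        # unauthenticated request
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if user in shared:
            if (ip, user) not in active:    # report the first hit only
                prev = last_named.get(ip)
                person = prev[0] if prev and when - prev[1] <= window else None
                findings.append((when.isoformat(), ip, user, person))
                active.add((ip, user))
        else:
            last_named[ip] = (user, when)
            # A personal login from this IP ends any shared session there.
            active = {(i, u) for (i, u) in active if i != ip}
    return findings

if __name__ == "__main__":
    for finding in attribute_shared_logins(SAMPLE.splitlines()):
        print(finding)
```

A record whose last element is `None` is a shared-account login with no personal account seen from that IP inside the window, which is the case that needs manual follow-up.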

 

Re: Track who logged in as wcadmin

But you can use the audit report.

It captures the IP address:

Event Label | Event Key | Event Time | User Name | User ID | IP Address | User Organization

 

or create custom report for the SessionUserAuditEvent object.

Re: Track who logged in as wcadmin

Why can't you add the user to the administrator group?

Capture.JPG

Re: Track who logged in as wcadmin

We can and do add users to Site Administrators.  What we're trying to capture here is a fringe case that shouldn't occur, except under rare circumstances.

 

In response to your other post (probably bad etiquette here), we do have dynamic IP addresses. You'd think they wouldn't change all that often, but "work from home" vs "work at work" tends to mess with that.

 

Thanks.

Re: Track who logged in as wcadmin

This is the right answer. An out of the box Windchill installation has security auditing enabled for the context logon event, and that should give the IP address.

 

EDIT: just saw your other reply, did not account for dynamic ip

Re: Track who logged in as wcadmin

To those with 11.1 or higher, if you create a second user account for a single person to access Admin functions, do you also need to buy an additional license since there are 2 entries in the LDAP assigned to a single person?

 
