
Track who logged in as wcadmin

craymond
11-Garnet


We have a business/security requirement to track who has logged in as wcadmin so that specific actions performed as wcadmin can be traced back to a person.


I've tried searching through the support portal, but have been unsuccessful in seeing if such a feature is included in Windchill or has been customized into Windchill in some way.


Any ideas?


Thanks in advance.

1 ACCEPTED SOLUTION


If you wanted to go through the access.log file that is created in HTTPServer, it will give you the IP addresses of who is accessing Windchill along with the name of the Windchill user logged in.  You would then have to track the IP address back to the computer it was used on.  However this file grows rather large quickly and might not be useful to try and find the information you are looking for.  But it is there.

 

I would agree with @BenLoosli though to give them their own logins for the purposes that you need.


13 REPLIES
BenLoosli
23-Emerald II
(To:craymond)

I don't think this is possible as Windchill has no way to collect that information.

Your best bet is to create user privileged accounts for each person who needs the same rights as wcadmin and then limit the wcadmin account to a single person.

I'm not a programmer, but maybe you could write some custom code that logs the user name and then launches Windchill with the wcadmin account. A wcadmin user could still launch Windchill directly, if they wanted to.

 


Ben Loosli is correct.  Not a Windchill capability.  wcadmin is the user.  No real way to know "Who" logged in with that single account.

 

Many customers create a specific user account for each user they want to have admin privileges, like "kjhAdmin", then provide this account admin privileges.  This is separate from that same user's normal account, say "kjh".

 

Another recommendation when doing this is to let these users be ORG admin only.  This allows said users to have business control over Windchill configuration,  but not Site level.  Keep Site level to that wcadmin account.

Greetings from NASA Kevin,

 

At GRC we have developed a way to allow people to log in with multiple accounts using SmartCard authentication via SAML that DOES allow multiple people to access, and logins can be tracked back to the PKI card cert owner.

 

I understand this may not help in all scenarios (especially those who don't use PKI), but we are using PingFederate as an IDP and Ping 9.3's Identity First Adapter to validate access.

 

I am sure with a little bit of programming & looking at our solution slightly differently, it could easily be done with other than PKI login.

However, we are at a standstill because the Thingworx team has said they aren't going to support Ping 9.3 until the end of the calendar year.  I think it would be extremely valuable for the Windchill team to see what we are doing to help with some advanced authentication that DOESN'T require any customization to Windchill.

Jim

 

 

Thanks,

All good replies.

 

I didn't expect Windchill had that capability (but I did hope).

 

The Apache access log may work in our case.  We use a single sign-on solution, and the user would have to log out and log in manually to switch to wcadmin.  So the same IP would show with the real username, and subsequently with Administrator.

 

It's not 100%, but things never are.  There are fringe cases where SSO doesn't work.
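An added example (not part of the original posts and not PTC code) of the correlation described above: it walks access.log entries in order and, each time an IP address switches to the shared admin account, reports the last personal account seen on that IP. It assumes the log is in Apache Common Log Format with the authenticated user in the third field, that the shared account is logged as wcadmin or Administrator, and an 8-hour staleness window; the sample lines and the user name jdoe are constructed.

```python
import re
from datetime import datetime, timedelta

# Common Log Format prefix: host ident user [time] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "[^"]*" (\d{3}) \S+')
ADMIN_NAMES = {"wcadmin", "administrator"}  # assumption: names the shared account logs as
WINDOW = timedelta(hours=8)  # assumption: older sightings are stale (dynamic IPs)

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
10.20.30.41 - jdoe [12/Mar/2019:09:01:12 -0500] "GET /app/home HTTP/1.1" 200 5120
10.20.30.41 - jdoe [12/Mar/2019:09:14:40 -0500] "GET /app/logout HTTP/1.1" 200 812
10.20.30.41 - Administrator [12/Mar/2019:09:15:50 -0500] "GET /app/home HTTP/1.1" 401 381
10.20.30.41 - Administrator [12/Mar/2019:09:16:03 -0500] "GET /app/home HTTP/1.1" 200 5120
10.20.30.41 - Administrator [12/Mar/2019:09:16:09 -0500] "POST /app/config HTTP/1.1" 200 95
10.20.30.77 - wcadmin [12/Mar/2019:10:02:00 -0500] "GET /app/home HTTP/1.1" 200 5120
""".splitlines()

def parse(line):
    """Return (ip, user, time, status), or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, stamp, status = m.groups()
    return ip, user, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z"), int(status)

def attribute_admin_sessions(lines, admin_names=ADMIN_NAMES, window=WINDOW):
    """For each switch to the admin account, name the last personal user on that IP."""
    last_named = {}   # ip -> (user, time) of the latest personal-account request
    in_admin = set()  # IPs already reported for their current admin session
    findings = []
    for ip, user, when, status in filter(None, map(parse, lines)):
        if user == "-" or status == 401:  # anonymous or failed authentication
            continue
        if user.lower() not in admin_names:
            last_named[ip] = (user, when)
            in_admin.discard(ip)
        elif ip not in in_admin:
            in_admin.add(ip)
            prev = last_named.get(ip)
            who = prev[0] if prev and when - prev[1] <= window else None
            findings.append((when, ip, who))
    return findings

if __name__ == "__main__":
    for when, ip, who in attribute_admin_sessions(SAMPLE_LOG):
        print(when.isoformat(), ip, who or "UNATTRIBUTED")
```

Entries reported as UNATTRIBUTED are admin logins with no recent personal login on the same IP, which are the ones left to trace by other means.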

 

But you can use the audit report.

It captures the IP address:

Event Label | Event Key | Event Time | User Name | User ID | IP Address | User Organization

or create a custom report for the SessionUserAuditEvent object.

This is the right answer. An out of the box Windchill installation has security auditing enabled for the context logon event, and that should give the IP address.

 

EDIT: just saw your other reply, did not account for dynamic IP

Why can't you add the user to the administrator group?


We can and do add users to Site Administrators.  What we're trying to capture here is a fringe case that shouldn't occur, except under rare circumstances.

 

In response to your other post (probably bad etiquette here), we do have dynamic IP addresses.  You'd think they wouldn't change all that often, but "work from home" vs "work at work" tends to mess with that.

 

Thanks.

To those with 11.1 or higher, if you create a second user account for a single person to access Admin functions, do you also need to buy an additional license since there are 2 entries in the LDAP assigned to a single person?

 

You would put them in the Exclusion Group so they would not take a license, if they are doing purely admin type tasks. 

Be careful, though, about which license groups you put the License Exclusion group in.  If you put that group in a View only type group, it will take away admin rights.

jbailey
17-Peridot
(To:BenLoosli)

At Liveworx last year, we spoke with the PTC Windchill leads, and were assured that for test and admin accounts, where the user already has another account there would be an "Admin" group that they can be added to.  We are just evaluating 11.2 currently with the new license functionality, so I can update as we look at things.
