12-Amethyst
November 11, 2019
Solved

Track who logged in as wcadmin


We have a business/security requirement to track who has logged in as wcadmin so that specific actions performed as wcadmin can be traced back to a person.


I've tried searching through the support portal, but have been unsuccessful in seeing if such a feature is included in Windchill or has been customized into Windchill in some way.


Any ideas?


Thanks in advance.

Best answer by BrianToussaint

If you wanted to go through the access.log file that is created in HTTPServer, it will give you the IP addresses of who is accessing Windchill along with the name of the Windchill user logged in.  You would then have to track the IP address back to the computer it was used on.  However this file grows rather large quickly and might not be useful to try and find the information you are looking for.  But it is there.

 

I would agree with @BenLoosli though to give them their own logins for the purposes that you need.

3 replies

23-Emerald III
November 11, 2019

I don't think this is possible as Windchill has no way to collect that information.

Your best bet is to create user privileged accounts for each person who needs the same rights as wcadmin and then limit the wcadmin account to a single person.

I'm not a programmer, but maybe you could write some custom code that logs the user name and then launches Windchill with the wcadmin account. A wcadmin user could still launch Windchill directly, if they wanted to.

 

10-Marble
November 11, 2019

Ben Loosli is correct.  Not a Windchill capability.  wcadmin is the user.  No real way to know "Who" logged in with that single account.

 

Many customers create a specific user account for each user they want to have admin privileges, like "kjhAdmin", then provide this account admin privileges.  This is separate from that same user's normal account, say "kjh".

 

Another recommendation when doing this is to let these users be ORG admin only.  This allows said users to have business control over Windchill configuration,  but not Site level.  Keep Site level to that wcadmin account.

jbailey
18-Opal
February 9, 2020

Greetings from NASA Kevin,

 

At GRC we have developed a way to allow people to login with multiple accounts using SmartCard authentication via SAML that DOES allow multiple people to access, and logins can be tracked back to the PKI card cert owner.

 

I understand this may not help in all scenarios (especially those who don't use PKI), but we are using PingFederate as an IDP and Ping 9.3's Identity First Adapter to validate access.

 

I am sure with a little bit of programming & looking at our solution slightly differently, it could easily be done with other than PKI login.

However, we are at a standstill because the Thingworx team has said they aren't going to support Ping 9.3 until the end of the calendar year.  I think it would be extremely valuable for the Windchill team to see what we are doing to help with some advanced authentication that DOESN'T require any customization to Windchill.

Jim

 

 

craymond (Author)
12-Amethyst
November 11, 2019

Thanks,

All good replies.

 

I didn't expect Windchill had that capability (but I did hope).

 

The Apache access log may work in our case.  We use a single sign on solution, and the user would have to log out and log in manually to switch to wcadmin.  So the same IP would show with the real username, and subsequently with Administrator.

 

It's not 100%, but things never are.  There are fringe cases where SSO doesn't work.
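
The correlation described in the post above (the same IP appearing first with the real username and then with the admin account), as an added example that is not part of the original thread. It assumes the HTTPServer access.log uses the Apache common log format with the authenticated user in the third field; the function name, the 8-hour window, and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Apache common/combined log prefix: host ident user [time] "request" ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)"')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not taken from a real Windchill server).
SAMPLE = [
    '10.0.0.15 - jdoe [11/Nov/2019:09:01:12 -0500] "GET /Windchill/ HTTP/1.1" 200 5120',
    '10.0.0.15 - - [11/Nov/2019:09:14:40 -0500] "GET /Windchill/ HTTP/1.1" 401 381',
    '10.0.0.15 - wcadmin [11/Nov/2019:09:14:55 -0500] "GET /Windchill/ HTTP/1.1" 200 5120',
    '10.0.0.15 - wcadmin [11/Nov/2019:09:15:10 -0500] "GET /Windchill/ HTTP/1.1" 200 900',
    '10.0.0.77 - wcadmin [11/Nov/2019:10:30:00 -0500] "GET /Windchill/ HTTP/1.1" 200 5120',
    'garbage line that does not parse',
]

def attribute_admin_sessions(lines, admin_users=("wcadmin", "Administrator"),
                             window=timedelta(hours=8)):
    """Report each switch to an admin account and the last named user on that IP."""
    last_named = {}  # ip -> (user, time) of the most recent non-admin request
    current = {}     # ip -> authenticated user on the previous request
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or truncated line
        ip, user, ts, _request = m.groups()
        if user == "-":
            continue  # unauthenticated request, carries no identity
        when = datetime.strptime(ts, TIME_FMT)
        if user in admin_users:
            if current.get(ip) != user:  # first admin request after a switch
                prev = last_named.get(ip)
                recent = prev is not None and when - prev[1] <= window
                findings.append({"ip": ip, "admin": user, "time": when,
                                 "likely_person": prev[0] if recent else None})
        else:
            last_named[ip] = (user, when)
        current[ip] = user
    return findings

if __name__ == "__main__":
    for f in attribute_admin_sessions(SAMPLE):
        print(f["time"].isoformat(), f["ip"], f["admin"], "<-", f["likely_person"])
```

A `likely_person` of `None` marks an admin login with no earlier named user from that address inside the window, which is the case that needs manual follow-up.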

 

5-Regular Member
November 11, 2019

But you can use the audit report.

It captures the IP address:

Event Label, Event Key, Event Time, User Name, User ID, IP Address, User Organization

Or create a custom report for the SessionUserAuditEvent object.

12-Amethyst
November 11, 2019

This is the right answer. An out of the box Windchill installation has security auditing enabled for the context logon event, and that should give the IP address.

 

EDIT: just saw your other reply, did not account for dynamic IP.