compliance team-report empty columns: number of records & shared folder names #1054

Open
jerko-lenex opened this issue Jun 29, 2023 · 4 comments

@jerko-lenex

Hi there!

Using version 16.9.8, when I run the command:
compliance team-report -r -nc -tu

Both at the MSP level and the MC level the number of records column displays "0".
The shared folder names are missing only for the MC level.

I've tried this at several MCs, same result for when there's 1 team or many.

For readability, I've attached the debug logs in spoiler tags below:

MSP debug output
My Vault> compliance team-report -r -nc -tu
Loading record information..>>> [RQ] enterprise/get_preliminary_compliance_data: {
  "enterpriseUserIds": [
    "10...21",
    "10...22"
  ]
}
Starting new HTTPS connection (1): keepersecurity.eu:443
https://keepersecurity.eu:443 "POST /api/rest/enterprise/get_preliminary_compliance_data HTTP/1.1" 200 None
>>> [RS] enterprise/get_preliminary_compliance_data: {
  "auditUserData": [
    {
      "enterpriseUserId": "10...21",
      "auditUserRecords": [
        {
          "recordUid": "AI...Yw",
          "encryptedData": "...",
          "shared": true
        },
        ...
      ]
    },
    {
      "enterpriseUserId": "10...22",
      "auditUserRecords": [
        {
          "recordUid": "AD...tA",
          "encryptedData": "...",
          "shared": true
        },
        ...
      ]
    }
  ]
}
..
Using proactor: IocpProactor
Loading compliance data..>>> [RQ] enterprise/run_compliance_report: {
  "complianceReportRun": {
    "reportCriteriaAndFilter": {
      "nodeId": "10...86",
      "criteria": {}
    },
    "users": [
      "10...21",
      "10...22"
    ],
    "records": [
      "AI...Yw",
      ...
    ]
  },
  "reportName": "Compliance Report on 2023-06-29 11:03:20.269839"
}
Starting new HTTPS connection (1): keepersecurity.eu:443
https://keepersecurity.eu:443 "POST /api/rest/enterprise/run_compliance_report HTTP/1.1" 200 None
>>> [RS] enterprise/run_compliance_report: {
  "runByUserName": "[email protected]",
  "complianceReportRun": {
    "reportCriteriaAndFilter": {
      "nodeId": "10...86",
      "criteria": {},
      "nodeEncryptedData": "..."
    },
    "users": [
      "10...21",
      "10...22"
    ],
    "records": [
      "AI...Yw",
      ...
    ]
  },
  "userProfiles": [
    {
      "enterpriseUserId": "10...22",
      "fullName": "Joanne Doe",
      "email": "[email protected]",
      "roleIds": [
        "10...11"
      ]
    },
    {
      "enterpriseUserId": "10...21",
      "fullName": "James Doe",
      "email": "[email protected]"
    }
  ],
  "auditTeams": [
    {
      "teamUid": "d3...Qw",
      "teamName": "<TEAM>"
    }
  ],
  "auditRecords": [
    {
      "recordUid": "1Y...Rw",
      "auditData": "..."
    },
    ...
  ],
  "userRecords": [
    {
      "enterpriseUserId": "10...22",
      "recordPermissions": [
        {
          "recordUid": "Nx...gA",
          "permissionBits": 29
        },
        ...
      ]
    },
    {
      "enterpriseUserId": "10...21",
      "recordPermissions": [
        {
          "recordUid": "9F...Zw",
          "permissionBits": 29
        }
      ]
    }
  ],
  "sharedFolderTeams": [
    {
      "sharedFolderUid": "vE...nA",
      "teamUids": [
        "d3...Qw"
      ]
    }
  ],
  "auditTeamUsers": [
    {
      "teamUid": "d3...Qw",
      "enterpriseUserIds": [
        "10...22",
        "10...21"
      ]
    }
  ],
  "auditRoles": [
    {
      "roleId": "10...11",
      "encryptedData": "...",
      "restrictShareOutsideEnterprise": true,
      "restrictShareOfAttachments": true,
      "restrictMaskPasswordsWhileEditing": true
    }
  ]
}
..:
Team Name    Team UID                Shared Folder Name    Shared Folder UID       Permissions          Records    Team Users
-----------  ----------------------  --------------------  ----------------------  -------------------  ---------  ------------------
<TEAM>       d3...Qw                 <Shared Folder Name>  vE...nA                 Can Share, Can Edit  0          [email protected]
                                                                                                                   [email protected]
MC debug output
My Vault> compliance team-report -r -nc -tu
Loading record information..>>> [RQ] enterprise/get_preliminary_compliance_data: {
"enterpriseUserIds": [
  "16...23",
  "16...25"
]
}
Starting new HTTPS connection (1): keepersecurity.eu:443
https://keepersecurity.eu:443 "POST /api/rest/enterprise/get_preliminary_compliance_data HTTP/1.1" 200 8347
>>> [RS] enterprise/get_preliminary_compliance_data: {
"auditUserData": [
  {
    "enterpriseUserId": "16...23",
    "auditUserRecords": [
      {
        "recordUid": "HC...5g",
        "encryptedData": "...",
        "shared": true
      },
      ...
    ]
  },
  {
    "enterpriseUserId": "16...25",
    "auditUserRecords": [
      {
        "recordUid": "cR...rQ",
        "encryptedData": "...",
        "shared": true
      }
    ]
  }
    ]
  }
]
}
..
Using proactor: IocpProactor
Loading compliance data..>>> [RQ] enterprise/run_compliance_report: {
"complianceReportRun": {
  "reportCriteriaAndFilter": {
    "nodeId": "16...90",
    "criteria": {}
  },
  "users": [
    "16...23",
    "16...25"
  ],
  "records": [
    "HC..5g",
    ...
  ]
},
"reportName": "Compliance Report on 2023-06-29 10:44:55.338978"
}
Starting new HTTPS connection (1): keepersecurity.eu:443
https://keepersecurity.eu:443 "POST /api/rest/enterprise/run_compliance_report HTTP/1.1" 200 None
>>> [RS] enterprise/run_compliance_report: {
"runByUserName": "[email protected]",
"complianceReportRun": {
  "reportCriteriaAndFilter": {
    "nodeId": "16...90",
    "criteria": {},
    "nodeEncryptedData": "..."
  },
  "users": [
    "16...23",
    "16...25"
  ],
  "records": [
    "HC...5g",
    ...
  ]
},
"userProfiles": [
  {
    "enterpriseUserId": "16...23",
    "fullName": "John Doe",
    "email": "[email protected]",
    "roleIds": [
      "16...21"
    ]
  },
  {
    "enterpriseUserId": "16...25",
    "fullName": "Jane Doe",
    "email": "[email protected]",
    "roleIds": [
      "16...21"
    ]
  }
],
"auditTeams": [
  {
    "teamUid": "u5...NA",
    "teamName": "<TEAM>"
  }
],
"auditRecords": [
  {
    "recordUid": "...",
    "auditData": "..."
  },
  ...
],
"userRecords": [
  {
    "enterpriseUserId": "16...23",
    "recordPermissions": [
      {
        "recordUid": "...",
        "permissionBits": 13
      },
      ...
    ]
  },
  {
    "enterpriseUserId": "16...25",
    "recordPermissions": [
      {
        "recordUid": "...",
        "permissionBits": 13
      }
    ]
  }
],
"sharedFolderTeams": [
  {
    "sharedFolderUid": "HY...fA",
    "teamUids": [
      "u5...NA"
    ]
  }
],
"auditTeamUsers": [
  {
    "teamUid": "u5...LNA",
    "enterpriseUserIds": [
      "16...23",
      "16...25"
    ]
  }
],
"auditRoles": [
  {
    "roleId": "16...21",
    "encryptedData": "Rq...UH",
    "restrictShareOutsideEnterprise": true,
    "restrictMaskPasswordsWhileEditing": true
  }
]
}
..:
Team Name    Team UID                Shared Folder Name    Shared Folder UID       Permissions          Records    Team Users
-----------  ----------------------  --------------------  ----------------------  -------------------  ---------  ----------------------
<TEAM>       u5...NA                                       HY...fA                 Can Share, Can Edit  0          [email protected]
                                                                                                                 [email protected]

If there's anything else I can do to provide more info, please let me know. :)

@sk-keeper
Collaborator

sk-keeper commented Jun 29, 2023

Thank you for reporting issues with the compliance report.

> the number of records column displays "0".

It is a known issue if your shared folder has only teams. Adding any user to the shared folder fixes compliance report output.

> The shared folder names are missing only for the MC level.

Shared folder names come from the vault of the currently logged in user. This information is not stored at the enterprise level.
MSP logged as MC does not have access to the MC's vault. MSP cannot resolve MC's shared folder names.
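
The join behind the team report, as an added example that is not part of the thread or of Keeper Commander's own code: it uses only the field names visible in the `run_compliance_report` response above and shows why the folder name column stays blank when no vault lookup is available. The sample values and the `vault_folder_names` map are constructed for illustration.

```python
import json

# Constructed sample in the shape of the enterprise/run_compliance_report
# response shown in the issue (UIDs, names and e-mails are placeholders).
SAMPLE_RESPONSE = json.loads("""
{
  "userProfiles": [
    {"enterpriseUserId": "1001", "email": "jane@example.com"},
    {"enterpriseUserId": "1002", "email": "john@example.com"}
  ],
  "auditTeams": [{"teamUid": "team-A", "teamName": "Helpdesk"}],
  "sharedFolderTeams": [
    {"sharedFolderUid": "sf-1", "teamUids": ["team-A"]},
    {"sharedFolderUid": "sf-2", "teamUids": ["team-A", "team-X"]}
  ],
  "auditTeamUsers": [{"teamUid": "team-A", "enterpriseUserIds": ["1002", "1001"]}]
}
""")


def team_folder_rows(response, vault_folder_names=None):
    """Join teams, shared folders and members into team-report style rows.

    vault_folder_names is a hypothetical {sharedFolderUid: name} map taken
    from the logged-in user's vault; the response itself carries only UIDs.
    """
    names = vault_folder_names or {}
    emails = {u["enterpriseUserId"]: u.get("email", "")
              for u in response.get("userProfiles", [])}
    teams = {t["teamUid"]: t.get("teamName", "")
             for t in response.get("auditTeams", [])}
    members = {tu["teamUid"]: sorted(emails.get(uid, uid)
                                     for uid in tu.get("enterpriseUserIds", []))
               for tu in response.get("auditTeamUsers", [])}
    rows = []
    for sft in response.get("sharedFolderTeams", []):
        sf_uid = sft["sharedFolderUid"]
        for team_uid in sft.get("teamUids", []):
            rows.append({
                "team_name": teams.get(team_uid, ""),         # blank: team not in response
                "team_uid": team_uid,
                "shared_folder_name": names.get(sf_uid, ""),  # blank: folder not in vault
                "shared_folder_uid": sf_uid,
                "team_users": members.get(team_uid, []),
            })
    return rows


if __name__ == "__main__":
    for row in team_folder_rows(SAMPLE_RESPONSE, {"sf-1": "Shared Secrets"}):
        print(row)
```
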

@jerko-lenex
Author

> It is a known issue if your shared folder has only teams. Adding any user to the shared folder fixes compliance report output.

Good to know! I'll add a user that's already added via a team to the shared folders, cheers. :)

> Shared folder names come from the vault of the currently logged in user. This information is not stored at the enterprise level.
> MSP logged as MC does not have access to the MC's vault. MSP cannot resolve MC's shared folder names.

Makes sense when thinking of least-privileged, but it's unfortunate that we can't create reports that show which shared folders are being created by the end-users.
At this moment, we can't configure the permissions of end-users in such a way that they're 1) allowed to create folders within shared folders that are shared with them, but 2) aren't allowed to create shared folders themselves.

I'm looking for a way to monitor/manage all shared folders within an MC (including the ones shared directly with individuals, rather than teams).

@sk-keeper
Collaborator

> I'm looking for a way to monitor/manage all shared folders within an MC (including the ones shared directly with individuals, rather than teams).

Audit reports can be used for monitoring shared folder activity within an MC. The audit data is currently available only for one MC at a time. It would not be hard to let MSP retrieve audit events for all MCs at the time.

@jerko-lenex
Author

jerko-lenex commented Jul 3, 2023

Thank you for your suggestion. :)
I had an incorrect approach to getting this information, audit reports seem to be the way!

If there would be a way to report shared folder activity on the MSP level over all MCs, that would save me some time.
For now, I'll use audit alerts for immediate notifications and our external audit logging system for generating weekly/monthly reports.
