Viewing the Audit Trail

To view the audit trail, a user must be set as the Auditor and granted the rights to view the audit trail. The steps below describe how to do this.


Setting the User as Auditor

  1. Create one or more Auditor domains.

    An Auditor Query domain is essentially a subset of the eDirectory tree. When the Auditor connects to an NAAS Server, the server queries all objects in the Auditor's domain and builds a list of objects to which the Auditor has Audit rights. An Auditor Query domain specifies the boundaries within which the NAAS Server should query objects.

    1. In ConsoleOne, right-click the desired container, then click New > Object.

    2. Select NAASQueryDomain, then click OK.

    3. Enter the name of the Auditor Query Domain.

    4. Enter the eDirectory context of the tree where NAAS is installed.

    5. Add a list of distinguished names (DNs) that are the roots of the subtrees that make up the domain.

    6. (Optional). To bind each subtree in the domain by the partition boundary of the eDirectory partition containing the subtree root, check Partition Boundary.

    7. (Optional). To restrict the number of tree levels where the domain can extend below the subtree roots, check Depth.

      Maximum Depth will be enabled only if Depth is checked. Type the maximum number of tree levels for extending the associated domain below the subtree roots.

    8. (Optional). To limit the domain at specific objects, check Specific Objects. If one of the specified DNs is present in a subtree, then that DN and the subtrees below it are excluded from the domain.

  2. Right-click the User object.

  3. Click Extensions > Add Extension > NAASAuditor.

  4. Add one or more Auditor query domains.

  5. Set one of the configured Auditor query domains as the preferred domain.

    This step is mandatory. This setting can be modified later in the Properties page of the Auditor.

  6. Configure one or more NAAS Servers that the Auditor can contact.

    The servers configured here must have the Read right to the NaasSelectedDomain attribute of this user. Also, the servers must have the Read right for the Auditor query domains configured in Step 4.

  7. Grant the Auditor the Read right to the naasPortNumber, naasKMO and HostDevice attributes of the NAAS Server objects to be contacted.

  8. Grant the Auditor the Read right to the NetworkAddress attribute of the NetWare server objects hosting the NAAS Servers to be contacted.

  9. Grant the user the Read and Write rights to the naasDomainList, naasSelectedDomain and naasServersList attributes on the user object set as the auditor.

  10. Assign the Auditor the Read right to the naasTrail attribute on the NAAS Server object.


Granting Rights for Generating NAAS Reports

The NAAS Server supports fine-grained access control to the Audit data based on eDirectory rights. Every audit record contains a Target Object Name that corresponds to the name of the object in eDirectory on which the audited event was generated. To view the audit records, a user must have Audit rights to the eDirectory object that is set as the Target object. Having Audit rights to an object means having Read rights to the naasTrail attribute on that object.

The normal eDirectory Rights granting mechanism can be used for this purpose. All the normal rules of rights flowing down the tree are applicable here.


Auditor Query Domains

A domain is essentially a subset of the eDirectory tree. When the Auditor connects to a NAAS Server, the server queries all objects in the Auditor's domain and builds a list of objects to which the Auditor has Audit rights. Auditor Query domains specify the boundaries within which the NAAS Server should query objects.

Name: Name of the Auditor Query Domain.

Context: eDirectory context of the tree in which NAAS is installed.

Domain Roots: A list of distinguished names (DNs) that are the roots of the subtrees that make up the domain.

Partition Boundary: Optional. Binds each subtree in the domain to the partition boundary of the eDirectory partition containing the subtree root.

Depth: Optional. Restricts the number of tree levels where the domain can extend below the subtree roots.

Maximum Depth: The maximum number of tree levels for extending the associated domain below the subtree roots. This can be enabled only if Depth is enabled.

Specific Objects: Optional. Limits the domain at specific objects. If one of the specified DNs is present in a subtree, then that DN and the subtrees below it are excluded from the domain.

IMPORTANT: Only those NAAS reports that belong to objects in the preferred domain are displayed to the Auditor. To retrieve reports of objects that are outside the preferred domain, the Auditor must reset the preference to the domain to be queried.
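
Before applying a domain definition, it helps to check which objects its boundary settings actually include. The following Python model is an added example, not part of NAAS or ConsoleOne. It assumes typeful dot-separated names, that a domain root counts as level 0 for Maximum Depth, and that the caller supplies the partition roots as a list; all object names are constructed.

```python
# Added illustration: models the boundary rules of an Auditor Query Domain.
# Names are typeful, dot-separated, leaf first (constructed sample values).
from dataclasses import dataclass, field

def parts(dn):
    """Split a dotted name into lower-cased components, leaf first."""
    return [p.strip().lower() for p in dn.split(".") if p.strip()]

def levels_below(dn, root):
    """Levels dn sits below root (0 = the root itself), or None if outside."""
    d, r = parts(dn), parts(root)
    if len(d) < len(r) or d[len(d) - len(r):] != r:
        return None
    return len(d) - len(r)

@dataclass
class QueryDomain:
    roots: list                       # Domain Roots
    partition_boundary: bool = False  # Partition Boundary check box
    max_depth: int = None             # Maximum Depth (None = Depth unchecked)
    specific_objects: list = field(default_factory=list)  # exclusion points
    partition_roots: list = field(default_factory=list)   # assumed input

    def contains(self, dn):
        # Specific Objects: the DN and everything below it is excluded.
        if any(levels_below(dn, x) is not None for x in self.specific_objects):
            return False
        for root in self.roots:
            depth = levels_below(dn, root)
            if depth is None or (self.max_depth is not None
                                 and depth > self.max_depth):
                continue
            if self.partition_boundary and self._crosses_partition(dn, root):
                continue
            return True
        return False

    def _crosses_partition(self, dn, root):
        # True if a child partition starts strictly below root on the path to dn.
        return any(levels_below(p, root) and levels_below(dn, p) is not None
                   for p in self.partition_roots)

# Constructed sample domain.
SAMPLE = QueryDomain(
    roots=["ou=finance.o=acme"], partition_boundary=True, max_depth=2,
    specific_objects=["ou=payroll.ou=finance.o=acme"],
    partition_roots=["ou=emea.ou=finance.o=acme"])
```

Running `SAMPLE.contains(...)` over the target object names that appear in audit records shows which records an Auditor with this preferred domain could be offered, subject to the Audit rights described above.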


