Identifying disabled users

system · October 18, 2002, 8:13pm

I am creating a list of users from the repository. I think that the table holding users name and the status (enabled or Disabled) is stored in the obj_m_actor table. In this table it appears I have all of the information I need. But now the challenge I would like to exclude the users that I have disabled in the supervisor. If I am guessing correctly (and this is a guess) the enabled and disabled information is being held in some type of a binary string in the m_actor_n_status field. My guess is that it is a binary 8. Does anyone know if this is a correct assumption? The number is being stored in decimal format. Can anyone think of an easy way to identify, from the tables, if the user is enabled or disabled?

ddecross (BOB member since 2002-08-16)

system · October 18, 2002, 8:17pm

Add 5 extra users: User, Designer, Designer-Supervisor, Supervisor, General Supervisor. Disable each one and see what the values are.

Disable them using Supervisor and note the values. Also disable them by the 3 strikes password issue and note the values then, too.

That should do it.

Steve Krandel (BOB member since 2002-06-25)

system · October 18, 2002, 9:13pm

I did some additional playing around and found that it appears that it is the binary representation of the 256 bit that controls if the user is enabled or not. If the bit string is 100000000 (decimal 256) is on then the user is enabled. I am currently looking at the field and assuming that if the value is >= 256 then I have an enabled user.

I did modify a test users, changing them between user, designer etc and the value of the m_actor_n_status did not change. As I was testing the field I found it interesting that some of the properties when checked on acted in a positive manner and others in a negative manner on what I am assuming is the binary string. Just to make our lives more interesting, I am sure

ddecross (BOB member since 2002-08-16)

system · October 18, 2002, 9:18pm

The type of user isn’t stored on the obj_m_actor table, it’s stored on obj_m_actorlink instead. That’s because a user can have different roles in different groups. I can be a user in one group, a designer in a second group, and a supervisor in a third. So since there is no “single” role for a user, it can’t be stored (normalization, and all that :)) on the obj_m_actor table.

Dave

Dave Rathbun (BOB member since 2002-06-06)

system · October 19, 2002, 5:37pm

Object_M_Actor.M_Actor_N_Status

Enabled= 1
Locked = 2
Offline Prevent = 4
Cannot Change Password = 8
Real Time Security=32
Cannot Delete Doc=64

A user with Status “Locked” and “Cannot Change Password” would have an entry of 2+8=10, because the different status’ flag a bit.

Also, see here for more information on the Object_M_Actor table.

Andreas (BOB member since 2002-06-20)

system · October 21, 2002, 12:24pm

Hey Doug - for those disabled on password violations, the status will be 128 or higher depending on the flags that are set - the flags Andreas said. I have a status report I run a few times a day to check status.

Another status report - I also gave all new users the same password and require them to change password at first login. Even tho the password is encrypted, I was able to figure out what it is encrypted and then filter on that to find users that have login once or not.

scott copeland (BOB member since 2002-08-15)

system · October 21, 2002, 2:32pm

Hi Scott,

I am not sure that >= 128 will give you disabled on password. I do think that the 128 bit is set on when the user is disabled. I came to that conclusion by running the following tests. When I go into the user Properties in supervisor on a test user I get the following results. If I click on (put a check in the check box) Disable Login, Enable Offline Login, Enable Password Modification and Enable Delete Document the result in the m_actor_n_status field is 0. When I remove the check next to the Disable Login (make the user enabled, the value of the m_actor_n_status is now 256. The best guess I have come up with is that the security module is using a binary string. I have not found any values in this field >= 512 so I am assuming that the string is 9 binary characters long. My goal is not to explore binary in this thread but to see if I have a good understanding of what is going on. The decimal 256 is represented in binary as 100000000, 128 as 10000000, 64 as 1000000, 32 as 100000, 16 as 10000, 8 as 1000, 4 as 100, 2 as 10 and 1 as 1. To me it looks like if the user is enabled the 256 bit is on else it is off. If the Enable Offline Login is not checked then the 4 bit is turned on. If the Enable Password Modification is not checked then the 8 bit is turned on. If the Enable Real Time User Rights Update is checked (Reverse logic of the other check boxes) then the 32 bit is turned on. And finally if the Enable Delete Document is not checked then the 64 bit is turned on.

(This agrees with what Andreas said for the most part, I am not sure what was meant by 1 and 2, I was not able to reproduce them). When I enabled the user in the configuration described above which causes a value of 256 I then went and did the 3 strike password violation on the user and as I would have guessed the value of the m_actor_n_status was changed to 384, 256 + 128. If all of this is correct I still have a problem, the logic is being set up on binary logic and yet the number is being stored as a decimal. I can not do a binary AND on this string to find the condition I am looking for. Also assuming that any value >= 256 is enabled is wrong because the three strike will return a 384. Assuming that any number >= 128 is disabled is not going to work because an enabled user can be any value >= 256 but less then 384 (in increments and combinations 1, 2, 4, 8, 16, 32, 64 and 256). I know that this is a finite number of combinations but again, does anyone know of a simple way to just check the 128 and 256 bit? Is another field available that holds this information? So much fun, so little time.

ddecross (BOB member since 2002-08-16)

system · October 21, 2002, 2:59pm

hold on Doug- I forgot to mention that I created a universe for the repository. I’m running my status reports on that. I never looked to see the binary bits because it comes back as a number for me. Said number I think is the sum of the bits, if I remember correctly. Most of my users are 1 which comes from the default setting for a user profile. A few are as high as 77 because of different settings on their profile. The default user with a status of 1 will be 128 when disabled. I see this everyday. Users with a higher “active status” will have a corresponding higher password-disabled status number. Disabled by Supervisor is 0.

scott copeland (BOB member since 2002-08-15)

system · October 21, 2002, 4:41pm

Scott,
I am becoming convinced that I am looking at something backwards. You and Andreas seem to agree on the fact that a value of 1 is an enabled user. As I mentioned before, if I enable the logon (remove the check in the Disable Login box), Enable Offline Login, Enable Password Modification and Enable Delete Document the result in the m_actor_n_status field is 256. Based on what you and Andreas are saying I would have expected 1. Is there a property that can be set to make this field act differently? Is there possibly some version issue (I am running on supervisor 5.1.6)?

The numbers I am seeing in the m_actor_n_status field are also in decimal. My discussion on the binary code was based on my assumptions on how Business Objects was doing the work internally. I am not positive (although the rules I have identified match my observations) that Business Objects is doing binary processing on the data. I am not seeing any binary numbers nor is this number stored in the table as a binary integer.

ddecross (BOB member since 2002-08-16)

system · October 21, 2002, 5:10pm

You may be right about it being binary in the sense that BO has a series of bit flags that are set for each user profile and that the sum of these in binary is the number that we see stored. sorta what I remember when I tested ages ago. Anyways, I don’t know how you are seeing 256 on a standard default user. Are you sure nothing else has been flagged? Do you see 0 if user is disabled by supervisor?

I’m sure someone else with more knowledge will chime in soon.

scott copeland (BOB member since 2002-08-15)

system · October 21, 2002, 5:53pm

The only way I am able to see a 0 is when I Disable Login, Enable Offline Login, Enable Password Modification and Enable Delete Document the result in the m_actor_n_status field is 0.

I am not sure. I have played with all of the switches on the profile on the Definition tab so I am not sure where else to look

ddecross (BOB member since 2002-08-16)

system · October 21, 2002, 6:27pm

Make sure the user id you are testing against is member of one group only (otherwise you will have to take inheritance etc. into consideration when testing for the bit flags).

Andreas (BOB member since 2002-06-20)

system · October 21, 2002, 6:59pm

Ok Andreas - my turn to ask now
What do you mean by inheritance in this case? Most of my users are in multiple groups and I don’t see any effect of this on status value.

scott copeland (BOB member since 2002-08-15)

system · October 21, 2002, 7:03pm

What I mean is:

If you have one user “U” with create/edit rights in one group A and the same user “U” in another group B with create/edit rights disabled → total user rights: user “U” has no creat/edit rights (most restrictive).

So when you test the binary flags against this user “U” and you are only looking at group A then you would get the wrong picture…

ahh supervisor…not my speciality…

Andreas (BOB member since 2002-06-20)

system · October 21, 2002, 10:45pm

Hey Scott,
How do you figure out that when user made the last login. what is the encription of the password?

Gul (BOB member since 2002-09-03)

system · October 21, 2002, 11:30pm

Ok, my conclusion is:

If the user has been disabled via BO supervisor Enable/disable the lowest bit is not set (decimal value = 0/1).

That would mean:

If Object_M_Actor.M_Actor_N_Status is odd --> Lowest bit is set --> User is enabled in BO Supervisor

If Object_M_Actor.M_Actor_N_Status is even --> Lowest bit is not set --> User is disabled in BO Supervisor

I verified this by enabling different rights for a user and then disabling/enabling that user and looking at the BO repository.

Andreas (BOB member since 2002-06-20)

system · October 22, 2002, 6:40pm

I thought we had pretty well beat this subject to death yesterday and I hope Doug figured out what he needed but to clear things up and answer Jai’s question …

When I said I figured out the encrypted password for my default password for new users, by that I meant I just looked at whatever was there - encrypted. To do this, I set the default password for a new user, then looked on my status report for the encrypted value and set up filters and alerters on the various reports where I wanted to differentiate a new user. It’s been very handy to know if someone has logged in the first time or not.
If I had gone with the option in Supervisor where Default Password is User Name, then I couldn’t always be sure if they had logged in without looking at their profile in Supervisor to see if Change Password at First Login was unchecked.

BTW - the encrypted password starts z9ypxLHylxRzHz …

scott copeland (BOB member since 2002-08-15)

system · October 22, 2002, 7:55pm

To EMULATE the checking that BO does (in Oracle) try the following:


select a.*,
         decode(bitand(a.m_actor_n_status,1),0,'X') as "Disable Login",
         decode(bitand(a.m_actor_n_status,2),2,'X') as "Locked",
         decode(bitand(a.m_actor_n_status,4),0,'X') as "Enable Offline",
         decode(bitand(a.m_actor_n_status,8),0,'X') as "Enable Passwd Mod",
         decode(bitand(a.m_actor_n_status,32),32,'X') as "Enable RTR",
         decode(bitand(a.m_actor_n_status,64),0,'X') as "Enable Del Docs",
         decode(bitand(a.m_actor_n_status,128),128,'X') as "3 Strike Fail",
         decode(bitand(a.m_actor_n_status,256),256,'X') as "Disable 415"
from obj_m_actor a

That will emulate all of the Checkboxes… The PASSWORD (Expiry and Validity) are controlled by m_actor_n_ending. A Value of 1 means it must change at first login. A Zero means it does not expire, and any other value is the day that it will expire.

These are PER User, and do not have anything to with groups (other than the Disable 415 or earlier users).

-RM

digpen (BOB member since 2002-08-15)

system · October 23, 2002, 1:43pm

You can find last login defining an object thus:

select: MAX(OBJ_A_EVENT_LOG.A_EVLOG_D_STARTIME)
where: OBJ_A_EVENT_LOG.A_EVLOG_N_TYPEID = 17

As an example, here’s last login and total logins per user (including disabled users):


SELECT
  OBJ_A_EVENT_LOG.A_EVLOG_C_USER,
  MAX(OBJ_A_EVENT_LOG.A_EVLOG_D_STARTIME),
  Count(OBJ_A_EVENT_LOG.A_EVLOG_D_STARTIME)
FROM
  OBJ_A_EVENT_LOG,
WHERE
  OBJ_A_EVENT_LOG.A_EVLOG_N_TYPEID = 17
GROUP BY
  OBJ_A_EVENT_LOG.A_EVLOG_C_USER

Dunno about the encryption.

Blake Sanders

Blake Sanders (BOB member since 2002-08-29)

system · October 23, 2002, 3:28pm

What is the difference between bit 1 “Disable Login” and bit 256 “Disable 415” When I was doing my testing I used Supervisor to disable a user and the value in m_actor_n_status was being set to 256 yet it sounds like most of the people responding to this thread are seeing a 1.

BTW, thanks for the code snippet. It works great!

ddecross (BOB member since 2002-08-16)