
Up and running with ARM - Updated February 2020


Update: A few new screenshots based on the current version. Full release notes available here.

After four months, it is time again to write another article about another product.
As it happens, we’ve added a new toy to our portfolio:

SolarWinds Access Rights Manager (ARM)

Some of you may know it under its former name, 8MAN.

What exactly does ARM do? And who came up with this TLA?

The tool validates permissions within Active Directory®, Exchange™, SharePoint®, and file servers. So who has access to what, and where does the permission come from?

Users, groups, and effective permissions can be created, modified, or even deleted.

Reports and instant analysis complete the package.

Everything works out of an elegant user interface, and you can operate it—even if you aren’t a rocket scientist.

ARM can be installed on any member server and comes with minimal requirements.
The OS can be anything from 2008 SP1 upward; give it two cores and four gigs of RAM, and you’re golden, even for some production environments. The data is stored in SQL Server 2008 or later.

The install process is quick.

01.jpg

02.jpg

03.jpg

Once installed, the first step is to click the configuration icon on the right-hand side. The color is 04C9D7, and according to the internet, it is called “vivid arctic blue,” but let’s call it turquoise.
On that note, let me tell you: I am German and unable to pronounce turquoise, so I am calling it Türkis instead.

04.jpg

The next step is to create an AD and SQL® user and connect to the database:

05.jpg

Don't panic if you see this message; the system is automatically reconnecting:

06.jpg

ARM is now available, but not yet ready to use.

07.jpg

We need to define a data source, so let’s attach AD. The default settings will use the credentials already stored in ARM for directory access.

05.png

In my example, an automated search kicks off in the evening. When you set it up for the first time, I suggest clicking the arrow manually once to get some data to work with.
Attention: Don’t do this with 10,000 users in the early morning.

Alright, that’s it.


Now click the orange—sorry, F99D1C—icon to start the tool.

06.png

Login:

08.jpg

The first thing we see is the dashboard:

09.jpg

Let’s deal with the typical question, “Why was that punk able to access X at all?”
The main reason for this is probably a nested authorization, which isn’t obvious at first glance.
But now ARM comes into play.
Click on Accounts and enter Mr. Punk’s name into the search box above:


09.png

The result is a tree diagram showing the group memberships, and it is easy to see where the permission is coming from.

10.png

If you click on a random icon, you will see more details—give it a try.
You can also export the graphic as a picture.
On the right side, you will find AD attributes:

11.png

Now it is getting comfortable. It is possible to edit any record just from here:

12en.png

Oh yes, I don’t trust vegetarians!

By the way, this box here is mandatory on any change, as proper change management requires the setting of notes.

13.png

And while we’re at it, right-click on an account:

14.png

Let’s walk from AD to file permissions. It’s only a short walk, I promise.
Click Show access rights to resources as seen above.

Now we need to select a file server:

15.png

On the right, we see the permissions in detail:

16.png

We ship ARM with a second GUI in addition to the client—a web interface accessible from anywhere, where you find tools for other tasks.

10.jpg

Typical risks are ready for your review out of the box. Just click on Analyze/Risk Assessment Dashboard. I know you want to do it.

You’ll find some interesting information, like inactive accounts:

18.png

Permanent passwords:

19.png

Or everybody’s darling, the popular “Everyone” permission on folders:

20.png

One does not simply “Minimize Risks,” but give it a try:

21.png

I could initiate changes directly from here – also in bulk.

By the way, any change made via ARM will be automatically logged.
The logbook is at the top of the local client, and we can generate and export reports:

22.png

You may have seen this above already, but you can find more predefined reports directly on the Start dashboard:

23.png

Let’s address one or two specific topics.

Since Windows Server 2016, a feature called temporary group membership has been available.
It can be quite useful; for example, in the case of an employee working in a project team who requires access to specific elements for the duration of the project. That additional authorization will expire automatically after whatever time has been set.

Practical, isn’t it?

But also consider this: Someone might have used the opportunity to give him- or herself temporary access to a resource, knowing that the membership change will disappear again, which makes the whole process difficult, if not impossible, to trace afterward.

But not anymore! Here we go:

24.png

If you hover over this box here…

25.png

…you will find objects on the right side:

26.png

For this scenario, these two guys here might be interesting:

27.png

Unfortunately, in my lab, there’s nothing to see right now, so let’s move on.
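To make the nested and temporary membership cases concrete, here is an added Python example (not part of the original post and not ARM's code) that walks a constructed membership export, lists every chain leading an account to a resource group, and flags chains that depend on a time-limited link. All group and account names are hypothetical, and the `<TTL=seconds>,DN` prefix on temporary members is assumed to match what `Get-ADGroup -Properties member -ShowMemberTimeToLive` returns.

```python
import re

# Constructed sample: group DN -> raw 'member' values (all names hypothetical).
# Assumption: a time-limited link carries a "<TTL=seconds>," prefix.
RES = "CN=FS-Finance-RW,DC=lab"
MEMBERS = {
    RES: ["CN=Finance,DC=lab", "CN=Project-X,DC=lab"],
    "CN=Finance,DC=lab": ["CN=Controlling,DC=lab", "CN=Alice,DC=lab"],
    # Circular nesting (Controlling -> Finance) must not loop forever.
    "CN=Controlling,DC=lab": ["CN=Finance,DC=lab", "CN=Punk,DC=lab"],
    "CN=Project-X,DC=lab": ["<TTL=3600>,CN=Punk,DC=lab"],
}
TTL_RE = re.compile(r"^<TTL=(\d+)>,(.+)$")


def parse_member(value):
    """Split a raw member value into (dn, ttl_seconds or None)."""
    m = TTL_RE.match(value)
    return (m.group(2), int(m.group(1))) if m else (value, None)


def access_paths(account, resource_group, members=MEMBERS):
    """Return every membership chain from resource_group down to account.

    Each chain is a list of (dn, ttl) hops; ttl is set on time-limited links.
    """
    paths = []

    def walk(group, chain, seen):
        for raw in members.get(group, []):
            dn, ttl = parse_member(raw)
            hop = chain + [(dn, ttl)]
            if dn == account:
                paths.append(hop)
            elif dn in members and dn not in seen:  # nested group, skip cycles
                walk(dn, hop, seen | {dn})

    walk(resource_group, [(resource_group, None)], {resource_group})
    return paths


def temporary_paths(paths):
    """Chains that exist only because of at least one expiring link."""
    return [p for p in paths if any(ttl is not None for _, ttl in p)]


if __name__ == "__main__":
    for path in access_paths("CN=Punk,DC=lab", RES):
        print(" <- ".join(f"{dn} (TTL {t}s)" if t else dn for dn, t in path))
```

A snapshot like this only contains temporary links that exist at collection time, so an expired membership leaves no trace in a later export.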

ARM allows routine tasks to be performed right from the UI; for example, creating new users or groups, assigning or removing permissions, and much more.
This becomes even more interesting when templates, or profiles, are introduced.

Let’s change into the web client. Click the cogwheel on top, then choose Department Profiles:

28.png

At the right side, click Create New.

29.png

The profile needs a shiny name:

30en.png

Always make sure people who operate microwaves receive proper training. But that’s a different story.

More buttons on the left side; I will save it for now:

31.png

Starting now, you can assign new hires to these profiles, and everything else is taken care of by the tool, like assigning group memberships or setting AD attributes.

Of course, these profiles are also baselines, and there is a predefined report available showing any deviations from the standard. Just click Analysis and User Accounts.

32.png

Select a profile and off you go:

33.png

Elyne is compliant; congratulations. But that’s hardly surprising, as she is the only employee in Marketing:

34.png

These are just a few features of ARM. Other interesting topics would be the integration of different sources, or scripts for more complex automation. This is food for future postings.

Have fun exploring.

1 Comment

Thanks for the write-up, saschg!

ARM is shaping up to be an extremely potent new member of the SWI family. I would be interested in seeing more of these types of posts, around the headline features of ARM. So put that down as one vote for more of the same! An online demo would also be awesome, but I know it's not the easiest of products to expose to the interwebz.

(I know, we MVPs are a demanding bunch!)