
Transitive Trust Analysis

Transitive trust analysis provides information about the trust network created by the authorizations of users, as a text list and as a graph in PDF format. Key Manager creates a global graph, splits it into separate subgraphs of users connected to each other, and analyzes each subgraph individually.

Users are classified into three categories:

  • Source users, who only have outgoing authorizations

  • Destination users, who only have incoming authorizations

  • Transitive users, who have both outgoing and incoming authorizations, thus creating chains of authorizations

Subgraphs with transitive users are logged; subgraphs with only source and destination users, and thus no transitive trust chains, are ignored.
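
The classification and subgraph filtering described above, sketched in Python as an added example (not Key Manager's own code). The function names and the sample authorizations are constructed for illustration, and each authorization is assumed to be a (source user, destination user) pair.

```python
from collections import defaultdict

def classify(edges):
    """Map each user to 'source', 'destination' or 'transitive'."""
    out_deg, in_deg = defaultdict(int), defaultdict(int)
    for src, dst in edges:
        out_deg[src] += 1
        in_deg[dst] += 1
    roles = {}
    for user in set(out_deg) | set(in_deg):
        if out_deg[user] and in_deg[user]:
            roles[user] = "transitive"   # both directions: forms a chain
        elif out_deg[user]:
            roles[user] = "source"       # only outgoing authorizations
        else:
            roles[user] = "destination"  # only incoming authorizations
    return roles

def subgraphs(edges):
    """Split the global graph into sets of users connected to each other."""
    neighbours = defaultdict(set)
    for src, dst in edges:
        neighbours[src].add(dst)
        neighbours[dst].add(src)
    seen, components = set(), []
    for start in sorted(neighbours):
        if start in seen:
            continue
        stack, component = [start], {start}
        while stack:
            for nxt in neighbours[stack.pop()] - component:
                component.add(nxt)
                stack.append(nxt)
        seen |= component
        components.append(component)
    return components

def reportable(edges):
    """Keep only subgraphs that contain at least one transitive user."""
    roles = classify(edges)
    return [sorted(c) for c in subgraphs(edges)
            if any(roles[u] == "transitive" for u in c)]

# Constructed sample authorizations (source user -> destination user).
SAMPLE = [
    ("alice@ws1", "deploy@build1"), ("deploy@build1", "root@prod1"),
    ("deploy@build1", "root@prod2"), ("bob@ws2", "backup@nas1"),
]
```

In the sample, deploy@build1 is the only transitive user, so only its subgraph is reported; the bob@ws2 to backup@nas1 pair has no chain and is dropped.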

The graph-analysis job lists all found relationships in the following format:

#internal_ukm_id (user@host/uid/application/classification)

By default, lists of users are cut off at 20; this can be modified in settings.

PDF graphs generated by the graph-analysis job display the transitive trust chains in graphical format. Transitive trust chains are plotted in black, and simple source and destination relationships in light grey. Users are labelled with the internal Key Manager ID, username, and hostname. Superusers are shown as octagons, regular users as circles. Users can be colour-coded according to the application they belong to, or by their classification. By default, the graph is only plotted if it contains 64 users or fewer.

To get trust information as text, navigate to the Logs→Jobs page and perform the Download log action on a graph-analysis job of your choice. To download a PDF with trust analysis graphs, perform the Download result data action instead.

Key Manager runs the graph-analysis job periodically. The interval is affected by the setting How often to perform graph analysis. The setting Graph analysis parameters allows specifying the user list cutoff, maximum users to plot, plotting layout, and coloring parameter. For more information about these settings, see Global Settings.