This guide describes Identity Reporting for Identity Governance and how you can use the features it offers. It also includes brief descriptions of Identity Governance reports.
Identity Reporting provides a set of predefined report definitions you can use to generate reports. In addition, it gives you the option to import custom reports. The user interface for Identity Reporting makes it easy to schedule reports to run at off-peak times to optimize performance.
You can launch Identity Reporting from the Identity Governance application or access it directly from a browser.
By default, Identity Governance uses One SSO Provider (OSP) for single sign-on. When you install Identity Reporting, you specify the basic settings for user authentication. However, you can also configure the OSP authentication server to accept authentication from the Kerberos ticket server or SAML IDP. For example, you can use SAML to support authentication from NetIQ Access Manager.
NOTE: To access Identity Reporting, you must be a Global Administrator or Report Administrator within Identity Governance.
If your administrator has enabled Identity Reporting, you can click the icon in the upper right-hand corner of the Identity Governance page.
To access Identity Reporting directly, open a web browser and go to the address (URL) for the module (as supplied by your system administrator). The URL will follow this pattern: http://server:8080/IDMRPT/
The Overview page is the first page you see when you log in to Identity Reporting. At the top of the page there is a dismissible message (located under the page title) directing users to the NetIQ Identity Reporting Quick Start Guide.
The top of the page includes summary information, such as the number of report definitions and the number of started, failed, and completed reports.
Below the report summary area there is a section that lists the most recently completed reports. To download the report, click the report name.
The Scheduled Reports section lists the next five reports that are scheduled to run. To download a particular scheduled report on the Calendar page, click the date the report is scheduled to run.
The Overview page also includes a search field that provides a quick way to find report definitions by name.
The search facility allows you to pass in search strings for any of the items in the following table.
Table 1 Overview Page Search Filters
Filter Value | Description |
---|---|
Name | Performs a CONTAIN search. The search is case-insensitive, and it uses the locale of the user. |
Description | Performs a CONTAIN search. The search is case-insensitive, and it uses the locale of the user. |
Tags | Performs an exact string search. The search is case-insensitive. Pass in only a single tag. |
You can enter one or more words in the Search field, with or without quotes:
If you enter multiple words without quotes, the search results include reports that contain all of the words anywhere in the Name or Description, or that have all of the words as tags (that match exactly).
For example, suppose you enter the following:
catalog users
In this case, the following report definitions are in the results:
- Reports with a Name containing the words catalog and users anywhere in the string
- Reports with a Description containing the words catalog and users anywhere in the string
- Reports with Tags having both catalog and users as exact tags
If you enter multiple words surrounded by double quotes, the search results include reports that include the entire phrase anywhere in the Name or Description, or that have a tag that matches the entire phrase.
For example, suppose you enter the following:
"catalog users"
In this case, the following report definitions are in the results:
- Reports with Name containing the phrase catalog users
- Reports with Description containing the phrase catalog users
- Reports with a Tag that exactly matches catalog users
When you click Repository in the top navigation menu, the Repository shows the list of reports that have been imported into Identity Reporting.
For each report definition, the list shows the report name and description, as well as any tags that have been specified for the report.
Identity Reporting does not install with a set of predefined reports. For information on how to install reports, see Using the Import Page and Using the Download Page.
You can define a new report by editing one of the predefined report definitions and saving it with a new name using the Save As command.
You cannot create a new report from scratch on the Repository page. To create a new report definition from scratch, you must design it outside of Identity Reporting and then import it.
To modify a report definition:
Select the name of the report definition in the list on the Repository page.
Mouse over the report definition name and click Edit. When you edit a report definition, a page opens to allow you to make changes to the definition.
The fields at the top of the page allow you to modify the name, description, tags, comments, and output format (PDF, Complex CSV, or CSV Data Table) for the report. Use tags to organize reports according to common words or phrases that suggest how the reports are related. Tag names share a common namespace for all users, so specify tag names that make sense for all users. Tag names cannot be localized.
You can specify one or more tags for a report definition. If you specify multiple tags, separate them with commas. Defined tags are shown in the list displayed on the Repository page, and in the Detail dialog box for a report listed on the Completed and Running Reports page. In the list displayed on the Repository page, the tags are alphabetized to allow for sorting.
NOTE: The next time you edit the report definition, the tags appear in alphabetical order, regardless of how they were originally entered. The tags are also alphabetized in the Repository list, even if you did not alphabetize them when you first entered them.
The other fields on the page are organized into the following sections:
- Criteria
- Default Notifications
- Schedule
To edit the criteria for the report, open the Criteria section and make changes as necessary. The Criteria section does not appear unless the imported definition included one or more report parameters.
The number of fields displayed in the Criteria section and the way these fields behave depend on how they were specified in the original report definition object imported into Identity Reporting.
Identity Reporting supports the following data types for criteria fields:
- String
- String with Options
- Date
- Integer
- Boolean
- Lookup
The control displayed for each data type varies depending on how the parameter is defined in the report definition. For multivalued options, a multiselect control is displayed, but a single value control is displayed for a parameter that accepts only a single value.
Some criteria fields are required by the report definition, but others are optional. If you do not provide a value for a required field, the user interface displays an error message.
The criteria parameters in the following table are available with most of the reports installed with Identity Reporting.
Table 2 Report Definition Parameters
Parameter | Description |
---|---|
Data Source | Defines the data source on which you want to report. This parameter is required for all reports. To run a report on multiple data sources, edit the report, select the desired data source when you define the report criteria, and then save as a new report. For a data source to be available for reports, you must first add it on the Data Sources page. For more information, see Using the Data Sources Page. |
Language | Defines the target language for the report. |
Date Range | Allows you to define a range of dates for the data included in the report. The following choices are available: |
From Date | Allows you to specify a fixed start date for the report data. This parameter is enabled only if you selected Custom Date Range for the Date Range parameter. |
To Date | Allows you to specify a fixed end date for the report data. This parameter is enabled only if you selected Custom Date Range for the Date Range parameter. |
Limit Results To | Limits the record types relevant to the report or sections within the report. |
Time Zone | Allows you to specify the time zone to which date/time information returned in the report will be oriented. |
If a report definition includes one or more fields for defining dates, such as Date Range, From Date, and To Date, be aware that the date range you specify affects the data returned with the report, not the dates on which the report is run. Therefore, if a report is run monthly, do not define a custom date range that fixes the dates in the From Date and To Date fields. It does not make sense for a monthly scheduled report to report on a fixed date range (such as 3/10/2010 - 3/17/2010). To report on a fixed date range, schedule the report to run only once. For a monthly report, use one of the relative date range settings included in the Date Range field, such as Month to Date. This ensures that the data in the report is updated each month.
Some criteria fields support automatic completion, which allows you to type several characters and then select an item from a list of possible choices. For example, the user(s) field might allow you to type the first few characters of a user’s name and then select the user from a list of users whose names contain the characters you have typed.
To edit the email settings associated with the report definition, open the Default Notifications section and make changes as necessary.
To add a new schedule for the report definition, click the + button on the left side of the Schedule section.
Provide a name for the schedule in the Schedule Name field. The name for a schedule must be unique within the report definition, but does not need to be unique within Identity Reporting as a whole.
(Conditional) If you want the name of the report definition to be added to the beginning of the schedule name, click Prepend Report Definition Name. This option allows you to see which report has been scheduled with each schedule instance in the Calendar page. This option is enabled by default.
Click in the Date range field or select the calendar control to display the calendar for selecting dates.
Select the date in the left calendar on which you want to initiate the first run of the report.
Select the approximate start time of day for each run. The time of day is based on the clock on the server where the report is executed. The actual execution time depends on server activity.
Select the date in the right calendar after which no more runs should occur. Note that the last report run may not actually occur on this date. For example, if you select October 15 as the start date, and specify a repeat interval of two weeks and an end date of November 1, the report will be run on October 15 and October 29. In this case, October 29 is the last run. The report runs at its scheduled time, regardless of whether the data collection completed successfully.
Select the approximate end time of day for each run.
Select Apply.
In the Frequency field, type the repeat interval (a number that specifies how often the report will run) and select the time period for report runs, such as Month(s), Week(s), or Day(s).
Use the default notifications or deselect Use default notifications and enter emails, subject, and a custom message.
(Conditional) To save the report definition and schedule, click Save or click Save As to distinguish it from the default report.
(Conditional) To queue a report to run immediately, click Run Now.
(Optional) To edit an existing schedule, see Editing a Schedule Instance.
To export a report definition, mouse over the report definition and click Edit. In the edit page top right corner, click Export report definition.
To queue a report to run immediately from the Repository list view, mouse over the report definition and click Run Now.
To delete a report definition, mouse over the report definition and click Delete.
To run or delete several reports at once:
Click the check box to the left of each report definition you want to run or delete.
In the Bulk Actions drop-down list, click Run Now or Delete.
Click Apply.
Bulk actions apply only to the current page. If you select several items on one page, then navigate to the next page to select some additional items, a subsequent attempt to perform a bulk action such as Run Now or Delete applies only to the second set of items you selected. The previous selections are retained and still appear selected if you navigate back to the first page. However, the bulk action is not performed on these items.
The search facility allows you to use any of the items in the following table to search for a report definition in the Repository.
Table 3 Report Definition Search Filters
Filter Value | Description |
---|---|
Name | Performs a CONTAIN search. The search is case-insensitive, and it uses the locale of the user. |
Description | Performs a CONTAIN search. The search is case-insensitive, and it uses the locale of the user. |
Tags | Performs an exact string search. The search is case-insensitive. Pass in only a single tag. |
You can enter one or more words in the Search field, with or without quotes:
If you enter multiple words without quotes, the search results include reports that contain all of the words anywhere in the Name or Description, or that have all of the words as tags (that match exactly).
For example, suppose you enter the following:
catalog users
In this case, the following report definitions are in the results:
- Reports with a Name containing the words catalog and users anywhere in the string
- Reports with a Description containing the words catalog and users anywhere in the string
- Reports with Tags having both catalog and users as exact tags
If you enter multiple words surrounded by double quotes, the search results include reports that include the entire phrase anywhere in the Name or Description, or that have a tag that matches the entire phrase.
For example, suppose you enter the following:
"catalog users"
In this case, the following report definitions are in the results:
- Reports with Name containing the phrase catalog users
- Reports with Description containing the phrase catalog users
- Reports with a Tag that exactly matches catalog users
To sort the list of reports, click the header for the column on which you want to sort. The sort indicator shows you which column is the new primary sort column.
You can control how many rows are displayed on the Repository page. Type the number of rows to display in the rows per page field at the bottom of the page and press Enter. The number you enter must be greater than zero. This preference is saved across sessions, and applies to all users. It affects both the Repository and Reports lists.
By default, reports for all supported products (Identity Manager and Identity Governance) appear on the Download Report Definitions page. If present, select the Identity Governance Reports tab to display its reports. Reports are listed in one of three sections on the page:
- Updated reports, which are newer versions of the reports already installed
- New reports, which are not currently installed on your server
- Up to date reports, which are the latest versions of the reports that are already installed on your server
There are potentially three types of download content for each report:
- Report definition archive (*.rpz) that is a compiled version of the report, ready to be imported and run
- Report definition source (*_src.zip) that contains all the Jaspersoft source files for the report
- Additional downloads (*.zip) that contain SQL files for new or updated database schema upon which the new or updated report relies
The report definition archive and the report definition source download files are always present. New or updated SQL files are present only when they are required. A ReadMe.html file within the additional downloads zip file contains instructions on installing the schema updates.
You can acquire download files one at a time per report or by bulk action.
The server that runs Identity Reporting must have internet access to be able to access and download the most current reports for Identity Governance from the Micro Focus Reporting Content Delivery Network (CDN).
If your Identity Reporting server does not have internet access, you must have a proxy server that can access and download the most current reports for Identity Governance from the Micro Focus Reporting CDN, and is also configured to access and send updated reports to the Identity Reporting server. This configuration allows you to isolate the Identity Reporting server from the internet while ensuring reports are up to date. For more information, see Configuring a Proxy Server for the Identity Reporting Server in the Identity Governance Installation and Configuration Guide.
To download report updates:
(Conditional) If you want to download report updates one at a time, click one of the icons under the Download column header.
Tooltips for each icon identify the type of each download object. Left to right, they are arranged as report definition archive, report definition source, and additional downloads (SQL).
(Conditional) If you want to download report updates in a bulk operation, click the check boxes beside the report names for which you want to download updates. Then select the Bulk Actions operation (at the top of the page on the left) that you want to use.
Click Apply to take the action on the selected reports.
(Conditional) If you opt to save the files to the local file system, you must also go to the Import page and follow the workflow there. For more information, see Using the Import Page.
On the other hand, there is an install option available in both single and bulk import workflows that will download the report definition archive and import it in a single operation.
For reports that have the third, additional download file available that contains schema updates, the schema updates must be installed in the Identity Governance database for the associated report to work correctly.
IMPORTANT: For enhanced security, import capability is disabled by default. A Global Administrator in an on-premises environment may enable import by adding the com.opentext.report.import.allowed property and setting it to true using the Identity Governance Advanced Global Configuration menu. However, we recommend that you assess the security risks and proceed with caution when you import any file. Be aware that you will be liable for security issues related to imported files.
When import is enabled, the Import page lets you import downloaded report definitions (RPZs) from the local drive into Identity Reporting. After the definition has been imported, it is available for use throughout Identity Reporting.
NOTE: The report packager gives report definition archive files (RPZs) file names in the form REPORT-NAME_VERSION.rpz. The actual report name is stored within a component inside the RPZ so renaming the RPZ file has no effect on the name of the report when it is imported into Identity Reporting.
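One way to act on the caution above before importing a downloaded file, as an added example that is not part of the product or its documentation. It assumes an .rpz file is a ZIP container (the page states this only for the *_src.zip and *.zip downloads); the size limits, function names and sample entry names are assumptions of this example.

```python
"""Pre-import triage for report archives (added example, not product code)."""
import hashlib
import io
import stat
import sys
import zipfile
from pathlib import PurePosixPath

# Assumed limits; adjust to the size of the report packages you normally see.
MAX_ENTRIES = 2000
MAX_TOTAL_BYTES = 200 * 1024 * 1024
MAX_RATIO = 100  # uncompressed size / compressed size, per entry


def triage_archive(data: bytes) -> dict:
    """Inspect an archive in memory; nothing is extracted to disk."""
    result = {"sha256": hashlib.sha256(data).hexdigest(), "entries": [], "findings": []}
    findings = result["findings"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings.append("not a ZIP container")
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        findings.append(f"unreadable archive: {exc}")
        return result
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_ENTRIES:
            findings.append(f"too many entries: {len(infos)}")
        total, seen = 0, set()
        for info in infos:
            name = info.filename
            result["entries"].append(name)
            parts = PurePosixPath(name.replace("\\", "/")).parts
            if name.startswith(("/", "\\")) or ".." in parts or name[1:2] == ":":
                findings.append(f"path escapes archive root: {name}")
            if name.casefold() in seen:
                findings.append(f"duplicate entry name: {name}")
            seen.add(name.casefold())
            if stat.S_ISLNK(info.external_attr >> 16):
                findings.append(f"symbolic link entry: {name}")
            if info.flag_bits & 0x1:
                findings.append(f"encrypted entry cannot be inspected: {name}")
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                findings.append(f"compression ratio above {MAX_RATIO}: {name}")
        if total > MAX_TOTAL_BYTES:
            findings.append(f"declared uncompressed size too large: {total} bytes")
        # Verify CRCs only when the earlier checks passed, because this step
        # decompresses every member.
        if not findings:
            bad = zf.testzip()
            if bad is not None:
                findings.append(f"CRC mismatch: {bad}")
    return result


def build_sample(kind: str) -> bytes:
    """Constructed test archives; the entry names are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("definition.xml", "<report name='Constructed Sample'/>")
        if kind == "traversal":
            zf.writestr("../../outside.txt", "x")
        elif kind == "inflated":
            zf.writestr("padding.bin", b"\0" * 1_000_000,
                        compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        inputs = []
        for p in paths:
            with open(p, "rb") as fh:
                inputs.append((p, fh.read()))
    else:
        inputs = [(k, build_sample(k)) for k in ("clean", "traversal", "inflated")]
    for label, blob in inputs:
        r = triage_archive(blob)
        print(label, r["sha256"][:16], r["findings"] or "no findings")
```

Recording the SHA-256 at download time lets you confirm later that the file placed on the Import page is the same one that was reviewed.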
To import a report definition:
Click Import in the top navigation menu.
Select the RPZ file to import and click Open.
The Import page now displays the file to import in the Report Definitions To Import section.
Click Select File again to include additional RPZs to import.
To remove a file from the import procedure, click the delete icon to the left of the file name.
Specify whether you want to overwrite the contents of any existing report definitions with the same names as those being imported by selecting or deselecting the Overwrite existing reports option.
NOTE: When you select this option, the import operation overwrites the contents of existing report definitions that have the same names as those imported. However, some of the fields associated with an existing report definition are retained:
- The email addresses to send the report to
- Comments added to the report definition
- Default report format (CSV or PDF)
- Categories defined for the report definition
Click Import to begin the import procedure.
If you want to cancel the import procedure, click Clear All to the right of the progress bar.
NOTE: After importing one or more report definitions, you can see the reports and make changes to them on the Repository page.
The Calendar page displays scheduled reports, as well as reports that have been initiated with the Run Now button. In addition, the page displays finished reports, reports that are still in progress, and reports that failed during execution. Finished reports, reports that are still in progress, and failed reports appear with a gray background, and reports that have not been executed yet appear with a white background. All days that have already passed appear with a gray background.
The Calendar page shows scheduled runs in the user’s time zone, not the server’s time zone. However, scheduled runs are executed according to the server’s time zone, and the time stamp on an executed report reflects the time on the server at the time of the run.
The scroll bar for the browser lets you scroll within the current view, but does not move forward to show additional weeks in the calendar.
When you first display the Calendar page, today’s report runs are displayed. If you scroll away from today’s schedule, you might need to return to it later. If so, click the Today button.
To check the status of a particular schedule instance in the calendar, mouse over the schedule name. If the schedule instance is still running, the Calendar shows In Progress under the schedule name. If the schedule instance has completed processing, the Download and Delete links appear under the schedule name. If the schedule instance has not run yet because it is scheduled for some time in the future, the Edit and Delete links appear under the schedule name. If the report failed during execution, only the Delete link appears under the schedule name.
To edit a schedule instance for a report that has not been run yet:
On the Calendar page, click Edit under the schedule name.
Identity Reporting displays a page that lets you edit the report definition and schedule. In addition, you can create a new schedule from the editing page.
The report definition has a one-to-many relationship with schedules. This means that a report definition can have one or more schedules, but a schedule can only be associated with a single report definition.
To edit the settings for the schedule, scroll down to the Schedule section of the page and open the section for the scheduled run you want to edit.
Make changes as necessary to the scheduled run. The following table describes the schedule properties you can change.
Table 4 Schedule Properties
Schedule Property | Description |
---|---|
From date | Specifies the date in the calendar on which you want to initiate the first run of the report. This property also determines the date for all subsequent runs. You can change the start date for a schedule after it has been created, even if the calendar already includes one or more scheduled runs. If you change the start date for a schedule, all of the runs for that schedule shift to the new date. |
Time of day | Specifies the approximate time of day for each report run. The time of day is based on the clock on the server where the report is executed. The actual execution time depends on server activity. The run time specified for each schedule instance is set to the hour or the half hour - for example, 1:00 AM or 1:30 PM. You can change the time of day for a schedule after it has been created. If you change the time of day, all of the runs for that schedule execute at the new time. |
Frequency | Specifies the repeat interval (a number that specifies how often the report will run) and the time period for report runs: Month(s), Week(s), or Day(s). You cannot modify the frequency for a schedule after the schedule has been created. |
To date | Specifies the date in the calendar after which no more runs should occur. Note that the last report run may not actually occur on this date. For example, if you choose October 15 as the start date, and specify a repeat interval of two weeks and an end date of November 1, the report will run on October 15 and October 29. In this case, October 29 is the last run. You can change the end date for a schedule after it has been created. |
Use default notifications | Specifies the email settings associated with the schedule instance. |
Click Save.
To delete a particular scheduled instance, mouse over the scheduled instance and click Delete. If you delete the first run in a schedule, the Start date for the schedule is changed to the next upcoming run date. If you delete the last run, the End date for the schedule is not modified.
The Calendar page allows you to move a single schedule instance by dragging and dropping the item from one date to another within the calendar. However, when you move a single schedule instance, the Calendar page automatically creates a new schedule with a new name and places the moved schedule instance on the new date that you selected as the target for the move operation.
After you have moved a schedule instance, this run is effectively deleted from the original schedule definition, and is now added to the new schedule definition. All of the text-based attributes from the original schedule instance are copied to the new schedule instance.
The name you specify for the new schedule need not be unique across all of the report definitions within Identity Reporting. However, it does need to be unique within the list of schedules for the report definition.
You cannot move a schedule instance into the past (before the current date and time) or to a day that already has a run scheduled for the same report definition.
To move a single schedule instance to a new date:
Select the schedule instance you want to move and drag it to the desired date.
Click Move This.
The Calendar page also allows you to move all of the scheduled runs for a schedule by dragging and dropping a particular run within the schedule from one date to another within the calendar. When you move all schedule instances for a particular schedule, the Calendar page retains the original repeat pattern specified in the Frequency field, but updates the start date to reflect the new date for execution of the report.
The target date for the move need not be within the original start and end period dates specified for the schedule. If you move outside the original range of the schedule, the schedule start and end dates change accordingly.
To move all of the scheduled runs for a schedule:
Select the schedule instance you want to move and drag it to the desired date.
Click Move All.
The Calendar page shifts all of the scheduled runs to align with the new run date.
You can perform a number of tasks on the Reports page, including searching for, viewing, sorting, and deleting reports.
To view a list of completed and running reports, click Reports in the top navigation menu.
The Completed And Running Reports page shows all reports that have finished processing, as well as reports that are still in progress or have failed during execution. The list of reports includes reports that were scheduled, as well as reports that were initiated with the Run Now button. For each report listed, the page shows the report name, data source on which you ran the report, description, run date, and status icon.
If a report is run multiple times very quickly (each run is within a fraction of a second of the other runs), the time format shows one or more periods after AM or PM. For example, you might see PM. or PM.. after the time the report was run.
To download a completed report, click the Download link below the report that you want to display.
When you download a report, the generated report is downloaded to your local computer. The report is in PDF or CSV format, depending on how the report was defined. CSV format reports that contain very long string values might have those strings truncated or divided across multiple rows depending on the spreadsheet program that you use to view the report and how the spreadsheet program is configured.
The Download link is not available for reports that are still in progress or have failed.
To view the details for a report:
Click the Details link below the report for which you want to see the details. If the report definition includes one or more parameters, a Criteria section is added to the page that shows the parameters. The fields shown in the pop-up window are not editable, because the report has already been submitted to be run.
The Run By user is the logged-in user who creates a schedule or clicks Run Now. For example, if the user cblack creates a schedule, and then mmackenzie logs in and modifies the schedule, the Run By user is still the original creator, cblack. If mmackenzie moves the item by clicking Move This, thereby creating a new schedule, mmackenzie is the creator for the report generated by that one-off schedule.
If the report has completed processing, you can download the generated report from this window by clicking the Download link next to the status icon at the top of the window. This link is not available if the report is still in progress or has failed.
To return to the report list, click the Close icon. You can continue to work outside the window while it is still open.
To delete a generated report, click the Delete link below the report that you want to delete.
If you choose multiple reports by selecting the check box for each report, and then click the Delete link for another report in the list, the delete operation applies only to the report for which you clicked the Delete link.
To delete several reports at once:
Select the check box to the left of each report definition you want to delete.
In the Bulk Actions list, click the Delete operation.
Click Apply.
Bulk actions apply only to the current page. If you select several items on one page, then navigate to the next page to select some additional items, a subsequent attempt to perform a bulk delete applies only to the second set of items you selected. The previous selections are retained and still appear selected if you navigate back to the first page. However, the bulk action is not performed on those items.
To search for a report definition:
Type a search string in the Search text field, which is designated by the magnifying glass at the top right of the page.
The search facility allows you to pass in search strings for any of the items in the following table.
Table 5 Report Search Filters
Filter Value | Description |
---|---|
Name | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
Description | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
Tags | Performs an exact string search. The search is case-insensitive. You need to pass in only a single tag. |
Run By | Performs a search on the first name and last name of the creator of the schedule. The creator is the logged-in user who creates a schedule or clicks Run Now. For example, if the user cblack creates a schedule, then mmackenzie logs in and modifies the schedule, the Run By user is still the original creator, cblack. If mmackenzie moves the item by clicking Move This, thereby creating a new schedule, mmackenzie is the creator for the report generated by that one-off schedule. |
You can enter one or more words in the Search field, with or without quotes:
If you enter multiple words without quotes, the search results include reports that contain all of the words anywhere in the Name or Description, or that have all of the words as tags (that match exactly).
For example, suppose you enter the following:
chris black
In this case, the following report definitions are in the results:
Reports with a Name containing the words chris and black anywhere in the string
Reports with a Description containing the words chris and black anywhere in the string
Reports with Tags having chris and black as exact tags
Reports with Run By having a first name or last name of chris and last name or first name of black
If you enter multiple words surrounded by double quotes, the search results include reports that include the entire phrase anywhere in the Name or Description, or that have a tag that matches the entire phrase.
For example, suppose you enter the following:
"margo mackenzie"
In this case, the following report definitions are in the results:
Reports with Name containing the phrase margo mackenzie
Reports with Description containing the phrase margo mackenzie
Reports with a Tag that exactly matches margo mackenzie
Reports with Run By having margo mackenzie as the first name and last name or last name and first name
Press the Enter key on your keyboard.
You can clear the current search criteria and refresh the display by clicking Reports on the top navigation menu, or by emptying the Search field and clicking the Search button again.
To sort the list of reports, click the header for the column on which you want to sort. The sort indicator shows you which column is the new primary sort column.
You can control how many rows are displayed on the Repository page. Type the number of rows to display in the rows per page field at the bottom of the page and press Enter. The number you enter must be greater than zero. This preference is saved across sessions, and applies to all users. It affects both the Repository and Reports lists.
The General Settings page allows you to specify how long completed reports should be retained. Specify the unit of time (days, weeks, or months) and a number in the Delete generated reports after field. Click Save to save your changes.
The Data Sources page allows you to create, modify, and remove MS SQL, Oracle, PostgreSQL, and Vertica data sources on which you want to run reports. You can select data sources from a predefined list of installed Java Naming and Directory Interface (JNDI) data sources that the reporting server manages or define new, external Java Database Connectivity (JDBC) data sources. For a data source to be available when you run reports, you must first add it on this page.
After you add a predefined JNDI data source, you can use the Data Sources page to modify the display name. For JDBC data sources, you can modify the display name and the password that Identity Reporting uses to connect to the data source.
NOTE: The necessary JDBC driver JAR file must be in the lib directory of the Tomcat install. If you add the JAR, a restart of Tomcat is required.
If you want to create a data source and configure the database to use SSL communication, you must first create and configure the proper global configuration properties for your database platform and for the SSL type -- server authentication or mutual authentication. Use the table below to determine which configuration properties you need to create and the values for each.
Table 6 Global Configuration Properties and Value Types for Database Platforms and SSL Types
| Database Platform/SSL Type | Configuration Property | Value Type |
|---|---|---|
| Vertica/Server | com.netiq.iac.vertica.ssl.truststore.path | Filename |
| Vertica/Server | com.netiq.iac.vertica.ssl.truststore.password | Password |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.truststore.path | Filename |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.truststore.password | Password |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.keystore.path | Filename |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.keystore.password | Password |
| Oracle/Server | com.netiq.iac.oracle.ssl.truststore.path | Filename |
| Oracle/Server | com.netiq.iac.oracle.ssl.truststore.type | Type of truststore |
| Oracle/Server | com.netiq.iac.oracle.ssl.truststore.password | Password |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.truststore.path | Filename |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.truststore.type | Type of truststore |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.truststore.password | Password |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.keystore.path | Filename |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.keystore.type | Type of truststore |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.keystore.password | Password |
| PostgreSQL/Server | com.netiq.iac.postgres.ssl.root.cert | Contents of the certificate. NOTE: Do not use a filename. |
| PostgreSQL/Mutual | com.netiq.iac.postgres.ssl.root.cert | Contents of the certificate. NOTE: Do not use a filename. |
| PostgreSQL/Mutual | com.netiq.iac.postgres.ssl.client.cert | Contents of the certificate. NOTE: Do not use a filename. |
| PostgreSQL/Mutual | com.netiq.iac.postgres.ssl.client.key | Contents of the key. NOTE: Do not use a filename. |
| MS SQL/Server | com.netiq.iac.mssql.ssl.server.cert | Contents of the certificate. NOTE: Do not use a filename. |
| MS SQL/Server | com.netiq.iac.mssql.ssl.password | Password |
Use the information from this table to create and configure the required configuration properties for the data source you want to create.
NOTE: The configuration properties required for SSL communication could already exist in your environment. In Identity Governance, select Configuration > Advanced, then use the search feature to verify whether the configuration property you need is already configured as a global configuration setting.
To create and configure the proper global configuration properties for your data store type and for the SSL type:
1. Log in as a Global Administrator.
2. In Identity Governance, select Configuration > Advanced.
3. Next to Global Configuration Settings, click the plus sign (+).
4. Type the name of the configuration property you want to create, then click Add.
5. Type the value for the configuration property you want to create, then click Create.
6. Perform Step 3 through Step 5 for each property you need to create.
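As a pre-flight check before creating an SSL data source, the following Python example (added here, not code from Identity Governance or its vendor) takes the property names and value types from Table 6 and reports which global configuration properties are missing or hold the wrong kind of value for a given platform and SSL type. The function names, the sample values and the PEM label checks are assumptions of this example.

```python
import os
import re

PREFIX = "com.netiq.iac."


def store(platform, kind, with_type=False):
    """Properties for one truststore or keystore; value kinds follow Table 6."""
    base = f"{PREFIX}{platform}.ssl.{kind}."
    props = {base + "path": "file"}
    if with_type:
        props[base + "type"] = "type"
    props[base + "password"] = "password"
    return props


# (platform, SSL type) -> {property: value kind}, transcribed from Table 6.
# "cert" and "key" mean the PEM contents themselves, never a filename.
REQUIRED = {
    ("vertica", "server"): store("vertica", "truststore"),
    ("vertica", "mutual"): {**store("vertica", "truststore"),
                            **store("vertica", "keystore")},
    ("oracle", "server"): store("oracle", "truststore", with_type=True),
    ("oracle", "mutual"): {**store("oracle", "truststore", with_type=True),
                           **store("oracle", "keystore", with_type=True)},
    ("postgresql", "server"): {PREFIX + "postgres.ssl.root.cert": "cert"},
    ("postgresql", "mutual"): {PREFIX + "postgres.ssl.root.cert": "cert",
                               PREFIX + "postgres.ssl.client.cert": "cert",
                               PREFIX + "postgres.ssl.client.key": "key"},
    ("ms sql", "server"): {PREFIX + "mssql.ssl.server.cert": "cert",
                           PREFIX + "mssql.ssl.password": "password"},
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.+?-----END \1-----", re.S)


def check_value(name, kind, value, check_files):
    """Return a finding string for one property value, or None if it looks sane."""
    value = value.strip()
    if not value:
        return f"{name}: empty value"
    pem = PEM_RE.search(value)
    if kind in ("cert", "key"):
        if not pem:
            return f"{name}: expected PEM contents, not a filename or other text"
        label = pem.group(1)
        ok = label.endswith("PRIVATE KEY") if kind == "key" else label == "CERTIFICATE"
        if not ok:
            want = "PRIVATE KEY" if kind == "key" else "CERTIFICATE"
            return f"{name}: PEM block is '{label}', expected {want}"
    elif kind == "file":
        if pem:
            return f"{name}: expected a filename, got PEM contents"
        if check_files and not os.path.isfile(value):
            return f"{name}: file not found: {value}"
    return None


def check_ssl_properties(platform, ssl_type, configured, check_files=False):
    """List problems with the configured properties for one Table 6 combination."""
    key = (platform.lower(), ssl_type.lower())
    if key not in REQUIRED:
        raise ValueError(f"no Table 6 entry for {platform}/{ssl_type}")
    findings = []
    for name, kind in REQUIRED[key].items():
        if name not in configured:
            findings.append(f"{name}: missing")
            continue
        problem = check_value(name, kind, configured[name], check_files)
        if problem:
            findings.append(problem)
    return findings


# Constructed sample values (not from a real system); the PEM body is dummy text.
DUMMY_CERT = "-----BEGIN CERTIFICATE-----\nZHVtbXk=\n-----END CERTIFICATE-----"
SAMPLE_PG_MUTUAL = {
    PREFIX + "postgres.ssl.root.cert": "/opt/certs/root.crt",  # filename: wrong kind
    PREFIX + "postgres.ssl.client.cert": DUMMY_CERT,
    # postgres.ssl.client.key deliberately left out
}

if __name__ == "__main__":
    for finding in check_ssl_properties("PostgreSQL", "Mutual", SAMPLE_PG_MUTUAL):
        print(finding)
```

Pass `check_files=True` when running on the reporting server itself so that truststore and keystore paths are also checked for existence.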
You can use the Data Sources page to create, modify, or delete data sources.
NOTE: Contact your Maintenance and Database Administrator to understand which database you should be using and gather values for related settings such as connection method and credentials.
To create a data source:
In Identity Reporting, click Data Sources in the top navigation menu.
Click the plus sign (+) to add a new data source.
Select the appropriate method for connecting to the data source.
(Conditional) If you are adding a predefined data source, select the source from the list.
(Conditional) If you are defining a new data source, provide the following information for connecting to the data source:
The name of the data source
The database platform
The host - DNS name or IP address of the computer that hosts the data source
Whether to use SSL to connect to the data source
The port the database is listening on
The name of the database. For Oracle this will be the SID/ServiceName.
The user name and password for the data source user account. As a best practice for Identity Governance reports, use the igrptuser account.
(Optional) To test whether Identity Reporting can connect to the data source, click Test Connection.
NOTE: A successful connection is not required to add the data source. It is possible to come back and test the connection at a later time.
Click the Save icon.
To modify a data source:
Click Data Sources in the top navigation menu.
Click the data source name, then modify the information.
To remove a data source:
Click Data Sources in the top navigation menu.
Click the delete icon next to the data source you want to remove.
Identity Reporting offers various administration and customization tools. For more information, see the following topics:
Identity Reporting supports complete REST API functionality.
The REST APIs for reporting use the OAuth2 protocol for authentication.
The installation program deploys a special API WAR file, rptdoc.war, which contains the documentation of REST services needed for reporting. On Tomcat the rptdoc.war file is automatically deployed when Identity Reporting is installed.
The REST API documentation can be found at http://%servername%:8080/rptdoc. If you installed Reporting using https, substitute https for http.
NOTE: As a best practice while working in a staging or production environment, you should manually move or delete the rptdoc.war files and folders from the Tomcat webapps directory in your environment.
Use the following information to enable auditing for Identity Reporting. The steps for enabling auditing are the same whether you installed Identity Reporting and Identity Governance on the same server or on different servers.
If a Global Administrator enables auditing for Identity Reporting, all events in the Identity Reporting Events table are sent to the audit flow channel. For more information about logged events, see Identity Reporting Events.
NOTE: You can view the events in the catalina.timestamp.log file even if you do not enable auditing.
To enable and configure auditing:
1. (Conditional) If you enabled auditing during the installation, proceed to Step 3.
2. (Conditional) If you want to enable auditing after the installation, complete the following steps:
   a. Create an audit directory to store the audit information.
      Linux: /opt/netiq/idm/apps/audit
      Windows: C:\netiq\idm\apps\audit
   b. Create the Identity Reporting log file.
      Linux: ../tomcat/conf/idmrptcore_logging.xml
      Windows: C:\netiq\idm\apps\tomcat\conf\idmrptcore_logging.xml
   c. (Linux only) Assign ownership to the audit directory.
      chown -R novlua.users /opt/netiq/idm/apps/audit
      NOTE: novlua.users is the same ownership as the tomcat directory. It allows the Tomcat service to modify files within the audit logs directory.
3. Modify the Identity Governance logging file to enter the syslog server information.
   a. Open the logging file in a text editor.
      Linux: /opt/netiq/idm/apps/tomcat/conf/idmrptcore_logging.xml
      Windows: C:\netiq\idm\apps\tomcat\conf\idmrptcore_logging.xml
   b. Make the following changes specific to your syslog server:
      <enabled>${com.netiq.ism.audit.cef.enabled:true/false}</enabled>
      <protocol>${com.netiq.ism.audit.cef.protocol:TCP/TLS}</protocol>
      <host>${com.netiq.ism.audit.cef.host:123.456.78.90}</host>
      <port>${com.netiq.ism.audit.cef.port:6514}</port>
      <cache-dir>${com.netiq.ism.audit.cef.cache-file-dir:/opt/netiq/idm/apps/audit}</cache-dir>
      <cache-file>idm-rpt.txt</cache-file>
      <application>Reporting Core</application>
      <vendor>Micro Focus</vendor>
      <version>6.6.0</version>
      NOTE: To disable auditing, ensure that the <enabled> line is set to false. For example:
      <enabled>false</enabled>
4. (Conditional) If you are using TLS, add the certificate (public key) for the syslog server (at the provided port) to the Identity Governance and Identity Reporting trusted certificates files.
5. Restart Tomcat. For more information, see the User Guide on the Identity Governance documentation website.
The events listed in the following table are logged for Identity Reporting. For more information about event auditing in Identity Reporting, see Enabling and Configuring Auditing for Identity Reporting.
Table 7 Identity Reporting Events
| Event ID | Process | NetIQ Identity Audit Event | Severity |
|---|---|---|---|
| 31771 | Report definition created | Report_Defn_Created | Info |
| 31772 | Report definition modified | Report_Defn_Modified | Info |
| 31773 | Report definition deleted | Report_Defn_Deleted | Info |
| 31774 | Schedule created | Schedule_Created | Info |
| 31775 | Schedule modified | Schedule_Modified | Info |
| 31776 | Schedule deleted | Schedule_Deleted | Info |
| 31777 | Report generated | Report_Generated | Info |
| 31778 | Report delivered | Report_Delivered | Info |
|  | Data cleanup requested | Data_Cleanup_Requested | Info |
|  | Data collection activated | Data_Collection_Activated | Info |
|  | Data collection failed | Data_Collection_Failed | Info |
|  | Data collection requested | Data_Collection_Requested | Info |
|  | Data collection started | Data_Collection_Started | Info |
|  | Data collection suspended | Data_Collection_Suspended | Info |
|  | Data source modified | Data_Source_Modified | Info |
|  | Data source registered | Data_Source_Registered | Info |
|  | Data source removed | Data_Source_Removed | Info |
|  | Data Collection Service (DCS) driver collection disabled | DCS_Driver_Collection_Disabled | Info |
|  | DCS collection enabled | DCS_Driver_Collection_Enabled | Info |
|  | DCS driver registration add | DCS_Driver_Registration_Add | Info |
|  | DCS driver registration modify | DCS_Driver_Registration_Modify | Info |
|  | Service started | Service Started | Info |
|  | Service stopped | Service Stopped | Info |
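Because every event in Table 7 is logged with severity Info, a syslog receiver has to rank them by event rather than by severity. The following Python example (added here, not product code) parses CEF records and flags data source changes, collection problems and bursts of deletions by one user. It assumes that the Event ID appears as the CEF event class ID, that the audit event name appears as the CEF name, and that the extension carries `suser` and `rt` (epoch milliseconds); the sample lines, categories and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Event IDs and audit event names transcribed from Table 7. Rows the table
# lists without an ID are matched by name only.
EVENT_NAMES = {
    "31771": "Report_Defn_Created", "31772": "Report_Defn_Modified",
    "31773": "Report_Defn_Deleted", "31774": "Schedule_Created",
    "31775": "Schedule_Modified", "31776": "Schedule_Deleted",
    "31777": "Report_Generated", "31778": "Report_Delivered",
}

# Triage categories are this example's choice, not product behaviour.
WATCH = {
    "Report_Defn_Deleted": "deletion",
    "Schedule_Deleted": "deletion",
    "Data_Source_Registered": "data-source-change",
    "Data_Source_Modified": "data-source-change",
    "Data_Source_Removed": "data-source-change",
    "Data_Collection_Failed": "collection-health",
    "Data_Collection_Suspended": "collection-health",
    "DCS_Driver_Collection_Disabled": "collection-health",
    "Service Stopped": "availability",
}

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "event_id", "name", "severity")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")


def parse_cef(line):
    """Return a dict for one CEF record, or None if the line is not CEF."""
    start = line.find("CEF:")          # skip any syslog prefix
    if start < 0:
        return None
    parts = UNESCAPED_PIPE.split(line[start + 4:].rstrip("\r\n"), maxsplit=7)
    if len(parts) < 7:
        return None
    record = {k: v.replace("\\|", "|").replace("\\\\", "\\")
              for k, v in zip(HEADER_FIELDS, parts)}
    ext = {}
    if len(parts) == 8:
        # Extension values may contain spaces; a new pair starts at " key=".
        for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
            key, sep, value = pair.partition("=")
            if sep:
                ext[key] = value.replace("\\=", "=")
    record["ext"] = ext
    return record


def triage(lines, product="Reporting Core", burst=3, window_ms=300_000):
    """Return (category, detail, user) findings for Identity Reporting events."""
    findings = []
    deletions = defaultdict(list)      # user -> deletion timestamps (ms)
    for line in lines:
        rec = parse_cef(line)
        if rec is None or rec["product"] != product:
            continue
        # Prefer the Table 7 ID; fall back to the name for rows without one.
        name = EVENT_NAMES.get(rec["event_id"], rec["name"])
        category = WATCH.get(name)
        if category is None:
            continue
        user = rec["ext"].get("suser", "unknown")
        stamp = rec["ext"].get("rt", "")
        if category == "deletion" and stamp.isdigit():
            deletions[user].append(int(stamp))
        else:
            findings.append((category, name, user))
    for user, stamps in deletions.items():
        stamps.sort()
        for i in range(len(stamps) - burst + 1):
            if stamps[i + burst - 1] - stamps[i] <= window_ms:
                detail = f"{burst} deletions within {window_ms // 1000}s"
                findings.append(("deletion-burst", detail, user))
                break
    return findings


# Constructed sample records; header values follow the logging file shown above.
HDR = "Jun 10 02:15:00 igrpt CEF:0|Micro Focus|Reporting Core|6.6.0|"
SAMPLE = [
    HDR + "31777|Report_Generated|Info|suser=cblack rt=1718000000000",
    HDR + "31773|Report_Defn_Deleted|Info|suser=mmackenzie rt=1718000060000 msg=Access Requests",
    HDR + "31773|Report_Defn_Deleted|Info|suser=mmackenzie rt=1718000090000",
    HDR + "31776|Schedule_Deleted|Info|suser=mmackenzie rt=1718000120000",
    HDR + "|Data_Source_Modified|Info|suser=cblack rt=1718000200000",
    "not a CEF line",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```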
Report Packaging Tool: Facilitates the process of creating new reports.
Custom header/footer tool: Tool to customize the report header and footer. There is help embedded in the tool.
Identity Reporting requires a web browser to present information and allow users to perform actions.
The reporting client WAR supports customization through the custom.css file. To customize the user interface, set the location of the custom.css file using the com.netiq.rpt.css.custom.dir property.
NOTE: The Identity Governance server process must have read permissions on the custom.css file.
You can customize the strings for Identity Reporting into any of several supported languages by customizing the appropriate language-specific properties JAR file.
NOTE: As a best practice, copy only the property or properties that need to be translated.
The following table lists the supported languages.
Table 8 Supported Languages
| Language | Locale Code |
|---|---|
| Chinese – Simplified | zh_cn |
| Chinese – Traditional | zh_tw |
| Danish | da |
| Dutch | nl |
| English | en |
| French | fr |
| German | de |
| Italian | it |
| Japanese | ja |
| Polish | pl |
| Portuguese | pt |
| Russian | ru |
| Spanish | es |
| Swedish | sv |
The strings for Identity Reporting are contained within a set of language-specific JAR files that are associated with the two main WARs used by Reporting:
Client WAR
Core WAR
The language-specific JAR files follow this pattern:
RPTCORE-CLIENT_language.jar
RPTCORE-SERVER_language.jar
For example, the following JAR files apply to strings in French:
RPTCORE-SERVER_fr.jar
Identity Reporting provides the following reports for Identity Governance:
Table 9 Identity Governance Reports
| Name | Description |
|---|---|
| Access Request Approval Policy Definitions - CSV | This report gives a high-level overview of access request approval policies and their steps. |
| Access Request Policies - CSV | This report lists a brief overview of access request policies made in Identity Governance. |
| Access Requests | This report displays information regarding the access requests in the catalog. |
| Access Requests Details - CSV | This report lists full information for access requests made in Identity Governance. |
| Access Requests with Deleted Approvers | This report lists all the Access Requests or Potential SoD Violation approvers that have been deleted from the catalog along with the Access Request items with which they were associated. |
| Access Requests with Deleted Approvers - CSV | This report lists all the Access Requests or Potential SoD Violation approvers that have been deleted from the catalog along with the Access Request items with which they were associated. Select CSV as the output format. |
| Account Access Reviews | This report lists all permissions assigned to accounts. |
| Account Access Reviews - CSV | This report lists all permissions assigned to accounts in a downloadable CSV file that can be opened with spreadsheet software and enables user manipulation of the data. Select CSV as the output format. |
| Account Ownership Statistics (Formerly Account Ownership) | This report shows the average number of accounts owned by identities across all applications. Optionally, it shows average numbers broken down by all applications or specified applications. Averaging across all applications supersedes specific application selection. |
| Accounts in Review - CSV | This report lists all account reviews and displays details such as application sources, reviewers, review status, and final decisions for each review in a downloadable CSV file that can be opened with spreadsheet software and enables user manipulation of the data. Select CSV as the output format. |
| Ad Hoc Audit Report - CSV | This report displays the information in the Identity Governance audit event table. The report must be run using a data source connected to the audit database. |
| Application Delta - CSV | This report lists changes to an application over a specified date range. |
| Authorization Assignments | This report displays groups and users assigned to administrative roles within Identity Governance. Group memberships can optionally be displayed. |
| Authorization Changes by User | This report shows the changes to user authorizations caused by individual Business Roles. |
| Auto Change Requests by Business Roles - CSV | This report lists all changes made by either Auto Revoke or Auto Grant Requests by Business Roles. |
| Auto Grant Requests by Business Roles | This report shows permissions and applications auto granted by business roles. |
| Auto Revoke Requests by Business Roles | This report shows permissions and applications auto revoked by business roles. |
| Bulk Data Update Details | This report provides details of bulk data update operations for identity and application sources. |
| Bulk Data Update Overview | This report provides an overview of bulk data update operations for identity and application sources. |
| Business Role Assignment Coverage | This report shows the changes to user authorizations caused by individual Business Roles. |
| Business Role Assignment Coverage - CSV | This report shows the changes to user authorizations caused by individual Business Roles. |
| Business Role Certification Status | This report provides information about the certification status of Business roles, including associated Certification Policies. |
| Business Role Definition Reviews | This report lists details for all Business Role Definition Reviews. |
| Business Role Membership | This report displays membership information for published business roles. |
| Business Role Membership Delta | This report shows membership changes for the specified business role within the given date range. |
| Business Roles Details | This report provides detailed information about Business roles, including memberships and associated permissions. |
| Business Roles Overview | This report provides a summary of business roles. |
| Catalog Accounts Details | This report displays information about specified applications including associated accounts with their permissions, and Identity Manager System information. |
| Catalog Accounts Overview | This report provides high-level information about accounts in the catalog. |
| Catalog Applications Details | This report displays information about specified applications including associated permissions, accounts, and Identity Manager System information. |
| Catalog Applications Details - CSV | This report displays information about specified applications including associated permissions, accounts, and Identity Manager System information. |
| Catalog Applications Overview | This report displays high-level information about each application in the catalog. |
| Catalog Curated Data Details | This report provides details of attribute data curated for users, accounts, and permissions, comparing effective values with the most recently collected and published values. |
| Catalog Curated Data Overview | This report provides an overview of collected versus curated data for users, accounts, and permissions. |
| Catalog Groups Details | This report displays information about the specified groups in the catalog, including group membership. |
| Catalog Groups Overview | This report displays high-level information about each group in the catalog. |
| Catalog Permissions Details | This report displays information about specified permissions, their associated users, and their affiliated permissions. |
| Catalog Permissions Overview | This report displays high-level information about each permission in the catalog, grouped by application, and which business roles have authorized it. |
| Catalog Users Ad Hoc | This report provides user-specified ad hoc information about catalog users as well as their associated permissions and applications. |
| Catalog Users Overview | This report displays high-level information about each user in the catalog. |
| Catalog Users by Supervisor | This report provides information about each user in the catalog, grouped by supervisor. Optionally, it includes users without a supervisor. |
| Certification Policy Violations - CSV | This report shows violations generated from certification policies including review information and remediation type. |
| Collection Details | This report lists all collection and publication instances from each identity and application source with status and details. |
| Collection Overview | This report lists all identity sources and applications and when they are collected and published in the system. |
| Current User Access | This report displays information about specified users in the catalog, including group membership, permissions held, associated accounts, direct reports, and separation of duties violations. |
| Current User Access - CSV | This report displays information about specified users in the catalog, including group membership, permissions held, associated accounts, direct reports, and separation of duties violations. |
| Custom Form Changes - CSV | This report shows when changes were made to application and permission forms. |
| Data Policies and Controls Details - CSV | This report provides detailed information about Data Policies and their detected items. |
| Data Policies and Controls Overview - CSV | This report lists a brief overview of Data Policies and their detected items. |
| Data Source Changes | This report lists changes made to data source definitions over a given date range. |
| Database Statistics for Identity Governance | This report displays Identity Governance database statistics for the selected data source. Administrator-level access to the Identity Governance database and specific rights (View any definition on MS SQL and SELECT_CATALOG_ROLE on Oracle) are required to retrieve the statistics from the database. |
| Delegate Mappings - CSV | This report displays delegate mappings for reviews and access request approvals. |
| Delegation Assignments - CSV | This report shows detailed information about items delegated during reviews within a given date range. |
| Deleted Application and Permission Owners | This report displays application and permission owners that have been deleted from the catalog. |
| Deleted Items under Review | This report lists all accounts, permissions, users, direct reports and roles that were deleted while under review. They are grouped by review and include the affected users. |
| Deleted Reviewers | This report lists all the reviewers that have been deleted from the catalog along with the review items and reviews with which they were associated. |
| Deleted User and Account Assignments - CSV | This report lists all permissions, technical roles, business roles, and accounts that users had when they were deleted, as well as deleted accounts and their permissions. |
| Direct Reports Reviews | This report shows detailed information about direct report reviews including reviewers, review status, and final decisions for review items for a given date range. |
| Extended Attribute Definitions (Formerly Catalog Extended Attributes) | This report displays high-level information about each extended attribute. |
| Fulfillment Status and Closed Loop Verification | Lists the status of application and business role provisioning requests, identifying which requests have been verified as fulfilled and which remain open. |
| Fulfillment Status and Closed Loop Verification - CSV | Lists the status of application and business role provisioning requests, identifying which requests have been verified as fulfilled and which remain open in a downloadable CSV file that can be opened with spreadsheet software and enables user manipulation of the data. Select CSV as the output format. |
| Fulfillment Target Changes | This report lists an overview of changes made to Fulfillment Targets in Identity Governance. |
| Identity Source Merging and Match Rules | A report that displays the merging rules set for the Identity Sources along with the match rules for each Identity Source. |
| Items Covered by Approval Policies - CSV | This report lists approval policies and their assigned items with the option to include policy step information with each item. |
| Performance Log - CSV | This report lists performance monitor logs in a downloadable CSV file that can be opened with spreadsheet software and enables user manipulation of the data. Select CSV as the output format. |
| Permission Assignment Changes by Permission | This report displays permission holders at the beginning and end of the specified date range, as well as permission assignment additions and removals between the displayed lists of permission holders. |
| Permission Definition Changes | This report displays the collected and curated changes to permissions within a given date range. |
| Permissions Delta by User | This report displays the changes in permissions held by a specified user within a given date range. Permissions are sorted by application. |
| Permissions in Review - CSV | This report lists permissions that are currently in review in a downloadable CSV file that can be opened with spreadsheet software and enables user manipulation of the data. Select CSV as the output format. |
| Policies with Deleted Stakeholders - CSV | This report lists all deleted users and groups that are included in policies. |
| Preview Changes | This report lists changes made to review instances and reassigned review items while in preview mode. Changes made to expected end date, auditor reviewers, review owners, and escalation reviewers will be excluded after the review goes live. This report uses current review definition for comparison, not the definition when the review was started in preview. |
| Preview Changes - CSV | This report lists changes made to review instances and reassigned review items while in preview mode. The information is presented in a downloadable CSV data table file that can be opened with spreadsheet software and enables user manipulation of the data. |
| Privileged Account Ownership | Shows the privileged accounts owned by users across all applications along with the users for each account. Output can be grouped by application. |
| Reconciliation - CSV | This report compares the desired state of access represented by Identity Manager (IDM) with the current state represented by each connected system. The report can be applied to Accounts, Permissions, and Users, and can be used to determine which differences require reconciliation. |
| Requestable Items - CSV | This report can be used to find what items a user can request and the users for whom they can request those items. |
| Review Activity by User | This report displays information about specified users' reviews, their types, and the actions committed on them. |
| Review Coverage Overview | This report shows the accounts, business roles, permissions, roles, and users that are not included in any reviews. |
| Review Definitions | This report lists details for all review definitions. |
| Review Details | This report lists all reviews and displays details such as application sources, permissions, reviewers, review status, and final decisions for each review. |
| Review Details - CSV | This report lists all reviews and displays details such as application sources, permissions, reviewers, review status, and final decisions for each review in a downloadable CSV file that can be opened with spreadsheet software and enables user manipulation of the data. Select CSV as the output format. |
| Review Item Exceptions | This report lists all reviews that contain exception items along with their exception reason and time of exception. |
| Review Item Reassignments | This report lists review item reassignment details, grouped by review. |
| Review Overview | Lists a summary of all reviews, their status, and dates. |
| Review Overview - CSV | Lists a summary of all reviews, their status, and dates. Note that item count might not reflect the total actionable subitems. |
| Reviewer Overview - CSV | This report lists reviewers and aggregates information about their review items within the selected date range. |
| Reviewer Status | This report lists review status information grouped by Supervisor. |
| Reviewer Status - CSV | This report lists review status information per reviewer. |
| Reviews with Deleted Stakeholders | This report displays any deleted stakeholders that are on a review definition or a review instance. This includes deleted owners, reviewers, and auditors. This report also displays the current remaining owners that are not deleted. |
| Risk Policy | This report shows detailed information about the risk policy configuration including risk levels, risk factor settings, and scheduling of risk calculations. |
| Separation of Duties Approval Policies Details - CSV | This report gives a high-level overview of Separation of Duties approval policies and their steps. |
| Separation of Duties Open Violations Details | This report provides detailed information about open separation of duties violations including violators, violations details, and actions taken. |
| Separation of Duties Open Violations Overview | This report displays high-level information about each Separation of Duty open violation. |
| Separation of Duties Policies Details | This report provides detailed conditions and compensating controls for separation of duties policies. |
| Separation of Duties Policies Details - CSV | This report provides detailed conditions and compensating controls for separation of duties policies. |
| Separation of Duties Policies Overview | This report provides a summary of separation of duties policies. |
| Technical Role Assignment Coverage - CSV | This report shows the current coverage status of active Technical Roles assigned to users. |
| Technical Roles Details | This report provides detailed information about Technical Roles, including associated permissions and separation of duties policies. |
| Technical Roles Overview | This report provides a summary of technical roles. |
| Unauthorized Permissions by User - CSV | This report lists user permissions that are not authorized by any business role. Some of the columns in this report, including start time and end time may not be collected from all data sources. |
| Unmapped Accounts | This report lists application accounts along with any permissions they hold that do not have associated users. The accounts are grouped by application. Duplicate account names across multiple applications can also be highlighted. |
| User Permission Assignments - CSV | This report provides a summary of permission assignments. Some of the columns in this report, including start date and end date may not be collected from all data sources. |
| User Permissions Snapshot | This report displays permission information about the specified user on a selected date. Intended for NetIQ Identity Governance. |
| User Profile Changes | This report lists changes made to user profile attributes by collection and curation. |
| User Profile Reviews | This report lists all user profiles and displays details such as reviewers, review status, and final decisions for each review. |
| Users in Business Role Grace Period - CSV | A report to list what users are at risk of being removed from their business role due to recently unmet membership criteria and are in a grace period. |
The only warranties for products and services of Open Text and its affiliates and licensors (“Open Text”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Open Text shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.
Copyright 2024 Open Text.