Sun[TM] Identity Manager 8.0 Administration
Chapter 8
Reporting
Identity Manager reports on automated and manual system activities. A robust set of reporting features lets you capture and view important access information and statistics on Identity Manager users at any time.
In this chapter, you will learn about the Identity Manager report types, how to create, run, and email reports, and how to download report information.
This chapter is organized in the following sections:
Working with Reports
In Identity Manager, reports are considered a special category of task. As a result, you work with reports in two areas of the Identity Manager Administrator interface:
- Reports (Run Reports) — Use the Run Reports area to define, run, delete, and download reports. Only administrators with sufficient capabilities can define, run, delete, and download reports. See Appendix D, "Capabilities Definitions" for more information.
- Server Tasks — After you define reports, go to the Scheduled Tasks area (Server Tasks > Manage Schedule) to schedule and modify report tasks. TaskDefinition objects must contain visibility=schedule in order to be scheduled. Use the debug pages to make this change. See Editing Identity Manager Configuration Objects for more information.
Report Types
Reports are organized into two categories:
Within these two categories, reports are further divided into a variety of report types. Report types are discussed in greater detail later in this chapter, in Identity Manager Reports and Auditor Reports.
For instructions on how to view Identity Manager Reports and Auditor Reports, see Viewing Reports.
Running Reports
To run a report, follow these steps:
- In the Administrator interface, click Reports in the main menu.
The Run Reports page opens.
- To view a list of available Identity Manager Reports, select Identity Manager Reports in the Report Type drop-down menu. (This option is selected by default.)
To view a list of available Auditor Reports, select Auditor Reports in the Report Type drop-down menu. See Working with Auditor Reports for more information.
Figure 8-1 shows an example of the Run Reports page. Auditor Reports are selected in the Report Type drop-down menu.
Figure 8-1 Run Reports Selection
- Click Run to run a report.
Viewing Reports
After running a report from the Run Reports page, you can view the output immediately or at a later time.
To view a report, follow these steps:
Creating Reports
To modify an existing report and save it with a new name, see Editing and Cloning Reports in the next section.
To create a new Identity Manager report or Auditor report not based on an existing report, use the following steps:
Identity Manager displays the Define a Report page, where you choose options to create the report, run it, or save it.
After entering and selecting report criteria, you can:
- Run the report without saving — Click Run to run the report. Identity Manager does not save the report (if you defined a new report) or the changed report criteria (if you edited an existing report).
- Save the report — Click Save to save the report. Once saved, you can run the report from the Run Reports page (the list of reports).
For more information on running reports, see Running Reports.
Editing and Cloning Reports
To clone a report, modify an existing report and save it with a new name.
To edit or clone a report, follow these steps:
- In the Administrator interface, click Reports in the main menu.
The Run Reports page opens.
- Use the Report Type drop-down menu to select a report category. There are two report categories:
- Click a report name to edit it.
- To edit a report, adjust the report parameters as needed and click Save.
To clone a report, enter a new report name, adjust the report parameters as needed, and click Save to save it with the new name.
Emailing Reports
When creating or editing a report, you can select an option to email the report results to one or more email recipients. When you select this option, the page refreshes and prompts for email recipients. Enter one or more recipients, separating addresses with a comma.
You also can choose the format of the report to be attached to the email:
Scheduling Reports
Depending on whether you want to immediately run a report or schedule it to run at regular intervals, you make different selections:
- Reports > Run Reports — Allows you to run saved reports immediately. From the list of reports, click Run. Identity Manager runs the report and then displays the results in summary and detailed formats.
- Server Tasks > Manage Schedule — Schedules report tasks to be run. After selecting a report task, you can set report frequency and options. You also can adjust specific report details (as in the Define a Report page in the Reports area).
Downloading Report Data
From the Run Reports page you can download report information for use in another application, such as Acrobat Reader or StarOffice.
Open the Run Reports page and click Download in one of these columns:
Configuring Report Output
To configure report output, click Reports, and then select Configure Reports.
These selections are available on the Configure Reports page:
For reports generated in portable document format (PDF), you can make selections to determine the fonts to be used in the report.
- PDF Font Name — Select the font to use when generating PDF reports. By default, only fonts available to all PDF viewers are shown. However, additional fonts (such as those needed to support Asian languages) can be added to the system by copying font definition files into the product's fonts/ directory and restarting the server.
- CSV Report Options
- Tracked Event Configuration
- Enable event collection — This option is used to configure reports for system monitoring and does not apply to customizing report formatting. For more information, see Tracked Event Configuration.
Click Save to save report configuration options.
Identity Manager Reports
Identity Manager report types can be grouped into six report type categories:
AuditLog Reports
AuditLog reports are based on events captured in the system audit log. These reports provide information about generated accounts, approved requests, failed access attempts, password changes and resets, self-provisioning activities, policy violations, and service provider (extranet) users, among others.
Note
Before running audit logs, you must specify the types of Identity Manager events you want to capture. To do this, select Configure from the menu bar, and then select Audit. Select one or more audit group names to record successful and failed events for each group. For more information about setting up audit configuration groups, see Configuring Audit Groups and Audit Events.
To define an AuditLog report, follow these steps:
- Follow the instructions in Creating Reports.
Select Identity Manager Reports from the first Report Type menu, and select AuditLog Report from the second menu.
The Define a Report page opens.
- Complete the form and click Save.
Click Help if you have questions about the form.
Once you have set and saved report parameters, run the report from the Run Reports page. Click Run to produce a report of all results that match the saved criteria. Included in the report are the date an event occurred, the action performed, and the result of the action.
Individual User AuditLog Reports
As with the AuditLog reports, the Individual User AuditLog report is based on events captured in the system audit log. This report, however, prompts you for a user to report on, and returns a list of activities that have been performed on that user. To maximize results, this report searches both the AccountId and ObjectDesc fields in the audit log for the matching user name.
This report can either return a fixed set of columns, or you can select a custom set of columns. Columns are defined in reporttasks.xml and defaultreports.xml. Both files can be found in the sample directory (located in your Identity Manager installation directory).
To define an Individual User AuditLog report, follow these steps:
- Follow the instructions in Creating Reports.
Select Identity Manager Reports from the first Report Type menu, and select Individual User AuditLog Report from the second menu.
The Define a Report page opens.
- Complete the form and click Save.
Click Help if you have questions about the form.
Real Time Reports
Real time reports poll resources directly to report real-time information. Real time reports include:
- Resource Group Report — Summarizes group attributes, including user memberships.
- Resource Status Report — Tests the connection status of one or more specified resources by executing the testConnection method against each resource.
- Resource User Report — Lists user resource accounts and account attributes.
To define a real-time report, follow these steps:
- Follow the instructions in Creating Reports.
Select Identity Manager Reports from the first Report Type menu, and select Resource Group Report, Resource Status Report, or Resource User Report from the second menu.
The Define a Report page opens.
- Complete the form and click Save.
Click Help if you have questions about the form.
Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria.
Summary Reports
Summary report types include the following reports available from the Identity Manager Reports list:
- Account Index Report – Report on selected resource accounts according to reconciliation situation.
- Administrator Report – View Identity Manager administrators, the organizations they manage, and assigned capabilities. When defining an administrator report, you can select administrators to include by organization.
- Admin Role Report – List users assigned to admin roles.
- Role Report – Report on all aspects of roles and associated resources.
- Task Report – Report on pending and finished tasks. You determine the depth of information to include by selecting from a list of attributes such as approver, description, expiration date, owner, start date, and state.
- User Report – View users, the roles to which they are assigned, and the resources they can access. When defining a user report, you can select which users to include by name, assigned manager, role, organization, or resource assignment.
- User Question Report – Allows administrators to find users who have not answered the minimum number of authentication questions, as specified by their account policy requirements. The results indicate user name, account policy, the interface associated with the policy, and the minimum number of questions that require answers.
As shown in Figure 8-3, the Administrator Report lists Identity Manager administrators, the organizations they manage, and their assigned capabilities and admin roles.
Figure 8-3 Administrator Summary Report
To define a Summary report, follow these steps:
- Follow the instructions in Creating Reports.
Select one of the Summary report types (listed above) from the second menu.
The Define a Report page opens.
- Complete the form and click Save.
Click Help if you have questions about the form.
SystemLog Report
A SystemLog report shows system messages and errors that are recorded in the repository. When setting up this report, you can specify to include or exclude the following items:
You also set the maximum number of records you want to display (by default, 3000), and whether you want to display the oldest or newest records if available records exceed the specified maximum.
When running a SystemLog Report, specific Syslog entries can be retrieved by specifying the syslog ID of the target entry. For example, to view specific entries in the Recent Systems Messages report, edit the report and select the Event field. Then enter the requested syslog ID and click Run.
Note
You also can run the lh syslog command to extract records from the system log. For detailed command options, read syslog command in Appendix A, "lh Reference."
To define a SystemLog report, follow these steps:
- Follow the instructions in Creating Reports.
Select Identity Manager Reports from the first Report Type menu, and select SystemLog Report from the second menu.
The Define a Report page opens.
- Complete the form and click Save.
Click Help if you have questions about the form.
Once you have set and saved report parameters, run the report from the Run Reports list page.
Usage Reports
Create and run usage reports to view graphical and/or tabular summaries of system events related to Identity Manager objects such as administrators, users, roles, or resources. Usage reports display data in a table, and you can also choose to display data in a bar chart, pie chart, or line chart format.
To define a usage report, follow these steps:
- Follow the instructions in Creating Reports.
Select Identity Manager Reports from the first Report Type menu, and select Usage Report from the second menu.
The Define a Report page opens.
- Complete the form and click Save.
Click Help if you have questions about the form.
Once you have set and saved report parameters, run the report from the Run Reports list page.
Usage Report Charts
In Figure 8-4, the table at the top shows events comprising the report and the chart below shows the same information in graphical format.
Figure 8-4 Usage Report (Generated User Accounts)
Workflow Report
This report lists workflows by name and provides the following information:
In addition, clicking the workflow name opens a detailed view of the workflow, which will show each activity that was instrumented within the workflow, and its average time to complete.
Workflow Reports are especially useful for capturing performance metrics that can help establish whether Service Level Agreement (SLA) targets are being met.
Identity Manager must be configured to capture workflow timing metrics as a prerequisite to running Workflow Reports. See the next section for more information.
Configuring Workflows to Capture Audit Timing Events
Before you can run Workflow Reports, you must first turn on workflow auditing for each workflow type that you want to report on.
Note
Auditing workflows degrades performance. Consequently, you should only enable workflow auditing for those workflows that you plan to use with Workflow Reports.
Turn on workflow auditing as follows:
- For workflows that you can configure in the Administrator interface using task templates, select the Audit entire workflow checkbox on the Audit tab of the task template configuration form. See Configuring the Audit Tab for instructions.
- For workflows that do not have task templates, refer to Modifying Workflows to Log Timing Audit Events.
Specifying Attributes to Store for the Workflow Report
While it is not necessary to define attributes, to get the most out of Workflow Reports it is important to store attributes that you later plan to filter your reports on.
To define the set of attributes that you want to store for each workflow type, use the Administrator interface’s tabbed task template configuration form. The Audit tab contains an Audit Attributes section, which is located below the Audit entire workflow checkbox. See Configuring the Audit Tab for instructions.
Defining the Workflow Report
To define a Workflow report, follow these steps:
- Follow the instructions in Creating Reports.
Select Identity Manager Reports from the first Report Type menu, and select Workflow Report from the second menu.
The Define a Report page opens.
- Complete the form and click Save. You can define time parameters as well as add any of the attributes that you elected to audit. (See Specifying Attributes to Store for the Workflow Report in the previous section.)
To narrow your results, specify an attribute name (for example, user.global.state ), select a condition, and enter an attribute value. You can enter as many attributes as you need.
Click Help if you have questions about the form.
Once you have set and saved report parameters, run the report from the Run Reports page. Click Run to produce a report of all results that match the saved criteria.
The report will return workflows by name, along with their average time to complete, the number of times the workflow was requested, and how many of those requests were completed.
Click the workflow name to open a detailed view of the workflow, which will show each activity that was instrumented in the workflow. Because processes can have the same named activities, the activities are scoped by process.
Auditor Reports
Auditor reports provide information that helps you manage user compliance based on criteria defined in audit policies.
Identity Manager provides the following auditor reports:
- Access Review Coverage Report
- Access Review Detail Report
- Access Review Summary Report
- Access Scan User Scope Coverage Report
- Audit Policy Summary Report
- Audited Attribute Report
- AuditPolicy Violation History
- User Access Report
- Organization Violation History
- Resource Violation History
- Separation of Duties Report
- Violation Summary Report
To define an auditor report, follow the steps in Creating Reports.
For more information about auditor reports, see Working with Auditor Reports.
Working with Graphs
You can perform the following activities related to graphs:
Viewing Defined Graphs
Identity Manager provides some sample graphs. Some use sample data and some do not. You are encouraged to create additional graphs that are applicable to your deployment.
You should remove the sample graphs and sample dashboards before moving a deployment into production. Some of the sample graphs that do not use sample data might appear blank if no applicable data has been collected.
To view a defined graph, follow these steps:
- In the Administrator interface, click Reports in the main menu.
- Click Dashboard Graphs in the secondary menu.
- Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.
All graphs in the selected category display in the graphs list.
- Click a graph name.
- If desired, click Pause refresh to pause the dashboard refresh. Click Resume to renew the view.
Note
For dashboards containing many graphs, it is sometimes helpful to pause the refresh until all of the graphs are initially loaded.
- If desired, click Refresh now to force an immediate refresh.
- Click Done to return to the Dashboard Graphs list page.
Note
If any of the graphs show an error message, open the system configuration object for editing and set dashboard.debug=true. Once this property is set, return to the graph that generated the error and use the "Please include this text script if reporting a problem" link to retrieve the graph script. This graph script should be included when reporting the problem.
Creating Graphs
To create a dashboard graph, follow these steps:
- In the Administrator interface, click Reports in the main menu.
- Click Dashboard Graphs in the secondary menu.
- Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.
All graphs in the selected category display in the graphs list.
- Click New to display the Create Dashboard Graph page.
- Enter a Graph Name. Choose a unique, meaningful name because graphs are added to dashboards by name.
- Select a Registry: IDM or SAMPLE.
The sample data selection is provided for you to familiarize yourself with the system. As sample data is not available for all tracked events, this selection is most useful for demos and when experimenting with the various graph options. Delete sample data prior to going to a production environment.
Note
The set of tracked events that use sample data differs from the events that are actually tracked.
- Select the desired type of Tracked Event from the list.
An event is a system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.
Tracked events for the IDM registry are:
- Provisioner Execution Counts — Tracks how many provisioner operations occurred (by operation type).
- Provisioner Execution Duration — Tracks the duration of each provisioner operation (by operation type).
- Resource Operation Count — Tracks the number of resource operations.
- Resource Operation Duration — Tracks the duration of a resource operation.
- Workflow Duration — Tracks how long it takes to execute a workflow.
- Workflow Execution Count — Tracks the number of times each workflow is executed.
- Select a Time Scale from the list.
This controls how often data is aggregated (for example, one hour) and how long it is retained (for example, one month). The system stores tracked event data for progressively larger time scales to allow both a detailed, current view of the system as well as an understanding of historical trends.
- Select a Metric from the list. A default one is selected, either count or average depending on the selected tracked event.
Each graph displays a single metric. The available metrics depend on the selected tracked event. Possible metrics are:
- Count - the total number of times the event occurred in the time interval
- Average - the arithmetic mean of the event values for the time interval
- Maximum - the maximum event value for the time interval
- Minimum - the minimum event value for the time interval
- Histogram - separate counts for discrete ranges of event values for the time interval
- Select Show count as from the list.
The graph count is shown either as a raw total or scaled by various time scales.
- Select a Graph Type from the list.
This controls how the tracked event data is displayed. The available graph types depend on the selected tracked event and can include line graphs, bar charts, and pie charts.
- Base Dimension: If desired, select the following from the list:
- Resource Name. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
- Server Instance. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
- Operation Type. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
After you select the dimension, the page refreshes to display a graph.
- Graph Options: If desired, enter a Graph Subtitle.
This produces a subtitle under the main title of the graph.
- Advanced Graph Options: If desired, select Advanced Graph Options. Select this if you wish to set the following:
- Click Save to create the graph.
Editing Graphs
To edit a dashboard graph, follow these steps:
- In the Administrator interface, click Reports in the main menu.
- Click Dashboard Graphs in the secondary menu.
The Dashboard Graphs page opens.
- From the Select Dashboard Graph Type drop-down menu, select a category.
A table listing dashboard graphs opens.
- Click a graph name to edit it.
The graph attributes you can edit vary depending on the graph selected. One or more of the following characteristics are available for editing:
- Graph Name - Graphs are added to a dashboard by name.
- Registry — Specifies the tracked event description defined in the registry. The current selection includes: SAMPLE, Service Provider, and IDM.
- Tracked Event - A system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.
- Time Scale - Controls how often data is aggregated and how long it is retained.
- Metric - Each graph displays a single metric. The available metrics depend on the selected tracked event. Other options may be available for the metric selected.
- Graph type - Controls how the tracked event data is displayed (for example, line graph or bar graph).
- Included Dimension Values - If selected, all values for the dimensions are included in the graph.
- Graph Subtitle - If desired, enter a subtitle under the main title of the graph.
- Advanced Graph Options - select this if you wish to set the following:
- Click Save.
Deleting Graphs
To delete a defined graph, follow these steps:
- In the Administrator interface, click Reports in the main menu.
- Click Dashboard Graphs in the secondary menu.
- Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.
All graphs in the selected category display in the graphs list.
- Use the checkboxes to select the graphs to delete and then click Delete.
Working with Dashboards
A dashboard is a collection of related graphs that are viewed on a single page. As with graphs, Identity Manager provides a set of sample dashboards that administrators are encouraged to customize to their own deployment. See Creating Dashboards for instructions.
To view Dashboards, follow these steps:
The following sections provide procedures for working with dashboards:
Creating Dashboards
To create dashboards, follow these steps:
- In the Administrator interface, click Reports in the main menu.
- Click View Dashboards in the secondary menu.
- Click New.
- Enter a name for the new dashboard.
- Enter a summary describing the new dashboard.
- Select a refresh rate in either seconds, minutes, or hours, from the list.
Note
Setting a refresh rate of less than 30 seconds can cause problems with dashboards that contain several graphs.
- To associate a graph style to the dashboard, select the appropriate entry from the list.
- To remove a dashboard graph, select the appropriate entry from the list and click Remove Graphs.
- Click Save.
Editing Dashboards
Use the procedure described in creating a dashboard to edit a dashboard, except instead of selecting New, select the dashboard you want to modify and edit the following attributes:
Figure 8-5 illustrates a sample dashboard edit page.
Figure 8-5 Edit Dashboards
Deleting Dashboards
To delete Service Provider dashboards, from the Service Provider area click Manage Dashboards, then select the desired dashboard and click Delete.
Note
The graphs included in the dashboard are not removed using this procedure. Delete graphs using the Manage Dashboard Graphs page (see Deleting Graphs).
System Monitoring
You can set up Identity Manager to track events in real time and monitor the events by viewing them in dashboard graphs. The dashboards allow you to quickly assess system resources and spot abnormalities, to understand historical performance trends (based on time of day, day of week, and so on), and to interactively isolate problems before looking at audit logs. They do not provide as much detail as the audit logs, but they do provide you with hints about where to look for problems in the logs.
You can create graphic dashboard displays to track automated and manual activities at a high level. Identity Manager provides sample resource operations dashboard graphs. The resource operations dashboard graphs enable you to quickly monitor system resources to maintain an acceptable level of service.
You can view sample data for these graphs in the Resource Operations Dashboard. For more information about using dashboards, see Working with Dashboards.
Statistics are collected and aggregated at various levels to present a real-time view based on your specifications.
Tracked Event Configuration
From the Tracked Event Configuration area of the Configure Reports page, you can determine if statistics collection for tracked events is currently enabled, and enable it. Click Enable event collection to enable the tracked event configuration.
Specify the following options for event collection:
The system stores tracked event data for progressively larger time scales to allow a detailed, current view of the system, as well as an understanding of historical trends.
The following time scales are available. All are selected by default. Clear the selections for the intervals you do not want to collect.
After configuring tracked events, use the dashboards to monitor the tracked events. Where present, use the sliders to zoom in on a section of the chart.
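The following Python sketch is an added example, not Identity Manager code. It shows how the metrics listed under Creating Graphs (count, average, maximum, minimum, histogram) behave when the same tracked-event values are aggregated at a small and a large time scale. The event values, the two time scales and the histogram range bounds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: (ISO timestamp in UTC, operation duration in ms).
# These stand in for "Resource Operation Duration" values; they are not
# Identity Manager output.
SAMPLE_EVENTS = [
    ("2008-03-01T10:00:05", 120),
    ("2008-03-01T10:00:40", 80),
    ("2008-03-01T10:01:10", 2500),
    ("2008-03-01T10:30:00", 95),
    ("2008-03-01T11:15:00", 400),
    ("2008-03-01T11:15:30", 60),
]

# Assumed upper bounds (ms) of the histogram ranges; the last range is open.
HISTOGRAM_BOUNDS = [100, 1000]


def bucket_start(ts, scale_seconds):
    """Return the epoch second at which the bucket containing ts begins."""
    parsed = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    epoch = int(parsed.timestamp())
    return epoch - (epoch % scale_seconds)


def histogram(values, bounds):
    """Count values per range: <=bounds[0], <=bounds[1], ..., >bounds[-1]."""
    counts = [0] * (len(bounds) + 1)
    for value in values:
        for i, upper in enumerate(bounds):
            if value <= upper:
                counts[i] += 1
                break
        else:
            counts[-1] += 1  # larger than every bound
    return counts


def aggregate(events, scale_seconds, bounds=HISTOGRAM_BOUNDS):
    """Group events into fixed-width buckets and compute each metric."""
    buckets = defaultdict(list)
    for ts, value in events:
        buckets[bucket_start(ts, scale_seconds)].append(value)

    result = {}
    for start in sorted(buckets):
        values = buckets[start]
        label = datetime.fromtimestamp(start, tz=timezone.utc).strftime(
            "%Y-%m-%dT%H:%M")
        result[label] = {
            "count": len(values),
            "average": sum(values) / len(values),
            "maximum": max(values),
            "minimum": min(values),
            "histogram": histogram(values, bounds),
        }
    return result


if __name__ == "__main__":
    for name, seconds in (("one minute", 60), ("one hour", 3600)):
        print(name)
        for label, metrics in aggregate(SAMPLE_EVENTS, seconds).items():
            print(" ", label, metrics)
```

At the one-minute scale the 2500 ms operation sits alone in its bucket. At the one-hour scale the average falls to 698.75 ms, while the maximum and the histogram still expose the outlier, which is why a graph on a large time scale is more useful for spotting abnormalities when it plots one of those metrics.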
Risk Analysis
Identity Manager risk analysis features let you report on user accounts whose profiles fall outside certain security constraints. Risk analysis reports scan the physical resource to gather data and show, by resource, details about disabled accounts, locked accounts, and accounts with no owners. They also provide details about expired passwords. Report details vary depending on the resource type.
Note
Standard reports are available for AIX, HP, Solaris, NetWare NDS, and Windows Active Directory resources.
Risk analysis pages are controlled by a form and can be configured for your environment. You can find a list of forms under the RiskReportTask object on the idm\debug page, and modify these by using the Identity Manager IDE. See Identity Manager Workflows, Forms, and Views for more information about configuring Identity Manager forms.
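The following Python sketch is an added example, not Identity Manager code. It applies the four conditions named above (disabled, locked, no owner, expired password) to account records and groups the findings by resource, so that the output of a risk analysis report can be cross-checked independently. The record field names, the sample accounts and the rule that a password is expired only when its expiry date is strictly before the review date are assumptions.

```python
from datetime import date

# Constructed sample of resource account records. The field names are
# assumptions for this example, not an Identity Manager export format.
SAMPLE_ACCOUNTS = [
    {"resource": "Solaris-prod", "account": "jdoe", "owner": "jdoe",
     "disabled": False, "locked": False, "password_expires": "2008-06-01"},
    {"resource": "Solaris-prod", "account": "oracle", "owner": None,
     "disabled": False, "locked": False, "password_expires": None},
    {"resource": "AD-corp", "account": "asmith", "owner": "asmith",
     "disabled": True, "locked": False, "password_expires": "2008-01-15"},
    {"resource": "AD-corp", "account": "tmp-contractor", "owner": "  ",
     "disabled": False, "locked": True, "password_expires": "2008-02-28"},
]


def account_findings(acct, today):
    """Return the findings for one account, in a fixed order."""
    found = []
    if acct.get("disabled"):
        found.append("disabled")
    if acct.get("locked"):
        found.append("locked")

    # A missing, empty or whitespace-only owner all count as "no owner".
    owner = acct.get("owner")
    if owner is None or not owner.strip():
        found.append("no owner")

    # No expiry date means the password never expires on that resource,
    # so it is not reported as expired (assumption of this example).
    expires = acct.get("password_expires")
    if expires and date.fromisoformat(expires) < today:
        found.append("expired password")
    return found


def risk_report(accounts, today):
    """Build {resource: {finding: [account, ...]}} with sorted account lists."""
    report = {}
    for acct in accounts:
        for finding in account_findings(acct, today):
            per_resource = report.setdefault(acct["resource"], {})
            per_resource.setdefault(finding, []).append(acct["account"])
    for per_resource in report.values():
        for names in per_resource.values():
            names.sort()
    return report


if __name__ == "__main__":
    review_date = date(2008, 3, 1)  # constructed review date
    for resource, findings in risk_report(SAMPLE_ACCOUNTS, review_date).items():
        print(resource)
        for finding, names in findings.items():
            print("  %-17s %s" % (finding, ", ".join(names)))
```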
Creating Risk Analysis Reports
To create a Risk Analysis report, use the following steps:
- In the Administrator interface, click Reports in the main menu.
- Click Run Risk Analysis in the secondary menu.
- In the New... drop-down menu, select a report to create.
A Risk Analysis Report Settings page opens.
- Complete the form.
You can limit the report to scan selected resources and, depending on the resource type, you can scan for accounts that meet these criteria:
- Click Save.
Scheduling Risk Analysis Reports
Once defined, you can schedule risk analysis reports to run at specified intervals.
To schedule risk analysis reports, follow these steps:
- In the Administrator interface, click Server Tasks in the main menu.
- Click Manage Schedule in the secondary menu.
The Scheduled Tasks page opens.
- Select a risk analysis report to schedule.
The Create New Risk Analysis Task Schedule page opens.
- Enter a name and schedule information, and then optionally adjust other risk analysis selections.
- Click Save to save the schedule.