Oracle® Access Manager Identity and Common Administration Guide
10g (10.1.4.2.0)

Part Number B32419-01

9 Reporting

This chapter provides an overview of reporting features, the information each feature presents, the types of output available, and possible uses for these reports. This chapter covers the following topics:

9.1 About Reporting

Oracle Access Manager can collect and present a wide range of information related to the following:

To help distinguish among the many report-related features built into Oracle Access Manager, this chapter reserves certain terms to describe specific functional areas, as explained in the following table:

Table 9-1 Reserved Terms Used for Reporting

Feature Description

Monitoring

Refers exclusively to the SNMP data collected so that you can monitor the health and performance of the network components that host your system. For a complete discussion of SNMP Monitoring, see "SNMP Monitoring".

Logging

Refers exclusively to program execution data collected so that you can diagnose the health of the components that make up your system, troubleshoot execution errors, and debug custom AccessGates and other plug-ins. For a complete discussion of logging, see "Logging".

Auditing

Refers to two types of data:

  • Dynamic audit data is collected from Access Servers and Identity Servers. It encompasses Oracle Access Manager system events such as resource requests, password changes, and account revocation.

  • Static audit data is collected from the directory server. It encompasses policy and profile information.

For a general discussion of static and dynamic reports, see "Report Types".

For a complete discussion of auditing, see "Auditing".

Diagnostics

The Access Server and Identity Server provide diagnostic tools to help you work with an Oracle Technical Support representative to troubleshoot problems. See "Capturing Diagnostic Information" for details.

You can also collect information about parameter settings and states for Access Servers, Identity Servers, and their connections to the Oracle Access Manager directory components. See Table 11-1 for details.

Access Testing

Refers exclusively to the on-screen display that provides a quick way of determining whether a given user has access to a given resource at a given time. For more on access testing, see Table 11-1.

Filtered Queries

Refers to the advanced searches of the directory conducted through various Oracle Access Manager applications to generate lists of users or resources that share certain combinations of profile or policy attributes. For more on advanced filtered queries, see Table 11-1.

Audit Reports

Refers exclusively to data that is collected from the Oracle Access Manager servers and directory server, stored in the audit database, then extracted, compiled, and formatted by preconfigured Crystal Reports presentation templates. For a complete discussion of Audit Reports, see "About Audit Reports" and "Setting up Audit Reports".


9.1.1 Report Types

The information collected and reported by the various reporting features falls into two broad categories:

  • Static reports: Generally compiled from settings stored on Oracle Access Manager components or third-party related components. For example, policy and profile information stored on the Oracle Access Manager directory server is classified as static audit data. Connection settings (and states) fall into the Diagnostic category. Certain Audit Reports use static (stored) policy and profile information to compile a list of resources that are available to specified users during specified times.

  • Dynamic reports: Focus on events and changes in state at various levels throughout the Oracle Access Manager system. For example, the logging feature can record each function call (and outcome) originating from a given component. This low-level trace capability can be useful to developers. At the other end of the spectrum, the dynamic audit feature can reveal system intrusion threats by reporting patterns of failed authentication attempts on specific servers during a specific interval.

9.1.2 Data Sources

The reporting features can gather data from a variety of sources, the most important of which are covered in Table 9-2.

Table 9-2 Primary Data Sources for the Reporting Features

Data Source Description

Oracle Access Manager directory

Stores several types of static information, including the following:

  • User, group, and organization profile settings

  • Policy settings for protecting resources

  • Connection settings such as those used to connect with Oracle Access Manager components or the various databases used by Oracle Access Manager

  • Certain security settings

  • Schema used to organize the LDAP directory at the heart of the Oracle Access Manager system

Component configuration files

Many key settings reside in configuration files stored within the directory structure of the Oracle Access Manager component they affect. This can range from the path to a database driver to the size of the buffer used for queuing log output.

System configuration files

These settings for the machines that host the various Oracle Access Manager components can be environment variables that make components visible to each other, or they can be protocol settings that enable components to communicate at the same level. Generally, Oracle Access Manager does not report such system-level configurations directly, but it can sometimes report corresponding settings that must match the settings established at the host system level.

Access Servers

In addition to providing configuration information about the settings they maintain to interact with other components, Access Servers can report Access System events such as authorization requests and their outcomes. This information is useful for determining who has gained (or tried to gain) access to what during a certain interval.

Identity Servers

Identity Servers also store certain settings that govern how they interact with other components. Additionally, they report Identity System events such as who attempted to submit credentials at what time, and whether that authentication attempt succeeded.

Other components

Components such as the Policy Manager can report changes to policies and certain other activities and settings.


9.1.3 Data Output

Generally, the various types of reports can send data to one or more of the following destinations:

  • The Oracle Access Manager graphical user interface

  • A plain text file on the machine hosting the component that is sending the data

  • A system file on the machine hosting the component that is sending the data

  • A central database

    Note:

    When data is sent to the audit database, it is generally filtered, compiled, and presented using special Crystal Reports templates that generate Audit Reports.

    When a report is sent to the graphical user interface, it is likely to be somewhat less extensive than the equivalent type sent to a file or database. For instance, the on-screen Access Tester tool cannot report on the kind of complex user and resource groups that are available through the User Access Privilege tool, which sends output to a plain-text file or the audit database.

9.1.4 Output Configuration

Generally, you can format report output in one or both of the following ways:

  • Through the Oracle Access Manager graphical user interface

  • By manually editing a plain-text configuration file.

In a limited number of cases and to a limited extent, you can configure report output through a third-party GUI. For example, you can edit the templates used to generate the Audit Reports through the Crystal Reports interface.

9.1.5 Data Uses

Reports can prove useful to a variety of people, including the following:

  • Administrators for Oracle Access Manager

  • Network administrators

  • Security administrators

  • Compliance administrators

  • Custom AccessGate and plug-in developers

9.2 Summary of Reporting Features

Table 9-3 provides an overview of the reporting features, the information they present, and potential uses to which these features can be applied.

Table 9-3 Overview of Reporting Features

| Feature | Type | Output | Source | Data | Potential uses |
|---|---|---|---|---|---|
| Monitoring | Dynamic | File | SNMP monitor | Network component states and events | Monitoring and troubleshooting the network hosting your Oracle Access Manager system |
| Logging | Dynamic | File | Oracle Access Manager components | Program execution (states and events) | Diagnosing component health and debugging custom AccessGate and plug-in code |
| Auditing | Dynamic | File, DB | Oracle Access Manager servers | System events | Tracking usage patterns, system performance, component loading, and security compliance |
| Auditing | Static | File, DB | directory server | Profile and policy attributes | Identifying users and resources that fit specified patterns |
| Diagnostics | Static or dynamic | GUI or file | directory server, Oracle Access Manager servers | Directory component, server, and connection settings and states; all program and thread calls | Verifying server and directory server settings, states, and connection details; taking stack traces |
| Access Tests | Static | GUI | directory server | Profile and policy attributes | Quick determination of who has access to what at a given time. |
| Filtered Queries | Static | GUI, file | directory server | Profile and policy attributes | Reporting on complex combinations of shared profile and policy attributes |
| Audit Reports (from Crystal Report templates by way of the audit database) | | | | | |
| Global Access | Static | GUI, file, hardcopy | directory server by way of audit db | Profile and policy attributes | Advanced reports on user and resource access privileges |
| Authentication | Dynamic | GUI, file, hardcopy | component servers by way of audit db | Authentication events | Statistics on authentication events |
| Authorization | Dynamic | GUI, file, hardcopy | component servers by way of audit db | Authorization events | Statistics on authorization events |
| Activity | Dynamic | GUI, file, hardcopy | component servers by way of audit db | Access and Identity System events | Statistics on and lists of various Oracle Access Manager events |
| ID history | Dynamic | GUI, file, hardcopy | component servers by way of audit db | Profile attributes and changes to attributes | Statistics on and lists of identity profile changes |