Previous      Contents      Index      Next
Sun Java[TM] System Identity Manager 7.1 Admininstration

Chapter 7
Reporting

Identity Manager reports on automated and manual system activities. A robust set of reporting features lets you capture and view important access information and statistics on Identity Manager users at any time.

In this chapter, you will learn about the Identity Manager report types, how to create, run, and email reports, and how to download report information.

This chapter is organized in the following sections:

Working with Reports
Report Types
Risk Analysis
System Monitoring
Working with Dashboards

---

Working with Reports

In Identity Manager, reports are considered a special category of task. As a result, you work with reports in two areas of the Identity Manager Administrator interface:

Reports — Use this area to define, run, delete, and download reports. You can also manage scheduled reports.
Tasks — After you define reports, go to the Tasks area to schedule and manipulate report tasks.

Reports

You perform most report-related activities from the Run Reports page, which allows you to accomplish the following report activities:

Create, modify, and delete reports
Run reports
Download report information for use in another application, such as StarOffice.

To view this page, select Reports from the menu bar. The Run Reports page appears, showing a list of available reports.

By default, the following reports are run on the set of organizations controlled by the logged-in administrator, unless overridden by selecting one or more organizations against which the report will be run.

Admin Role Summary
Administrator Summary
Role Summary
User Questions Summary
User Summary

Figure 7-1 shows an example of the Run Reports page.

Figure 7-1  Run Reports Selection

Begin defining reports by using one of these methods:

Create a report.
Select a report to modify and save with a new name (also known as report cloning).

Creating Reports

To create a report, use the following steps:

Select Reports from the menu bar.
Select the report category: Identity Manager Reports or Auditor Reports, and then select a report type from the New list of options.

Identity Manager displays the Define a Report page, where you select and save options to create the report.

Cloning Reports

To clone a report, select a report from the list. Enter the new report name and optionally adjust report parameters, and then click Save to save it with the new name.

Emailing Reports

When creating or editing a report, you can select an option to email the report results to one or more email recipients. When you select this option, the page refreshes and prompts for email recipients. Enter one or more recipients, separating addresses with a comma.

You also can choose the format of the report to be attached to the email:

Attach CSV Format — Attaches report results in comma-separated value (CSV) format.
Attach PDF Format — Attaches report results in Portable Document Format (PDF).

Running Reports

After entering and selecting report criteria, you can:

Run the report without saving — Click Run to run the report. Identity Manager does not save the report (if you defined a new report) or the changed report criteria (if you edited an existing report).
Save the report — Click Save to save the report. Once saved, you can run the report from the Run Reports page (the list of reports).

Scheduling Reports

Depending on whether you want to immediately run a report or schedule it to run at regular intervals, you make different selections:

Reports > Run Reports — Allows you to run saved reports immediately. From the list of reports, click Run. Identity Manager runs the report and then displays the results in summary and detailed formats.
Tasks > Schedule Tasks — Schedules report tasks to be run. After selecting a report task, you can set report frequency and options. You also can adjust specific report details (as in the Define a Report page in the Reports area).

Downloading Report Data

From the Run Reports page, click Download in one of these columns:

Download CSV Report — Downloads report output in CSV format. Once saved, you can open and work with the report in another application, such as StarOffice.
Download PDF Report — Downloads report output in Portable Document Format, which can be viewed with Adobe Reader.

Figure 7-2  Download Reports

Configuring Fonts for Report Output

For reports generated in portable document format (PDF), you can make selections to determine the fonts to be used in the report.

To configure report font selections, click Reports, and then select Configure. These selections are available:

PDF report options
PDF Font Name — Select the font to use when generating PDF reports. By default, only fonts available to all PDF viewers are shown. However, additional fonts (such as those needed to support Asian languages) can be added to the system by copying font definition files into the product's fonts/ directory and restarting the server.

Accepted font definition formats include .ttf, .ttc, .otf, and .afm. If you select one of these fonts, then it must be available at the computer system where the report is viewed. Alternatively select the Embed Font in PDF Documents option.

Embed Font in PDF Documents — Select this option to embed the font definition in the generated PDF report. This ensures that the report is viewable in any PDF viewer.

Note	Embedding the font can greatly increase the size of the document.

CSV Report Options — Select the character set to use when generating reports.

Click Save to save report configuration options.

---

Report Types

Identity Manager provides several report types:

Auditor
AuditLog
Real Time
Summary
SystemLog
Usage

These reports may be accessed through one or both of the following report categories:

Identity Manager Reports
Auditor Reports

Auditor

Auditor reports provide information that help you manage user compliance based on criteria defined in audit policies. For more information about audit policies and the auditor reports, see Chapter 11, "Identity Auditing."

Identity Manager provides the following auditor reports:

Access Review Reports
Audit Policy Scan
Audit Policy Summary Report
Audited Attribute Report
AuditPolicy Violation History
User Access Report
Organization Violation History
Resource Violation History
Violation Summary Report
Separation of Duties Report

To define an auditor report, select the Auditor Reports option on the Run Reports page, and then select the report from the list of Auditor Reports. For more information about the auditor reports, see Chapter 11, "Identity Auditing."

The AuditLog

Audit reports are based on events captured in the system audit log. These reports provide information about generated accounts, approved requests, failed access attempts, password changes and resets, self-provisioning activities, policy violations, and service provider (extranet) users, among others.

Note	Before running audit logs, you must specify the types of Identity Manager events you want to capture. To do this, select Configure from the menu bar, and then select Audit. Select one or more audit group names to record successful and failed events for each group. For more information about setting up audit configuration groups, see Configuring Audit Groups and Audit Events.

You can run the AuditLog Report by selecting it from the list of report options on the Run Reports page. The report is available from both the Identity Manager Reports and Auditor Reports categories.

Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria. Included in the report are the date an event occurred, the action performed, and the result of the action.

Real Time

Real Time reports poll resources directly to report real-time information. Real time reports include:

Resource Group — Summarizes group attributes, including user memberships.
Resource Status — Tests the connection status of one or more specified resources by executing the testConnection method against each resource.
Resource User — Lists user resource accounts and account attributes.

To define a Real Time report, select one of the report options from the Identity Manager Reports list on the Run Reports page.

Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria.

Summary Reports

Summary report types include the following reports available from the Identity Manager Reports list:

Account Index – Report on selected resource accounts according to reconciliation situation.
Administrator – View Identity Manager administrators, the organizations they manage, and assigned capabilities. When defining an administrator report, you can select administrators to include by organization.
Admin Role – List users assigned to admin roles.
Role – Summarize Identity Manager roles and associated resources. When defining a role report, you can select the roles to include by associated organization.
Task – Report on pending and finished tasks. You determine the depth of information to include by selecting from a list of attributes such as approver, description, expiration date, owner, start date, and state.
User – View users, the roles to which they are assigned, and the resources they can access. When defining a user report, you can select which users to include by name, assigned manager, role, organization, or resource assignment.
User Question – Allows administrators to find users who have not answered the minimum number of authentication questions, as specified by their account policy requirements. The results indicate user name, account policy, the interface associated with the policy, and the minimum number of questions that require answers.

As shown in the following illustration, the administrator report lists Identity Manager administrators, the organizations they manage, and their assigned capabilities and admin roles.

Figure 7-3  Administrator Summary Report

SystemLog

A SystemLog report shows system messages and errors that are recorded in the repository. When setting up this report, you can specify to include or exclude:

System components (such as Provisioner, Scheduler, or Server)
Error codes
Severity levels (error, fatal, or warning)

You also set the maximum number of records you want to display (by default, 3000), and whether you want to display the oldest or newest records if available records exceed the specified maximum.

When running a SystemLog Report, specific Syslog entries can be retrieved by specifying the syslog ID of the target entry. For example, to view specific entries in the Recent Systems Messages report, edit the report and select the Event field; then enter the requested syslog ID and click Run.

Note	You also can run the lh syslog command to extract records from the system log. For detailed command options, read syslog command in Appendix A, "lh Reference."

To define a SystemLog report, select SystemLog Report from the list of report options on the Run Reports page.

Usage Reports

Create and run usage reports to view graphical or tabular summaries of system events related to Identity Manager objects such as administrators, users, roles, or resources. You can display output in pie chart, bar graph, or tabular format.

To define a usage report, select Usage Report from the list of report options on the Run Reports list page.

Once you have set and saved report parameters, run the report from the Run Reports list page.

Usage Report Charts

In the following illustration, the table at the top shows events comprising the report. The chart below shows the same information in graphical format. As you move the mouse pointer over each portion of the chart, the value of that portion appears.

Figure 7-4  Usage Report (Generated User Accounts)

You can manipulate portions of a pie chart to highlight them. Right-click and hold a data slice, and then drag it away from center to visually separate it from the other data slices. You can do this with one or more portions of the chart. For most control, click the slice near the center; this allows you to drag it a longer distance from the remaining slices.

You also can rotate the pie chart to your desired view. Click and hold near the edge of the chart, and then move the mouse to right or left to rotate the view.

---

Risk Analysis

Identity Manager risk analysis features let you report on user accounts whose profiles fall outside certain security constraints. Risk analysis reports scan the physical resource to gather data and show, by resource, details about disabled accounts, locked accounts, and accounts with no owners. They also provide details about expired passwords. Report details vary depending on the resource type.

Note	Standard reports are available for AIX, HP, Solaris, NetWare NDS, Windows NT, and Windows Active Directory resources.

Risk analysis pages are controlled by a form and can be configured for your environment. You can find a list of forms under the RiskReportTask object on the idm\debug page, and modify these by using the Business Process Editor. See Identity Manager Workflows, Forms, and Views for more information about configuring Identity Manager forms.

To create a risk analysis report, click Risk Analysis from the menu bar, and then select a report from the New list of options.

You can limit the report to scan selected resources; and depending on the resource type, you can scan for accounts:

That are disabled, expired, inactive, or locked
That have never been used
Do not have a fullname or password
Do not require a password
With passwords that have expired or have not changed for a specified number of days

Once defined, you can schedule risk analysis reports to run at specified intervals.

Click Schedule Tasks, and then select a report to run.
On the Create Task Schedule page, enter a name and schedule information, and then optionally adjust other risk analysis selections.
Click Save to save the schedule.

---

System Monitoring

You can set up Identity Manager to track events in real-time and monitor the events by viewing them in dashboard graphs. The dashboards allow you to quickly assess system resources and spot abnormalities, to understand historical performance trends (based on time of day, day of week, etc.), and to interactively isolate problems before looking at audit logs. They do not provide as much detail as the audit logs, but they do provide you with hints about where to look for problems in the logs.

You can create graphic dashboard displays to track automated and manual activities at a high level. Identity Manager provides sample resource operations dashboard graphs. The resource operations dashboard graphs enable you to quickly monitor system resources to maintain an acceptable level of service.

You can view sample data for these graphs in the Resource Operations Dashboard. For more information about using dashboards, see Working with Dashboards.

Statistics are collected and aggregated at various levels to present a real-time view based on your specifications.

Tracked Event Configuration

From the Tracked Event Configuration area of the Configure Reports page, you can determine if statistics collection for tracked events is currently enabled, and enable it. Click Enable event collection to enable the tracked event configuration.

Specify the following options for event collection:

Time Zone — This option sets the time zone to use for recording tracked events. This primarily determines when day boundaries occur.

Alternatively, you can set the time zone to the default time zone set on the server.

Time Scales to collect — This option specifies the time intervals for which the data is aggregated (in other words, how often it is collected and persisted). For example, if a one-minute interval is selected, data is collected and persisted every minute.

The system stores tracked event data for progressively larger time scales to allow a detailed, current view of the system, as well as an understanding of historical trends.

The folllowing time scales are available. All are selected by default. Clear the selections for the intervals you do not want to collect.

10 Second Intervals
1 Minute Intervals
1 Hour Intervals
1 Day Intervals
1 Week Intervals
1 Month Intervals

After configuring tracked events, use the dashboards to monitor the tracked events.

---

Working with Graphs

You can perform the following activities related to graphs:

View Defined Graphs
Create Graphs
Edit Graphs
Delete Graphs

View Defined Graphs

Identity Manager provides some sample graphs. Some use sample data and some do not. You are encouraged to create additional graphs that are applicable to your deployment.

You should remove the sample graphs and sample dashboards before moving a deployment into production. Some of the sample graphs that do not use sample data might appear blank if no applicable data has been collected.

Click Reports from the menu bar.
Click Dashboard Graphs.
Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.

All graphs in the selected category display in the graphs list.

Click a graph name.
If desired, click Pause refresh to pause the dashboard refresh. Click Resume to renew the view.

Note	For dashboards containing many graphs, it is sometimes helpful to pause the refresh until all of the graphs are initially loaded.

If desired, click Refresh now to force an immediate refresh.
Click Done to return to the Dashboard Graphs list page.

Note	If any of the graphs show an error message, use the debug pages to set dashboard.debug=true in the System Configuration configuration object. Once this property is set, return to the graph that generated the error and use the Please include this text script if reporting a problem link to retrieve the graph script. This graph script should be included when reporting the problem.

Create Graphs

Use the following procedure to create a Dashboard graph:

Select Reports from the menu bar.
Select Dashboard Graphs.
Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.

All graphs in the selected category display in the graphs list.

Click New to display the Create Dashboard Graph page.
Enter a Graph Name. Choose a unique, meaningful name since graphs are added to dashboards by name.
Select a Registry: IDM or SAMPLE.

The sample data selection is provided for you to familiarize yourself with the system. As sample data is not available for all tracked events, this selection is most useful for demos and when experimenting with the various graph options. Delete sample data prior to going to a production environment.

Note	The set of tracked events that use sample data differs from the events that are actually tracked.

Select the desired type of Tracked Event from the list.

An event is a system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.

Tracked events for the IDM registry are:

Provisioner Execution Counts — Tracks how many provisioner operations occurred (by operation type).
Provisioner Execution Duration — Tracks the duration of each provisioner operation (by operation type).
Resource Operation Count — Tracks the number of resource operations.
Resource Operation Duration — Tracks the duration of a resource operation.
Workflow Duration — Tracks how long it takes to execute a workflow.
Workflow Execution Count — Tracks the number of times each workflow is executed.
Select a Time Scale from the list.

This controls how often data is aggregated (for example, one hour) and how often it is retained (for example, one month). The system stores tracked event data for progressively larger time scales to allow both a detailed, current view of the system as well as an understanding of historical trends.

Select a Metric from the list. A default one is selected, either count or average depending on the selected tracked event.

Each graph displays a single metric. The available metrics depend on the selected tracked event. Possible metrics are:

Count - the total number of times the event occurred in the time interval
Average - the arithmetic mean of the event values for the time interval
Maximum - the maximum event value for the time interval
Minimum - the minimum event value for the time interval
Histogram - separate counts for discrete ranges of event values for the time interval
Select Show count as from the list.

The graph count is shown either as a raw total or scaled by various time scales.

Select a Graph Type from the list.

This controls how the tracked event data is displayed. The available graph types depend on the selected tracked event and can include line graphs, bar charts, and pie charts.

Base Dimension

If desired, select the following from the list:
Resource Name. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
Server Instance. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
Operation Type. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.

After you select the dimension, the page refreshes to display a graph.

Graph Options

If desired, enter a Graph Subtitle

This produces a subtitle under the main title of the graph.

Advanced Graph Options

If desired, select Advanced Graph Options. Select this if you wish to set the following:
Grid Lines
Font
Color Palette
Click Save to create the graph.

Edit Graphs

Edit graphs by selecting the Reports tab, selecting a category of dashboard graphs from the Select Dashboard Graph Type options list, and then selecting the graph name from the list.

The graph attributes you can edit vary depending on the graph selected. One or more of the following charactistics are available for editing:

Graph Name - Graphs are added to a dashboard by name.
Registry — Specifies the tracked event description defined in the registry. The current selection includes: SAMPLE, SPE (service providers), and IDM.
Tracked Event - A system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.
Time Scale - Controls how often data is aggregated and how often it is retained.
Metric - Each graph displays a single metric. The available metrics depend on the selected tracked event. Other options may be available for the metric selected.
Graph type - Controls how the tracked event data is displayed (for example, line graph or bar graph).
Included Dimension Values - If selected, all values for the dimensions are included in the graph.
Graph Subtitle - If desired, enter a subtitle under the main title of the graph.
Advanced Graph Options - select this if you wish to set the following:
Grid Lines
Font
Color Palette
Click Save.

Delete Graphs

Delete graphs by selecting them from the list, and then clicking Delete.

Note	Deleting a graph automatically removes it from all dashboards that include it without warning.

---

Working with Dashboards

A dashboard is a collection of related graphs that are viewed on a single page. As with graphs, Identity Manager provides a set of sample dashboards that administrators are encouraged to customize to their own deployment. See Creating Dashboards for instructions.

The following areas in the Reports menu allow you to work with dashboards.

You can view existing dashboards from the Reports area of the Identity Manager interface. Click View Dashboards Dashboard Graphs to list currently defined dashboards, and then click Display next to the dashboard you wish to view.

Note	For dashboards containing many graphs, it's sometimes helpful to pause the refresh until all of the graphs are initially loaded. Click Pause to pause dashboard refresh, or Refresh to renew the view.

The following sections provide procedures for working with dashboards:

Creating Dashboards
Edit Dashboards
Deleting Dashboards

Creating Dashboards

To create dashboards, use the following procedure:

Click Reports from the menu bar.
Click View Dashboards.
Click New.
Enter a name for the new dashboard.
Enter a summary describing the new dashboard.
Select a refresh rate in either seconds, minutes, or hours, from the list.

Note	Setting a refresh rate of less than 30 seconds can cause problems with dashboards that contain several graphs.

To associate a graph style to the dashboard, select the appropriate entry from the list.

Note	A single graph can be used in multiple dashboards.

To remove a dashboard graph, select the appropriate entry from the list and click Remove Graphs.
Click Save.

Edit Dashboards

Use the procedure described in creating a dashboard to edit a dashboard, except instead of selecting New, select the dashboard you want to modify and edit the following attributes:

The name for the dashboard.
The summary describing the new dashboard.
The refresh rate in either seconds, minutes, or hours from the list.
Add or remove graphs associated with a dashbord.

Note	Removing a graph from a dashboard does not delete the graph. The graph is still available for use with other dashboards. A single graph can be used in multiple dashboards.

Figure 7-5 illustrates a sample dashboard edit page.

Figure 7-5  Edit Dashboards

Deleting Dashboards

To delete Service Provider dashboards, from the Service Provider area click Manage Dashboards, then select the desired dashboard and click delete.

Note	The graphs included in the dashboard are not removed using this procedure. Delete graphs using the Manage Dashboard Graphs page (see Delete Graphs).

Searching Transactions

A transaction encapsulates a single provisioning operation, for example creating a new user or assigning new resources. To ensure that these transactions complete when resources are unavailable, they are written to the Transaction Persistent Store.

Note	Using the Edit Transaction Configuration page (see Transaction Management), the administrator can control when transactions are persisted. For instance, they can be persisted immediately, even before they are attempted for the first time.

The Search Transactions page allows you to search for transactions in the Transaction Persistent Store. This includes transactions that are still being retried, as well as transactions that have already completed. Transactions that have not completed can be cancelled preventing any further attempts.

To search transactions:

Log in to Identity Manager.
Click Service Provider from the menu bar.
Click Search Transations.

The Search Conditions page appears.

Note	The search returns only transactions that match all of the conditions selected below. This is similar to the Accounts->Find Users page in Identity Manager.

If desired, select User Name.

This allows you to search for transactions that apply only to users with the accountId that you enter.

Note	If you have configured any Customized queryable user attributes on the Service Provider Edition Transaction Configuration page, then they appear here. For example, you could choose to search based on Last Name or Full Name if these were configured as customized queryable user attributes.

If desired, select search for Type.

This allows you to search for transactions of the selected type or types.

If desired, select search for State.

This allows you to search for transactions in the following selected state or states:

Unattempted transactions have not yet been attempted.
Pending retry transactions have been attempted one or more times, have had one or more errors, and are scheduled to be retried up to the retry limits configured for the individual resources.
Success transactions have completed successfully.
Failure transactions have completed with one or more failures.
If desired, select to search for Attempts.

This allows you to search for transactions based on how many times they have been attempted. Failed transactions are retried up to the retry limits configured for the individual resources.

If desired, select to search for Submitted.

This allows you to search for transactions based on when they were initially submitted in increments of hours, minutes, or days.

If desired, select to search for Completed.

This allows you to search for transactions based on when they were completed in increments of hours, minutes, or days.

If desired, select to search for Cancelled Status.

This allows you to search for transactions based on whether or not they have already been cancelled.

If desired, select to search for Transaction ID.

This allows you to search for transactions based on their unique id. Use this option to find a transaction based on the id value you enter, which appears in all audit log records.

If desired, select to search for Running On (which Server.)

This allows you to search for transactions based on the Service Provider Edition server where they are running. The server's identifier is based on its machine name unless it has been overridden in the Waveset.properties file.

Limit the search to results to first number of entries selected from the list.

Only results up to the specified limit are returned. No indication is made if additional results are available.

Figure 7-6  

Search Transactions

Click Search.

The search results are displayed.

If desired, click Download All Matched Transactions at the bottom of the results page. This saves the results to an XML formatted file.

Note	You can cancel transactions returned in the search results. Select the transaction in the results table and click Cancel Selected. You cannot cancel transactions that have completed or have already been cancelled.

Previous      Contents      Index      Next

---

Part No: 820-0816-10.   Copyright 2007 Sun Microsystems, Inc. All rights reserved.