Sun Java[TM] System Identity Manager 7.1 Administration
Chapter 7
Reporting
Identity Manager reports on automated and manual system activities. A robust set of reporting features lets you capture and view important access information and statistics on Identity Manager users at any time.
In this chapter, you will learn about the Identity Manager report types, how to create, run, and email reports, and how to download report information.
This chapter is organized in the following sections:
Working with Reports
In Identity Manager, reports are considered a special category of task. As a result, you work with reports in two areas of the Identity Manager Administrator interface:
Reports
You perform most report-related activities from the Run Reports page, which allows you to accomplish the following report activities:
To view this page, select Reports from the menu bar. The Run Reports page appears, showing a list of available reports.
By default, the following reports are run on the set of organizations controlled by the logged-in administrator, unless overridden by selecting one or more organizations against which the report will be run.
Figure 7-1 shows an example of the Run Reports page.
Figure 7-1 Run Reports Selection
Begin defining reports by using one of these methods:
Creating Reports
To create a report, use the following steps:
Identity Manager displays the Define a Report page, where you select and save options to create the report.
Cloning Reports
To clone a report, select a report from the list. Enter the new report name and optionally adjust report parameters, and then click Save to save it with the new name.
Emailing Reports
When creating or editing a report, you can select an option to email the report results to one or more email recipients. When you select this option, the page refreshes and prompts for email recipients. Enter one or more recipients, separating addresses with a comma.
You also can choose the format of the report to be attached to the email:
Running Reports
After entering and selecting report criteria, you can:
- Run the report without saving — Click Run to run the report. Identity Manager does not save the report (if you defined a new report) or the changed report criteria (if you edited an existing report).
- Save the report — Click Save to save the report. Once saved, you can run the report from the Run Reports page (the list of reports).
Scheduling Reports
Depending on whether you want to immediately run a report or schedule it to run at regular intervals, you make different selections:
- Reports > Run Reports — Allows you to run saved reports immediately. From the list of reports, click Run. Identity Manager runs the report and then displays the results in summary and detailed formats.
- Tasks > Schedule Tasks — Schedules report tasks to be run. After selecting a report task, you can set report frequency and options. You also can adjust specific report details (as in the Define a Report page in the Reports area).
Downloading Report Data
From the Run Reports page, click Download in one of these columns:
Configuring Fonts for Report Output
For reports generated in portable document format (PDF), you can make selections to determine the fonts to be used in the report.
To configure report font selections, click Reports, and then select Configure. These selections are available:
- PDF report options
- PDF Font Name — Select the font to use when generating PDF reports. By default, only fonts available to all PDF viewers are shown. However, additional fonts (such as those needed to support Asian languages) can be added to the system by copying font definition files into the product's fonts/ directory and restarting the server.
- CSV Report Options — Select the character set to use when generating reports.
Click Save to save report configuration options.
Report Types
Identity Manager provides several report types:
These reports may be accessed through one or both of the following report categories:
Auditor
Auditor reports provide information that helps you manage user compliance based on criteria defined in audit policies. For more information about audit policies and the auditor reports, see Chapter 11, "Identity Auditing."
Identity Manager provides the following auditor reports:
To define an auditor report, select the Auditor Reports option on the Run Reports page, and then select the report from the list of Auditor Reports. For more information about the auditor reports, see Chapter 11, "Identity Auditing."
The AuditLog
Audit reports are based on events captured in the system audit log. These reports provide information about generated accounts, approved requests, failed access attempts, password changes and resets, self-provisioning activities, policy violations, and service provider (extranet) users, among others.
Note
Before running audit logs, you must specify the types of Identity Manager events you want to capture. To do this, select Configure from the menu bar, and then select Audit. Select one or more audit group names to record successful and failed events for each group. For more information about setting up audit configuration groups, see Configuring Audit Groups and Audit Events.
You can run the AuditLog Report by selecting it from the list of report options on the Run Reports page. The report is available from both the Identity Manager Reports and Auditor Reports categories.
Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria. Included in the report are the date an event occurred, the action performed, and the result of the action.
Real Time
Real Time reports poll resources directly to report real-time information. Real time reports include:
To define a Real Time report, select one of the report options from the Identity Manager Reports list on the Run Reports page.
Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria.
Summary Reports
Summary report types include the following reports available from the Identity Manager Reports list:
- Account Index – Report on selected resource accounts according to reconciliation situation.
- Administrator – View Identity Manager administrators, the organizations they manage, and assigned capabilities. When defining an administrator report, you can select administrators to include by organization.
- Admin Role – List users assigned to admin roles.
- Role – Summarize Identity Manager roles and associated resources. When defining a role report, you can select the roles to include by associated organization.
- Task – Report on pending and finished tasks. You determine the depth of information to include by selecting from a list of attributes such as approver, description, expiration date, owner, start date, and state.
- User – View users, the roles to which they are assigned, and the resources they can access. When defining a user report, you can select which users to include by name, assigned manager, role, organization, or resource assignment.
- User Question – Allows administrators to find users who have not answered the minimum number of authentication questions, as specified by their account policy requirements. The results indicate user name, account policy, the interface associated with the policy, and the minimum number of questions that require answers.
As shown in the following illustration, the administrator report lists Identity Manager administrators, the organizations they manage, and their assigned capabilities and admin roles.
Figure 7-3 Administrator Summary Report
SystemLog
A SystemLog report shows system messages and errors that are recorded in the repository. When setting up this report, you can specify to include or exclude:
You also set the maximum number of records you want to display (by default, 3000), and whether you want to display the oldest or newest records if available records exceed the specified maximum.
When running a SystemLog Report, specific Syslog entries can be retrieved by specifying the syslog ID of the target entry. For example, to view specific entries in the Recent Systems Messages report, edit the report and select the Event field; then enter the requested syslog ID and click Run.
Note
You also can run the lh syslog command to extract records from the system log. For detailed command options, read syslog command in Appendix A, "lh Reference."
To define a SystemLog report, select SystemLog Report from the list of report options on the Run Reports page.
Usage Reports
Create and run usage reports to view graphical or tabular summaries of system events related to Identity Manager objects such as administrators, users, roles, or resources. You can display output in pie chart, bar graph, or tabular format.
To define a usage report, select Usage Report from the list of report options on the Run Reports list page.
Once you have set and saved report parameters, run the report from the Run Reports list page.
Usage Report Charts
In the following illustration, the table at the top shows events comprising the report. The chart below shows the same information in graphical format. As you move the mouse pointer over each portion of the chart, the value of that portion appears.
Figure 7-4 Usage Report (Generated User Accounts)
You can manipulate portions of a pie chart to highlight them. Right-click and hold a data slice, and then drag it away from center to visually separate it from the other data slices. You can do this with one or more portions of the chart. For the most control, click the slice near the center; this allows you to drag it a longer distance from the remaining slices.
You also can rotate the pie chart to your desired view. Click and hold near the edge of the chart, and then move the mouse to right or left to rotate the view.
Risk Analysis
Identity Manager risk analysis features let you report on user accounts whose profiles fall outside certain security constraints. Risk analysis reports scan the physical resource to gather data and show, by resource, details about disabled accounts, locked accounts, and accounts with no owners. They also provide details about expired passwords. Report details vary depending on the resource type.
Note
Standard reports are available for AIX, HP, Solaris, NetWare NDS, Windows NT, and Windows Active Directory resources.
Risk analysis pages are controlled by a form and can be configured for your environment. You can find a list of forms under the RiskReportTask object on the idm\debug page, and modify these by using the Business Process Editor. See Identity Manager Workflows, Forms, and Views for more information about configuring Identity Manager forms.
To create a risk analysis report, click Risk Analysis from the menu bar, and then select a report from the New list of options.
You can limit the report to scan selected resources; and depending on the resource type, you can scan for accounts:
Once defined, you can schedule risk analysis reports to run at specified intervals.
System Monitoring
You can set up Identity Manager to track events in real-time and monitor the events by viewing them in dashboard graphs. The dashboards allow you to quickly assess system resources and spot abnormalities, to understand historical performance trends (based on time of day, day of week, etc.), and to interactively isolate problems before looking at audit logs. They do not provide as much detail as the audit logs, but they do provide you with hints about where to look for problems in the logs.
You can create graphic dashboard displays to track automated and manual activities at a high level. Identity Manager provides sample resource operations dashboard graphs. The resource operations dashboard graphs enable you to quickly monitor system resources to maintain an acceptable level of service.
You can view sample data for these graphs in the Resource Operations Dashboard. For more information about using dashboards, see Working with Dashboards.
Statistics are collected and aggregated at various levels to present a real-time view based on your specifications.
Tracked Event Configuration
From the Tracked Event Configuration area of the Configure Reports page, you can determine if statistics collection for tracked events is currently enabled, and enable it. Click Enable event collection to enable the tracked event configuration.
Specify the following options for event collection:
The system stores tracked event data for progressively larger time scales to allow a detailed, current view of the system, as well as an understanding of historical trends.
The following time scales are available. All are selected by default. Clear the selections for the intervals you do not want to collect.
After configuring tracked events, use the dashboards to monitor the tracked events.
Working with Graphs
You can perform the following activities related to graphs:
View Defined Graphs
Identity Manager provides some sample graphs. Some use sample data and some do not. You are encouraged to create additional graphs that are applicable to your deployment.
You should remove the sample graphs and sample dashboards before moving a deployment into production. Some of the sample graphs that do not use sample data might appear blank if no applicable data has been collected.
- Click Reports from the menu bar.
- Click Dashboard Graphs.
- Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.
All graphs in the selected category display in the graphs list.
- Click a graph name.
- If desired, click Pause refresh to pause the dashboard refresh. Click Resume to renew the view.
Note
For dashboards containing many graphs, it is sometimes helpful to pause the refresh until all of the graphs are initially loaded.
- If desired, click Refresh now to force an immediate refresh.
- Click Done to return to the Dashboard Graphs list page.
Create Graphs
Use the following procedure to create a Dashboard graph:
- Select Reports from the menu bar.
- Select Dashboard Graphs.
- Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.
All graphs in the selected category display in the graphs list.
- Click New to display the Create Dashboard Graph page.
- Enter a Graph Name. Choose a unique, meaningful name since graphs are added to dashboards by name.
- Select a Registry: IDM or SAMPLE.
The sample data selection is provided for you to familiarize yourself with the system. As sample data is not available for all tracked events, this selection is most useful for demos and when experimenting with the various graph options. Delete sample data prior to going to a production environment.
Note
The set of tracked events that use sample data differs from the events that are actually tracked.
- Select the desired type of Tracked Event from the list.
An event is a system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.
Tracked events for the IDM registry are:
- Provisioner Execution Counts — Tracks how many provisioner operations occurred (by operation type).
- Provisioner Execution Duration — Tracks the duration of each provisioner operation (by operation type).
- Resource Operation Count — Tracks the number of resource operations.
- Resource Operation Duration — Tracks the duration of a resource operation.
- Workflow Duration — Tracks how long it takes to execute a workflow.
- Workflow Execution Count — Tracks the number of times each workflow is executed.
- Select a Time Scale from the list.
This controls how often data is aggregated (for example, one hour) and how long it is retained (for example, one month). The system stores tracked event data for progressively larger time scales to allow both a detailed, current view of the system and an understanding of historical trends.
- Select a Metric from the list. A default one is selected, either count or average depending on the selected tracked event.
Each graph displays a single metric. The available metrics depend on the selected tracked event. Possible metrics are:
- Count - the total number of times the event occurred in the time interval
- Average - the arithmetic mean of the event values for the time interval
- Maximum - the maximum event value for the time interval
- Minimum - the minimum event value for the time interval
- Histogram - separate counts for discrete ranges of event values for the time interval
- Select Show count as from the list.
The graph count is shown either as a raw total or scaled by various time scales.
- Select a Graph Type from the list.
This controls how the tracked event data is displayed. The available graph types depend on the selected tracked event and can include line graphs, bar charts, and pie charts.
Base Dimension
- If desired, select the following from the list:
- Resource Name. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
- Server Instance. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
- Operation Type. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.
After you select the dimension, the page refreshes to display a graph.
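The following Python sketch is an added example, not Identity Manager code: it models how the Time Scale, Metric, Show count as, and dimension selections described above combine for a Resource Operation Duration event. The event records, resource and server names, histogram ranges, and the per-second scaling are all assumptions made for illustration.

```python
import bisect
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TrackedEvent:
    when: datetime
    resource: str       # "Resource Name" dimension
    server: str         # "Server Instance" dimension
    operation: str      # "Operation Type" dimension
    duration_ms: float  # event value (Resource Operation Duration)


# Constructed sample events; resource and server names are made up.
T0 = datetime(2024, 1, 1, 9, 0, 0)
ONE_MINUTE = timedelta(minutes=1)
SAMPLE = [
    TrackedEvent(T0 + timedelta(seconds=5), "LDAP", "idm1", "create", 120.0),
    TrackedEvent(T0 + timedelta(seconds=20), "LDAP", "idm1", "update", 80.0),
    TrackedEvent(T0 + timedelta(seconds=40), "AD", "idm2", "create", 2400.0),
    TrackedEvent(T0 + timedelta(seconds=70), "LDAP", "idm1", "create", 100.0),
    TrackedEvent(T0 + timedelta(seconds=95), "AD", "idm2", "update", 300.0),
]

# Assumed histogram ranges in ms: <100, 100 to <1000, >=1000.
HISTOGRAM_EDGES_MS = (100.0, 1000.0)
EPOCH = datetime(1970, 1, 1)


def bucket_start(when, interval):
    """Floor a timestamp to the start of its aggregation interval."""
    return EPOCH + ((when - EPOCH) // interval) * interval


def metrics(values, interval):
    """Compute the five metrics for the event values of one interval."""
    hist = [0] * (len(HISTOGRAM_EDGES_MS) + 1)
    for v in values:
        hist[bisect.bisect_right(HISTOGRAM_EDGES_MS, v)] += 1
    return {
        "count": len(values),  # "Show count as": raw total
        # "Show count as": scaled by a time scale (assumed here: per second)
        "count_per_second": len(values) / interval.total_seconds(),
        "average": sum(values) / len(values),
        "maximum": max(values),
        "minimum": min(values),
        "histogram": hist,
    }


def summarize(events, interval, include=None):
    """Aggregate events per interval.

    include maps a dimension name to the set of values to keep; a dimension
    that is absent keeps all of its values (the "all values" selection).
    """
    include = include or {}
    buckets = defaultdict(list)
    for ev in events:
        if all(getattr(ev, dim) in ok for dim, ok in include.items()):
            buckets[bucket_start(ev.when, interval)].append(ev.duration_ms)
    return {s: metrics(v, interval) for s, v in sorted(buckets.items())}


if __name__ == "__main__":
    for start, m in summarize(SAMPLE, ONE_MINUTE).items():
        print("all resources", start.time(), m)
    ldap_only = summarize(SAMPLE, ONE_MINUTE, include={"resource": {"LDAP"}})
    for start, m in ldap_only.items():
        print("LDAP only    ", start.time(), m)
```

In the first interval the single 2400 ms operation shows up in Maximum and in the top Histogram range, while Average alone would blur it with the faster operations; restricting the Resource Name dimension to one value removes it from the graph entirely.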
Graph Options
Advanced Graph Options
Edit Graphs
Edit graphs by selecting the Reports tab, selecting a category of dashboard graphs from the Select Dashboard Graph Type options list, and then selecting the graph name from the list.
The graph attributes you can edit vary depending on the graph selected. One or more of the following characteristics are available for editing:
- Graph Name - Graphs are added to a dashboard by name.
- Registry — Specifies the tracked event description defined in the registry. The current selection includes: SAMPLE, SPE (service providers), and IDM.
- Tracked Event - A system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.
- Time Scale - Controls how often data is aggregated and how long it is retained.
- Metric - Each graph displays a single metric. The available metrics depend on the selected tracked event. Other options may be available for the metric selected.
- Graph type - Controls how the tracked event data is displayed (for example, line graph or bar graph).
- Included Dimension Values - If selected, all values for the dimensions are included in the graph.
- Graph Subtitle - If desired, enter a subtitle under the main title of the graph.
- Advanced Graph Options - select this if you wish to set the following:
- Click Save.
Delete Graphs
Delete graphs by selecting them from the list, and then clicking Delete.
Working with Dashboards
A dashboard is a collection of related graphs that are viewed on a single page. As with graphs, Identity Manager provides a set of sample dashboards that administrators are encouraged to customize to their own deployment. See Creating Dashboards for instructions.
The following areas in the Reports menu allow you to work with dashboards.
You can view existing dashboards from the Reports area of the Identity Manager interface. Click View Dashboards Dashboard Graphs to list currently defined dashboards, and then click Display next to the dashboard you wish to view.
The following sections provide procedures for working with dashboards:
Creating Dashboards
To create dashboards, use the following procedure:
- Click Reports from the menu bar.
- Click View Dashboards.
- Click New.
- Enter a name for the new dashboard.
- Enter a summary describing the new dashboard.
- Select a refresh rate in either seconds, minutes, or hours, from the list.
Note
Setting a refresh rate of less than 30 seconds can cause problems with dashboards that contain several graphs.
- To associate a graph style to the dashboard, select the appropriate entry from the list.
- To remove a dashboard graph, select the appropriate entry from the list and click Remove Graphs.
- Click Save.
Edit Dashboards
Use the procedure described in creating a dashboard to edit a dashboard, except instead of selecting New, select the dashboard you want to modify and edit the following attributes:
Figure 7-5 illustrates a sample dashboard edit page.
Figure 7-5 Edit Dashboards
Deleting Dashboards
To delete Service Provider dashboards, from the Service Provider area click Manage Dashboards, then select the desired dashboard and click Delete.
Note
The graphs included in the dashboard are not removed using this procedure. Delete graphs using the Manage Dashboard Graphs page (see Delete Graphs).
Searching Transactions
A transaction encapsulates a single provisioning operation, for example creating a new user or assigning new resources. To ensure that these transactions complete when resources are unavailable, they are written to the Transaction Persistent Store.
The Search Transactions page allows you to search for transactions in the Transaction Persistent Store. This includes transactions that are still being retried, as well as transactions that have already completed. Transactions that have not completed can be cancelled, preventing any further attempts.
To search transactions:
- Log in to Identity Manager.
- Click Service Provider from the menu bar.
- Click Search Transactions.
The Search Conditions page appears.
Note
The search returns only transactions that match all of the conditions selected below. This is similar to the Accounts->Find Users page in Identity Manager.
- If desired, select User Name.
This allows you to search for transactions that apply only to users with the accountId that you enter.
- If desired, select search for Type.
This allows you to search for transactions of the selected type or types.
- If desired, select search for State.
This allows you to search for transactions in the following selected state or states:
- Unattempted transactions have not yet been attempted.
- Pending retry transactions have been attempted one or more times, have had one or more errors, and are scheduled to be retried up to the retry limits configured for the individual resources.
- Success transactions have completed successfully.
- Failure transactions have completed with one or more failures.
- If desired, select to search for Attempts.
This allows you to search for transactions based on how many times they have been attempted. Failed transactions are retried up to the retry limits configured for the individual resources.
- If desired, select to search for Submitted.
This allows you to search for transactions based on when they were initially submitted in increments of hours, minutes, or days.
- If desired, select to search for Completed.
This allows you to search for transactions based on when they were completed in increments of hours, minutes, or days.
- If desired, select to search for Cancelled Status.
This allows you to search for transactions based on whether or not they have already been cancelled.
- If desired, select to search for Transaction ID.
This allows you to search for transactions based on their unique id. Use this option to find a transaction based on the id value you enter, which appears in all audit log records.
- If desired, select to search for Running On (which Server.)
This allows you to search for transactions based on the Service Provider Edition server where they are running. The server's identifier is based on its machine name unless it has been overridden in the Waveset.properties file.
- Limit the search results to the first number of entries selected from the list.
Only results up to the specified limit are returned. No indication is made if additional results are available.
Figure 7-6 Search Transactions
- Click Search.
The search results are displayed.
- If desired, click Download All Matched Transactions at the bottom of the results page. This saves the results to an XML formatted file.