Chapter 8 Reporting

Identity Manager reports on automated and manual system activities. A robust set of reporting features lets you capture and view important access information and statistics on Identity Manager users at any time.

In this chapter, you will learn about the Identity Manager report types, how to create, run, and email reports, and how to download report information.

This chapter is organized into the following topics:

• Working with Reports

• Identity Manager Reports

• Auditor Reports

• Working with Graphs

• Working with Dashboards

• System Monitoring

• Risk Analysis

Working with Reports

In Identity Manager, reports are considered a special task category. As a result, you work with reports in two areas of the Identity Manager Administrator interface:

• Reports (Run Reports). Use the Run Reports area to define, run, delete, and download reports. Only administrators with sufficient capabilities can define, run, delete, and download reports. See Appendix D, Capabilities Definitions for more information.

• Server Tasks. After you define reports, go to the Scheduled Tasks area (Server Tasks -> Manage Schedule) to schedule and modify report tasks. TaskDefinition objects must contain visibility=schedule in order to be scheduled. Use the debug pages to make this change. See Editing Identity Manager Configuration Objects for more information.

Report Types

Reports are organized into two categories:

• Identity Manager Reports. Includes a variety of report types, including real-time, summary, audit log, system log, and usage reports.

• Auditor Reports. Provides information that helps you manage user compliance based on criteria defined in audit policies.

Within these two categories, reports are further divided into a variety of report types. Report types are discussed in greater detail later in this chapter. Identity Manager reports are discussed starting on Identity Manager Reports and Auditor reports on Auditor Reports.

For instructions on how to view Identity Manager Reports and Auditor Reports, see Viewing Reports.

Running Reports

To Run a Report

1. In the Administrator interface, click Reports in the main menu.

   The Run Reports page opens.

2. To view a list of available Identity Manager Reports, select Identity Manager Reports in the Report Type drop-down menu. (This option is selected by default.)

   To view a list of available Auditor Reports, select Auditor Reports in the Report Type drop-down menu. See Working with Auditor Reports in Chapter 15, Auditing: Monitoring Compliance for more information.

   Figure 8–1 shows an example of the Run Reports page. Auditor Reports are selected in the Report Type drop-down menu.

   Figure 8–1 Run Reports Selection

   
   

3. Click Run to run a report.

   ---

   Note –

   To allow multiple instances of the same report to run at the same time, edit the report and select the Allow Reports to Execute Concurrently option. Enabling this option allows multiple administrators to run the same report at the same time.

   If two or more instances of the same report run concurrently, each report will have the administrator’s ID followed by a timestamp appended to the report name.

   ---

Viewing Reports

After running a report from the Run Reports page, you can view the output immediately or at a later time.

To View a Report

1. In the Administrator interface, click Reports in the main menu.

   The Run Reports page opens.

2. Click the View Reports tab.

   The View Reports page opens.

3. Click a report to view it.

Creating Reports

This section describes how to create a new Identity Manager or Identity Auditor report that is not based on an existing report.

---

Note –

To modify an existing report and save it with a new name, see Editing and Cloning Reports in the next section.

---

To Create a New Report

1. In the Administrator interface, click Reports in the main menu.

   The Run Reports page opens.

2. Use the Report Type drop-down menu to select a report category.

   There are two report categories:

   • Identity Manager Reports

   • Identity Auditor Reports

3. Use the next drop-down menu to select a specific report type to create. (This menu says New at the top.)

   Identity Manager displays the Define a Report page, where you choose options to create the report, run it, or save it.

   After entering and selecting report criteria, you can:

   • Run the report without saving. Click Run to run the report. Identity Manager does not save the report (if you defined a new report) or the changed report criteria (if you edited an existing report).

   • Save the report. Click Save to save the report. Once saved, you can run the report from the Run Reports page (the list of reports).

   For more information on running reports, see Running Reports.

Editing and Cloning Reports

This section describes how to modify or clone an existing report and save it with a new name.

To Edit or Clone a Report

1. In the Administrator interface, click Reports in the main menu.

   The Run Reports page opens.

2. Use the Report Type drop-down menu to select a report category.

   There are two report categories:

   • Identity Manager Reports

   • Auditor Reports

     The table of reports shows the existing reports in the category selected.

3. Click a report name to edit it.

4. To edit a report, adjust the report parameters as needed and click Save.

   To clone a report, enter a new report name. adjust the report parameters as needed, and click Save to save it with the new name.

Sending Email Reports

When creating or editing a report, you can select an option to email the report results to one or more email recipients. When you select this option, the page refreshes and prompts for email recipients. Enter one or more recipients, separating addresses with a comma.

You also can choose one of the following formats for the report to be attached to the email:

• Attach CSV Format. Attaches report results in comma-separated value (CSV) format.

• Attach PDF Format. Attaches report results in Portable Document Format (PDF).

Scheduling Reports

You can immediately run a report or schedule it to run at regular intervals by choosing one of the following selections:

• Select Reports -> Run Reports to run saved reports immediately. From the list of reports, click Run. Identity Manager runs the report and then displays the results in summary and detailed formats.

• Select Server Tasks -> Manage Schedule to schedule when report tasks are run. After selecting a report task, you can set report frequency and options. You also can adjust specific report details (as in the Define a Report page in the Reports area).

  For a report TaskDefinition to show up in this list, you must set the visibility attribute in the TaskDefinition object to schedule.

Downloading Report Data

From the Run Reports page you can download report information for use in another application, such as Acrobat Reader or StarOffice.

Open the Run Reports page and click Download in one of these columns:

• Download CSV Report. Downloads report output in CSV format. Once saved, you can open and work with the report in another application, such as StarOffice.

• Download PDF Report. Downloads report output in Portable Document Format, which can be viewed with Adobe Reader.

  

Configuring Report Output

To configure report output, click Reports, and then select Configure Reports.

These selections are available on the Configure Reports page:

• PDF Report Options

  For reports generated in portable document format (PDF), you can make selections to determine the fonts to be used in the report, the page size, and page orientation.

  • PDF Font Name. Select the font to use when generating PDF reports. By default, only fonts available to all PDF viewers are shown. However, additional fonts (such as those needed to support Asian languages) can be added to the system by copying font definition files into the product’s fonts/ directory and restarting the server.

    Accepted font definition formats include .ttf, .ttc, .otf, and .afm. If you select one of these fonts, then it must be available at the computer system where the report is viewed. Alternatively select the Embed Font in PDF Documents option.

  • Embed Font in PDF Documents. Select this option to embed the font definition in the generated PDF report. This ensures that the report is viewable in any PDF viewer.

    ---

    Note –

    Embedding the font can greatly increase the size of the document.

    ---

  • Page Size. Choose the PDF page size by selecting letter (8 ½ by 11 inches) or legal (8 ½ by 14 inches) from the menu. (Default value is letter.)

    ---

    Note –

    You can add other sizes to this menu by using the pdfPageSize field on the Reports Config Library form. The pdfPageSize value must be a value known to the com.lowagie.text.Rectangle class in the itext package.

    ---

  • Orientation. Choose the PDF page orientation by selecting portrait or landscape from the menu. (Default value is portrait.)

• CSV Report Options. Select the Character Set Name option to specify a character set to use when generating CSV reports. Not all applications that import CSV files support the default UTF-8 encoding. Select another character set as needed.

• Tracked Event Configuration. Select the Enable event collection option to configure reports for system monitoring and does not apply to customizing report formatting. For more information, see Tracked Event Configuration.

Click Save to save report configuration options.

Identity Manager Reports

Identity Manager report types can be grouped into the following report type categories:

• AuditLog Reports

• Individual User AuditLog Reports

• Real Time Reports

• Summary Reports

• SystemLog Reports

• Usage Reports

• Workflow Reports

AuditLog Reports

AuditLog reports are based on events captured in the system audit log. These reports provide information about generated accounts, approved requests, failed access attempts, password changes and resets, self-provisioning activities, policy violations, and service provider (extranet) users, among others.

---

Note –

Before running audit logs, you must specify the types of Identity Manager events you want to capture. To do this, select Configure from the menu bar, and then select Audit. Select one or more audit group names to record successful and failed events for each group. For more information about setting up audit configuration groups, see Configuring Audit Groups and Audit Events.

---

To Define an AuditLog Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select AuditLog Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports page. Click Run to produce a report of all results that match the saved criteria. Included in the report are the date an event occurred, the action performed, and the result of the action.

Individual User AuditLog Reports

As with the AuditLog reports, the Individual User AuditLog report is based on events captured in the system audit log. This report, however, prompts you for a user to report on, and returns a list of activities that have been performed on that user. To maximize results, this report searches both the AccountId and ObjectDesc fields in the audit log for the matching user name.

This report can either return a fixed set of columns, or you can select a custom set of columns. Columns are defined in reporttasks.xml and defaultreports.xml. Both files can be found in the sample directory (located in your Identity Manager installation directory).

To Define an Individual User AuditLog Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select Individual User AuditLog Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

Real Time Reports

Real time reports poll resources directly to report real-time information.

Real time reports include:

• Resource Group Report. Summarizes group attributes, including user memberships.

• Resource Status Report. Tests the connection status of one or more specified resources by executing the testConnection method against each resource.

• Resource User Report. Lists user resource accounts and account attributes.

To Define a Real-Time Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select Resource Group Report, Resource Status Report, or Resource User Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria.

Summary Reports

Summary report types include the following reports available from the Identity Manager Reports list:

• Account Index Report. Report on selected resource accounts according to reconciliation situation.

• Administrator Report. View Identity Manager administrators, the organizations they manage, and assigned capabilities. When defining an administrator report, you can select administrators to include by organization.

• Admin Role Report. List users assigned to admin roles.

• Role Report. Report on all aspects of roles and associated resources.

• Task Report. Report on pending and finished tasks. You determine the depth of information to include by selecting from a list of attributes such as approver, description, expiration date, owner, start date, and state.

• User Report. View users, the roles to which they are assigned, and the resources they can access. When defining a user report, you can select which users to include by name, assigned manager, role, organization, or resource assignment.

• User Question Report. Allows administrators to find users who have not answered the minimum number of authentication questions, as specified by their account policy requirements. The results indicate user name, account policy, the interface associated with the policy, and the minimum number of questions that require answers.

---

Note –

By default, the following reports are run on the set of organizations controlled by the logged-in administrator, unless overridden by selecting one or more organizations against which the report will be run.

• Admin Role Summary

• Administrator Summary

• Role Summary

• User Questions Summary

• User Summary

As shown in the following figure, the Administrator Report lists Identity Manager administrators, the organizations they manage, and their assigned capabilities and admin roles.

---

To Define a Summary Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select one of the Summary report types (listed above) from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

SystemLog Reports

A SystemLog report shows system messages and errors that are recorded in the repository.

When setting up this report, you can specify to include or exclude the following items:

• System components (such as Provisioner, Scheduler, or Server)

• Error codes

• Severity levels (error, fatal, or warning)

You also set the maximum number of records you want to display (by default, 3000), and whether you want to display the oldest or newest records if available records exceed the specified maximum.

When running a SystemLog Report, specific Syslog entries can be retrieved by specifying the syslog ID of the target entry. For example, to view specific entries in the Recent Systems Messages report, edit the report and select the Event field. Then enter the requested syslog ID and click Run.

---

Note –

You also can run the lh syslog command to extract records from the system log. For detailed command options, read syslog Command in Appendix A, lh Reference.

---

To Define a SystemLog Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select SystemLog Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports list page.

Usage Reports

Create and run usage reports to view graphical and/or tabular summaries of system events related to Identity Manager objects such as administrators, users, roles, or resources. You can display usage reports display data in table, bar chart, pie chart, or line chart format.

To Define a Usage Report

1. Follow the instructions for Creating a Report on Creating Reports.

2. Select Identity Manager Reports from the first Report Type menu, and select Usage Report from the second menu.

   The Define a Report page opens.

3. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports list page.

---

Example 8–1 Usage Report Chart (Generated User Accounts)

The following figure shows an example usage report. The table at the top of the report shows events comprising the report and the chart below shows the same information in graphical format.

---

Workflow Reports

This report lists workflows by name and provides the following information:

• The average time the workflow took to complete

• The number of times the workflow was requested

• The number of workflow requests that were completed

In addition, clicking the workflow name opens a detailed view of the workflow, which will show each activity that was instrumented within the workflow, and its average time to complete.

Workflow Reports are especially useful for capturing performance metrics that can help establish whether Service Level Agreement (SLA) targets are being met.

Identity Manager must be configured to capture workflow timing metrics as a prerequisite to running Workflow Reports. See the next section for more information.

Configuring Workflows to Capture Audit Timing Events

Before you can run Workflow Reports, you must first turn on workflow auditing for each workflow type that you want to report on.

---

Note –

Auditing workflows degrades performance. Consequently, you should only enable workflow auditing for those workflows that you plan to use with Workflow Reports.

---

Turn on workflow auditing as follows:

• For workflows that you can configure in the Administrator interface using task templates, select the Audit entire workflow checkbox on the Audit tab of the task template configuration form. See Configuring the Audit Tab for instructions.

• For workflows that do not have task templates, refer to Modifying Workflows to Log Timing Audit Events.

Specifying Attributes to Store for the Workflow Report

While it is not necessary to define attributes, to get the most out of Workflow Reports it is important to store attributes that you later plan to filter your reports on.

To define the set of attributes that you want to store for each workflow type, use the Administrator interface’s tabbed task template configuration form. The Audit tab contains an Audit Attributes section, which is located below the Audit entire workflow checkbox. See Configuring the Audit Tab for instructions.

To Define a Workflow Report

1. Follow the instructions for creating a report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select Workflow Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save. You can define time parameters as well as add any of the attributes that you elected to audit. (See Specifying Attributes to Store for the Workflow Report in the previous section.)

   To narrow your results, specify an attribute name (for example, user.global.state ), select a condition, and enter an attribute value. You can enter as many attributes as you need.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports page. Click Run to produce a report of all results that match the saved criteria.

   The report will return workflows by name, along with their average time to complete, the number of times the workflow was requested, and how many of those requests were completed.

   Click the workflow name to open a detailed view of the workflow, which will show each activity that was instrumented in the workflow. Because processes can have the same named activities, the activities are scoped by process.

Auditor Reports

Auditor reports provide information that help you manage user compliance based on criteria defined in audit policies.

Identity Manager provides the following auditor reports:

• Access Review Coverage Reports

• Access Review Detail Reports

• Access Review Summary Reports

• Access Scan User Scope Coverage Reports

• Audit Policy Summary Reports

• Audited Attribute Reports

• Audit Policy Violation History

• User Access Reports

• Organization Violation History

• Resource Violation History

• Separation of Duties Reports

• Violation Summary Reports

To define an auditor report, follow the steps in Creating Reports.

For more information about auditor reports, see Working with Auditor Reports in Chapter 15, Auditing: Monitoring Compliance.

Working with Graphs

You can perform the following activities related to graphs:

• Viewing Defined Graphs

• To Create a Dashboard Graph

• To Edit a Dashboard Graph

• To Delete a Defined Graph

Viewing Defined Graphs

Identity Manager provides some sample graphs. Some use sample data and some do not. You are encouraged to create additional graphs that are applicable to your deployment.

You should remove the sample graphs and sample dashboards before moving a deployment into production. Some of the sample graphs that do not use sample data might appear blank if no applicable data has been collected.

To View a Defined Graph

1. In the Administrator interface, click Reports in the main menu.

2. Click Dashboard Graphs in the secondary menu.

3. Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.

   All graphs in the selected category display in the graphs list.

4. Click a graph name.

5. If desired, click Pause refresh to pause the dashboard refresh. Click Resume to renew the view.

   ---

   Note –

   For dashboards containing many graphs, it is sometimes helpful to pause the refresh until all of the graphs are initially loaded.

   ---

6. If desired, click Refresh now to force an immediate refresh.

7. Click Done to return to the Dashboard Graphs list page.

   ---

   Note –

   If any of the graphs show an error message, open the system configuration object for editing (Editing Identity Manager Configuration Objects) and set dashboard.debug=true. Once this property is set, return to the graph that generated the error and use the Please include this text script if reporting a problem link to retrieve the graph script. This graph script should be included when reporting the problem.

   ---

To Create a Dashboard Graph

1. In the Administrator interface, select Reports -> Dashboard Graphs.

2. Select a dashboard graphs category from the list of Select Dashboard Graph Type options.

   All graphs in the selected category display in the graphs list.

3. Click New to display the Create Dashboard Graph page and enter a Graph Name.

   Choose a unique, meaningful name because graphs are added to dashboards by name.

4. Select a Registry: IDM or SAMPLE.

   The sample data selection is provided for you to familiarize yourself with the system. As sample data is not available for all tracked events, this selection is most useful for demos and when experimenting with the various graph options. Delete sample data prior to going to a production environment.

   ---

   Note –

   The set of tracked events that use sample data differs from the events that are actually tracked.

   ---

5. Select a Tracked Event type from the list.

   An event is a system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.

   Tracked events for the IDM registry are:

   • Provisioner Execution Counts. Tracks how many provisioner operations occurred (by operation type).

   • Provisioner Execution Duration. Tracks the duration of each provisioner operation (by operation type).

   • Resource Operation Count. Tracks the number of resource operations.

   • Resource Operation Duration. Tracks the duration of a resource operation.

   • Workflow Duration. Tracks how long it takes to execute a workflow.

   • Workflow Execution Count. Tracks the number of times each workflow is executed.

6. Select a Time Scale from the list.

   This option controls how often data is aggregated (for example, one hour) and how often it is retained (for example, one month). The system stores tracked event data for progressively larger time scales to allow both a detailed, current view of the system as well as an understanding of historical trends.

7. Select a Metric from the list.

   A metric (count or average) will be selected by default, depending on the selected tracked event. Each graph displays a single metric. The available metrics depend on the selected tracked event.

   Possible metrics include:

   • Count. The total number of times the event occurred in the time interval

   • Average. The arithmetic mean of the event values for the time interval

   • Maximum. The maximum event value for the time interval

   • Minimum. The minimum event value for the time interval

   • Histogram. The separate counts for discrete ranges of event values for the time interval

8. Select Show count as from the list.

   The graph count is shown either as a raw total or scaled by various time scales.

9. Select a Graph Type from the list.

   This controls how the tracked event data is displayed. The available graph types depend on the selected tracked event and can include line graphs, bar charts, and pie charts.

10. Specify a Base Dimension (optional).

    Select from the following list:

    • Resource Name. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.

    • Server Instance. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.

    • Operation Type. If selected, all values for the dimension are included in the graph. Deselect this option to choose individual values of the dimension to include in the graph.

      After you select the dimension, the page refreshes to display a graph.

11. Enter text in the Graph Options field to produce a subtitle under the main title of the graph (optional).

12. Select Advanced Graph Options (optional).

    Use this option if you want to specify the following:

    • Grid Lines

    • Font

    • Color Palette

13. Click Save to create the graph.

To Edit a Dashboard Graph

1. In the Administrator interface, click Reports in the main menu.

2. Click Dashboard Graphs in the secondary menu.

   The Dashboard Graphs page opens.

3. From the Select Dashboard Graph Type drop-down menu, select a category.

   A table listing dashboard graphs opens.

4. Click a graph name to edit it.

   The graph attributes you can edit vary depending on the graph selected.

   One or more of the following characteristics are available for editing:

   • Graph Name. Graphs are added to a dashboard by name.

   • Registry. Specifies the tracked event description defined in the registry. The current selection includes: SAMPLE, Service Provider, and IDM.

   • Tracked Event. A system characteristic, such as memory usage, or an aggregation of events, such as resource operations, whose historical values are tracked and displayed visually as graphs or charts.

   • Time Scale. Controls how often data is aggregated and how often it is retained.

   • Metric. Each graph displays a single metric. The available metrics depend on the selected tracked event. Other options may be available for the metric selected.

   • Graph type. Controls how the tracked event data is displayed (for example, line graph or bar graph).

   • Included Dimension Values. If selected, all values for the dimensions are included in the graph.

   • Graph Subtitle. If desired, enter a subtitle under the main title of the graph.

   • Advanced Graph Options. Select this if you want to set the following:

     • Grid Lines

     • Font

     • Color Palette

5. Click Save.

To Delete a Defined Graph

1. In the Administrator interface, click Reports in the main menu.

2. Click Dashboard Graphs in the secondary menu.

3. Select a category of dashboard graphs from the Select Dashboard Graph Type list of options.

   All graphs in the selected category display in the graphs list.

4. Use the checkboxes to select the graphs to delete and then click Delete.

   ---

   Note –

   Graphs are deleted without warning from all dashboards that included it.

   ---

Working with Dashboards

A dashboard is a collection of related graphs that are viewed on a single page. As with graphs, Identity Manager provides a set of sample dashboards that administrators are encouraged to customize to their own deployment. See To Create Dashboards for instructions.

To View Dashboards

1. In the Administrator interface, click Reports in the main menu.

2. Click View Dashboards in the secondary menu to view currently defined Dashboards.

   The Dashboards page opens.

3. Click Display next to the dashboard you want to view

   ---

   Note –

   For dashboards containing many graphs, it’s sometimes helpful to pause the refresh until all of the graphs are initially loaded.

   Click Pause to pause dashboard refresh, or Refresh to renew the view.

   ---

   The following sections provide procedures for working with dashboards:

   • To Create Dashboards

   • Editing Dashboards

   • Deleting Dashboards

To Create Dashboards

1. In the Administrator interface, click Reports in the main menu.

2. Click View Dashboards in the secondary menu.

3. Click New.

4. Enter a name for the new dashboard.

5. Enter a summary describing the new dashboard.

6. Select a refresh rate in either seconds, minutes, or hours, from the list.

   ---

   Note –

   Setting a refresh rate of less than 30 seconds can cause problems with dashboards that contain several graphs.

   ---

7. To associate a graph style to the dashboard, select the appropriate entry from the list.

   ---

   Note –

   A single graph can be used in multiple dashboards.

   ---

8. To remove a dashboard graph, select the appropriate entry from the list and click Remove Graphs.

9. Click Save.

Editing Dashboards

Use the procedure described in To Create Dashboards to edit a dashboard, except instead of selecting New, select the dashboard you want to modify and edit the following attributes:

• The name for the dashboard.

• The summary describing the new dashboard.

• The refresh rate in either seconds, minutes, or hours from the list.

• Add or remove graphs associated with a dashboard.

---

Note –

Removing a graph from a dashboard does not delete the graph. The graph is still available for use with other dashboards.

A single graph can be used in multiple dashboards.

---

Figure 8–2 illustrates a sample dashboard edit page.

Figure 8–2 Edit Dashboards

Deleting Dashboards

To delete Service Provider dashboards, from the Service Provider area click Manage Dashboards, then select the desired dashboard and click delete.

---

Note –

The graphs included in the dashboard are not removed using this procedure. Delete graphs using the Manage Dashboard Graphs page (see To Delete a Defined Graph).

---

System Monitoring

You can set up Identity Manager to track events in real-time and monitor the events by viewing them in dashboard graphs. The dashboards allow you to quickly assess system resources and spot abnormalities, to understand historical performance trends (based on the time of day, the day of week, and so on), and to interactively isolate problems before looking at audit logs. They do not provide as much detail as the audit logs, but they do provide you with hints about where to look for problems in the logs.

You can create graphic dashboard displays to track automated and manual activities at a high level. Identity Manager provides sample resource operations dashboard graphs. The resource operations dashboard graphs enable you to quickly monitor system resources to maintain an acceptable level of service.

You can view sample data for these graphs in the Resource Operations Dashboard. For more information about using dashboards, see Working with Dashboards.

Statistics are collected and aggregated at various levels to present a real-time view based on your specifications.

Tracked Event Configuration

From the Tracked Event Configuration area of the Configure Reports page, you can determine if statistics collection for tracked events is currently enabled, and enable it. Click Enable event collection to enable the tracked event configuration.

Specify the following options for event collection:

• Time Zone. This option sets the time zone to use for recording tracked events. This primarily determines when day boundaries occur.

  Alternatively, you can set the time zone to the default time zone set on the server.

• Time Scales to collect. This option specifies the time intervals for which the data is aggregated (in other words, how often it is collected and persisted). For example, if a one-minute interval is selected, data is collected and persisted every minute.

The system stores tracked event data for progressively larger time scales to allow a detailed, current view of the system, as well as an understanding of historical trends.

The following time scales are available, and all of these intervals are selected by default. Clear the selections for the intervals you do not want to collect.

• 10 Second Intervals

• 1 Minute Intervals

• 1 Hour Intervals

• 1 Day Intervals

• 1 Week Intervals

• 1 Month Intervals

After configuring tracked events, use the dashboards to monitor the tracked events. Where present, use the sliders to zoom in on a section of the chart.

Risk Analysis

Identity Manager risk analysis features let you report on user accounts whose profiles fall outside certain security constraints. Risk analysis reports scan the physical resource to gather data and show, by resource, details about disabled accounts, locked accounts, and accounts with no owners. They also provide details about expired passwords. Report details vary depending on the resource type.

---

Note –

Standard reports are available for AIX, HP, Solaris, NetWare NDS, and Windows Active Directory resources.

---

Risk analysis pages are controlled by a form and can be configured for your environment. You can find a list of forms under the RiskReportTask object on the idm\debug page (The Identity Manager Debug Page), and modify these by using the Identity Manager IDE. See Chapter 3, Identity Manager Forms, in Sun Identity Manager Deployment Referencefor more information about configuring forms.

To Create a Risk Analysis Report

1. In the Administrator interface, click Reports in the main menu.

2. Click Run Risk Analysis in the secondary menu.

3. In the New drop-down menu, select a report to create.

   A Risk Analysis Report Settings page opens.

4. Complete the form.

   You can limit the report to scan selected resources and, depending on the resource type, you can scan for accounts that meet these criteria:

   • Accounts that are disabled, expired, inactive, or locked

   • Accounts that have never been used

   • Accounts that do not have a fullname or password

   • Accounts that do not require a password

   • Accounts with passwords that have expired or have not changed for a specified number of days

5. Click Save.

To Schedule a Risk Analysis Report

Once defined, you can use the following steps to schedule risk analysis reports to run at specified intervals.

1. In the Administrator interface, click Server Tasks in the main menu.

2. Click Manage Schedule in the secondary menu.

   The Scheduled Tasks page opens.

3. Select a risk analysis report to schedule.

   The Create New Risk Analysis Task Schedule page opens.

4. Enter a name and schedule information, and then optionally adjust other risk analysis selections.

5. Click Save to save the schedule.