Identity Manager Reports

Identity Manager report types can be grouped into the following report type categories:

• AuditLog Reports

• Individual User AuditLog Reports

• Real Time Reports

• Summary Reports

• SystemLog Reports

• Usage Reports

• Workflow Reports

AuditLog Reports

AuditLog reports are based on events captured in the system audit log. These reports provide information about generated accounts, approved requests, failed access attempts, password changes and resets, self-provisioning activities, policy violations, and service provider (extranet) users, among others.

---

Note –

Before running audit logs, you must specify the types of Identity Manager events you want to capture. To do this, select Configure from the menu bar, and then select Audit. Select one or more audit group names to record successful and failed events for each group. For more information about setting up audit configuration groups, see Configuring Audit Groups and Audit Events.

---

To Define an AuditLog Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select AuditLog Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports page. Click Run to produce a report of all results that match the saved criteria. Included in the report are the date an event occurred, the action performed, and the result of the action.

Individual User AuditLog Reports

As with the AuditLog reports, the Individual User AuditLog report is based on events captured in the system audit log. This report, however, prompts you for a user to report on, and returns a list of activities that have been performed on that user. To maximize results, this report searches both the AccountId and ObjectDesc fields in the audit log for the matching user name.

This report can either return a fixed set of columns, or you can select a custom set of columns. Columns are defined in reporttasks.xml and defaultreports.xml. Both files can be found in the sample directory (located in your Identity Manager installation directory).

To Define an Individual User AuditLog Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select Individual User AuditLog Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

Real Time Reports

Real time reports poll resources directly to report real-time information.

Real time reports include:

• Resource Group Report. Summarizes group attributes, including user memberships.

• Resource Status Report. Tests the connection status of one or more specified resources by executing the testConnection method against each resource.

• Resource User Report. Lists user resource accounts and account attributes.

To Define a Real-Time Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select Resource Group Report, Resource Status Report, or Resource User Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports list page. Click Run to produce a report of all results that match the saved criteria.

Summary Reports

Summary report types include the following reports available from the Identity Manager Reports list:

• Account Index Report. Report on selected resource accounts according to reconciliation situation.

• Administrator Report. View Identity Manager administrators, the organizations they manage, and assigned capabilities. When defining an administrator report, you can select administrators to include by organization.

• Admin Role Report. List users assigned to admin roles.

• Role Report. Report on all aspects of roles and associated resources.

• Task Report. Report on pending and finished tasks. You determine the depth of information to include by selecting from a list of attributes such as approver, description, expiration date, owner, start date, and state.

• User Report. View users, the roles to which they are assigned, and the resources they can access. When defining a user report, you can select which users to include by name, assigned manager, role, organization, or resource assignment.

• User Question Report. Allows administrators to find users who have not answered the minimum number of authentication questions, as specified by their account policy requirements. The results indicate user name, account policy, the interface associated with the policy, and the minimum number of questions that require answers.

---

Note –

By default, the following reports are run on the set of organizations controlled by the logged-in administrator, unless overridden by selecting one or more organizations against which the report will be run.

• Admin Role Summary

• Administrator Summary

• Role Summary

• User Questions Summary

• User Summary

As shown in the following figure, the Administrator Report lists Identity Manager administrators, the organizations they manage, and their assigned capabilities and admin roles.

---

To Define a Summary Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select one of the Summary report types (listed above) from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

SystemLog Reports

A SystemLog report shows system messages and errors that are recorded in the repository.

When setting up this report, you can specify to include or exclude the following items:

• System components (such as Provisioner, Scheduler, or Server)

• Error codes

• Severity levels (error, fatal, or warning)

You also set the maximum number of records you want to display (by default, 3000), and whether you want to display the oldest or newest records if available records exceed the specified maximum.

When running a SystemLog Report, specific Syslog entries can be retrieved by specifying the syslog ID of the target entry. For example, to view specific entries in the Recent Systems Messages report, edit the report and select the Event field. Then enter the requested syslog ID and click Run.

---

Note –

You also can run the lh syslog command to extract records from the system log. For detailed command options, read syslog Command in Appendix A, lh Reference.

---

To Define a SystemLog Report

1. Follow the instructions for Creating a Report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select SystemLog Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports list page.

Usage Reports

Create and run usage reports to view graphical and/or tabular summaries of system events related to Identity Manager objects such as administrators, users, roles, or resources. You can display usage reports display data in table, bar chart, pie chart, or line chart format.

To Define a Usage Report

1. Follow the instructions for Creating a Report on Creating Reports.

2. Select Identity Manager Reports from the first Report Type menu, and select Usage Report from the second menu.

   The Define a Report page opens.

3. Complete the form and click Save.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports list page.

---

Example 8–1 Usage Report Chart (Generated User Accounts)

The following figure shows an example usage report. The table at the top of the report shows events comprising the report and the chart below shows the same information in graphical format.

---

Workflow Reports

This report lists workflows by name and provides the following information:

• The average time the workflow took to complete

• The number of times the workflow was requested

• The number of workflow requests that were completed

In addition, clicking the workflow name opens a detailed view of the workflow, which will show each activity that was instrumented within the workflow, and its average time to complete.

Workflow Reports are especially useful for capturing performance metrics that can help establish whether Service Level Agreement (SLA) targets are being met.

Identity Manager must be configured to capture workflow timing metrics as a prerequisite to running Workflow Reports. See the next section for more information.

Configuring Workflows to Capture Audit Timing Events

Before you can run Workflow Reports, you must first turn on workflow auditing for each workflow type that you want to report on.

---

Note –

Auditing workflows degrades performance. Consequently, you should only enable workflow auditing for those workflows that you plan to use with Workflow Reports.

---

Turn on workflow auditing as follows:

• For workflows that you can configure in the Administrator interface using task templates, select the Audit entire workflow checkbox on the Audit tab of the task template configuration form. See Configuring the Audit Tab for instructions.

• For workflows that do not have task templates, refer to Modifying Workflows to Log Timing Audit Events.

Specifying Attributes to Store for the Workflow Report

While it is not necessary to define attributes, to get the most out of Workflow Reports it is important to store attributes that you later plan to filter your reports on.

To define the set of attributes that you want to store for each workflow type, use the Administrator interface’s tabbed task template configuration form. The Audit tab contains an Audit Attributes section, which is located below the Audit entire workflow checkbox. See Configuring the Audit Tab for instructions.

To Define a Workflow Report

1. Follow the instructions for creating a report on Creating Reports.

   Select Identity Manager Reports from the first Report Type menu, and select Workflow Report from the second menu.

   The Define a Report page opens.

2. Complete the form and click Save. You can define time parameters as well as add any of the attributes that you elected to audit. (See Specifying Attributes to Store for the Workflow Report in the previous section.)

   To narrow your results, specify an attribute name (for example, user.global.state ), select a condition, and enter an attribute value. You can enter as many attributes as you need.

   Click Help if you have questions about the form.

   Once you have set and saved report parameters, run the report from the Run Reports page. Click Run to produce a report of all results that match the saved criteria.

   The report will return workflows by name, along with their average time to complete, the number of times the workflow was requested, and how many of those requests were completed.

   Click the workflow name to open a detailed view of the workflow, which will show each activity that was instrumented in the workflow. Because processes can have the same named activities, the activities are scoped by process.