Oracle Adaptive Access Manager provides access to a rich set of forensic data to power investigations and auditing:
OAAM reports enables you to use Oracle BI Publisher as the reporting solution for OAAM components.
Oracle Adaptive Access Manager leverages the common audit framework from Oracle Platform Security Services to capture full audit trails for administration console users.
Oracle Adaptive Access Manager reports enable you to use Oracle BI Publisher as the reporting solution. Oracle Adaptive Access Manager reports use Oracle BI Publisher to query and report on information in the OAAM schema.
Oracle BI Publisher is an Oracle's enterprise reporting solution and provides a single reporting environment to author, manage, and deliver all of your reports and business documents. Utilizing a set of familiar desktop tools, such as Microsoft Word, Microsoft Excel, or Adobe Acrobat, you can create and maintain report layouts based on data from diverse sources
The Oracle Business Intelligence Publisher Administrator's Guide explains how to use Oracle BI Publisher to create reports. You can access the Oracle Business Intelligence Publisher Administrator's Guide by searching for it on the Oracle Technology Network web site.
The Oracle Business Intelligence Publisher Documentation Library is available on the Oracle Technology Network web site. You can access the Oracle Technology Network Website at:
When your data resides in a database, you can run pre-defined Oracle Business Intelligence Publisher (Oracle BI Publisher) reports and create your own reports on the data. This section contains these topics about configuring Oracle BI Publisher for OAAM reports:
For performance reasons, it is recommended to replicate production data into a reporting database and to provide a dedicated reporting environment for Oracle BI Publisher.
For information on how to configure audit reporting and view audit reports, refer to "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Application Security Guide.
OAAM uses Oracle BI Publisher to generate your OAAM reports.
Perform the following steps to acquire and install Oracle BI Publisher:
Go to Oracle Technology Network web site at http://www.oracle.com/technetwork/index.html
Locate the Oracle BI Publisher Download page by searching on the key words Oracle BI Publisher or Oracle BI Publisher Download.
Review the Oracle Technology Network License Agreement that appears on the Oracle BI Publisher Download page. You must accept the Oracle Technology Network License Agreement to download Oracle BI Publisher.
Download the version of Oracle BI Publisher that is appropriate for your operating system by clicking on the appropriate link.
Install Oracle BI Publisher by referring to the Oracle Business Intelligence Publisher Installation Guide. Refer to Oracle Business Intelligence Publisher Documentation for information about accessing the Oracle Business Intelligence Publisher Installation Guide.
Verify your Oracle BI Publisher is operational before installing and configuring the OAAM reports.
This section explains how to install Oracle BI Publisher OAAM reports. You must install Oracle BI Publisher and verify it is operational before installing the OAAM reports. Refer to the Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management for more information.
Perform the following steps to install the reports:
Stop the Oracle BI Publisher server. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
On your OAAM host, locate the OAAM products reports package from the /IAM_HOME/oaam/reports
directory and extract the contents to a location on your Oracle BI Publisher server. For example:
/ORACLE_BI_PUBLISHER_HOME/xmlp/XMLP/reports
Copy the properties.xml
file to any directory in Oracle BI Publisher server's file system.
Start the Oracle BI Publisher server. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
Perform the following steps to configure the data source for the reports:
Configure the JDBC Data Source for the reports by performing the following steps:
Log in to Oracle BI Publisher from a Web browser as an Administrator. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
Click the Admin tab, then click JDBC under Data Sources, and then click the Add Data Source button. The Add Data Source screen appears.
Enter the following information in the fields on the Add Data Source screen. Replace the variable values in the following examples with the actual values for your Oracle Adaptive Access Manager database.
Field | Data to Enter |
---|---|
Data Source Name | ARM
For the Oracle Adaptive Access Manager reports to work out-of-the-box, the JDBC data source must be named as "ARM". If you choose a different name, you must modify the data source property in all reports. |
Connection String | jdbc:oracle:thin:@ host:port:sid |
User Name | User name for a database schema user that has access to Oracle Adaptive Access Manager. |
Password | Password for user identified in the User Name field. |
Database Driver Class | oracle.jdbc.driver.OracleDriver |
Click the Test Connection button to test the connection to the JDBC Data Source. You will receive the Connection established successfully
message if your connection is successful.
If you do not receive the Connection established successfully
message, verify the data you entered is accurate and check if the OAAM database is running.
Click the Apply button on the Add Data Source screen after you have received the Connection established successfully message.
Configure the AdminProperties Data Source. The AdminProperties contains configuration information that Oracle BI Publisher will need to read when generating the reports.
Click the Admin tab, then click File under Data Sources, and then click the Add Data Source button. The Add Data Source screen appears.
Enter the following information in the fields on the Add Data Source screen:
Field | Data to Enter |
---|---|
Data Source Name | AdminProperties
You must name this Data Source |
Full Path of Top-level Directory | Path must be the directory where you copied properties.xml . |
The configuration for the data source is complete. Refer to the Oracle Fusion Middleware Business Intelligence Publisher Reports Administrator's Guide for Oracle Identity Management to generate reports for Oracle Adaptive Access Manager.
Click Reports, Shared Folders, and then oaam.
Reports are grouped under Common, KBA, OTP, Security, Users, Devices, Location, Performance, and Summary.
Choose any report from these groupings.
Choose any output type and click View.
This section explains how to view/run reports.
Take these steps to view/run a report:
Log in to Oracle BI Publisher using a URL of the form:
http://
host.domain.com:port/
xmlpserver/
Click Shared Folders, OAAM, and then oradb.
Click View for the report you want to generate.
Select an output format for the report and click View.
The report is generated. See Oracle Business Intelligence Publisher Documentation to learn more about Oracle BI Publisher.
You can set the Report Locale, User Interface Language, Time Zone, and Accessibility Mode for Oracle BI Publisher.
Report Locale- A locale is a language and territory combination (for example, English (United States) or French (Canada)). Oracle BI Publisher uses the report locale selection to determine the template translation to apply, the number formatting and date formatting to apply to the report data.
User Interface Language- The User Interface language is the language that your user interface displays in. The language that you selected at login will be selected as the default. However, you can choose from the languages that are available for your installation through this option.
Time Zone - Select the time zone to apply to your reports. Reports run by you (this user) will display the time according to the time zone preference selected here.
Accessibility Mode- Setting this to "On" will display the report catalog in a tree structure that is accessible via keyboard strokes
For more information on setting preferences, refer to the "Setting My Account Preferences and Viewing My Groups" chapter of the Oracle Fusion Middleware Report Designer's Guide for Oracle Business Intelligence Publisher.
In release 11g, Oracle BI Publisher supports two types of translation:
Catalog Translation
Template (or layout) Translation
Catalog translation enables the extraction of translatable strings from all objects contained in a selected catalog folder into a single translation file; this file can then be translated and uploaded back to Oracle BI Publisher and assigned the appropriate language code.
Catalog translation extracts not only translatable strings from the report layouts, but also the user interface strings that are displayed to users, such as catalog object descriptions, report parameter names, and data display names.
Users viewing the catalog will see the item translations appropriate for the user interface language they selected in their My Account preferences. Users will see report translations appropriate for the Report Locale they selected in their My Account preferences.
Template translation enables the extraction of the translatable strings from a single RTF-based template (including sub templates and style templates) or a single Oracle BI Publisher layout template (.xpt file). Use this option when you only need the final report documents translated. For example, your enterprise requires translated invoices to send to German and Japanese customers.
For information describing the process of downloading and uploading translation files, refer to the "Adding Translations for the BI Publisher Catalog and Reports" of the Oracle Fusion Middleware Administrator's and Developer's Guide for Oracle Business Intelligence Publisher.
If you want to localize reports perform the following steps:
Unzip oaam_reports_translations.zip
. The oaam_reports_translations.zip
is in the same directory as the reports you installed earlier. Refer to Section 24.1.2.2, "Copying OAAM Reports to the Reporting Database."
In the Oracle BI Publisher catalog, select the OAAM folder.
Click the option to Import XLIFF.
Upload the Catalog_*.xlf file for the languages you want to use.
Oracle BI Publisher Enterprise enables you to schedule reports, and deliver the executed output to various destinations. Oracle BI Publisher Scheduler is configured as a part of Oracle BI Enterprise Edition installation process. Ensure that the scheduler is configured properly, before you start scheduling the reports.
For information on scheduling reports, refer to "Creating Report Jobs" in the Oracle Fusion Middleware Report Designer's Guide for Oracle Business Intelligence Publisher.
OAAM provides a range of out-of-the-box reports that are accessible through Oracle Business Intelligence Publisher.
These reports provide data based on device location or login information.
These reports provide data based on the device information.
These reports provide data based on the KBA information.
Note:
Updated statistics are not available immediately after a user is challenged or answers a question. The Oracle BI Publisher reports are generated from the database and database updates do not occur in real-time for the statistics.These reports provide data based on the location information.
These reports provide data based on the performance information.
These reports provide data based on the security information.
These reports provide summaries for date ranges.
If you have additional reporting requirements beyond the out of the box reports described in Section 24.1.8, "OAAM Reports", you can create custom reports. You may want to refer to the Oracle Adaptive Access Manager Database Schema chapter in the Oracle Fusion Middleware Reference for Oracle Identity Management. It describes the OAAM schema, which is useful when building custom reports. This section discusses advanced report creation.
To create a custom OAAM report, you must perform the following tasks:
An example is provided for your reference.
In code listings OAAM table and field names are bold and italic.
Refer to the instructions in Creating a New Report in the Oracle Business Intelligence Publisher Report Designer's Guide:
https://download.oracle.com/docs/cd/E12844_01/doc/bip.1013/e12187/T518230T518233.htm
Several fields in many tables are numeric type codes, which correspond to OAAM User Defined Enums. Refer to the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager for more information on OAAM User Defined Enums. Information on how to map those type codes to readable names is presented in this section.
There are two methods for resolving these names, and the one to choose depends on whether you need to display in English only or in internationalized strings.
To display a readable string rather than a type code value in the report output, the report writer will need to add a join to the tables that hold the User Defined Enums, and then add the field to the select clause.
The following SQL code shows how to add the join criteria to the query:
SELECT … FROM … LEFT OUTER JOIN ( SELECT enumElement.num_value, enumElement.label FROM v_b_enum enum INNER JOIN v_b_enum_elmnt enumElement ON on enum.enum_id = enum_element.enum_id WHERE enum.prop_name = 'enum name') alias ON table.type_field = alias.num_value …
In this code, table.type_field is the field containing a type code value that you want to replace with a string. Alias is the name you are giving the inner select clause. Finally, enum_name is the property name of the User Defined Enum.
To display in the report, you need to add alias.label to the select clause.
The following SQL code shows how to add the join criteria to the query:
SELECT … FROM … LEFT OUTER JOIN ( SELECT t0.config_value, element.num_value FROM v_b_config_rb t0 INNER JOIN ( SELECT enum_element.num_value, enum_element.str_value, enum.prop_name FROM v_b_enum enum INNER JOIN v_b_enum_elmnt enum_element ON enum.enum_id = enum_element.enum_id WHERE enum.prop_name = 'enum name') element ON t0.config_name=element.prop_name || '.' || element.str_value || '.name' WHERE t0.locale_id = ( SELECT locale_id FROM v_b_locale WHERE language = substr(:xdo_user_ui_locale, 1, 2) AND country = substr(:xdo_user_ui_locale, 4, 2) AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko') OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR') OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))) UNION SELECT locale_id FROM v_b_locale WHERE language = substr(:xdo_user_ui_locale, 1, 2) AND NOT EXISTS(SELECT locale_id FROM v_b_locale WHERE language = substr(:xdo_user_ui_locale, 1, 2) AND country = substr(:xdo_user_ui_locale, 4, 2)) AND country IS NULL AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko') OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR') OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))) UNION SELECT locale_id FROM v_b_locale WHERE language = 'en' AND NOT (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko') OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR') OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW')))) ORDER BY t0.config_name) alias ON table.type_field = alias.num_value …
In this code, table.type_field is the field containing a type code value that you want to replace with a string. Alias is the name you want to give the inner select clause. Finally, enum_name is the property name of the User Defined Enum.
To display in the report, you need to add alias.config_value to the select clause.
Add parameters to your report definition to enable your users to interact with the report and specify the data of interest from the data set.
To allow a user to select from a list of readable strings representing type codes, the report writer will need to create a List of Values (LOV) from a query on the User Defined Enums tables, filtered by the enum name.
The following listing shows how to write the query to populate the list of values.
SELECT enumElement.label, enumElement.num_value
FROM v_b_enum enum
INNER JOIN v_b_enum_elmnt enumElement ON on enum.enum_id = enumElement.enum_id
WHERE enum.prop_name = 'enum name'
ORDER BY enumElement.label
The following listing shows how to filter the report based on this LOV.
WHERE … AND (:parameter IS NULL OR :parameter = table.type_field)
In these listings, enum_name is the property name of the User Defined Enum, table.type_field is the field containing a type code value that you want to replace with a string, and parameter is the named parameter. Review the Oracle BI Publisher User's Guide for information about creating and setting up report parameters.
The following listing shows how to write the query to populate the list of values.
SELECT t0.config_value, element.num_value FROM v_b_config_rb t0 INNER JOIN ( SELECT enum_element.num_value, enum_element.str_value, enum.prop_name FROM v_b_enum enum INNER JOIN v_b_enum_elmnt enum_element ON enum.enum_id = enum_element.enum_id WHERE enum.prop_name = 'enum name') element ON t0.config_name=element.prop_name || '.' || element.str_value || '.name' WHERE t0.locale_id = ( SELECT locale_id FROM v_b_locale WHERE language = substr(:xdo_user_ui_locale, 1, 2) AND country = substr(:xdo_user_ui_locale, 4, 2) AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko') OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR') OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))) UNION SELECT locale_id FROM v_b_locale WHERE language = substr(:xdo_user_ui_locale, 1, 2) AND NOT EXISTS(SELECT locale_id FROM v_b_locale WHERE language = substr(:xdo_user_ui_locale, 1, 2) AND country = substr(:xdo_user_ui_locale, 4, 2)) AND country IS NULL AND (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko') OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR') OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW'))) UNION SELECT locale_id FROM v_b_locale WHERE language = 'en' AND NOT (substr(:xdo_user_ui_locale, 1, 2) in ('de', 'en', 'es', 'fr', 'it', 'ja', 'ko') OR (substr(:xdo_user_ui_locale, 1, 2) = 'pt' AND substr(:xdo_user_ui_locale, 4, 2) = 'BR') OR (substr(:xdo_user_ui_locale, 1, 2) = 'zh' AND substr(:xdo_user_ui_locale, 4, 2) IN ('CN', 'TW')))) ORDER BY t0.config_name
The filtering is done in the same manner as the English Only version.
The OAAM schema includes tables that map IP address ranges to location data including city, state, and country. The relevant tables are VCRYPT_IP_LOCATION_MAP, VCRYPT_CITY, VCRYPT_STATE, and VCRYPT_COUNTRY. Many tables contain IP addresses, and VCRYPT_IP_LOCATION_MAP contains foreign keys to each of VCRYPT_CITY, VCRYPT_STATE, and VCRYPT_COUNTRY.
In OAAM, IP addresses are stored as long numerals. The following listing shows how join a table containing an IP address to the VCRYPT_IP_LOCATION_MAP.
SELECT ... FROM vcrypt_tracker_usernode_logs logs INNER JOIN vcrypt_ip_location_map loc ON ( logs.remote_ip_addr >= loc.from_ip_addr AND logs.remote_ip_addr <= loc.from_ip_addr )
For user input and display purposes, you will normally want to use the standard four-part IP address. The following listing shows how to display a numeric IP address as a standard IP, where ipField is the field or parameter containing the numeric IP address you want to display.
… to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 1, 3), 'XX')) || '.' || to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 4, 2), 'XX')) || '.' || to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 6, 2), 'XX')) || '.' || to_char(to_number(substr(to_char(ipField, 'XXXXXXXX'), 8, 2), 'XX')) ...
The following listing shows how to convert a standard IP address to the long numeric format.
… to_number(substr(ipField, 1, instr(ipField, '.')-1))*16777216 + to_number(substr(ipField, instr(ipField, '.', 1, 1)+1, instr(ipField, '.', 1, 2)-instr(ipField, '.', 1, 1)-1))*65536 + to_number(substr(ipField, instr(ipField, '.', 1, 2)+1, instr(ipField, '.', 1, 3)-instr(ipField, '.', 1, 2)-1))*256 + to_number(substr(ipField, instr(ipField, '.', 1, 3)+1))
Sessions and alerts exist in the VCRYPT_TRACKER_USERNODE_LOGS and VCRYPT_ALERT tables, respectively. They join to each other via the REQUEST_ID field, and they each join to the geolocation data via the VCRYPT_IP_LOCATION_MAP table via the BASE_IP_ADDR field.
The session table and the alert table have several type code fields that may be translated into readable text by following the instructions to look up the user defined enums by name. The following tables will list the type code fields and the name of the user defined enum.
This report will show a list of sessions, with user id, login id, auth status, and location. To start with, you will need to create two date parameters, fromDate and toDate. The query will look like this:
SELECT s.request_id, s.user_id, s.user_login_id, auth.label, country.country_name, state.state_name, city.city_name FROM vcrypt_tracker_usernode_logs s INNER JOIN vcrypt_ip_location_map loc ON s.base_ip_addr = loc.base_ip_addr INNER JOIN vcrypt_country country ON loc.country_id = country.country_id INNER JOIN vcrypt_state loc ON loc.state_id = country.state_id INNER JOIN vcrypt_city city ON loc.city_id = city.city_id LEFT OUTER JOIN ( SELECT enumElement.num_value, enumElement.label FROM v_b_enum enum INNER JOIN v_b_enum_elmnt enumElement ON on enum.enum_id = enum_element.enum_id WHERE enum.prop_name = 'auth.status.enum') auth ON s.auth_status = auth.num_value WHERE (:fromDate IS NULL OR s.create_time >= :fromDate) AND (:toDate IS NULL OR s.create_time <= :toDate) ORDER BY s.create_time DESC
This section explains how you can build transaction reports. It contains the following topics:
To obtain the Transaction Definition key and Entity Definition keys, follow these steps:
Log in to the OAAM Administration Console and go to Transactions menu and search for the transaction definitions you are interested in.
Go to the General tab and note down the Definition Key of the transaction. This is the "Transaction Definition Key" of the transaction.
Go to the Entities tab of the transaction and note down distinct list Entity Name.
Choose the Entities menu option to search for Entities and note the Key of each of those entities. That is the "Entity Definition Key" of the entities.
To discover entity data mapping information that you will need to create your report, follow the procedures in this section.
For your reference, number data types are listed in the following table.
Table 24-3 Information about Data Types
Data Type | Description |
---|---|
1 |
Represents String data |
2 |
Represents Numeric data. Data stored is equal to (Original value * 1000). |
3 |
Date type data. Store the data in "'YYYY-MM-DD HH24:MI:SS TZH:TZM" format and also retrieve it using same format. |
4 |
Boolean data. Stored as strings. "True" represents TRUE and "False" represents FALSE |
To get the entity data details that you will need to construct your report, follow these steps:
Get the Entity Definition Key by looking at the entity definition using the OAAM Administration Console.
Get details of how entity data is mapped using the SQL Query:
SELECT label, data_row, data_col, data_type FROM vt_data_def_elem WHERE status =1 AND data_def_id = (SELECT data_def_id FROM vt_data_def_map WHERE relation_type ='data' AND parent_obj_type =3 AND parent_object_id IN (SELECT entity_def_id FROM vt_entity_def WHERE entity_def_key=<Entity Definition Key> AND status =1 ) ) ORDER BY data_row ASC, data_col ASC;
The above SQL query gives a list of data fields of the entity with data type and row, column position. Using that information, build a SQL query based on the following information that represents data of the given entity. It is also recommended to create/build a view based on this SQL query that represents data of the given entity.
Note:
EntityRowN represents an entity data row. If your entity has 3 distinct data_row values from the above query then you would have 3 EntityRows, name the aliases as EntityRow1, EntityRow2, and so on, and similarly take care of the corresponding joins as shown below.SELECT ent.ENTITY_ID, ent.EXT_ENTITY_ID, ent.ENTITYNAME, ent.ENTITY_KEY, ent.ENTITY_TYPE, EntityRowN<row>.DATA<col> <column_name>, (EntityRowN<row>.NUM_DATA<col>/ 1000.0) <numeric_column_name>, to_timestamp_tz(EntityRowN<row>.DATA<col>, 'YYYY-MM-DD HH24:MI:SS TZH:TZM') <date_column_name>, ent.CREATE_TIME, ent.UPDATE_TIME, ent.EXPIRY_TIME, ent.RENEW_TIME FROM VT_ENTITY_DEF entDef, VT_ENTITY_ONE ent LEFT OUTER JOIN VT_ENTITY_ONE_PROFILE EntityRowN ON (EntityRowN.ENTITY_ID = ent.ENTITY_ID AND EntityRowN.ROW_ORDER = <row> AND EntityRowN.EXPIRE_TIME IS NULL) LEFT OUTER JOIN VT_ENTITY_ONE_PROFILE EntityRowN+1 ON (EntityRowN+1.ENTITY_ID = ent.ENTITY_ID AND EntityRowN+1.ROW_ORDER = <row+1> AND row1.EXPIRE_TIME IS NULL) WHERE ent.ENTITY_DEF_ID = entDef.ENTITY_DEF_ID and entDef.ENTITY_DEF_KEY=<Entity Definition Key>
To discover transaction data mapping information that you will need to create your report, follow the procedures in this section.
To get entity data details you will need to construct your report, follow these steps:
Get list of transaction to entity definition mapping Ids using the following SQL:
SELECT map_id FROM vt_trx_ent_defs_map, vt_trx_def WHERE vt_trx_ent_defs_map.trx_def_id = vt_trx_def.trx_def_id AND vt_trx_def.trx_def_key =<Transaction Definition Key>
Use the following SQL query to get details of all transaction data fields, their data type and their row, column mapping:
SELECT label, data_row, data_col, data_type FROM vt_data_def_elem WHERE status =1 AND data_def_id = (SELECT data_def_id FROM vt_data_def_map WHERE relation_type ='data' AND parent_obj_type =1 AND parent_object_id IN (SELECT trx_def_id FROM vt_trx_def WHERE trx_def_key='mayo_pat_rec_acc' AND status =1 ) ) ORDER BY data_row ASC, data_col ASC;
Use the information from the previous section and build a SQL query that represents transaction data based on the following:
Note: It is recommended to build a view based on this query so that it is easier to build reports
SELECT trx.LOG_ID, trx.USER_ID, trx.REQUEST_ID, trx.EXT_TRX_ID, trx.TRX_TYPE, trx.STATUS, trx.SCORE, trx.RULE_ACTION, trx.TRX_FLAG, trx.POST_PROCESS_STATUS, trx.POST_PROCESS_RESULT, TxnDataRowN<row>.DATA<col> <data_column_name>, (TxnDataRowN<row>.NUM_DATA<col>/ 1000.0) <numeric_column_name>, to_timestamp_tz(TxnDataRowN<row>.DATA<col>, 'YYYY-MM-DD HH24:MI:SS TZH:TZM') <date_column_name>, (SELECT entTrxMap.MAP_OBJ_ID FROM VT_ENT_TRX_MAP entTrxMap WHERE entTrxMap.DEF_MAP_ID = <Transaction to Entity Mapping Id of Entity1_Name> AND entTrxMap.TRX_ID = trx.LOG_ID ) <EntityN_Name>, (SELECT entTrxMap.MAP_OBJ_ID FROM VT_ENT_TRX_MAP entTrxMap WHERE entTrxMap.DEF_MAP_ID = <Transaction to Entity Mapping Id of Entity2_Name> AND entTrxMap.TRX_ID = trx.LOG_ID ) <EntityN+1_Name>, trx.CREATE_TIME, trx.UPDATE_TIME, TRUNC(trx.create_time, 'HH24') created_hour, TRUNC(trx.create_time, 'DDD') created_day, TRUNC(trx.create_time, 'DAY') created_week, TRUNC(trx.create_time, 'MM') created_month, TRUNC(trx.create_time, 'YYYY') created_year FROM VT_TRX_DEF trxDef, VT_TRX_LOGS trx LEFT OUTER JOIN VT_TRX_DATA TransactionDataRowN ON (TransactionDataRowN.TRX_ID = trx.LOG_ID AND TransactionDataRowN.ROW_ORDER = <rowN>) LEFT OUTER JOIN VT_TRX_DATA TransactionDataRowN+1 ON (TransactionDataRowN+1.TRX_ID = trx.LOG_ID AND TransactionDataRowN+1.ROW_ORDER = <rowN+1>) WHERE trx.TRX_DEF_ID = trxDef.TRX_DEF_ID and trxDef.TRX_DEF_KEY=<Transaction Definition Key>
Follow the instructions in this section to build reports for entities and transactions.
Use the SQL Queries or Views built using the information mentioned in Section 24.1.10.2.3, "Build Entity Data SQL Queries and Views."
Use the SQL Queries or Views built using the information mentioned in Section 24.1.10.3.2, "Build Transaction Data SQL Queries and Views."
The Fusion Middleware Audit Framework leverages Oracle BI Publisher to audit data recorded to an audit database. By using Oracle BI Publisher, you can take advantage of powerful reporting features such as flexible report display, filtering, scheduling, and custom reporting.
Oracle Adaptive Access Manager uses the Oracle Fusion Middleware Common Audit Framework to support auditing for a number of events. The Oracle Fusion Middleware Common Audit Framework provides uniform logging.
While auditing can be enabled or disabled, it is normally enabled in production environments. Auditing has minimal performance impact, and the information captured by auditing can be useful (even mission-critical).
Audit data can be written to either a single, centralized Oracle Database instance or to flat files known as bug-stops. Regardless of where the audit record is stored, it contains a sequence of items that can be configured to meet particular requirements. The audit log file helps the audit administrator track errors and diagnose problems if the audit framework is not working properly.
Database Logging: Implements the Common Auditing Framework across a range of Oracle Fusion Middleware products. The benefit is audit-function commonality at the platform level.
Database Audit Store: In production environments, Oracle recommends using a database audit store to provide scalability and high-availability for the Common Audit Framework. Audit data is cumulative and grows over time. Ideally this is a database for only audit data; not used by other applications.
The Oracle Fusion Middleware Audit Framework schema for audit log tables is provided by the Oracle Fusion Middleware Repository Creation Utility (RCU), which must be run before you can log information to the database.
OAAM events are those generated when the Oracle Adaptive Access Manager Console is used.
The OAAM events that can be audited and the details captured in them are listed in this section. These event definitions and configurations are implemented as part of the audit service in Oracle Platform Security Services.
Customer Care events are shown in Table 24-4.
Table 24-4 Customer Care Events
Event | Event Data |
---|---|
Create CSR Case |
CaseId, UserGroupName, UserId, CaseSeverity, Description |
Update Cases |
CaseId, CaseSeverity, CaseStatus, CaseDisposition, CaseExpirationDurationInHrs, ActionNotes, CaseActionResult |
Change Status |
CaseId, CaseStatus, CaseDisposition, ActionNotes, CaseActionResult |
Perform Case Action |
CaseId, CaseActionEnum, CaseSubActionEnum, ActionNotes, CaseActionResult |
Get Challenge Question |
CaseId, ActionNotes, CaseChallengeQuestion |
Check Challenge Question Response |
CaseId, ActionNotes, CaseChallengeQuestion, CaseChallengeQuestionResult |
KBA Questions events are listed in Table 24-5.
Table 24-5 KBA Questions Events
Event | Event Data |
---|---|
Create KBA Category |
KBACategoryId, KBACategoryName, KBACategoryDetails |
Update KBA Category |
KBACategoryId, KBACategoryName, KBACategoryDetails |
Delete KBA Categories |
KBACategoryIds |
Create KBA Question |
KBAQuestionId, KBAQuestion, KBAQuestionDetails |
Update KBA Question |
KBAQuestionId, KBAQuestion, KBAQuestionDetails |
Delete KBA Questions |
KBAQuestionIds |
Create KBA Validation |
KBAValidationId, KBAValidationName, KBAValidationDetails |
Update KBA Validation |
KBAValidationId, KBAValidationName, KBAValidationDetails |
Delete KBA Validation |
KBAValidationIds |
Add KBA Validation to Global |
KBAValidationId |
Delete KBA Validation from Global |
KBAValidationId |
Update KBA Answer Logic |
KBAAnswerLogicDetails |
Update KBA Registration Logic |
KBARegistrationLogicDetails |
Policy Management events are listed in Table 24-6.
Table 24-6 Policy Management Events
Event | Event Data |
---|---|
Create Policy |
PolicyId, PolicyName, PolicyDetails |
Copy Policy |
SourcePolicyId, PolicyName, PolicyDetails |
Update Policy |
PolicyId, PolicyName, PolicyDetails |
Delete Policy |
PolicyIds |
Add Override |
PolicyId, PolicyOverrideRowId, PolicyOverrideDetails |
Update Overrides |
PolicyId, PolicyOverrideIds, PolicyOverrideDetails |
Delete Overrides |
PolicyId, PolicyOverrideIds |
Link Policy To Group |
PolicyId, GroupId, ActionNotes |
Unlink Policy from Groups |
PolicyId, GroupIds |
Create Rule |
PolicyId, RuleId, RuleName, RuleDetails |
Add Conditions to Rule |
PolicyRuleMapId, RuleConditionIds |
Update Rule in Policy |
PolicyId, RuleId, RuleName, RuleDetails |
Copy Rule to Policy |
PolicyId, PolicyRuleMapDetails |
Delete Rules from Policy |
PolicyRuleMapIds |
Update Rules Order in Policy |
PolicyRuleMapId, RuleConditionMapIds |
Update Rule Parameter values |
PolicyRuleMapId, RuleConditionMapId, RuleParamValueDetails |
Policy set management events are listed in Table 24-7.
Group/List Management events are listed in Table 24-8.
Table 24-8 Group Management Events
Event | Event Data |
---|---|
Add Group |
GroupId, GroupName, GroupDetails |
Update Group |
GroupId, GroupName, GroupDetails |
Delete Groups |
GroupIds |
Add Group Elements |
GroupId, GroupElementsDetails |
Update Group Element |
GroupId, GroupElementId, GroupElementValue |
Delete Group Elements |
GroupId, GroupElementIds |
Delete all Group Elements |
GroupId |
Pattern management events are listed in Table 24-9.
Table 24-9 Pattern Management Events
Event | Event Data |
---|---|
Pattern Update Status |
UpdatePattern |
Pattern Create |
CreatePattern |
Pattern Update |
UpdatePatternStatus |
Pattern Delete |
DeletePattern |
Pattern Add Parameter |
AddParam |
Pattern Update Parameter |
UpdateParam |
Pattern Delete Parameter |
DeleteParams |
Pattern Update Parameter Order |
UpdateParamsOrder |
Dynamic action management events are listed in Table 24-10.
Table 24-10 Dynamic Action Management Events
Event | Event Data |
---|---|
Dynamic Action Create |
CreateDynamicAction |
Dynamic Action Update |
UpdateDynamicAction |
Dynamic Action Delete |
DeleteDynamicActions |
Dynamic Action Create Instance |
CreateDynamicActionInstance |
Dynamic Action Update Instance |
UpdateDynamicActionInstance |
Dynamic Action Update Status |
UpdateDynamicActionInstanceStatus |
Dynamic Action Delete Instance |
DeleteDynamicActionInstances |
Entity Management events are listed in Table 24-11.
Table 24-11 Entity Management Events
Event | Event Data |
---|---|
Entity Create |
CreateEntityDef |
Entity Update |
|
Entity Update Status |
UpdateEntityDefStatus |
Entity Delete |
DeleteEntityDefs |
Entity Save Data |
SaveDataElements |
Entity Delete Data |
DeleteDataElements |
Entity Add ID |
AddIDSchemeElements |
Entity Update ID |
UpdateIDSchemeElements |
Entity Delete ID |
DeleteIDSchemeElements |
Entity Add Display |
AddDisplayElements |
Entity Update Display |
UpdateDisplayElements |
Entity Delete Display |
DeleteDisplayElements |
Entity Create Reference |
CreateEntityDefsRelation |
Entity Update Reference |
UpdateEntityDef |
Entity Delete Reference |
DeleteEntityDefsRelations |
When an update to attributes/properties of an entity definition is performed, the following audit events are triggered:
Update Entity Def
Update ID Scheme Elements
Save Data Elements
Transaction management events are listed in Table 24-12.
Table 24-12 Transaction Management Events
Event | Event Data |
---|---|
Transaction Create |
CreateTransactionDef |
Transaction Update |
UpdateTransactionDef |
Transaction Update Status |
UpdateTransactionDefStatus |
Transaction Delete |
DeleteTransactionDef |
Transaction Add Entity |
AddTransactionEntityDefMap |
Transaction Update Entity |
UpdateTransactionEntityDefMap |
Transaction Delete Entity |
DeleteTransactionEntityDefMaps |
Transaction Save Data |
SaveTransactionDataElemDefs |
Transaction Delete Data |
DeleteTransactionDataElemDefs |
Transaction Save Source |
SaveTransactionSourceDataElemDefs |
Transaction Delete Transaction Source Data Element Definitions |
DeleteTransactionSourceDataElemDefs |
Transaction Set Data Map |
SetTransactionDataMapping |
Transaction Delete Data Map |
DeleteTransactionDataMappings |
Transaction Set Entity Map |
SetTransactionEntityDataMapping |
Transaction Delete Entity Map |
DeleteTransactionEntityDataMappings |
When an update to attributes/properties of a transaction definition occurs, an audit event is triggered as well as audit events of related APIs. For example, when the transaction "save source" is performed the following audit events are also triggered:
Save transaction data-element defs
Update a transaction definition
Snapshot management events are listed in Table 24-13.
OAAM Server Administration events are listed in Table 24-14
User events are listed in Table 24-15.
Import events are listed in Table 24-16.
Event | Event Data |
---|---|
Import Policy |
ImportPolicies |
Import KBA |
ImportKBAQuestions |
Import Dynamic Action |
ImportDynamicActions |
Import Transaction |
ImportTransactions |
Import Pattern |
ImportPatterns |
Import Entity |
ImportEntities |
Import Condition |
ImportConditions |
Import Group |
ImportGroups |
Import Property |
ImportProperties |
Import Validation |
ImportValidations |
Oracle Adaptive Access Manager can be configured to write audit records to a central database. In production environments, Oracle recommends using a database audit store to provide scalability and high-availability for the Common Audit Framework. Audit data is cumulative and grows over time. Ideally this is a database for only audit data; not used by other applications.
Configuring auditing for Oracle Adaptive Access Manager as follows:
Run the Oracle Fusion Middleware Repository Creation Utility (RCU) against the database, as described in "Create the Audit Schema using RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Set up audit data sources for the audit loader and configure it for the OAAM Server as described in "Set Up Audit Data Sources" in the Oracle Fusion Middleware Application Security Guide.
Enable the audit Policy and Audit Store by using Fusion Middleware Control.
Set up Oracle Business Intelligence Publisher audit reports.
Restart the WebLogic Server.
For information on deploying auditing, refer to "Configuring and Managing Auditing" in the Oracle Fusion Middleware Application Security Guide.
To switch to a database as the permanent store for your audit records, you first use the Oracle Fusion Middleware Repository Creation Utility (RCU) to create a database store for audit data.
Before you begin, make sure to collect the details on which database to use, along with the DBA credentials to use. Create the audit schema using RCU by selecting Audit Services when running RCU. When running RCU, and selecting the OAAM component, it does not select Audit by default. Hence, by default, the audit data is on a file system (IAMDomain/servers/AdminServer/logs/auditlogs/JPS/audit.log) rather than a database. If you want to use audit in production, it is advised to configure the audit schema when running RCU.
After you create a database schema to store audit records in a database, you must set up an Oracle WebLogic Server audit data source that points to that schema.
Define a JDBC data source for the audit database by using the WebLogic Administration Console so that the WebLogic server can access the database. You must configure the data source on the administration server and on all WebLogic managed server instances running Oracle Adaptive Access Manager server. Refer to the Oracle Fusion Middleware Application Security Guide for specific steps to follow to configure the data source.
Enable Audit Policy and Audit Store by using Fusion Middleware Control.
An audit policy is a declaration of the type of events to be captured by the audit framework for a particular component.
Change auditing store from file to database: navigate to the WebLogic Domain, then IAM_Domain, then Security, then Audit Store. Specify the JNDI name of the data source for the audit database.
Enable audit policies: navigate to the WebLogic Domain, then IAM_Domain, then Security, then Audit Policy.
You must install Oracle BI Publisher and verify it is operational before installing the Fusion Middleware Audit reports. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
Perform the following steps to set up standard Oracle BI Publisher audit reports in their default formats out-of-the-box.
Stop the Oracle BI Publisher server. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
Unjar the AuditReportTemplates.jar to a location on your Oracle BI Publisher server. For example:
/ORACLE_BI_PUBLISHER_HOME/xmlp/XMLP/reports
You can find AuditReportTemplates.jar at $MW_ORA_HOME/oracle_common/modules/oracle.iau_<version>/reports/AuditReportTemplates.jar.
Start the Oracle BI Publisher server. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
Configure the JDBC Data Source for the reports by performing the following steps:
Log in to Oracle BI Publisher from a Web browser as an Administrator. Refer to Oracle Business Intelligence Publisher Documentation if you need more information.
Click the Admin tab, then click JDBC under Data Sources, and then click the Add Data Source button. The Add Data Source screen appears.
Enter the following information in the fields on the Add Data Source screen. Replace the variable values in the following examples with the actual values for your audit schema.
Field | Data to Enter |
---|---|
Data Source Name | Audit
Provide a name for the data source. |
Connection String | jdbc:oracle:thin:@ host:port:sid |
User Name | User name for a audit schema user. |
Password | Password for user identified in the User Name field. |
Database Driver Class | oracle.jdbc.driver.OracleDriver |
Test for a successful connection. If the connection is not successful, check the values you entered.
Click Apply.
Restart WebLogic Server instances: You must restart all the WebLogic Server instances (the admin server and all the managed server instances in the domain). During the restart, the audit loader rereads the audit store configuration and starts using the database for auditing.
To generate Fusion Middleware Audit Framework reports in Oracle BI Publisher, perform the following steps:
Log in to Oracle BI Publisher.
Select the Reports tab.
Click More to expose the list of standard reports, including audit reports.
Click Oracle_Fusion_Middleware_Audit, then navigate to the report you want to run.
Use filter options in the top part of the report page to filter reported data in various ways. Report data appears on the bottom part of the report page.
For information, refer to "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Application Security Guide.
Perform the following steps to run the Fusion Middleware common user activities reports in Oracle BI Publisher:
Log in to Oracle BI Publisher.
Select the Reports tab.
Click More to expose the list of standard reports, including audit reports.
Click Oracle_Fusion_Middleware_Audit, then navigate to the report you want to run.
Select All Events.
You can use the standard audit reports in their default formats out-of-the-box. However, if you want to customize the scope of data and other related aspects of the reports, you do so by setting up audit report filters.
For information, refer to "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Application Security Guide.
Clicking on the report's Schedule button brings up a page which you can use to schedule and administer the report.
For information on customizing audit reports, refer to "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Application Security Guide.
The data in the database audit store is exposed through OAAM reports. OAAM audit reports are not available with Oracle Adaptive Access Manager out of the box. Oracle Fusion Middleware Audit Framework ships with a set of pre-defined reports that are designed to work, out-of-the-box, with Oracle Fusion Middleware components, but you can design and create custom reports with Oracle Business Intelligence Publisher's complete set of capabilities for designing and creating custom reports.
For information, refer to "Using Audit Analysis and Reporting" in Oracle Fusion Middleware Application Security Guide.
The following section provides a scenario of how Oracle Adaptive Access Manager's reports are used.
You are Marty, a business analyst for Acme Corp. You have been asked to gather some aggregate data on the impact to customers by the Oracle Adaptive Access Manager security system.
Directions: Run the KBA challenge statistics report and rules aggregate breakdown report. Also run the recent logins report, filtering for sessions that resulted in a block. Run all the reports with XLS output so you can share the results with your business unit.
This use case demonstrates how to use Oracle BI Publisher reports.
Log in to Oracle BI Publisher as an Analyst.
Select OAAM under Shared Folders.
Under oaam folder, select oradb.
Locate the report to run.
Under the Common folder, click RecentLogins to view the RecentLogins report.
Under the KBA folder, click ChallengeStatistics to view the Challenge Statistics report.
Under the KBA folder, click QuestionStatistics to view the QuestionStatistics report
Under the Security folder, click RulesBreakdown to view the RulesBreakdown report.
For the RecentLogins report, select Blocked in Auth Status as a search criteria.
Repeat the following steps for each report.
Click View.
In Template menu, select Excel2000 and click Export.
The LoginSummary displays login aggregate summary for the designated date range.
Log in to Oracle BI Publisher using a URL of the form:
http://
host.domain.com:port/
xmlpserver/
In the main page, click OAAM under Shared Folders and then oradb.
Under the Security folder, click LoginSummary to view the LoginSummary report.
The Login Summary Report opens with the default time range of one month.
The summary graph shows the following:
The count of sessions
The count of users
The count of registrations
The count of blocks
Save or export the report as desired.