Create Audit Reports of Users Assigned to Roles

Use the scripts in this section to automate the process of creating an audit report for users assigned to predefined roles in an environment.

This audit report shows the users assigned to predefined roles or groups that changed since the last time the report was generated. To create a daily audit report, run this script on a daily basis.

Create provisioningAuditReport.bat by copying the following script. This wrapper batch script calls the PowerShell script provisioningAuditReport.ps1, the source code for which is provided later on in this scenario.


  • Input parameters for running provisioningAuditReport.bat are: username, password or password_file, and service_url.

    If the password contains special characters, see Handling Special Characters.
  • If you are using the PDF version of this document: To avoid line breaks and footer information that will render this script unusable, copy the script from the HTML version of this topic.

@echo off
rem Wrapper: validates the three required arguments, then calls the PowerShell script.
set paramRequiredMessage=Syntax: provisioningAuditReport.bat USERNAME PASSWORD/PASSWORD_FILE URL

if "%~1" == "" (
  echo User Name is missing.
  echo %paramRequiredMessage%
  exit /b 1
)
if "%~2" == "" (
  echo Password or Password_File is missing.
  echo %paramRequiredMessage%
  exit /b 1
)
if "%~3" == "" (
  echo URL is missing.
  echo %paramRequiredMessage%
  exit /b 1
)

PowerShell.exe -File provisioningAuditReport.ps1 %*

provisioningAuditReport.bat calls provisioningAuditReport.ps1, which you create by copying the following script.

provisioningAuditReport.ps1 creates the audit report. Place it in the same directory where provisioningAuditReport.bat is located.


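# Arguments passed through by provisioningAuditReport.bat
$username=$args[0]
$password=$args[1]
$url=$args[2]

$date=$(get-date -f dd_MM_yy_HH_mm_ss)
$datedefaultformat=$(get-date)
# Directory and working-file values are not shown on this page; the ones below are assumed placeholders.
$logdir="./logs"
$logfile="$logdir/epmautomate-provisionauditreport-" + $date + ".log"
$reportdir="./reports/"
$provisionreport="provreport-audittest-" + $date + ".csv"
$provisionreporttemp="./provreport-audittest-temp.csv"
$provisionreportunique="./provreport-audittest-unique.csv"
$provisionreportbaselineunique="./provreport-audittest-baseline-unique.csv"

function EchoAndLogMessage
{
  $message=$args[0]
  echo "$message"
  echo "$message" >> $logfile
}

function Init
{
  $logdirexists=Test-Path $logdir
  if (!($logdirexists)) {
    mkdir $logdir 2>&1 | out-null
  }

  $logfileexists=Test-Path $logfile
  if ($logfileexists) {
    rm $logfile 2>&1 | out-null
  }

  $reportdirexists=Test-Path $reportdir
  if (!($reportdirexists)) {
    mkdir $reportdir 2>&1 | out-null
  }
}

function PostProcess
{
  rm $provisionreporttemp
  mv -Force $provisionreportunique $provisionreportbaselineunique
}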

function ProcessCommand
{
  $op=$args
  # The full command line is written to the log, including the login arguments;
  # use a password file rather than a plaintext password so the password is not recorded.
  echo "EPM Automate operation: epmautomate.bat $op" >> $logfile
  epmautomate.bat $op >> $logfile 2>&1
  if ($LASTEXITCODE -ne 0) {
    echo "EPM Automate operation failed: epmautomate.bat $op. See $logfile for details."
    exit 1
  }
}

function RunEpmAutomateCommands
{
  EchoAndLogMessage "Running EPM Automate commands to generate the provisioning report."
  ProcessCommand login $username $password $url
  ProcessCommand provisionreport $provisionreport
  ProcessCommand downloadfile $provisionreport
  ProcessCommand deletefile $provisionreport
  ProcessCommand logout
}

function CreateProvisionReportTempFile
{
  # Loop through iteration csv file and parse
  Get-Content $provisionreport | ForEach-Object {
    # Keep the first and third comma-separated fields of each row
    $elements=$_.split(',')
    echo "$($elements[0]),$($elements[2])" >> $provisionreporttemp
  }
}

function CreateUniqueElementsFile
{
  gc $provisionreporttemp | sort | get-unique > $provisionreportunique
}

function CheckBaselineAndCreateAuditReport
{
  $provisionreportbaselineuniqueexists=Test-Path $provisionreportbaselineunique
  if (!($provisionreportbaselineuniqueexists)) {
    EchoAndLogMessage "No existing provisioning report, so comparison with a baseline is not possible. Audit report will be created at the next test run."
  } else {
    CreateAuditReport
  }
}

function CreateAuditReport
{
  $auditreport=$reportdir + "auditreport-"+ $date + ".txt"
  $additions = @()
  $deletions = @()

  EchoAndLogMessage "Comparing previous provisioning report with the current report."
  $compare=compare-object (get-content $provisionreportunique) (get-content $provisionreportbaselineunique)

  # '<=' is an entry found only in the current report; '=>' is an entry found only in the baseline
  $compare | foreach {
    if ($_.sideindicator -eq '<=') {
      $additions += $_.inputobject
    } elseif ($_.sideindicator -eq '=>') {
      $deletions += $_.inputobject
    }
  }

  echo "Provisioning Audit Report for $datedefaultformat" > $auditreport
  echo "------------------------------------------------" >> $auditreport

  if ($additions.count -ne 0) {
    echo " "          >> $auditreport
    echo "Additions:" >> $auditreport
    foreach($element in $additions) { echo "$element" >> $auditreport }
  }

  if ($deletions.count -ne 0) {
    echo " "          >> $auditreport
    echo "Deletions:" >> $auditreport
    foreach($element in $deletions) { echo "$element" >> $auditreport }
  }

  if (($additions.count -eq 0) -and ($deletions.count -eq 0)) {
    echo " "                                  >> $auditreport
    echo "No changes from last audit report." >> $auditreport
  }

  EchoAndLogMessage "Provisioning audit report has been generated: $auditreport."
}

Init
EchoAndLogMessage "Starting EPMAutomate provisioning audit reporting"
RunEpmAutomateCommands
CreateProvisionReportTempFile
CreateUniqueElementsFile
CheckBaselineAndCreateAuditReport
PostProcess
EchoAndLogMessage "EPMAutomate provisioning audit reporting completed"
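
The comparison step can be exercised without an EPM environment. The following is an added example, not part of the script above: it applies the same first-and-third-column extraction and Compare-Object logic to two constructed CSV snippets, and parses rows with ConvertFrom-Csv so that a quoted field containing a comma does not shift the columns. The function names, the column names c0 to c2, and the sample users and roles are assumptions made for illustration.

```powershell
# Added example: baseline comparison of user/role pairs on constructed data.
# Column positions 0 and 2 follow the script above; the names c0..c2 are placeholders.
function Get-UserRolePair {
  param([string[]]$CsvLines)
  $CsvLines | ConvertFrom-Csv -Header 'c0','c1','c2' |
    ForEach-Object { "$($_.c0),$($_.c2)" } |
    Sort-Object -Unique
}

function Get-RoleAssignmentChange {
  param([string[]]$Current, [string[]]$Baseline)
  $cur  = @(Get-UserRolePair $Current)
  $base = @(Get-UserRolePair $Baseline)
  # '<=' marks a pair present only in the current report (an addition),
  # '=>' marks a pair present only in the baseline (a deletion).
  Compare-Object -ReferenceObject $cur -DifferenceObject $base |
    ForEach-Object {
      $user, $role = $_.InputObject -split ',', 2
      [pscustomobject]@{
        Change = if ($_.SideIndicator -eq '<=') { 'Addition' } else { 'Deletion' }
        User   = $user
        Role   = $role
      }
    }
}

# Constructed sample rows (not real report output).
$baseline = @(
  'jdoe,"Doe, Jane",Power User',
  'asmith,Alan Smith,Viewer'
)
$current = @(
  'jdoe,"Doe, Jane",Power User',
  'jdoe,"Doe, Jane",Service Administrator',
  'bnew,Bea New,Viewer'
)

Get-RoleAssignmentChange -Current $current -Baseline $baseline |
  Sort-Object Change, User | Format-Table -AutoSize
```

Because the result is a stream of objects rather than text lines, it can be filtered on Role before it is written to a report, for example to review additions to administrative roles first.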