Create Audit Reports of Users Assigned to Roles

Use the scripts in this section to automate the process of creating an audit report for users assigned to predefine roles in an environment.

This audit report shows the users assigned to predefined roles or groups that changed since the last time the report was generated. To create a daily audit report, run this script on a daily basis.

Create provisioningAuditReport.bat by copying the following script. This wrapper batch script calls the PowerShell script provisioningAuditReport.ps1, the source code for which is provided later on in this scenario.

Note:

  • Input parameters for runningprovisioningAuditReport.bat are: username, password or password_file, service_url, and identity_domain.

  • If you are using the PDF version of this document: To avoid line breaks and footer information that will render this script unusable, copy the script from the HTML version of this topic.


@echo off
set paramRequiredMessage=Syntax: provisioningAuditReport.bat USERNAME PASSWORD/PASSWORD_FILE URL IDENTITY_DOMAIN

if "%~1" == "" (
  echo User Name is missing.
  echo %paramRequiredMessage%
  exit /b 1
  )
if "%~2" == "" (
  echo Password or Password_File is missing.
  echo %paramRequiredMessage%
  exit /b 1
  )
if "%~3" == "" (
  echo URL is missing.
  echo %paramRequiredMessage%
  exit /b 1
  )

PowerShell.exe -File provisioningAuditReport.ps1 %*

provisioningAuditReport.bat calls provisioningAuditReport.ps1, which you create by copying the following script.

provisioningAuditReport.ps1 creates the audit report. Place it in the same directory where provisioningAuditReport.bat is located.


$username=$args[0]
$password=$args[1]
$url=$args[2]
$identitydomain=$args[3]

$date=$(get-date -f dd_MM_yy_HH_mm_ss)
$datedefaultformat=$(get-date)
$logdir="./logs/"
$logfile="$logdir/epmautomate-provisionauditreport-" + $date + ".log"
$reportdir="./reports/"
$provisionreport="provreport-audittest-" + $date + ".csv"
$provisionreporttemp="./provreport-audittest-temp.csv"
$provisionreportunique="./provreport-audittest-unique.csv"
$provisionreportbaselineunique="./provreport-audittest-baseline-unique.csv"

function EchoAndLogMessage
{
  $message=$args[0]
  echo "$message"
  echo "$message" >> $logfile
}

function Init
{
  $logdirexists=Test-Path $logdir
  if (!($logdirexists)) {
    mkdir $logdir 2>&1 | out-null
    }

  $logfileexists=Test-Path $logfile
  if ($logfileexists) {
    rm $logfile 2>&1 | out-null
    }

  $reportdirexists=Test-Path $reportdir
  if (!($reportdirexists)) {
    mkdir $reportdir 2>&1 | out-null
    }
}

function PostProcess
{
  rm $provisionreporttemp
  mv -Force $provisionreportunique $provisionreportbaselineunique
}

function ProcessCommand
{
  $op=$args
  echo "EPM Automate operation: epmautomate.bat $op" >> $logfile
  epmautomate.bat $op >> $logfile 2>&1
  if ($LASTEXITCODE -ne 0) {
    echo "EPM Automate operation failed: epmautomate.bat $op. See $logfile for details."
    exit
    }
}

function RunEpmAutomateCommands
{
  EchoAndLogMessage "Running EPM Automate commands to generate the provisioning report."
  ProcessCommand login $username $password $url $identitydomain
  ProcessCommand provisionreport $provisionreport
  ProcessCommand downloadfile $provisionreport
  ProcessCommand deletefile $provisionreport
  ProcessCommand logout
}

function CreateProvisionReportTempFile
{
  # Loop through iteration csv file and parse
  Get-Content $provisionreport | ForEach-Object {
  $elements=$_.split(',')
  echo "$($elements[0]),$($elements[2])" >> $provisionreporttemp
  }
}

function CreateUniqueElementsFile
{
  gc $provisionreporttemp | sort | get-unique > $provisionreportunique
}

function CheckBaselineAndCreateAuditReport
{
  $provisionreportbaselineuniqueexists=Test-Path $provisionreportbaselineunique
  if (!($provisionreportbaselineuniqueexists)) {
    EchoAndLogMessage "No existing provisioning report, so comparison with a baseline is not possible. Audit report will be created at the next test run."
  } else {
    CreateAuditReport
    }
}

function CreateAuditReport
{
  $auditreport=$reportdir + "auditreport-"+ $date + ".txt"
  $additions = @()
  $deletions = @()

  EchoAndLogMessage "Comparing previous provisioning report with the current report."
  $compare=compare-object (get-content $provisionreportunique) (get-content $provisionreportbaselineunique)

  $compare | foreach  { 
    if ($_.sideindicator -eq '<=')
     {
        $additions += $_.inputobject
      } elseif ($_.sideindicator -eq '=>') { 
        $deletions += $_.inputobject
      }
  }

  echo "Provisioning Audit Report for $datedefaultformat" > $auditreport
  echo "------------------------------------------------" >> $auditreport

  if ($additions.count -ne 0)
  {
    echo " "          >> $auditreport
    echo "Additions:" >> $auditreport
    foreach($element in $additions) { echo "$element" >> $auditreport }
    }

  if ($deletions.count -ne 0)
  {
    echo " "          >> $auditreport
    echo "Deletions:" >> $auditreport
    foreach($element in $deletions) { echo "$element" >> $auditreport }
  }

  if (($additions.count -eq 0) -and ($deletions.count -eq 0))
  {
    echo " "                                  >> $auditreport
    echo "No changes from last audit report." >> $auditreport
  }

  EchoAndLogMessage "Provisioning audit report has been generated: $auditreport."
}

Init
EchoAndLogMessage "Starting EPMAutomate provisioning audit reporting"
RunEpmAutomateCommands
CreateProvisionReportTempFile
CreateUniqueElementsFile
CheckBaselineAndCreateAuditReport
PostProcess
EchoAndLogMessage "EPMAutomate provisioning audit reporting completed"