15User and Role Reports

This chapter contains the following:

User and Role Access Audit Report

The User and Role Access Audit Report provides details of the function and data security privileges granted to specified users or roles. This information is equivalent to the information that you can see for a user or role on the Security Console. This report is based on data in the Applications Security tables, which you populate by running the Import User and Role Application Security Data process.

To run the User and Role Access Audit Report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the User and Role Access Audit Report process.

  3. In the Process Details dialog box, set parameters and click Submit.

  4. Click OK to close the confirmation message.

User and Role Access Audit Report Parameters

Population Type

Set this parameter to one of these values to run the report for one user, one role, multiple users, or all roles.

  • All roles

  • Multiple users

  • Role name

  • User name

User Name

Search for and select the user name of a single user.

This field is enabled only when Population Type is User name.

Role Name

Search for and select the name of a single aggregate privilege or data, job, abstract, or duty role.

This field is enabled only when Population Type is Role name.

From User Name Starting With

Enter one or more characters from the start of the first user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

To User Name Starting With

Enter one or more characters from the start of the last user name in a range of user names.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users.

User Role Name Starts With

Enter one or more characters from the start of a role name.

This field is enabled only when Population Type is Multiple users. It enables you to report on a subset of all users and roles.

Data Security Policies

Select Data Security Policies to view the data security report for any population. If you leave the option deselected, then only the function security report is generated.

Note: If you don't need the data security report, then leave the option deselected to reduce the report processing time.
Debug

Select Debug to include the role GUID in the report. The role GUID is used to troubleshoot. Select this option only when requested to do so by Oracle Support.

Viewing the Report Results

The report produces either one or two .zip files, depending on the parameters you select. When you select Data Security Policies, two .zip files are generated, one for data security policies and one for functional security policies in a hierarchical format.

The file names are in the following format: [FILE_PREFIX]_[PROCESS_ID]_[DATE]_[TIME]_[FILE_SUFFIX]. The file prefix depends on the specified Population Type value.

This table shows the file prefix values for each report type.

Report Type File Prefix

User name

USER_NAME

Role name

ROLE_NAME

Multiple users

MULTIPLE_USERS

All roles

ALL_ROLES

This table shows the file suffix, file format, and file contents for each report type.

Report Type File Suffix File Format File Contents

Any

DataSec

CSV

Data security policies. The .zip file contains one file for all users or roles. The data security policies file is generated only when Data Security Policies is selected.

Note: Extract the data security policies only when necessary, as generating this report is time consuming.

Any

Hierarchical

CSV

Functional security policies in a hierarchical format. The .zip file contains one file for each user or role.

  • Multiple users

  • All roles

CSV

CSV

Functional security policies in a comma-separated, tabular format.

The process also produces a .zip file containing a diagnostic log.

For example, if you report on a job role at 13.30 on 17 December 2015 with process ID 201547 and the Data Security Policies option selected, then the report files are:

  • ROLE_NAME_201547_12-17-2015_13-30-00_DataSec.zip

  • ROLE_NAME_201547_12-17-2015_13-30-00_Hierarchical.zip

  • Diagnostic.zip

User Role Membership Report

The User Role Membership Report lists role memberships for specified users.

To run the report process:

  1. Open the Scheduled Processes work area.

  2. Search for and select the User Role Membership Report process.

User Role Membership Report Parameters

You can specify any combination of the following parameters to identify the users whose role memberships are to appear in the report.

Note: The report may take a while to complete if you run it for all users, depending on the number of users and their roles.
User Name Begins With

Enter one or more characters of the user name.

First Name Begins With

Enter one or more characters from the user's first name.

Last Name Begins With

Enter one or more characters from the user's last name.

Department

Enter the department from the user's primary assignment.

Location

Enter the location from the user's primary assignment.

Viewing the Report

The process produces a UserRoleMemberships_processID_CSV.zip file and a Diagnostics_processID.zip file. The UserRoleMemberships_processID_CSV.zip file contains the report output in CSV format. The report shows the parameters that you specified, followed by the user details for each user in the specified population. The user details include the user name, first and last names, user status, department, location, and role memberships.

User Password Changes Audit Report

This report identifies users whose passwords were changed in a specified period. You must have the ASE_USER_PASSWORD_CHANGES_AUDIT_REPORT_PRIV function security privilege to run this report. The predefined IT Security Manager job role has this privilege by default.

To run the User Password Changes Audit Report:

  1. Open the Scheduled Processes work area.

  2. Click Schedule New Process.

  3. Search for and select the User Password Changes Audit Report process.

  4. In the Process Details dialog box, set parameters and click Submit.

  5. Click OK to close the confirmation message.

User Password Changes Audit Report Parameters

Search Type

Specify whether the report is for all users, a single, named user, or a subset of users identified by a name pattern that you specify.

User Name

Search for and select the user on whom you want to report. This field is enabled only when Search Type is set to Single user.

User Name Pattern

Enter one or more characters that appear in the user names on which you want to report. For example, you could report on all users whose user names begin with the characters SAL by entering SAL%. This field is enabled only when Search Type is set to User name pattern.

Start Date

Select the start date of the period during which password changes occurred. Changes made before this date don't appear in the report.

To Date

Select the end date of the period during which password changes occurred. Changes made after this date don't appear in the report.

Sort By

Specify how the report output is sorted. The report can be organized by either user name or the date when the password was changed.

Viewing the Report Results

The report produces these files:

  • UserPasswordUpdateReport.csv

  • UserPasswordUpdateReport.xml

  • Diagnostics_[process ID].log

For each user whose password changed in the specified period, the report includes:

  • The user name.

  • The first and last names of the user.

  • The user name of the person who changed the password.

  • How the password was changed:

    • ADMIN means that the change was made for the user by a line manager or the IT Security manager, for example.

    • SELF_SERVICE means that the user made the change by setting preferences or requesting a password reset, for example.

    • FORGOT_PASSWORD means that the user clicked the Forgot Password link when signing in.

  • The date and time of the change.

Inactive Users Report

Run the Inactive Users Report process to identify users who haven't signed in for a specified period.

To run the report:

  1. In the Scheduled Processes work area, click Schedule New Process.

  2. Search for and select the Import User Login History process.

    Note: Whenever you run the Inactive Users Report process, you must first run the Import User Login History process. This process imports information that the Inactive Users Report process uses to identify inactive users. You're recommended to schedule Import User Login History to run daily.
  3. When the Import User Login History process completes, search for and select the Inactive Users Report process.

  4. In the Process Details dialog box, set parameters to identify one or more users.

  5. Click Submit.

Inactive Users Report Parameters

All parameters except Days Since Last Activity are optional.

User Name Begins With

Enter one or more characters.

First Name Begins With

Enter one or more characters.

Last Name Begins With

Enter one or more characters.

Department

Enter the department from the user's primary assignment.

Location

Enter the location from the user's primary assignment.

Days Since Last Activity

Enter the number of days since the user last signed in. Use this parameter to specify the meaning of the term inactive user in your enterprise. Use other parameters to filter the results.

This value is required and is 30 by default. This value identifies users who haven't signed in during the last 30 or more days.

Last Activity Start Date

Specify the start date of a period in which the last activity must fall.

Last Activity End Date

Specify the end date of a period in which the last activity must fall.

Viewing the Report

The process produces an Inactive_Users_List_processID.xml file and a Diagnostics_processID.zip file.

The report includes the following details for each user who satisfies the report parameters:

  • Number of days since the user was last active

  • Date of last activity

  • User name

  • First and last names

  • Assignment department

  • Assignment location

  • City and country

  • Report time stamp

Note: The information in the report relating to the user's latest activity isn't based solely on actions performed by the user in the UI. Actions performed on behalf of the user, which create user sessions, also affect these values. For example, running processes, making web service requests, and running batch processes are interpreted as user activity.

User History Report

This topic describes the User History report, which extracts and formats the history of a specified user account. Oracle Support might ask you to run this report to help diagnose user-related errors. To run the report, you must inherit the ORA_PER_MANAGE_USER_AND_ROLES_DUTY_OBI (Manage Users) duty role. Several predefined job roles, including IT Security Manager, inherit this duty role.

Follow these steps to run the report.

  1. Select Navigator > My Team > Users and Roles.

  2. On the Search Person page, search for the person of interest.

  3. In the search results, click the person name to open the Edit User page.

  4. On the Edit User page, click Print User History. In the User History dialog box, you can review the report.

    You can either print the report or download a PDF file by clicking relevant icons in the User History dialog box.

  5. Click Cancel to close the User History dialog box.

Tip: You don't have to view the report. You can select Print User History > Download to download the PDF file. The file name is in the format <person ID>_UserHistory.pdf.

This report is identical to the HCM Person User Information report, which authorized users can run in the HCM Reports and Analytics work area. Information is provided in this report for sales resources who are also defined as users in HCM.

Report Contents

For the selected user, the report includes:

  • Person information

  • User history

  • Provisioned roles and details of any associated role mappings

  • Role delegation details

  • LDAP request details

  • Work relationship and assignment information