23 Using Reporting Features

Reporting uses the standard features of Oracle BI Publisher. Using reports involve understanding the output formats, types of reports, and required scheduled tasks, and following best practices for using reports.

This chapter describes reporting in Oracle Identity Manager. It contains the following sections:

23.1 About Reporting in Oracle Identity Governance

Oracle Business Intelligence (BI) Publisher is Oracle's primary reporting tool for authoring, managing, and delivering all your highly formatted documents.

You can use standalone BI Publisher to view and run Oracle Identity Manager reports.

After BI Publisher configuration, you can take advantage of the standard features of BI Publisher, such as:

  • Highly formatted and professional quality reports with pagination and headers/footers.

  • PDF, Word, and HTML output of reports.

  • Capability to develop your own custom reports against the Oracle Identity Manager repository (read-only repository access).

  • BI Publisher's scheduling capabilities and delivery mechanisms, such as e-mail and FTP.

  • Format (report) can be edited separately from the data definition (data model).

  • Standardized Oracle Identity subtemplate for headers.

  • National Language Support (NLS) for BI Publisher report output.

Note:

Before using Oracle Identity Manager reports, configure standalone BI Publisher reports. See Configuring Reports in Developing and Customizing Applications for Oracle Identity Governance.

23.2 Supported Output Formats for Reports

BI Publisher supports multiple report output formats, such as HTML, PDF, RTF, and MHTML.

All reports are generated in a native XML format which can be transformed into different other output formats. The following formats are supported:

  • HTML

  • PDF

  • RTF

  • MHTML

23.3 Classification of Oracle Identity Governance Reports

Oracle Identity Governance reports are classified into various categories based on functional areas.

All the reports containing Date type input parameters must be provided with the date range in the Date Input Parameters before running the report. Otherwise, the reports will not display any data.

Oracle Identity Manager Reports are classified into the following categories based on their functional areas:

23.3.1 Access Policy Reports

The access policy reports are Access Policy Details and Access Policy List by Role.

Oracle Identity Manager BI Publisher Reports provides the following access policy reports for Oracle Identity Manager:

23.3.1.1 Access Policy Details

It provides administrators or auditors the ability to view a current snapshot of all the policies associated only with roles defined in Oracle Identity Manager system, along with key information about each policy, and the number of instances in which each policy has been activated.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Access Policy Name

Name of the Access Policy

Fields

The following table lists the fields of the report:

Report Field Description

Description

Description of the policy

Approval Required

Approval required for the policy

Creation Date

Date when the policy is created

Retrofit Access Policy

Retrofit of the access policy

Created By

Name of the person who created the policy

Priority

Priority of the policy

Columns

The following table lists the columns of the report:

Report Column Description

Application Instance Name

Name of the application instance

23.3.1.2 Access Policy List by Role

It lists all policies defined in Oracle Identity Manager system by role. This report can be used for operational and compliance purposes.

Input Parameters

The following table lists the input parameters for the report:

Report Parameter Description

Role Name

Name of the role

Fields

The following table lists the fields of the report:

Report Field Description

Description

Description of the policy

Approval Required

Approval required for the policy

Creation Date

Date when the policy is created

Retrofit Access Policy

Retrofit of the access policy

Created By

Name of the person who created the policy

Priority

Priority of the policy

Columns

The following table lists the columns of the report:

Report Column Description

Role Name

Name of the role

23.3.2 Request and Approval Reports

The request and approval reports are Approval Activity Report, Request Details Report, Request Summary Report, and Task Assignment History.

Oracle Identity Manager BI Publisher Reports provides the following request and approval reports for Oracle Identity Manager:

23.3.2.1 Approval Activity Report

This report provides the administrators the ability to view the approval activity including requests that are approved, rejected, or pending.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Approver's First Name

First name of the approver

Approver's Last Name

Last name of the approver

Approver's User ID

User ID of the approver

Organization

Name of the organization

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

Approver's First Name

First name of the approver

Approver's Last Name

Last name of the approver

Approver's User ID

User ID of the approver

Organization

Organization of the approver

Approval Accepted

Count of the accepted approval

Approval Rejected

Count of the rejected approval

Approvals Pending

Count of the pending approval

Approval Requests Total

Total number of approval requests

23.3.2.2 Request Details Report

This report provides administrators the ability to view the details (requestor, current approver and so on) of all requests with the input current status. Additionally, this report displays the details of all users (user name, organization, manager details, user status and so on) that will be provisioned as a result of the request approval. This helps administrators in planning and prioritizing operational activities so that they may expedite the closure of pending requests.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Requestor User First Name

First name of the requestor

Requestor User Last Name

Last name of the requestor

Request User ID

ID of the requestor

Request ID

Request ID

Request Parent ID

Parent ID of the request

Request Status

Status of the request

Request Type

Type of the request

Request Date From

Start date of the request

Request Date To

End date of the request

Beneficiary User First Name

First name of the beneficiary

Beneficiary User Last Name

Last name of the beneficiary

Beneficiary User ID

ID of the beneficiary

Fields

The following table lists the fields of the report:

Report Field Description

Request ID

Request ID

Request Type

Type of the request

Requester User ID

ID of the requester

Request Date

Date on which request is initiated

Approver User ID

ID of the approver

Current Status

Status of the request

Parent Request ID

ID of the parent Requester

Columns

The following table lists the columns of the report, if a beneficiary is present:

Report Column Description

First Name

First name of the beneficiary

Last Name

Last name of the beneficiary

User ID

ID of the beneficiary

User Type

Type of user

User Status

Status of the beneficiary

Organization

Organization of the beneficiary

Request Value

Request value of the resource

The following table lists the columns of the report, if a beneficiary is not present:

Report Column Description

Request Name

Name of the request

Request Value

Value of the request

The following table provides the approver details:

Report Column Description

Approver User ID

User ID of the approver of the request

Approver User Name

User name of the approver of the request

23.3.2.3 Request Summary Report

This report provides administrators the ability to view the current status of all requests raised in the specified time interval. This helps administrators in planning and prioritizing operational activities so that they may expedite the closure of pending requests.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Request Type

Type of request

Request Date From

Start date of the request

Request Date To

End date of the request

Organization

Details of the organization

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

Request ID

Request ID

Parent Request ID

ID of the parent Requester

Request Type

Type of request

Request Status

Status of request

Requester User ID

ID of the requester

Requester User Name

Name of the requester of the request

Beneficiary User ID

ID of the beneficiary

Request Details

Details of the request

Approver User ID

ID of the approver

Approver User Name

Name of the approver of the request

Request Date

Date of request

23.3.2.4 Task Assignment History

It lists the history of all task assignments.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Assignee User ID

ID of the assignee user

Assignee First Name

First name of the assignee user

Assignee Last Name

Last name of the assignee user

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

User ID

ID of the beneficiary

Assignee First Name

First name of the assignee

Assignee Last Name

Last name of the assignee

Assignee User ID

ID of the assignee

Assignee Role Name

Role name of the assignee

Assignee User Name

User name of the assignee

Employee Type

Type of employee

23.3.3 Role and Organization Reports

The role and organization reports are Role Membership History, Role Membership Profile, Role Membership, Organization Details, and User Membership History.

Oracle Identity Manager provides the following role and organization reports:

23.3.3.1 Role Membership History

This report displays membership history of all the roles. The report will not show indirect memberships.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Role Name

Name of the role

Role Category

Category of the role

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Employee Status

Status of the employee: Active, Disabled, Deleted, Disabled Until Start Date

Membership Status

Status of membership: Revoked, Active

Effective From

Role membership effective from date

Effective To

Role membership effective to date

Fields

The following table lists the fields of the report:

Report Field Description

Created By

Name of the person who created the role

Creation Date

Date on which the role was created

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Employee Type

Type of employee

Employee Status

Status of the employee

Membership Status

Membership date of the user

Effective From

Membership start date of the user

Effective To

Membership end date of the user

Manager's First Name

First name of the manager

Manager's Last Name

Last name of the manager

Manager's User ID

ID of the manager

Updated By

Name of the user who updated the record

23.3.3.2 Role Membership Profile

This report shows number of users present for number of roles and the details of users belonging to count number of roles.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Organization

Organization of the user

Fields

The following table lists the fields of the report:

Report Field Description

Membership in Number of Roles

Number of members in number of roles

Number of Users

Number of users in the role

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

23.3.3.3 Role Membership

This report displays membership details of all roles.

Input Parameters

The following table lists input parameters for the report.

Report Parameter Description

Role Name

Name of the role

Role Category

Category of the role

Organization

Name of the organization

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Employee Status

Status of the employee: Active, Disabled, Deleted, Disabled Until Start Date

Fields

The following table lists the fields of the report:

Report Field Description

Created By

Name of the person who created the user

Creation Date

Date on which the user is created

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of user

Employee Status

Status of the user

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Member Since

Joining date of the user

Manager's First Name

First name of the manager

Manager's Last Name

Last name of the manager

Manager's User ID

ID of the manager

23.3.3.4 Organization Details

It lists the hierarchical organization structure and details about users in the organization.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Organization Name

Name of the organization

Fields

The following table lists the fields of the report:

Report Field Description

Parent Organization Name

Name of the parent organization

Columns

The following table lists the columns of the report:

Report Column Description

Role

Name of Administrator User roles

First Name

First name of the user in the organization

Last Name

Last name of the user in the organization

User ID

ID of the user

User Status

Status of the user

User Type

Type of user

Start Date

Joining date of the user

End Date

Leaving date of the user

23.3.3.5 User Membership History

This report lists the logged in users with their membership history.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Last Name

First name of the user

First Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Status

Status of the employee: Active, Disabled, Deleted, Disabled Until Start Date

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Fields

The following table lists the fields of the report:

Report Field Description

User ID

ID of the user

User First Name

First name of the user

User Last Name

Last name of the user

Organization

Organization of the user

Employee Status

Status of the employee: Active, Disabled, Deleted, Disabled Until Start Date

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Columns

The following table lists the columns of the report:

Report Column Description

User Role

Name of the user role

Membership Status

Status of membership

Effective From

Date from which the membership is effective

Updated By

User who updated the record

23.3.4 Password Reports

The password reports are Password Expiration Summary Report, Password Reset Summary Report, and Resource Password Expiration Report.

Oracle Identity Manager provides the following password reports:

23.3.4.1 Password Expiration Summary Report

This report shows the list of all active users whose Oracle Identity Manager passwords are about to expire within a specified period.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Last Name

Last name of the user

First Name

First name of the user

User ID

ID of the user

Organization

Organization of the user

Expiration Date Range From

Start date of the expiration date

Expiration Date Range To

End date of the expiration date

Fields

N/A

Columns

The following table lists the columns of the report:

Report Field Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Employee Type

Type of the employee: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Employee Status

Status of the employee: Active, Disabled, Deleted, Disabled Until Start Date

Organization

Organization of the user

Password Expiration Date

Date on which the password expires

23.3.4.2 Password Reset Summary Report

This report provides the ability to view the aggregated metrics around password change attempts done by users themselves or on behalf of them. The metrics include all password change attempts, successful or failure outcome of password change attempt, users locked due to multiple concurrent unsuccessful password change attempts.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Aggregation Frequency

The frequency of the report generated

Date Range From

Start date of the report generated

Date Range To

End date of the report generated

Organization

Name of the organization

Fields

The following table lists the fields of the report:

Report Field Description

Aggregation Frequency

The frequency of the report generated

Columns

The following table lists the columns of the report:

Report Column Description

Time Period

Date and time of reset attempts performed

Reset Attempts

Number of reset attempts

Failed Reset Attempts

Number of failed reset attempts

Locked Users due to Failed Reset Attempts

Number of users locked due to a failed reset attempt

Resets by non-beneficiary

Number of resets by non-beneficiary

23.3.4.3 Resource Password Expiration Report

It lists users whose resource passwords will expire in a specified time period.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

User Status

Status of the user

Password Expiration Date From

The password expiry starting date

Password Expiration Date To

The password expiry ending date

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Field Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

User Status

Status of the user: Active, Disabled, Deleted, Disabled Until Start Date

User Type

Type of the user: Full-Time, Part-Time, Temp, Intern, Consultant, Contractor

Password Expiration Date

Date on which the password expires

23.3.5 Resource and Entitlement Reports

The resource and entitlement reports are Account Activity In Resource, Delegated Admins and Permissions by Resource, Delegated Admins by Resource, Entitlement Access List, Entitlement Access List History, Financially Significant Resource Details, Resource Access List History, Resource Access List, Resource Account Summary, Resource Activity Summary, User Resource Access History, User Resource Access, User Resource Entitlement, and User Resource Entitlement History.

Oracle Identity Manager BI Publisher Reports provides the following resource and entitlement reports for Oracle Identity Manager:

23.3.5.1 Account Activity In Resource

The Account Activity in Resource report lists all account activities in each resource, and provides information on how each user is associated with a specific activity of that resource.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Date Range From

Date from which reports are displayed

Date Range To

Date to which reports are displayed

Fields

The following table lists the fields of the report:

Report Field Description

Resource Name

Name of the resource

Activity Type

The type of activity

Resource Authorizer User Role(s)

Name of the role which authorize the role

Resource Administrator User Role(s)

Name of the role which authorize the resource

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

User Status

Status of the user: Active, Disabled, Deleted, Disabled Until Start Date

Organization

Organization of the user

Manager's User ID

ID of the manager

Timestamp

Date when the report is created

23.3.5.2 Delegated Admins and Permissions by Resource

This report displays the list of user roles with write and delete access that are administrators of the resource.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

Administrator Role Name

Name of the Administrator role

Administrator Role Information

Information about the Administrator role

Read Access

Indicates whether the resource has read access

Write Access

Indicates whether the resource has write access

Delete Access

Indicates whether the resource has delete access

Authorizer Role

Authorizer role name

Name Priority

Priority of the resource

Created By

Name of the person who created the resource

Creation Date

Resource creation date

23.3.5.3 Delegated Admins by Resource

The report displays the list of user roles that are the administrators or authorizers of the resource and members of those roles.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Resource Type

Type of resource

Resource Audit Objective

Objective to carry out the audit for the resource

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Target

Indicates whether the resource is a target for organization or user

Write Access

Indicates whether the resource has write access

Delete Access

Indicates whether the resource has delete access

Creation By

Resource creation source

Creation Date

Date on which resource is created

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

User Status

Status of the user

Member Since

Joining date of the user

Manager's First Name

First name of the manager

Manager's Last Name

Last name of the manager

Manager's User ID

ID of the manager

23.3.5.4 Entitlement Access List

This report provides administrators or auditors the ability to query all existing users, who have a specified entitlement. This report can be used for operational and compliance purposes.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Entitlement Code

Code of the entitlement

Resource Name

Name of the resource

Organization

Organization of the user

Role Name

Name of the role

User Status

Status of the user: Active, Disabled, Deleted, Disabled Until Start Date

User Type

Type of user

Provisioning Date From

Date from which the resource is provisioned to the user

Provisioning Date To

Date to which the resource is provisioned to the user

Fields

The following table lists the fields of the report:

Report Field Description

Entitlement Code

Code of the entitlement

Entitlement Name

Name of the entitlement

Entitlement status

Status of the entitlement.

Resource Name

Name of the resource

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

User Id

ID of the user

First Name

First name of the user

Last Name

Last name of the user

User Status

User Status

User Type

Type of the user

Organization

Organization of the user

Valid To Date

Entitlement valid from date

Valid From Date

Entitlement valid to date

23.3.5.5 Entitlement Access List History

This report provides administrators or auditors the ability to query all existing users provisioned to a entitlement over its lifecycle. This is a lifetime report showing entire history of resource's access list or entitlements.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Entitlement Code

Code of the entitlement

Resource Name

Name of the resource

Organization

Organization of the user

Role Name

Name of the role

User Status

Status of the user: Active, Disabled, Deleted, Disabled Until Start Date

User Type

Type of user

Effective From Date

Entitlement effective from date

Effective To Date

Entitlement effective to date

Fields

The following table lists the fields of the report:

Report Field Description

Entitlement Code

Code of the entitlement

Entitlement Name

Name of the entitlement

Resource Name

Name of the resource

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

User Id

ID of the user

First Name

First name of the user

Last Name

Last name of the user

User Status

Status of the user

User Type

Type of user

Effective From

Entitlement effective from date

Effective To

Entitlement effective to date

23.3.5.6 Financially Significant Resource Details

This report provides Administrators to get a list of financially significant resources to prioritize various administrative and cleanup activities. It also helps Compliance or Privacy and Security officers assessing effectiveness of preventive and detective controls in financial significant resources and Auditors to understand the IT resources that host financial data.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

User Roles

Lists the resource administrator user roles

23.3.5.7 Resource Access List History

This report provides administrators or auditors the ability to query all existing users provisioned to a resource over its lifecycle. This is a lifetime report showing entire history of resource's access list or entitlements.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

User Status

Status of the user

User Type

Type of the user

Snapshot Date From

Effective start date of resource access to the user

Snapshot Date To

Effective end date of resource access to the user

Changes Date From

Resource changed from date to user

Changes Date To

Resource changed to date to user

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Resource Descriptive data

Descriptive data to identify the resource

User Status

Status of the user

Resource Status

Status of the resource

Effective From

Effective start date

Effective To

Effective end date

23.3.5.8 Resource Access List

This report provides administrators or auditors the ability to query all existing users provisioned to a specified resource. This report can be used for operational and compliance purposes.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

User Status

Status of the user

User Type

Type of the user

Provisioning Date From

Resource provision start date

Provisioning Date To

Resource provision end date

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

User Type

Type of the user

User Status

Status of the user

Organization

Organization of the user

Provisioning Date

Date on which the resource is provisioned

23.3.5.9 Resource Account Summary

This report lists the number of users for each status within each resource.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Resource Type

Type of resource

Account Status

Status of the account

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Total Number of Users

Total number of users associated with the account

Columns

The following table lists the columns of the report:

Report Column Description

Account Status

Status of the account

Number of Users

Number of users with that account status

23.3.5.10 Resource Activity Summary

It lists the history of all provisioning and approval activities for a resource.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Date Range From

Start date

Date Range To

End date

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

Accounts Provisioned

Number of accounts provisioned

Accounts De-Provisioned

Number of accounts de-provisioned

Approval Requests

Number of approval requests

Approval Accepted

Number of approved requests

Approval Rejected

Number of rejected requests

23.3.5.11 User Resource Access History

This report provides administrators or auditors the ability to view user's resource access history over user's lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a user access profile snapshot report. This is a lifetime report showing entire history of user's entitlements.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Status

Status of the user

Employee Type

Type of employee

Fields

The following table lists the fields of the report:

Report Field Description

User ID

ID of the user

User First Name

First name of the user

User Last Name

Last name of the user

Manager User ID

ID of the reporting Manager

Manager First Name

First name of the reporting Manager

Manager Last Name

Last name of the reporting Manager

Organization

Organization of the user

Employee Status

Status of employee

Employee Type

Type of employee

Identity Creation Date

User creation date

Columns

The following table lists the columns of the report:

Report Column Description

Resource Name

Name of the resource

Resource Descriptive Data

Description of the resource

Provisioned Date

Date on which the resource is provisioned

Provisioned By

Name of the person who provisioned the resource

Effective From

Effective start date of resource access to the user

Effective To

Effective end date of resource access to the user

23.3.5.12 User Resource Access

This report provides administrators or auditors the ability to query all existing users provisioned to a specified resource. This report can be used for operational and compliance purposes.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Status

Status of employee

Employee Type

Type of employee

Fields

The following table lists the fields of the report:

Report Field Description

User ID

ID of the user

User First Name

First name of the user

User Last Name

Last name of the user

Manager User ID

ID of the reporting Manager

Manager First Name

First name of the reporting Manager

Manager Last Name

Last name of the reporting Manager

Organization

Organization of the user

Employee Status

Status of employee

Employee Type

Type of employee

Identity Creation Date

User creation date

Columns

The following table lists the columns of the report:

Report Column Description

Resource Name

Name of the resource

Resource Descriptive Data

Description of the resource

Resource Status

Status of the resource

Provisioned Date

Date on which the resource is provisioned

23.3.5.13 User Resource Entitlement

This report provides administrators or auditors the ability to query all existing entitlements provisioned to specific users. This report can be used for operational and compliance purposes.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

User ID

ID of the user

First Name

First name of the user

Last Name

Last name of the user

Email

Email of the user

Resource Name

Name of the resource

Organization

Organization of the user

Role Name

Name of the role

User Status

Status of the user

User Type

Type of the user

Fields

The following table lists the fields of the report:

Report Field Description

User ID

ID of the user

First Name

First name of the user

Middle Name

Middle name of the user

Last Name

Last name of the user

Email

Email of the user

Organization

Organization of the user

User Status

Status of the user

User Type

Type of the user

Manager First Name

First name of the manager

Manager Last Name

Last name of the manager

Start Date

Entitlement of resource start date

End Date

Entitlement of resource end date

Columns

The following table lists the columns of the report:

Report Column Description

Entitlement Code

Code of the entitlement

Entitlement Name

Name of the entitlement

Entitlement Status

Status of the entitlement

Resource

Type of the resource

Provisioning Start

Date from which the resource is provisioned to the user

Valid From Date

Entitlement of resource valid start date

23.3.5.14 User Resource Entitlement History

This report provides administrators or auditors the ability to view user's resource entitlement history over user's lifecycle. This report can be used for compliance and forensic auditing purposes. This is not a user access profile snapshot report. This is a lifetime report showing entire history of user's entitlements.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

User ID

ID of the user

First Name

First name of the user

Last Name

Last name of the user

Email

Email of the user

Resource Name

Name of the resource

Organization

Organization of the user

Role Name

Name of the role

User Status

Status of the user

User Type

Type of the user

Effective From Date

Resource entitlement effective start date

Effective To Date

Resource entitlement effective end date

Fields

The following table lists the fields of the report:

Report Field Description

User ID

ID of the user

First Name

First name of the user

Last Name

Last name of the user

User Status

Status of the user

User Type

Type of the user

Organization

Organization of the user

Email

Email of the user

Start Date

Start date of resource entitlement

End Date

End date of resource entitlement

Identity Creation Date

Date of identity creation

Manager First Name

First name of the manager

Manager Last Name

Last name of the manager

Columns

The following table lists the columns of the report:

Report Column Description

Entitlement Code

Code of the entitlement

Entitlement Name

Name of the entitlement

Resource

Type of the resource

Effective From Date

Resource entitlement effective start date

Effective To Date

Resource entitlement effective end date

23.3.6 User Reports

The user reports are User Creation, User Profile History, User Summary, Users Deleted, Users Disabled, and Users Unlocked.

Oracle Identity Manager provides the following user reports:

23.3.6.1 User Creation

This report lists all Oracle Identity Manager users created between a specified date range. In addition, it provides the source of information on the users created.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Employee Status

Status of the user

Employee Type

Type of employee

Creation Date From

Start date of user summary

Creation Date To

End date of user summary

Organization

Organization of the user

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Current Status

Status of the user

Employee Type

Type of employee

Manager ID

ID of the Manager to whom the user reports

Source of Creation

User creation source

Creation On

Date on which the user is created

Created By

User who created the user

23.3.6.2 User Profile History

This report shows all the users and their details based on the input parameters.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Role Name

Role of the user

Manager User ID

ID of the Manager to whom the user reports

Employee Status

Status of the user

Employee Type

Type of employee

Changes Date Range From

Effective start date of the changes

Changes Date Range To

Effective end date of the changes

Snapshot Date Range From

Effective start date of resource access to the user

Snapshot Date Range To

Effective end date of resource access to the user

Fields

The following table lists the fields of the report:

Report Field Description

User ID

ID of the user

User First Name

First name of the user

User Last Name

Last name of the user

Manager User ID

ID of the reporting Manager

Manager First Name

First name of the reporting Manager

Manager Last Name

Last name of the reporting Manager

Organization

Organization of the user

Employee Status

Status of employee

Employee Type

Type of employee

Identity Creation Date

User creation date

Columns

The following table lists the columns of the report:

Report Column Description

Profile Parameter

Name of user profile

Value

Value of user profile

Date Effective From

Effective from date

Time Effective From

Effective from time

Updated By

User who updated the record

23.3.6.3 User Summary

It lists all Oracle Identity Manager User's summary in a specified time period. It includes user details along with source of creation, and who created it and when.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Employee Status

Status of the user

Employee Type

Type of employee

Creation Date From

Start date of user summary

Creation Date To

End date of user summary

Organization

Organization of the user

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Status

Status of the user

Employee Type

Type of employee

Manager ID

ID of the Manager to whom the user reports

Source

User creation source

Creation Date

Date at which the user is created

23.3.6.4 Users Deleted

This report shows all the deleted users and their details based on input parameters.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Type

Type of employee

Deletion Date From

Start date of summary of deleted users

Deletion Date To

End date of summary of deleted users

Organization

Organization of the user

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Type

Type of employee

Manager ID

ID of the Manager to whom the user reports

Source

User creation source

Deletion Date

Date at which the user is deleted

23.3.6.5 Users Disabled

This report provides the ability to view the details of users whose accounts are disabled. The account may be disabled for various reasons, for example, unsuccessful login or password reset attempts failure.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Type

Type of employee

Disabled Date From

Start date of user disabled

Disabled Date To

End date of user disabled

Organization

Organization of the user

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Status

Current status of the employee

Employee Type

Type of employee

Manager ID

ID of the Manager to whom the user reports

Source

User creation source

Disabled Date

Date at which the user is disabled

Updated By

Users who updated the record

23.3.6.6 Users Unlocked

This report provides the ability to view the details of users whose disabled accounts are unlocked by administrators. Delegated administrators of the organizations to whom the user belongs may enable the accounts.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Type

Type of employee

Unlocked Date From

Start date of user unlocked

Unlocked Date To

End date of user unlocked

Organization

Organization of the user

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

Employee Status

Status of the user

Employee Type

Type of employee

Manager ID

ID of the Manager to whom the user reports

Source

User creation source

Unlocked Date

Date at which the user is unlocked

Updated By

User who updated the record

23.3.7 Certification Reports

Certification reports select data from the certification tables of the Oracle Identity Manager database.

There are a list of predefined or default certification reports in Oracle Identity Manager. Table 23-1 lists the default certification reports for each type of certification.

Table 23-1 Default Certification Reports

Certification Type Certification Report Description

User certification

Complete Certification Report

Presents comprehensive data of a user certification. This report includes a list of all employees and their access.

User certification

Certified Access Report

Lists access marked as certified.

User certification

Revoked Access Report

Lists access marked as revoked.

User certification

Abstained Access Report

Lists certification items that the certifier declined to complete because the certifier is not responsible for verifying the user's assigned roles and entitlements.

User certification

Certified Conditionally Access Report

Lists access that the certifier approved temporarily, even though the access may not be appropriate or justified in the long term. Reviewers are required to enter an end date, which is included in this report. However, the access is not revoked and notices are not sent out about expired end dates.

User certification

Complete Certification Task Report

Presents user-certification data based on certification tasks. This is a subset of the Complete Certification Report.

Role certification

Complete Certification Report

Presents comprehensive data of a role certification.

Role certification

Certified Access Report

Lists entitlements marked as certified.

Role certification

Revoked Access Report

Lists entitlements as revoked.

Role certification

Abstained Access Report

Lists certification items that the certifier declined to complete because the certifier is not responsible for verifying the role's assigned memberships.

Role certification

Certified Conditionally Access Report

Lists access that the certifier approved temporarily, even though the access may not be appropriate or justified in the long term. Reviewers are required to enter an end date, which is included in this report. However, the access is not revoked and notices are not sent out about expired end dates.

Role certification

Complete Certification Task Report

Presents role-certification data based on certification tasks. This is a subset of the Complete Certification Report.

Application instance certification

Complete Certification Report

Presents comprehensive data of an application instance certification.

Application instance certification

Certified Access Report

Lists entitlements marked as certified.

Application instance certification

Revoked Access Report

Lists entitlements marked as revoked.

Application instance certification

Abstained Access Report

Lists certification items that the certifier declined to complete because the certifier is not responsible for verifying the application instances's assigned users and accounts.

Application instance certification

Certified Conditionally Access Report

Lists access that the certifier approved temporarily, even though the access may not be appropriate or justified in the long term. Reviewers are required to enter an end date, which is included in this report. However, the access is not revoked and notices are not sent out about expired end dates.

Application instance certification

Complete Certification Task Report

Presents certification data for application instances based on certification tasks. This is a subset of the Complete Certification Report.

Entitlement certification

Complete Certification Report

Presents comprehensive data of an entitlement certification.

Entitlement certification

Certified Access Report

Lists access marked as certified.

Entitlement certification

Revoked Access Report

Lists access marked as revoked.

Entitlement certification

Abstained Access Report

Lists certification items that the certifier declined to complete because the certifier is not responsible for verifying the entitlement's assigned accounts and attributes.

Entitlement certification

Certified Conditionally Access Report

Lists access that the certifier approved temporarily, even though the access may not be appropriate or justified in the long term. Reviewers are required to enter an end date, which is included in this report. However, the access is not revoked and notices are not sent out about expired end dates.

Entitlement certification

Complete Certification Task Report

Presents entitlement-certification data based on certification tasks. This is a subset of the Complete Certification Report.

23.3.8 Identity Audit Reports

An IDA Policy Violation report can be generated for a Policy, Scan Stop Date, Manager, Remediator or selected users.

IDA Policy Violation Reports are available for download from Reports link in the Compliance tab of Oracle Identity Self Service.

The following types of reports are available:

  • Closed Policy Violation Report: Contains all the policy violations that are in Closed state.

  • Remediation Completed Policy Violation Report: Contains all the policy violations that are in Remediation Completed state.

  • Expired Policy Violation Report: Contains all the policy violations that are in Expired state.

  • Remediation In Progress Policy Violation Report: Contains all the policy violations that are in Remediation In Progress state.

  • Remediation Under Review Policy Violation Report: Contains all the policy violations that are in Remediation Under Review state.

  • Open Policy Violation Report: Contains all the policy violations that are in Open state.

  • Preview Policy Violation Report: Contains all the policy violations that are in Preview state.

  • Assigned Policy Violation Report: Contains all the policy violations that are in Assigned state.

23.3.9 Exception Reports

The exception reports are Fine Grained Entitlement Exceptions By Resource, Orphaned Account Summary Report, and Rogue Accounts By Resource.

This section describes about the exception reports in the following topics:

23.3.9.1 About Exception Reports

In Oracle Identity Manager, exception refers to the difference between accounts that a user is entitled to and the accounts that are actually assigned to a user. The user is assigned these accounts as a result of access policies, provisioning of resources, approval requests, and reconciliation events. Any difference of these accounts assigned to a user in the target system and the ones assigned to the user in Oracle Identity Manager comprises an exception. Exception reports are enabled by default.

Oracle Identity Manager provides the following exception reports:

  • Rogue Accounts By Resource

    This report returns a list of all the rogue accounts existing in a resource. The following exceptions are reported:

    • Account exists in the target system, but has been deprovisioned for the corresponding user in Oracle Identity Manager

    • Account exists and is active in the target system, but account does not exist in Oracle Identity Manager (user exists)

    • Account exists and is active in the target system, but user does not exist in Oracle Identity Manager

    • Account exists and is active in the target system, but Oracle Identity Manager user has been disabled

    • Account exists and is active in the system target, but Oracle Identity Manager user has been deleted

  • Orphaned Account Summary Report: An account that exists in the target system, but the corresponding user to whom the account is provisioned has been deleted in Oracle Identity Manager. For the given input resource, it lists the rogue accounts that exist in the target system, but the corresponding users to whom the accounts are provisioned has never existed in Oracle Identity Manager.

  • Fine Grained Entitlement Exceptions By Resource

    This report returns a list of all the accounts in a resource for which the process form data being reconciled is different from the expected values. It means that this report returns any account existing in the target system that is also provisioned to the corresponding user in Oracle Identity Manager, but for which the process data does not match.

    Note:

    • After completion of initial target reconciliation, all account-related activities performed directly on a target resource are tracked as exception activity. Account-related activities include account creation, account modification, and entitlement assignment/revocation. The exception reports should be used only if the organization policies enforce that all account-related activities in target resources would always be initiated in Oracle Identity Manager. In addition, remember that exception detection and recording are an extension of account data reconciliation and, therefore, may result in a drop in performance during reconciliation.

    • All the exception reports depend on reconciliation data. Therefore, these reports will not display any data if the corresponding reconciliation events are archived.

23.3.9.2 Fine Grained Entitlement Exceptions By Resource

This report enables administrators, signing officers, internal and external auditors to analyze discrepancies in various process forms and related child tables of various resources and mitigate material weaknesses in the resources through remediation activities.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Employee Type

Type of the employee such as fulltime, part time

Organization Name

Name of the organization

Role Name

Name of the role

Fields

The following table lists the fields of the report:

Report Field Description

Resource Name

Name of the resource

User ID

ID of the user

First Name

First name of the user

Last Name

Last name of the use

Organization Name

Name of the organization

Employee Status

Status of the user

Employee Type

Type of the user

Reviewer First Name

First name of the reviewer

Reviewer Last Name

Last name of the reviewer

Unique ID Attribute

Unique ID attribute in account profile

Unique ID Value in Account Profile

Unique ID value in account profile

Columns

The following table lists the columns of the report:

Report Column Description

Form Name

Name of the form

Form Type

Type of the form

Form Field Name

Field name of the form

Expected Form Field Value

Old value of the field

Actual Form Field Value

New value of the field

Note:

Before running this report, you must populate data for account audit and reconciliation exceptions.

To populate the data for account audit and reconciliation exceptions:

  1. Provision an user to any target.

  2. Modify any of the user's attribute in the target and reconcile the user.

  3. Find data in UPA_UD_FORMFIELDS and UPA_UD_FORMS tables.

  4. Go to Oracle Identity Manger server and run RefreshMaterializedViewScheduler Task.

  5. Log in to BIP and view the report.

23.3.9.3 Orphaned Account Summary Report

It lists the rogue accounts for the input resource for which a user existed in the target system, but the associated user to whom the account is provisioned never existed in Oracle Identity Manager.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

Reconciliation Date Range From

Start date of reconciliation

Reconciliation Date Range To

End date of reconciliation

Fields

N/A

Columns

The following table lists the columns of the report:

Report Column Description

Resource

Name of the resource

Account Information

Information of the orphaned account

Account Detail

Details of the account associated with this orphaned account

Reconciliation Date

Date of reconciliation

23.3.9.4 Rogue Accounts By Resource

This report includes all rogue accounts for the input resource. This enables administrators, signing officers, internal and external auditors to identify material weaknesses in the resources and plan their mitigation through remediation activities.

Input Parameters

The following table lists the input parameters for the report.

Report Parameter Description

Resource Name

Name of the resource

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization Name

Organization of the user

User Status

Status of the user

User Type

Type of the user

Exception Type

Type of exception

Fields

The following table lists the fields of the report:

Report Field Description

Resource Type

Type of resource

Columns

The following table lists the columns of the report:

Report Column Description

Exception Type

Type of exception

First Name

First name of the user

Last Name

Last name of the user

User ID

ID of the user

Organization

Organization of the user

User Status

Status of the user

User Type

Type of the user

Account Details

Details of the rogue account

Reviewer First Name

First name of the reviewer

Reviewer Last Name

Last name of the reviewer

Reviewer User ID

User ID of the reviewer

23.4 Required Scheduled Tasks for BI Publisher Reports

The RefreshMaterializedView, IssueAuditTask, Entitlement List, Entitlement Assignment, and Entitlement Updates scheduled tasks are required for BI Publisher reports.

Table 23-2 lists the scheduled tasks required for Oracle Identity Manager BI Publisher reports:

Table 23-2 Scheduled Tasks for BI Publisher Reports

Report Name Scheduled Task Name Description

Fine Grained Entitlement Exceptions By Resource

RefreshMaterializedView

To refresh the Materialized View used in this report with the latest data

User Profile History

IssueAuditTask

To populate the audit tables with the latest data

User Unlocked

IssueAuditTask

To populate the audit tables with the latest data

User Membership History

IssueAuditTask

To populate the audit tables with the latest data

Role Membership History

IssueAuditTask

To populate the audit tables with the latest data

Resource Access List History

IssueAuditTask

To populate the audit tables with the latest data

User Resource Access History

IssueAuditTask

To populate the audit tables with the latest data

Resource Activity Summary

IssueAuditTask

To populate the audit tables with the latest data

Password Reset Summary

IssueAuditTask

To populate the audit tables with the latest data

Entitlement Reports

Entitlement List

To populate the Entitlement List table with the marked entitlements

Entitlement Reports

Entitlement Assignment

To populate the Entitlement Assignment tables with the assigned entitlements

Entitlement Reports

Entitlement Updates

To populate the latest data into the Entitlement Assignment tables, if any entitlement has assigned to any user periodically or later

23.5 Best Practices for Running Oracle Identity Governance Reports

Some of the best practices to be followed for BI Publisher reports include not running the reports with null value in date range parameters and running the reports with the set of values as input parameters to provide the selectivity.

As a best practice, you must consider the following points before running Oracle Identity Manager BI publisher reports:

  • Do not run Oracle Identity Manager reports with null value in date range parameters. You must run Oracle Identity Manager reports always with date range values in data range parameters, otherwise report will not display anything.

  • Invoke the reports with the set of values as input parameters to provide the selectivity, thus improving the performance.

  • By default, the System Administrator user of Oracle Identity Manager has all the permissions to login to BI Publisher and access all the Oracle Identity Manager Reports.