Role Management Reports

Role analytics are an important part of overall role life-cycle management. They give role managers the ability to be proactive in monitoring and improving the role model within your organization. Role modeling is an iterative and constant process. As your business needs change, security features improve, and new applications and users are added to your enterprise, your role model will have to change to accommodate them. Use role analytics to keep up with those changing needs and adjust your model as needed.

Identity Roles Report

This report shows all of the roles connected to a set of identities. It indicates whether each role was assigned to or detected on the identity, and it shows the last time that role was certified for the identity. Note that detected roles which were certified as a part of assigned roles (i.e. they were required/permitted by assigned roles that were certified) will not have a certification date shown next to them, but detected roles that are not granted by assigned roles and are therefore certified independently will show a certification date.

The detailed results of this report can be exported to a CSV or PDF file.

The Identity Roles Report consists of the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Identity Attributes

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Note

Use the Shift and Ctrl keys to select multiple items from lists.

Option Description
First Name Input the first name of the identity you wish the report to include. For example, if you input "John" in the field, the report includes information on identities whose first name is John.
Last Name Input the last name of the identity you wish the report to include. For example, if you input "Smith" in the field, the report includes information on identities whose last name is Smith.
Display Name Input the display name of the identity you wish the report to include. For example, if you input "John_Smith" in the field, the report includes information on identities whose display name is John_Smith.
Email Input the email address of the identity you wish the report to include. For example, if you input "John@email.com" in the field, the report includes information on identities whose email address is John@email.com.
Manager The manager list to include in this report. Only users who report to the selected managers are included in the report.

Click the arrow to the right of the suggestion field to display a list of all managers, or enter a few letters in the field to display a list of managers that start with that letter string.
Inactive Choose how the report handles inactive users. Select No selection to include both inactive and active users, True to include only inactive users, or False to not include inactive users.

Identity Extended Attributes

You can use the identity extended attributes that have been defined for your installation as criteria for this report. Because these are custom-defined attributes, the specific criteria options you have here will be specific to your own installation of IdentityIQ. Any identity extended attributes defined as searchable or as multi-valued are included as possible filters for the report.

Additional Identity Properties

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Note

Use the Shift and Ctrl keys to select multiple items from lists.

Option Description
Applications Select the applications to include in the report. If no applications are specified, all applications are included.

Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.
Capabilities Select the capabilities to include in the report.
Roles The roles to include in the report.

Click the arrow to the right of the field and select a role to create the inclusion list for this report.
Groups The groups or populations to include in the report.

Click the arrow to the right of the field and select a group to create the inclusion list for this report.
Last Refresh Date Select a date range to filter users based on when the user was last refreshed.
Last Login Date Select a date range to filter users based on when the user last logged in.

Role Archive Report

This report shows a detailed view of each role defined in the system (subject to filter criteria). Each page lists a single role and shows details such as its owner, activity monitoring status, activation status, type, inheritance, and, as applicable to the role type, its permitted/required roles and detection profiles, among others.

This report is an archive-type report. Archive reports include end-of-period and task information that is formatted for easy dissemination of key audit information. Due to the large amount of data that is generated, the best option is to export the report results to a PDF file.

The Role Archive Report consists of the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Role Report Options

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Option Description
Applications Select the applications to include in the report. If no applications are specified, all applications are included.

Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.

Only roles associated with the selected applications are included in this report.
Type Select types of roles to include in the report.
Owners The list of role owners to include in this report. If no role owners are specified, the roles for all owners are included.

Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners that start with that letter string.
Status Include only active roles or only inactive roles in the report.

Role Change History Report

This report shows a summary of the roles which have been altered during the specified time period, the date of the alteration, and the name of the change approver. This report is based on the existence of role archives, so it can only be run for installations that have enabled role archiving (set the doArchive variable to True in the selected role management workflow). The person whose name is associated with the creation of the RoleArchive object is listed as the approver on the report; this may be the person who made the change or may be a separate approver, depending on the approval mode configured in the system.

The detailed results of this report can be exported to a CSV or PDF file.

The Role Change History Report consists of the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Role Properties

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Option Description
Change Start and End Date(s) Filter request based on request date:
Start Date - all changes made on or after the selected date.
End Date - all changes made on or before the selected date.
Role Status Include only active roles or only inactive roles in the report.
Type Select types of roles to include in the report.
Applications Select the applications to include in the report. If no applications are specified, all applications are included.

Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.

Only roles associated with the selected applications are included in this report.
Owners The list of role owners to include in this report. If no role owners are specified, the roles for all owners are included.

Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners that start with that letter string.

Role Details Report

The Role Details Report includes information on the role name, owner name, role type, and associated applications configured in IdentityIQ, for each role that matches the specified criteria.

The detailed results of this report can be exported to a CSV or PDF file.

The Role Details Report consists of the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Report Criteria

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Option Description
Role Status Include only active roles or only inactive roles in the report.
Applications Select the applications to include in the report. If no applications are specified, all applications are included.

Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.

Only roles associated with the selected applications are included in this report.
Owners The list of role owners to include in this report. If no role owners are specified, the roles for all owners are included.

Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners that start with that letter string.
Role Type Select types of roles to include in the report.
Show Applications for Indirect Roles If your role model uses indirect roles (for example, if you map business roles to IT roles), use this option to include application information for indirect roles.

Note that selecting this option may impact report performance. You can also use the Roles by Application Report to report on indirect roles, with more streamlined performance.
Show Inherited Applications If a role (whether direct or indirect) inherits any entitlements, select this option to display the names of the applications for the inherited entitlements.

Note that selecting this option may impact report performance. You can also use the Roles by Application Report to report on inherited entitlements, with more streamlined performance.

Role Members Report

This report shows the names of all identities who are associated with each role that meets the specified report filters. Identities are considered "members" of a role if the role is in either their assigned or detected role set.

The detailed results of this report can be exported to a CSV or PDF file.

The Role Members Report consists of these sections:

All reports use a set of standard properties for basic information, such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Role Members Options

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Option Description
Role Status Include only active roles or only inactive roles in the report.
Applications Select the applications to include in the report. If no applications are specified, all applications are included. Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.
Role Owners To filter roles by role owner, choose the owner(s) here. If no role owners are specified, the roles for all owners are included. Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners that start with that letter string.
Type To filter roles by type, select types here. If no types are selected, all types of roles are included.
Empty Roles Filter for role membership: select All Roles, Only Empty Roles (to include only roles with no members) or Only Populated Roles (to include only roles with members assigned).
Role Name Choose roles to include in the report, by name. Click the arrow to display a list of all roles, or enter a few letters in the field to display a list of roles that start with that letter string. Leave this field blank to include all roles.
For the next four fields, the values you can choose are determined by the application(s) you have selected.

If no application is selected, the dropdown will show all valid options for all applications in the system.

If the application(s) you have selected do not have any valid options for the field, the dropdown is replaced by a text box. You can type in any values and click the plus icon to add them as criteria, but any invalid options entered in this way are "sanitized" when the report is run, and will not produce results or appear in the report's list of parameters.
Entitlement Attribute Filter for roles that include the selected entitlement attribute(s).
Entitlement Value Filter for roles that include the selected entitlement value(s).
Permission Target Filter for roles that include the selected permission target(s).
Permission Right Filter for roles that include the selected permission right(s).
Profile Relationship to Role Filter roles by the role's profile relationship (direct or indirect). A profile is a set of entitlements on a specific application. Options are:
  • Any direct or indirect relationships
  • Any direct relationships
  • Any indirect relationships
This filter is typically used in conjunction with an application, and the entitlement or permission filters. For example, to filter for a role that provides direct access to the PayrollControls permission target on the Oasis_DB application, you would select the Oasis_DB application, select PayrollControls in the Permission Target field, and choose Any direct relationships here.

Note that some roles can grant both direct and indirect access to entitlements and permissions, so a role can potentially be returned by both the direct relationship and indirect relationship options.

Role Profiles Composition Report

This report shows the profiles used for role detection. If a description was provided for the profile, it is included in the report along with the filter used for role detection and the application against which the filter is applied. If a role includes more than one profile filter (for example, to specify criteria on multiple applications), each one is included as a separate line item on the report. Roles without profiles are noted with "Contains No Profiles" in the description column; under the default IdentityIQ role configuration, any non-IT role will be marked as containing no profiles since profiles are specific to IT roles only.

This report returns information in the detailed results format, which can be exported to a CSV file and used as a spreadsheet.

The Role Profiles Composition Report consists of the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Role Properties

The following criteria determine what information is included in this report. You can use any combination of options to build a report.

Note

Selecting NO options from a list indicates that ALL options in the list are included in the report.

Option Description
Role Status Include only active roles or only inactive roles in the report.
Roles Without Profiles Include only roles that contain no profiles or only roles that contain at least one profile.
Applications Select the applications to include in the report. If no applications are specified, all applications are included.

Click the arrow to the right of the suggestion field to display a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.

Only roles associated with the selected applications are included in this report.
Owners The list of role owners to include in this report. If no role owners are specified, the roles for all owners are included.

Click the arrow to the right of the suggestion field to display a list of all role owners, or enter a few letters in the field to display a list of role owners that start with that letter string.
Type Select types of roles to include in the report.

Roles by Application Report

The Roles by Application Report shows role relationships for all applications. You can run this report on all applications, or on selected applications.

The Roles by Application Report includes the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

For step by step instructions on creating or editing a report, see Working With Reports.

Role Properties

The following criteria determine what information is included in this report.

Option Description
Applications Select the application(s) to include in the report. If no applications are selected, all applications are included.

To select the applications to include, click the arrow in the suggestion field to see a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.

Only roles associated with the selected applications are included in this report.
Show role relations for all applications This option is available only if you have not selected specific applications to report on, in the Applications field. Use this option to list all direct, required, and permitted applications for all roles.
Include roles with inherited entitlements Use this option to include roles that inherit application entitlements.

Roles by Entitlement Report

The Roles by Entitlement Report shows how particular entitlements and permissions fit into your organization's role model. This report lets you enter specific entitlements or permissions for selected application(s) and see which roles provide direct or indirect access to them. You must select at least one application as part of your reporting criteria – in other words, you cannot leave the Application field blank to report on all applications at once.

The Roles by Entitlement Report includes the following sections:

All reports use a set of standard properties for basic information such as naming and descriptions, and for setting controls, such as scoping and requiring sign-off.

You must enter the following before running this report:

  • Name

  • Application

  • Filter Type

For step by step instructions on creating or editing a report, see Working With Reports.

Role Properties

The following criteria determine what information is included in this report.

Option Description
Applications Select the application(s) to include in the report. You must select at least one application.

Click the arrow in the suggestion field to see a list of all applications, or enter a few letters in the field to display a list of applications that start with that letter string.

Only roles associated with the selected applications are included in this report.
Filter Type Choose whether to report on role relationships based on entitlements or permissions. A selection in this field is required.

The selection determines which of the following fields appear: Entitlement fields or Permission fields.
Entitlement Attribute Filter for roles that include the selected entitlement attribute(s).
Entitlement Value Filter for roles that include the selected entitlement value(s).
Permission Target Filter for roles that include the selected permission target(s).
Permission Right Filter for roles that include the selected permission right(s).
Profile Relationship to Role Filter roles by the role's profile relationship (direct or indirect). A profile is a set of entitlements on a specific application. Options are:
  • Any direct or indirect relationships
  • Any direct relationships
  • Any indirect relationships
For example, to filter for a role that provides direct access to both the AcctsPayable and AcctsReceivable groups in the Accounting application, you would select the Accounting application, choose Entitlements as the Filter Type, and enter AcctsPayable and AcctsReceivable in the Entitlement Value field. Then choose Any direct relationships here.

Note that some roles can grant both direct and indirect access to entitlements and permissions, so a role can potentially be returned by both the direct relationship and indirect relationship options.
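
The direct and indirect relationship options described above, modeled as an added example (this is not IdentityIQ code and does not use its API). The Role class, the role names, and the rule that a role must provide every listed value are assumptions; only the Accounting application and its AcctsPayable and AcctsReceivable groups come from the example in the text.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    # application name -> entitlement values granted by the role's own profiles
    profiles: dict = field(default_factory=dict)
    # names of roles reached through required, permitted or inherited links
    related: list = field(default_factory=list)


def direct_values(role, app):
    """Entitlement values the role's own profiles grant on `app`."""
    return set(role.profiles.get(app, ()))


def indirect_values(role, roles, app, seen=None):
    """Values reached through related roles; `seen` guards against cycles."""
    seen = {role.name} if seen is None else seen
    found = set()
    for name in role.related:
        if name in seen or name not in roles:
            continue
        seen.add(name)
        found |= direct_values(roles[name], app)
        found |= indirect_values(roles[name], roles, app, seen)
    return found


def roles_by_entitlement(roles, app, values, relationship="any"):
    """Names of roles that provide every value in `values` on `app`."""
    wanted = set(values)
    hits = []
    for role in roles.values():
        pools = {
            "direct": direct_values(role, app),
            "indirect": indirect_values(role, roles, app),
        }
        pools["any"] = pools["direct"] | pools["indirect"]
        if wanted <= pools[relationship]:
            hits.append(role.name)
    return sorted(hits)


# Constructed role model (hypothetical role names).
ROLES = {r.name: r for r in [
    Role("Accounting IT", {"Accounting": {"AcctsPayable", "AcctsReceivable"}}),
    Role("Accounts Clerk", related=["Accounting IT"]),
    Role("Finance Lead", {"Accounting": {"AcctsPayable", "AcctsReceivable"}},
         related=["Accounting IT"]),
    Role("Payables Only", {"Accounting": {"AcctsPayable"}}),
]}
WANTED = ["AcctsPayable", "AcctsReceivable"]

if __name__ == "__main__":
    for option in ("direct", "indirect", "any"):
        print(option, roles_by_entitlement(ROLES, "Accounting", WANTED, option))
```

In this model "Finance Lead" is returned by both the direct and the indirect option, while "Accounts Clerk" appears only under indirect, so a review limited to each role's own profile would not show its access.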