Identity Governance 3.7 Reporting Guide

This guide describes Identity Reporting for Identity Governance and how you can use the features it offers.

Identity Reporting provides a set of predefined report definitions you can use to generate reports. In addition, it gives you the option to import custom reports. The user interface for Identity Reporting makes it easy to schedule reports to run at off-peak times to optimize performance.

1.0 Accessing Identity Reporting

You can launch Identity Reporting from the Identity Governance application or access it directly from a browser.

By default, Identity Governance uses One SSO Provider (OSP) for single sign-on. When you install Identity Reporting, you specify the basic settings for user authentication. However, you can also configure the OSP authentication server to accept authentication from the Kerberos ticket server or SAML IDP. For example, you can use SAML to support authentication from NetIQ Access Manager.

NOTE: To access Identity Reporting, you must be a Global Administrator or Report Administrator within Identity Governance.

1.1 Launching Identity Reporting from Identity Governance

If your administrator has enabled Identity Reporting, you can click the icon in the upper right-hand corner of the Identity Governance page.

1.2 Starting Identity Reporting Directly with a URL

To access Identity Reporting directly, open a web browser and go to the address (URL) for the module (as supplied by your system administrator). The URL will follow this pattern: http://server:8080/IDMRPT/

2.0 Using the Overview Page

The Overview page is the first page you see when you log in to Identity Reporting. At the top of the page there is a dismissible message (located under the page title) directing users to the NetIQ Identity Reporting Quick Start Guide.

The top of the page includes summary information, such as the number of report definitions and the number of started, failed, and completed reports.

Below the report summary area there is a section that lists the most recently completed reports. To view the report, click the report name.

The Scheduled Reports section lists the next five reports that are scheduled to run. To view a particular scheduled report on the Calendar page, click the date the report is scheduled to run.

The Overview page also includes a search field that provides a quick way to find report definitions by name.

The search facility allows you to pass in search strings for any of the items in the following table.

Table 1

| Filter Value | Description |
|---|---|
| Name | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
| Description | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
| Tags | Performs an exact string search. The search is case-insensitive. Pass in only a single tag. |

You can enter one or more words in the Search field, with or without quotes:

  • If you enter multiple words without quotes, the search results include reports that contain all of the words anywhere in the Name or Description, or that have all of the words as tags (that match exactly).

    For example, suppose you enter the following:

    catalog users

    In this case, the following report definitions are in the results:

    • Reports with a Name containing the words catalog and users anywhere in the string

    • Reports with a Description containing the words catalog and users anywhere in the string

    • Reports with Tags having both catalog and users as exact tags

  • If you enter multiple words surrounded by double quotes, the search results include reports that include the entire phrase anywhere in the Name or Description, or that have a tag that matches the entire phrase.

    For example, suppose you enter the following:

    "catalog users"

    In this case, the following report definitions are in the results:

    • Reports with Name containing the phrase catalog users

    • Reports with Description containing the phrase catalog users

    • Reports with a Tag that exactly matches catalog users

3.0 Using the Repository Page

When you click Repository in the top navigation menu, the Repository shows the list of reports that have been imported into Identity Reporting.

For each report definition, the list shows the report name and description, as well as any tags that have been specified for the report.

Identity Reporting does not install with a set of predefined reports. For information on how to install reports, see Using the Import Page and Using the Download Page.

You can define a new report by editing one of the predefined report definitions and saving it with a new name using the Save As command.

You cannot create a new report from scratch on the Repository page. To create a new report definition from scratch, you must design it outside of Identity Reporting and then import it.

For more information about using the features on the Repository page, see the following topics:

3.1 Modifying a Report Definition

To modify a report definition:

  1. Select the name of the report definition in the list on the Repository page.

    Mouse over the report definition name and click Edit. When you edit a report definition, a page opens to allow you to make changes to the definition.

    The fields at the top of the page allow you to modify the name, description, tags, comments, and output format (PDF, Complex CSV, or CSV Data Table) for the report. Use tags to organize reports according to common words or phrases that suggest how the reports are related. Tag names share a common namespace for all users, so specify tag names that make sense for all users. Tag names cannot be localized.

    You can specify one or more tags for a report definition. If you specify multiple tags, separate them with commas. Defined tags are shown in the list displayed on the Repository page, and in the Detail dialog box for a report listed on the Completed and Running Reports page. In the list displayed on the Repository page, the tags are alphabetized to allow for sorting.

    NOTE: The next time you edit the report definition, the tags appear in alphabetical order, regardless of how they were originally entered. The tags are also alphabetized in the Repository list, even if you did not alphabetize them when you first entered them.

    The other fields on the page are organized into the following sections:

    • Criteria

    • Default Notifications

    • Schedule

  2. To edit the criteria for the report, open the Criteria section and make changes as necessary. The Criteria section does not appear unless the imported definition included one or more report parameters.

    The number of fields displayed in the Criteria section and the way these fields behave depend on how they were specified in the original report definition object imported into Identity Reporting.

    Identity Reporting supports the following data types for criteria fields:

    • String

    • String with Options

    • Date

    • Integer

    • Boolean

    • Lookup

    The control displayed for each data type varies depending on how the parameter is defined in the report definition. For multivalued options, a multiselect control is displayed, but a single value control is displayed for a parameter that accepts only a single value.

    Some criteria fields are required by the report definition, but others are optional. If you do not provide a value for a required field, the user interface displays an error message.

    The criteria parameters in the following table are available with most of the reports installed with Identity Reporting.

    Table 2

    | Parameter | Description |
    |---|---|
    | Data Source | Defines the data source on which you want to report. This parameter is required for all reports. To run a report on multiple data sources, edit the report, select the desired data source when you define the report criteria, and then save as a new report. For a data source to be available for reports, you must first add it on the Data Sources page. For more information, see Using the Data Sources Page. |
    | Language | Defines the target language for the report. |
    | Date Range | Allows you to define a range of dates for the data included in the report. The following choices are available: Current Day, Previous Day, Week to Date, Previous Week, Month to Date, Previous Month, Custom Date Range. |
    | From Date | Allows you to specify a fixed start date for the report data. This parameter is enabled only if you selected Custom Date Range for the Date Range parameter. |
    | To Date | Allows you to specify a fixed end date for the report data. This parameter is enabled only if you selected Custom Date Range for the Date Range parameter. |
    | Limit Results To | Limits the record types relevant to the report or sections within the report. |
    | Time Zone | Allows you to specify the time zone to which date/time information returned in the report will be oriented. |

    If a report definition includes one or more fields for defining dates, such as Date Range, From Date, and To Date, be aware that the date range you specify affects the data returned with the report, not the dates on which the report is run. Therefore, if a report is run monthly, do not define a custom date range that fixes the dates in the From Date and To Date fields. It does not make sense for a monthly scheduled report to report on a fixed date range (such as 3/10/2010 - 3/17/2010). To report on a fixed date range, schedule the report to run only once. For a monthly report, use one of the relative date range settings included in the Date Range field, such as Month to Date. This ensures that the data in the report is updated each month.

    Some criteria fields support automatic completion, which allows you to type several characters and then select an item from a list of possible choices. For example, the user(s) field might allow you to type the first few characters of a user’s name and then select the user from a list of users whose names contain the characters you have typed.

  3. To edit the email settings associated with the report definition, open the Default Notifications section and make changes as necessary.

  4. To add a new schedule for the report definition, click the + button on the left side of the Schedule section.

    1. Provide a name for the schedule in the Schedule Name field. The name for a schedule must be unique within the report definition, but does not need to be unique within Identity Reporting as a whole.

    2. (Conditional) If you want the name of the report definition to be added to the beginning of the schedule name, click Prepend Report Definition Name. This option allows you to see which report has been scheduled with each schedule instance in the Calendar page. This option is enabled by default.

    3. Click in the Date range field or select the calendar control to display the calendar for selecting dates.

    4. Select the date in the left calendar on which you want to initiate the first run of the report.

    5. Select the approximate start time of day for each run. The time of day is based on the clock on the server where the report is executed. The actual execution time depends on server activity.

    6. Select the date in the right calendar after which no more runs should occur. Note that the last report run may not actually occur on this date. For example, if you select October 15 as the start date, and specify a repeat interval of two weeks and an end date of November 1, the report will be run on October 15 and October 29. In this case, October 29 is the last run. The report runs at its scheduled time, regardless of whether the data collection completed successfully.

    7. Select the approximate end time of day for each run.

    8. Select Apply.

    9. In the Frequency field, type the repeat interval (a number that specifies how often the report will run) and select the time period for report runs, such as Month(s), Week(s), or Day(s).

    10. Use the default notifications or deselect Use default notifications and enter emails, subject, and a custom message.

  5. (Conditional) To save the report definition and schedule, click Save or click Save As to distinguish it from the default report.

  6. (Conditional) To queue a report to run immediately, click Run Now.

  7. (Optional) To edit an existing schedule, see Editing a Schedule Instance.
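The scheduling step and the date-range guidance above can be checked with a small model. This is an added example, not code from Identity Reporting: it computes the run dates for a schedule and the data window each run would cover. The function names, the year 2010 on the October dates, weeks starting on Monday, and the day-of-month clamping for monthly runs are assumptions made for the illustration.

```python
import calendar
from datetime import date, timedelta


def _add_months(d, months):
    # Assumption: a monthly run keeps the day of month, clamped to the month length.
    index = d.year * 12 + (d.month - 1) + months
    year, month = divmod(index, 12)
    month += 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def run_dates(from_date, to_date, interval, unit):
    """Runs start on from_date and repeat every `interval` units; none occur after to_date."""
    if interval < 1:
        raise ValueError("repeat interval must be at least 1")
    runs, n = [], 0
    while True:
        if unit == "Day(s)":
            run = from_date + timedelta(days=n * interval)
        elif unit == "Week(s)":
            run = from_date + timedelta(weeks=n * interval)
        elif unit == "Month(s)":
            run = _add_months(from_date, n * interval)
        else:
            raise ValueError("unknown time period: " + unit)
        if run > to_date:
            return runs
        runs.append(run)
        n += 1


def resolve_range(choice, run_day, custom=None):
    """Return the (start, end) dates of the data a run on run_day reports on."""
    week_start = run_day - timedelta(days=run_day.weekday())  # assumption: Monday start
    month_start = run_day.replace(day=1)
    if choice == "Current Day":
        return run_day, run_day
    if choice == "Previous Day":
        previous = run_day - timedelta(days=1)
        return previous, previous
    if choice == "Week to Date":
        return week_start, run_day
    if choice == "Previous Week":
        return week_start - timedelta(days=7), week_start - timedelta(days=1)
    if choice == "Month to Date":
        return month_start, run_day
    if choice == "Previous Month":
        previous_end = month_start - timedelta(days=1)
        return previous_end.replace(day=1), previous_end
    if choice == "Custom Date Range":
        if custom is None:
            raise ValueError("Custom Date Range needs From Date and To Date")
        return custom  # fixed: identical for every run of the schedule
    raise ValueError("unknown date range: " + choice)


def data_windows(runs, choice, custom=None):
    return [(run, *resolve_range(choice, run, custom)) for run in runs]


if __name__ == "__main__":
    # The guide's example: start October 15, every two weeks, end November 1.
    print(run_dates(date(2010, 10, 15), date(2010, 11, 1), 2, "Week(s)"))
    monthly = run_dates(date(2010, 3, 31), date(2010, 6, 30), 1, "Month(s)")
    fixed = (date(2010, 3, 10), date(2010, 3, 17))
    for row in data_windows(monthly, "Month to Date"):
        print("relative:", row)
    for row in data_windows(monthly, "Custom Date Range", fixed):
        print("fixed:   ", row)
```

With the relative setting each monthly run reports on its own month, while the fixed range returns the same March window on every run.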

3.2 Exporting a Report Definition

To export a report definition, mouse over the report definition and click Edit. In the top right corner of the edit page, click Export report definition.

3.3 Running a Report on Demand

To queue a report to run immediately from the Repository list view, mouse over the report definition and click Run Now.

3.4 Deleting a Report Definition

To delete a report definition, mouse over the report definition and click Delete.

3.5 Performing Bulk Actions

To run or delete several reports at once:

  1. Click the check box to the left of each report definition you want to run or delete.

  2. In the Bulk Actions drop-down list, click Run Now or Delete.

  3. Click Apply.

Bulk actions apply only to the current page. If you select several items on one page, then navigate to the next page to select some additional items, a subsequent attempt to perform a bulk action such as Run Now or Delete applies only to the second set of items you selected. The previous selections are retained and still appear selected if you navigate back to the first page. However, the bulk action is not performed on these items.

3.6 Searching for a Report Definition

The search facility allows you to use any of the items in the following table to search for a report definition in the Repository.

Table 3

| Filter Value | Description |
|---|---|
| Name | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
| Description | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
| Tags | Performs an exact string search. The search is case-insensitive. Pass in only a single tag. |

You can enter one or more words in the Search field, with or without quotes:

  • If you enter multiple words without quotes, the search results include reports that contain all of the words anywhere in the Name or Description, or that have all of the words as tags (that match exactly).

    For example, suppose you enter the following:

    catalog users

    In this case, the following report definitions are in the results:

    • Reports with a Name containing the words catalog and users anywhere in the string

    • Reports with a Description containing the words catalog and users anywhere in the string

    • Reports with Tags having both catalog and users as exact tags

  • If you enter multiple words surrounded by double quotes, the search results include reports that include the entire phrase anywhere in the Name or Description, or that have a tag that matches the entire phrase.

    For example, suppose you enter the following:

    "catalog users"

    In this case, the following report definitions are in the results:

    • Reports with Name containing the phrase catalog users

    • Reports with Description containing the phrase catalog users

    • Reports with a Tag that exactly matches catalog users
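The search rules described here and on the Overview page can be modelled in a few lines. This is an added example, not Identity Reporting code: the `ReportDefinition` class, the function names, and the sample reports are constructed for the illustration. It assumes each field is tested on its own, as in the example lists above, and uses Unicode case folding in place of the user's locale.

```python
from dataclasses import dataclass, field


@dataclass
class ReportDefinition:
    # Constructed stand-in for a Repository entry; not a product data type.
    name: str
    description: str = ""
    tags: list = field(default_factory=list)


def parse_terms(query):
    """One phrase if the whole query is double-quoted, otherwise one term per word."""
    q = query.strip()
    if len(q) >= 2 and q[0] == '"' and q[-1] == '"':
        terms = [q[1:-1].strip()]
    else:
        terms = q.split()
    return [t.casefold() for t in terms if t]


def matches(report, query):
    terms = parse_terms(query)
    if not terms:
        return False  # assumption: an empty search selects nothing in this model
    name = report.name.casefold()
    description = report.description.casefold()
    tags = {t.strip().casefold() for t in report.tags}
    return (
        all(t in name for t in terms)            # CONTAINS search on Name
        or all(t in description for t in terms)  # CONTAINS search on Description
        or all(t in tags for t in terms)         # exact string search on Tags
    )


def search(reports, query):
    return [r.name for r in reports if matches(r, query)]


# Constructed sample data.
SAMPLE_REPORTS = [
    ReportDefinition("Catalog Users Summary", "Counts by source", ["summary"]),
    ReportDefinition("Users in the Catalog"),
    ReportDefinition("Access Review Status", "Review progress", ["Catalog", "Users"]),
    ReportDefinition("Entitlement Overview", "", ["catalog users"]),
    ReportDefinition("Role Membership", "Lists all users of the catalog by role", ["roles"]),
    ReportDefinition("Orphan Accounts", "Accounts without owners", ["accounts"]),
]

if __name__ == "__main__":
    print(search(SAMPLE_REPORTS, "catalog users"))
    print(search(SAMPLE_REPORTS, '"catalog users"'))
```

Because tags match exactly, a report tagged `catalog users` is found by the quoted phrase but not by the two separate words, and a report tagged `Catalog` and `Users` is found by the separate words but not by the phrase.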

3.7 Sorting the List of Reports

To sort the list of reports, click the header for the column on which you want to sort. The sort indicator shows you which column is the new primary sort column.

3.8 Rows Per Page

You can control how many rows are displayed on the Repository page. Type the number of rows to display in the rows per page field at the bottom of the page and press Enter. The number you enter must be greater than zero. This preference is saved across sessions, and applies to all users. It affects both the Repository and Reports lists.

4.0 Using the Download Page

By default, reports for all supported products (Identity Manager and Identity Governance) appear on the Download Report Definitions page. If present, select the Identity Governance Reports tab to display its reports. Reports are listed in one of three sections on the page:

  • Updated reports, which are newer versions of the reports already installed

  • New reports, which are not currently installed on your server

  • Up to date reports, which are the latest versions of the reports that are already installed on your server

There are potentially three types of download content for each report:

  • Report definition archive (*.rpz) that is a compiled version of the report, ready to be imported and run

  • Report definition source (*_src.zip) that contains all the Jaspersoft source files for the report

  • Additional downloads (*.zip) that contain SQL files for new or updated database schema upon which the new or updated report relies

    The report definition archive and the report definition source download files are always present. New or updated SQL files are present only when they are required. A ReadMe.html file within the additional downloads zip file contains instructions on installing the schema updates.

You can acquire download files one at a time per report or by bulk action.

The server that runs Identity Reporting must have internet access to be able to access and download the most current reports for Identity Governance from the Micro Focus Reporting Content Delivery Network (CDN).

If your Identity Reporting server does not have internet access, you must have a proxy server that can access and download the most current reports for Identity Governance from the Micro Focus Reporting CDN, and is also configured to access and send updated reports to the Identity Reporting server. This configuration allows you to isolate the Identity Reporting server from the internet while ensuring reports are up to date. For more information, see Configuring a Proxy Server for the Identity Reporting Server in the Identity Governance 3.7 Installation and Configuration Guide.

To download report updates:

  1. (Conditional) If you want to download report updates one at a time, click one of the icons under the Download column header.

    Tooltips for each icon identify the type of each download object. Left to right, they are arranged as report definition archive, report definition source, and additional downloads (SQL).

  2. (Conditional) If you want to download report updates in a bulk operation, click the check boxes beside the report names for which you want to download updates. Then select the Bulk Actions operation (at the top of the page on the left) that you want to use.

  3. Click Apply to take the action on the selected reports.

  4. (Conditional) If you opt to save the files to the local file system, you must also go to the Import page and follow the workflow there. For more information, see Using the Import Page.

    On the other hand, there is an install option available in both single and bulk import workflows that will download the report definition archive and import it in a single operation.

For reports that have the third, additional download file available that contains schema updates, the schema updates must be installed in the Identity Governance database for the associated report to work correctly.

5.0 Using the Import Page

The Import page lets you import downloaded report definitions (RPZs) from the local drive into Identity Reporting. After the definition has been imported, it is available for use throughout Identity Reporting.

NOTE: The report packager gives report definition archive files (RPZs) file names in the form REPORT-NAME_VERSION.rpz. The actual report name is stored within a component inside the RPZ, so renaming the RPZ file has no effect on the name of the report when it is imported into Identity Reporting.

To import a report definition:

  1. Click Import in the top navigation menu.

  2. Select the RPZ file to import and click Open.

    The Import page now displays the file to import in the Report Definitions To Import section.

  3. Click Select File again to include additional RPZs to import.

  4. To remove a file from the import procedure, click the delete icon to the left of the file name.

  5. Specify whether you want to overwrite the contents of any existing report definitions with the same names as those being imported by selecting or deselecting the Overwrite existing reports option.

    NOTE: When you select this option, the import operation overwrites the contents of existing report definitions that have the same names as those imported. However, some of the fields associated with an existing report definition are retained:

    • The email addresses to send the report to

    • Comments added to the report definition

    • Default report format (CSV or PDF)

    • Categories defined for the report definition

  6. Click Import to begin the import procedure.

  7. If you want to cancel the import procedure, click Clear All to the right of the progress bar.

    NOTE: After importing one or more report definitions, you can see the reports and make changes to them on the Repository page.

6.0 Using the Calendar Page

The Calendar page displays scheduled reports, as well as reports that have been initiated with the Run Now button. In addition, the page displays finished reports, reports that are still in progress, and reports that failed during execution. Finished reports, reports that are still in progress, and failed reports appear with a gray background, and reports that have not been executed yet appear with a white background. All days that have already passed appear with a gray background.

The Calendar page shows scheduled runs in the user’s time zone, not the server’s time zone. However, scheduled runs are executed according to the server’s time zone, and the time stamp on an executed report reflects the time on the server at the time of the run.

The scroll bar for the browser lets you scroll within the current view, but does not move forward to show additional weeks in the calendar.

When you first display the Calendar page, today’s report runs are displayed. If you scroll away from today’s schedule, you might need to return to it later. If so, click the Today button.

For more information about using the features on the Calendar page, see the following topics:

6.1 Checking the Status of a Schedule Instance

To check the status of a particular schedule instance in the calendar, mouse over the schedule name. If the schedule instance is still running, the Calendar shows In Progress under the schedule name. If the schedule instance has completed processing, the View and Delete links appear under the schedule name. If the schedule instance has not run yet because it is scheduled for some time in the future, the Edit and Delete links appear under the schedule name. If the report failed during execution, only the Delete link appears under the schedule name.

6.2 Editing a Schedule Instance

To edit a schedule instance for a report that has not been run yet:

  1. On the Calendar page, click Edit under the schedule name.

    Identity Reporting displays a page that lets you edit the report definition and schedule. In addition, you can create a new schedule from the editing page.

    The report definition has a one-to-many relationship with schedules. This means that a report definition can have one or more schedules, but a schedule can only be associated with a single report definition.

  2. To edit the settings for the schedule, scroll down to the Schedule section of the page and open the section for the scheduled run you want to edit.

  3. Make changes as necessary to the scheduled run. The following table describes the schedule properties you can change.

    Table 4

    | Schedule Property | Description |
    |---|---|
    | From date | Specifies the date in the calendar on which you want to initiate the first run of the report. This property also determines the date for all subsequent runs. You can change the start date for a schedule after it has been created, even if the calendar already includes one or more scheduled runs. If you change the start date for a schedule, all of the runs for that schedule shift to the new date. |
    | Time of day | Specifies the approximate time of day for each report run. The time of day is based on the clock on the server where the report is executed. The actual execution time depends on server activity. The run time specified for each schedule instance is set to the hour or the half hour - for example, 1:00 AM or 1:30 PM. You can change the time of day for a schedule after it has been created. If you change the time of day, all of the runs for that schedule execute at the new time. |
    | Frequency | Specifies the repeat interval (a number that specifies how often the report will run) and the time period for report runs: Month(s), Week(s), or Day(s). You cannot modify the frequency for a schedule after the schedule has been created. |
    | To date | Specifies the date in the calendar after which no more runs should occur. Note that the last report run may not actually occur on this date. For example, if you choose October 15 as the start date, and specify a repeat interval of two weeks and an end date of November 1, the report will run on October 15 and October 29. In this case, October 29 is the last run. You can change the end date for a schedule after it has been created. |
    | Use default notifications | Specifies the email settings associated with the schedule instance. |

  4. Click Save.

6.3 Deleting a Schedule Instance

To delete a particular scheduled instance, mouse over the scheduled instance and click Delete. If you delete the first run in a schedule, the Start date for the schedule is changed to the next upcoming run date. If you delete the last run, the End date for the schedule is not modified.

6.4 Moving a Single Schedule Instance

The Calendar page allows you to move a single schedule instance by dragging and dropping the item from one date to another within the calendar. However, when you move a single schedule instance, the Calendar page automatically creates a new schedule with a new name and places the moved schedule instance on the new date that you selected as the target for the move operation.

After you have moved a schedule instance, this run is effectively deleted from the original schedule definition, and is now added to the new schedule definition. All of the text-based attributes from the original schedule instance are copied to the new schedule instance.

The name you specify for the new schedule need not be unique across all of the report definitions within Identity Reporting. However, it does need to be unique within the list of schedules for the report definition.

You cannot move a schedule instance into the past (before the current date and time) or to a day that already has a run scheduled for the same report definition.

To move a single schedule instance to a new date:

  1. Select the schedule instance you want to move and drag it to the desired date.

  2. Click Move This.

6.5 Moving All Schedule Instances

The Calendar page also allows you to move all of the scheduled runs for a schedule by dragging and dropping a particular run within the schedule from one date to another within the calendar. When you move all schedule instances for a particular schedule, the Calendar page retains the original repeat pattern specified in the Frequency field, but updates the start date to reflect the new date for execution of the report.

The target date for the move need not be within the original start and end period dates specified for the schedule. If you move outside the original range of the schedule, the schedule start and end dates change accordingly.

To move all of the scheduled runs for a schedule:

  1. Select the schedule instance you want to move and drag it to the desired date.

  2. Click Move All.

    The Calendar page shifts all of the scheduled runs to align with the new run date.

7.0 Using the Reports Page

You can perform a number of tasks on the Reports page, including searching for, viewing, sorting, and deleting reports.

For more information about using the features on the Reports page, see the following topics:

7.1 Viewing the List of Completed and Running Reports

To view a list of completed and running reports, click Reports in the top navigation menu.

The Completed And Running Reports page shows all reports that have finished processing, as well as reports that are still in progress or have failed during execution. The list of reports includes reports that were scheduled, as well as reports that were initiated with the Run Now button. For each report listed, the page shows the report name, data source on which you ran the report, description, run date, and status icon.

If a report is run multiple times very quickly (each run is within a fraction of a second of the other runs), the time format shows one or more periods after AM or PM. For example, you might see PM. or PM.. after the time the report was run.

7.2 Viewing a Completed Report

To view a completed report, click the View link below the report that you want to display.

When you view a report, the generated report appears in a new window. The report appears in PDF or CSV format, depending on how the report was defined.

IMPORTANT: Please do not try to copy and send links to files within Identity Reporting, because this action might potentially expose your login information.

The View link is not available for reports that are still in progress or have failed.

7.3 Viewing the Details for a Report

To view the details for a report:

  1. Click the Details link below the report for which you want to see the details. If the report definition includes one or more parameters, a Criteria section is added to the page that shows the parameters. The fields shown in the pop-up window are not editable, because the report has already been submitted to be run.

    The Run By user is the logged-in user who creates a schedule or clicks Run Now. For example, if the user cblack creates a schedule, and then mmackenzie logs in and modifies the schedule, the Run By user is still the original creator, cblack. If mmackenzie moves the item by clicking Move This, thereby creating a new schedule, mmackenzie is the creator for the report generated by that one-off schedule.

  2. If the report has completed processing, you can display the generated report from this window by clicking the View link next to the status icon at the top of the window. This link is not available if the report is still in progress or has failed.

  3. To return to the report list, click the Close icon. You can continue to work outside the window while it is still open.

7.4 Deleting a Report

To delete a generated report, click the Delete link below the report that you want to delete.

If you choose multiple reports by selecting the check box for each report, and then click the Delete link for another report in the list, the delete operation applies only to the report for which you clicked the Delete link.

7.5 Performing Bulk Actions

To delete several reports at once:

  1. Select the check box to the left of each report definition you want to delete.

  2. In the Bulk Actions list, click the Delete operation.

  3. Click Apply.

Bulk actions apply only to the current page. If you select several items on one page, then navigate to the next page to select some additional items, a subsequent attempt to perform a bulk delete applies only to the second set of items you selected. The previous selections are retained and still appear selected if you navigate back to the first page. However, the bulk action is not performed on those items.

7.6 Searching for a Report

To search for a report definition:

  1. Type a search string in the Search text field, which is designated by the magnifying glass at the top right of the page.

    The search facility allows you to pass in search strings for any of the items in the following table.

    Table 5

    | Filter Value | Description |
    |---|---|
    | Name | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
    | Description | Performs a CONTAINS search. The search is case-insensitive, and it uses the locale of the user. |
    | Tags | Performs an exact string search. The search is case-insensitive. You need to pass in only a single tag. |
    | Run By | Performs a search on the first name and last name of the creator of the schedule. The creator is the logged-in user who creates a schedule or clicks Run Now. For example, if the user cblack creates a schedule, then mmackenzie logs in and modifies the schedule, the Run By user is still the original creator, cblack. If mmackenzie moves the item by clicking Move This, thereby creating a new schedule, mmackenzie is the creator for the report generated by that one-off schedule. |

    You can enter one or more words in the Search field, with or without quotes:

    • If you enter multiple words without quotes, the search results include reports that contain all of the words anywhere in the Name or Description, or that have all of the words as tags (that match exactly).

      For example, suppose you enter the following:

      chris black

      In this case, the following report definitions are in the results:

      • Reports with a Name containing the words chris and black anywhere in the string

      • Reports with a Description containing the words chris and black anywhere in the string

      • Reports with Tags having chris and black as exact tags

      • Reports with Run By having a first name or last name of chris and last name or first name of black

    • If you enter multiple words surrounded by double quotes, the search results include reports that include the entire phrase anywhere in the Name or Description, or that have a tag that matches the entire phrase.

      For example, suppose you enter the following:

      "margo mackenzie"

      In this case, the following report definitions are in the results:

      • Reports with Name containing the phrase margo mackenzie

      • Reports with Description containing the phrase margo mackenzie

      • Reports with a Tag that exactly matches margo mackenzie

      • Reports with Run By having margo mackenzie as the first name and last name or last name and first name

  2. Press the Enter key on your keyboard.

You can clear the current search criteria and refresh the display by clicking Reports on the top navigation menu, or by emptying the Search field and clicking the Search button again.

7.7 Sorting the List of Reports

To sort the list of reports, click the header for the column on which you want to sort. The sort indicator shows you which column is the new primary sort column.

7.8 Rows Per Page

You can control how many rows are displayed on the Repository page. Type the number of rows to display in the rows per page field at the bottom of the page and press Enter. The number you enter must be greater than zero. This preference is saved across sessions, and applies to all users. It affects both the Repository and Reports lists.

8.0 Using the Settings Page

The General Settings page allows you to specify how long completed reports should be retained. Specify the unit of time (days, weeks, or months) and a number in the Delete generated reports after field. Click Save to save your changes.

9.0 Using the Data Sources Page

The Data Sources page allows you to create, modify, and remove MS SQL, Oracle, PostgreSQL, and Vertica data sources on which you want to run reports. You can select data sources from a predefined list of installed Java Naming and Directory Interface (JNDI) data sources that the reporting server manages or define new, external Java Database Connectivity (JDBC) data sources. For a data source to be available when you run reports, you must first add it on this page.

After you add a predefined JNDI data source, you can use the Data Sources page to modify the display name. For JDBC data sources, you can modify the display name and the password that Identity Reporting uses to connect to the data source.

NOTE:The necessary JDBC driver JAR file must be in the lib directory of the Tomcat install. If you add the JAR, a restart of Tomcat is required.

9.1 Before You Create a Data Source Using SSL Communication [DRAFT]

If you want to create a data source and configure the database to use SSL communication, you must first create and configure the proper global configuration properties for your database platform and for the SSL type -- server authentication or mutual authentication. Use the table below to determine which configuration properties you need to create and the values for each.

Table 6 Global Configuration Properties and Value Types for Database Platforms and SSL Types

| Database Platform/SSL Type | Configuration Property | Value Type |
|---|---|---|
| Vertica/Server | com.netiq.iac.vertica.ssl.truststore.path | Filename |
| Vertica/Server | com.netiq.iac.vertica.ssl.truststore.password | Password |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.truststore.path | Filename |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.truststore.password | Password |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.keystore.path | Filename |
| Vertica/Mutual | com.netiq.iac.vertica.ssl.keystore.password | Password |
| Oracle/Server | com.netiq.iac.oracle.ssl.truststore.path | Filename |
| Oracle/Server | com.netiq.iac.oracle.ssl.truststore.type | Type of truststore |
| Oracle/Server | com.netiq.iac.oracle.ssl.truststore.password | Password |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.truststore.path | Filename |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.truststore.type | Type of truststore |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.truststore.password | Password |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.keystore.path | Filename |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.keystore.type | Type of truststore |
| Oracle/Mutual | com.netiq.iac.oracle.ssl.keystore.password | Password |
| PostgreSQL/Server | com.netiq.iac.postgres.ssl.root.cert | Contents of the certificate. NOTE:Do not use a filename. |
| PostgreSQL/Mutual | com.netiq.iac.postgres.ssl.root.cert | Contents of the certificate. NOTE:Do not use a filename. |
| PostgreSQL/Mutual | com.netiq.iac.postgres.ssl.client.cert | Contents of the certificate. NOTE:Do not use a filename. |
| PostgreSQL/Mutual | com.netiq.iac.postgres.ssl.client.key | Contents of the key. NOTE:Do not use a filename. |
| MS SQL/Server | com.netiq.iac.mssql.ssl.server.cert | Contents of the certificate. NOTE:Do not use a filename. |
| MS SQL/Server | com.netiq.iac.mssql.ssl.password | Password |

Use the information from this table to create and configure the required configuration properties for the data source you want to create.

NOTE:The configuration properties required for SSL communication could already exist in your environment. In Identity Governance, select Configuration > Advanced, then use the search feature to verify whether the configuration property you need is already configured as a global configuration setting.

To create and configure the proper global configuration properties for your data store type and for the SSL type:

  1. Log in as a Global Administrator.

  2. In Identity Governance, select Configuration > Advanced.

  3. Next to Global Configuration Settings, click the plus sign (+).

  4. Type the name of the configuration property you want to create, then click Add.

  5. Type the value for the configuration property you want to create, then click Create.

  6. Perform Step 3 through Step 5 for each property you need to create.
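The following added example (not part of Identity Governance or of the original guide) checks a set of global configuration properties against Table 6 for one platform and SSL type. It reports properties that are missing and values of the wrong kind, such as a filename where the table requires the certificate contents. The function names, the path heuristic, and the way the properties are gathered into a dictionary are assumptions made for the example.

```python
import re

F, P, T, C = "filename", "password", "type", "contents"

def props(platform, **kinds):
    """Expand truststore_path -> com.netiq.iac.<platform>.ssl.truststore.path."""
    return {f"com.netiq.iac.{platform}.ssl.{k.replace('_', '.')}": v
            for k, v in kinds.items()}

VERTICA = dict(truststore_path=F, truststore_password=P)
ORACLE = dict(truststore_path=F, truststore_type=T, truststore_password=P)

# (platform, SSL type) -> {property: value type}, transcribed from Table 6.
REQUIRED = {
    ("vertica", "server"): props("vertica", **VERTICA),
    ("vertica", "mutual"): props("vertica", **VERTICA, keystore_path=F,
                                 keystore_password=P),
    ("oracle", "server"): props("oracle", **ORACLE),
    ("oracle", "mutual"): props("oracle", **ORACLE, keystore_path=F,
                                keystore_type=T, keystore_password=P),
    ("postgres", "server"): props("postgres", root_cert=C),
    ("postgres", "mutual"): props("postgres", root_cert=C, client_cert=C,
                                  client_key=C),
    ("mssql", "server"): props("mssql", server_cert=C, password=P),
}

# Assumed heuristic for "this value is a path": a path prefix or a common
# certificate/keystore file extension.
PATH_LIKE = re.compile(
    r"^(/|[A-Za-z]:\\|\.{1,2}[/\\])|\.(pem|crt|cer|key|jks|p12)$", re.I)

def audit(platform, ssl_type, configured):
    """Return (property, problem) pairs; configured maps property -> value."""
    findings = []
    for name, kind in REQUIRED[(platform, ssl_type)].items():
        value = (configured.get(name) or "").strip()
        if not value:
            findings.append((name, "missing"))
        elif kind == C and "\n" not in value and PATH_LIKE.search(value):
            findings.append((name, "filename given, contents required"))
        elif kind == F and "-----BEGIN" in value:
            findings.append((name, "PEM text given, filename required"))
    return findings

# Constructed sample: values entered for a PostgreSQL data source that uses
# mutual authentication. The root certificate is a path and the key is absent.
SAMPLE = {
    "com.netiq.iac.postgres.ssl.root.cert": "/opt/certs/root.crt",
    "com.netiq.iac.postgres.ssl.client.cert":
        "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
}

if __name__ == "__main__":
    for name, problem in audit("postgres", "mutual", SAMPLE):
        print(f"{name}: {problem}")
```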

9.2 Creating or Managing a Data Source [DRAFT]

You can use the Data Source page to create, modify, or delete data sources.

To create a data source:

  1. In Identity Reporting, click Data Sources in the top navigation menu.

  2. Click the plus sign (+) to add a new data source.

  3. Select the appropriate method for connecting to the data source.

  4. (Conditional) If you are adding a predefined data source, select the source from the list.

  5. (Conditional) If you are defining a new data source, provide the following information for connecting to the data source:

    • The name of the data source

    • The database type

    • The host - DNS name or IP address of the computer that hosts the data source

    • Whether to use SSL to connect to the data source

    • The port the database is listening on

    • The name of the database. For Oracle this will be the SID/ServiceName.

    • The user name and password for the data source user account. As a best practice for Identity Governance reports, use the igrptuser account.

  6. (Optional) To test whether Identity Reporting can connect to the data source, click Test Connection.

    NOTE:A successful connection is not required to add the data source. It is possible to come back and test the connection at a later time.

  7. Click the Save icon.

To modify a data source:

  1. Click Data Sources in the top navigation menu.

  2. Click the data source name, then modify the information.

To remove a data source:

  1. Click Data Sources in the top navigation menu.

  2. Click the delete icon next to the data source you want to remove.

10.0 Administering and Customizing Identity Reporting

Identity Reporting offers various administration and customization tools. For more information, see the following topics:

10.1 REST Services for Reporting

Identity Reporting supports complete REST API functionality.

The REST APIs for reporting use the OAuth2 protocol for authentication.

The installation program deploys a special API WAR file, rptdoc.war, which contains the documentation of REST services needed for reporting. On Tomcat the rptdoc.war file is automatically deployed when Identity Reporting is installed.

The REST API documentation can be found at http://%servername%:8080/rptdoc. If you installed Reporting using https, substitute https for http.

NOTE:As a best practice while working in a staging or production environment, you should manually move or delete the rptdoc.war files and folders from the Tomcat webapps directory in your environment.

10.2 Enabling and Configuring Auditing for Identity Reporting

Use the following information to enable auditing for Identity Reporting. The steps for enabling auditing are the same whether you installed Identity Reporting and Identity Governance on the same server or on different servers.

If a Global Administrator enables auditing for Identity Reporting, all events in the Identity Reporting Events table are sent to the audit flow channel. For more information about logged events, see Identity Reporting Events.

NOTE:You can view the events in the catalina.timestamp.log file even if you do not enable auditing.

To enable and configure auditing:

  1. (Conditional) If you enabled auditing during the installation, proceed to Step 3.

  2. (Conditional) If you want to enable auditing after the installation, complete the following steps:

    1. Create an audit directory to store the audit information.

      • Linux: /opt/netiq/idm/apps/audit

      • Windows: C:\netiq\idm\apps\audit

    2. Create the Identity Reporting log file.

      • Linux: ../tomcat/conf/idmrptcore_logging.xml

      • Windows: C:\netiq\idm\apps\tomcat\conf\idmrptcore_logging.xml

    3. (Linux only) Assign ownership to the audit directory.

      chown -R novlua.users /opt/netiq/idm/apps/audit

      NOTE:The novlua.users ownership matches the ownership of the tomcat directory. It allows the Tomcat service to modify files within the audit logs directory.

  3. Modify the Identity Governance logging file to enter the syslog server information.

    1. Open the logging file in a text editor.

      • Linux: /opt/netiq/idm/apps/tomcat/conf/idmrptcore_logging.xml

      • Windows: C:\netiq\idm\apps\tomcat\conf\idmrptcore_logging.xml

    2. Make the following changes specific to your syslog server:

      <enabled>${com.netiq.ism.audit.cef.enabled:true/false}</enabled>
      <protocol>${com.netiq.ism.audit.cef.protocol:TCP/TLS}</protocol>
      <host>${com.netiq.ism.audit.cef.host:123.456.78.90}</host>
      <port>${com.netiq.ism.audit.cef.port:6514}</port>
      <cache-dir>${com.netiq.ism.audit.cef.cache-file-dir:/opt/netiq/idm/apps/audit}</cache-dir>
      <cache-file>idm-rpt.txt</cache-file>
      <application>Reporting Core</application>
      <vendor>Micro Focus</vendor>
      <version>6.6.0</version>

      NOTE:To disable auditing, ensure that the <enabled> line is set to false. For example:

      <enabled>false</enabled>

  4. (Conditional) If you are using TLS, add the certificate (public key) for the syslog server (at the provided port) to the Identity Governance and Identity Reporting trusted certificates files.

  5. Restart Tomcat. For more information, see the User Guide on the Identity Governance documentation website.
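A check you can run on the logging file before restarting Tomcat, added here as an example (it is not part of Identity Reporting or of the original guide): it reads the elements from step 3 and flags settings that leave auditing off, send events over plain TCP, or name an unusable host or port. The `<audit>` root element in the sample, the function names, and treating the text after the colon in `${property:default}` as the effective value are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: the elements from step 3 inside a hypothetical <audit>
# root, with TCP chosen and the guide's placeholder host left unchanged.
SAMPLE = """<audit>
  <enabled>${com.netiq.ism.audit.cef.enabled:true}</enabled>
  <protocol>${com.netiq.ism.audit.cef.protocol:TCP}</protocol>
  <host>${com.netiq.ism.audit.cef.host:123.456.78.90}</host>
  <port>${com.netiq.ism.audit.cef.port:6514}</port>
  <cache-dir>${com.netiq.ism.audit.cef.cache-file-dir:/opt/netiq/idm/apps/audit}</cache-dir>
</audit>"""

PLACEHOLDER = re.compile(r"^\$\{([^:}]+):(.*)\}$")
WANTED = {"enabled", "protocol", "host", "port", "cache-dir"}

def resolve(text):
    """Return the default from ${property:default}, or the literal text."""
    text = (text or "").strip()
    match = PLACEHOLDER.match(text)
    return match.group(2).strip() if match else text

def read_settings(xml_text):
    """Collect the audit elements wherever they sit in the document."""
    settings = {}
    for element in ET.fromstring(xml_text).iter():
        tag = element.tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix
        if tag in WANTED:
            settings[tag] = resolve(element.text)
    return settings

def check(settings):
    """Return findings as strings; an empty list means nothing was flagged."""
    findings = []
    if settings.get("enabled", "").lower() != "true":
        findings.append("enabled: events are not forwarded to the syslog server")
    protocol = settings.get("protocol", "").upper()
    if protocol == "TCP":
        findings.append("protocol: TCP carries audit events unencrypted, use TLS")
    elif protocol != "TLS":
        findings.append(f"protocol: unexpected value {protocol!r}")
    host = settings.get("host", "")
    if not host:
        findings.append("host: missing")
    elif re.fullmatch(r"[\d.]+", host):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"host: {host!r} is not a valid IPv4 address")
    port = settings.get("port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append(f"port: {port!r} is outside 1-65535")
    return findings

if __name__ == "__main__":
    print("\n".join(check(read_settings(SAMPLE))) or "no findings")
```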

10.3 Identity Reporting Events

The events listed in the following table are logged for Identity Reporting. For more information about event auditing in Identity Reporting, see Enabling and Configuring Auditing for Identity Reporting.

Table 7

| Event ID | Process | NetIQ Identity Audit Event | Severity |
|---|---|---|---|
| 31771 | Report definition created | Report_Defn_Created | Info |
| 31772 | Report definition modified | Report_Defn_Modified | Info |
| 31773 | Report definition deleted | Report_Defn_Deleted | Info |
| 31774 | Schedule created | Schedule_Created | Info |
| 31775 | Schedule modified | Schedule_Modified | Info |
| 31776 | Schedule deleted | Schedule_Deleted | Info |
| 31777 | Report generated | Report_Generated | Info |
| 31778 | Report delivered | Report_Delivered | Info |
|  | Data cleanup requested | Data_Cleanup_Requested | Info |
|  | Data collection activated | Data_Collection_Activated | Info |
|  | Data collection failed | Data_Collection_Failed | Info |
|  | Data collection requested | Data_Collection_Requested | Info |
|  | Data collection started | Data_Collection_Started | Info |
|  | Data collection suspended | Data_Collection_Suspended | Info |
|  | Data source modified | Data_Source_Modified | Info |
|  | Data source registered | Data_Source_Registered | Info |
|  | Data source removed | Data_Source_Removed | Info |
|  | Data Collection Service (DCS) driver collection disabled | DCS_Driver_Collection_Disabled | Info |
|  | DCS collection enabled | DCS_Driver_Collection_Enabled | Info |
|  | DCS driver registration add | DCS_Driver_Registration_Add | Info |
|  | DCS driver registration modify | DCS_Driver_Registration_Modify | Info |
|  | Service started | Service Started | Info |
|  | Service stopped | Service Stopped | Info |
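Every event in the table carries the severity Info, so a severity filter on the syslog side cannot separate a deleted report definition from a routine report run. The added example below (not product code and not from the original guide) parses CEF records and selects events by name instead. The sample lines are constructed, and the placement of the event ID and name in the CEF header, the suser key, and the REVIEW selection are assumptions.

```python
import re

# Event names from the table above that change what is reported or which
# data is read; this selection is the example's choice, not a product list.
REVIEW = {
    "Report_Defn_Modified", "Report_Defn_Deleted", "Schedule_Deleted",
    "Data_Source_Registered", "Data_Source_Modified", "Data_Source_Removed",
    "Data_Collection_Suspended", "DCS_Driver_Collection_Disabled",
}

# Constructed sample lines; UNLISTED marks an event ID the table does not give.
SAMPLE = [
    r"CEF:0|Micro Focus|Reporting Core|6.6.0|31777|Report_Generated|1|suser=cblack",
    r"CEF:0|Micro Focus|Reporting Core|6.6.0|31773|Report_Defn_Deleted|1|suser=mmackenzie msg=removed by request",
    r"Jan 01 00:00:00 rpt01 CEF:0|Micro Focus|Reporting Core|6.6.0|UNLISTED|Data_Source_Modified|1|msg=a\=b suser=cblack",
    "INFO [main] org.apache.catalina.startup.Catalina.start Server startup",
]

EXTENSION = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")

def split_header(line):
    """Return the 7 CEF header fields and the raw extension string."""
    start = line.find("CEF:")  # skip a syslog prefix if one is present
    if start < 0:
        raise ValueError("not a CEF record")
    fields, current, i = [], [], start
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\" and line[i + 1:i + 2] in ("\\", "|"):
            i += 1  # keep the escaped character literally
            current.append(line[i])
        elif line[i] == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(line[i])
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, line[i:]

def parse_extension(ext):
    """Parse key=value pairs; values may contain spaces and escaped '='."""
    return {k: v.replace("\\=", "=") for k, v in EXTENSION.findall(ext)}

def triage(lines):
    """Return (event_id, name, user) for Reporting events named in REVIEW."""
    hits = []
    for line in lines:
        try:
            fields, ext = split_header(line)
        except ValueError:
            continue  # ordinary log line, not an audit record
        product, event_id, name = fields[2], fields[4], fields[5]
        if product == "Reporting Core" and name in REVIEW:
            hits.append((event_id, name, parse_extension(ext).get("suser", "?")))
    return hits
```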

10.4 Security Considerations

This section describes security considerations to keep in mind when working with Identity Reporting.

Authentication Token Exposure

On Windows, the authentication token used for login operations is exposed as a URL parameter in the Internet Explorer address bar when users open PDF files for reports. This happens because the browser handles links to PDFs instead of JavaScript handling the links.

Do not copy and paste links to report PDFs. If the token has not yet expired and the user has not logged out, the link receiver, who might not be a legitimate user, is able to access Identity Reporting by using the token given to the legitimate user.

IMPORTANT:Do not try to copy and send links within Identity Reporting, because this action might potentially expose your login information.

10.5 Report Customization Tools

Report Packaging Tool: Facilitates the process of creating new reports.

Custom header/footer tool: Tool to customize the report header and footer. There is help embedded in the tool.

10.6 Customizing the User Interface

Identity Reporting requires a web browser to present information and allow users to perform actions.

The reporting client WAR supports customization through the custom.css file. To customize the user interface, set the location of the custom.css file using the com.netiq.rpt.css.custom.dir property.

NOTE:The Identity Governance server process must have read permissions on the custom.css file.

10.7 Customizing Strings

You can customize the strings for Identity Reporting into any of several supported languages by customizing the appropriate language-specific properties JAR file.

NOTE:As a best practice, copy only the property or properties that need to be translated.

The following table lists the supported languages.

Table 8

| Language | Locale Code |
|---|---|
| Chinese – Simplified | zh_cn |
| Chinese – Traditional | zh_tw |
| Danish | da |
| Dutch | nl |
| English | en |
| French | fr |
| German | de |
| Italian | it |
| Japanese | ja |
| Polish | pl |
| Portuguese | pt |
| Russian | ru |
| Spanish | es |
| Swedish | sv |

The strings for Identity Reporting are contained within a set of language-specific JAR files that are associated with the two main WARs used by Reporting:

  • Client WAR

  • Core WAR

The language-specific JAR files follow this pattern:

  • RPTCORE-CLIENT_language.jar

  • RPTCORE-SERVER_language.jar

For example, the following JAR files apply to strings in French:

  • RPTCORE-SERVER_fr.jar

11.0 Legal Notice

The only warranties for products and services of Micro Focus and its affiliates and licensors (“Micro Focus”) are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Micro Focus shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

For additional information, such as certification-related notices and trademarks, see https://www.microfocus.com/about/legal/.

Copyright © 2022 Micro Focus or one of its affiliates. All Rights Reserved.