Report on Users and Entitlements - Hitachi ID Identity Manager
One of the key elements of both security management and regulatory compliance is to periodically review who has access to systems, to find exceptions, and to remove them.
Global access reporting includes finding and eliminating dormant and orphan accounts, reviewing the access rights of current users to find entitlements that are no longer required, and the ability to simply report on "who has what."
Hitachi ID Identity Manager comes with built-in capabilities to meet these security reporting requirements. Identity Manager provides over 100 built-in reports, including:
- Users: list selected users or those with specific attributes or entitlements.
- Targets: list selected target systems or those accessible by some users.
- Orphans: list login IDs on target systems not attached to active user profiles or with too-old last-login dates.
- Authorizers: list available authorizers and their attached resources.
- Roles: list roles and their component templates.
- Templates: list templates, their dependencies and role membership.
- Requests: list current and closed change requests in the system.
- Inventory: list physical objects under management and their locations.
In addition, Identity Manager has an open schema and data access layer, allowing customers to develop their own security reports. All data in Identity Manager is stored in a normalized, relational database schema and can be accessed using standard analytical tools (Crystal Reports, Cognos, MS-Excel, SQL queries, etc.).
The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long, and includes detailed descriptions of every field, table, relation, value constraint, etc.
Hitachi ID Systems customers can add custom reports directly to the Identity Manager web UI, so that they can be run interactively, scheduled, have output delivered via e-mail, etc. These reports are written as short Python scripts that mostly contain a SQL SELECT statement which queries the Identity Manager back-end database, but they can also pull data from other sources (e.g., web services, other SQL databases, LDAP directories, etc.).
Identity Manager includes many built-in reports, which can be run interactively from the web portal or scheduled to run automatically (and periodically if so desired). Report output is HTML or CSV and can be delivered to the same web portal, via e-mail, or to the filesystem. Built-in reports cover:
- Identities -- users, accounts, attributes, orphan/dormant accounts, etc.
- Entitlements -- roles, groups, accounts, etc.
- History -- by user, role, group, etc.
- Workflow -- activity in the queue, historical trends, request popularity, etc.
- Role analytics -- users sharing entitlements, SoD violations and more.
- Configuration data -- roles, groups, etc.
- System data and troubleshooting -- event logs, unsatisfiable requests, entitlements with no/invalid owners, etc.
The same data is accessible to 3rd party reporting tools.