Out of the box reports

Hitachi ID Identity Manager provides over 180 built-in reports, including:

  • Users: list selected users or those with specific attributes or entitlements.
  • Targets: list selected target systems or those accessible by some users.
  • Orphans: list login IDs on target systems not attached to active user profiles or with too-old last-login dates.
  • Workflow:
    • Authorizers: list available authorizers and their attached resources.
    • Roles: list roles and their component templates.
    • Templates: list templates, their dependencies and role membership.
    • Requests: list current and closed change requests in the system.
  • Inventory: list physical objects under management and their locations.

Graphical dashboards

Identity Manager includes a number of dashboards, for example to monitor its operation and the workflow request queue. These are available via navigation or can be pinned to a user's landing page. This is illustrated in the two screen shots below.

    [Figure: Screen shot: Workflow current state]

    [Figure: Screen shot: Workflow trend]

Policy violations and data quality

Identity Manager includes reports to identify policy violations, such as:

  1. SoD violations (generally or for specific rules or users).
  2. RBAC violations -- i.e., users whose entitlements do not match assigned roles, through surplus or deficit.
  3. Access which has not been certified recently or at all.
  4. Access which is not even configured to be certified (out of scope of defined rounds).
  5. Users whose entitlements, in aggregate, contribute to a high risk score.

Identity Manager includes built-in data quality analytics, including:

  1. Inconsistent account attributes (differ between systems for the same user).
  2. Attribute violations (e.g., mandatory but empty, too short, too long, does not satisfy RegEx rules, etc.).
  3. Orphan and dormant accounts and profiles.
  4. Users with no managers and managers with no subordinates.
  5. Accounts and groups that disappeared from managed systems.
  6. Resources whose authorizers are not set, or whose authorizers' identities have disappeared or are inactive.
  7. Certification processes assigned to invalid users.
  8. Users whose actual entitlements do not match their assigned roles.
  9. Users who should but do not have login accounts on key systems.

Robust analytics infrastructure

All data in Identity Manager is stored in a normalized, relational database schema and can be accessed using standard analytical tools (Crystal Reports, Cognos, MS-Excel, SQL queries, etc.).

The schema is well documented and is available to all product licensees and evaluators under NDA. The current release schema documentation is about 127 pages long and includes detailed descriptions of every field, table, relation, value constraint, etc.

Hitachi ID Systems customers can add custom reports to the Identity Manager web UI, so that they can be run interactively, scheduled, have output delivered via e-mail, etc. These reports are written as short Python scripts that mostly contain a SQL SELECT statement which queries the Identity Manager back-end database, but they can also pull data from other sources (e.g., web services, other SQL databases, LDAP directories, etc.).
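The following is an added example, not Hitachi ID's code: a report in the "Python script around a SQL SELECT" style, listing RBAC violations by surplus and deficit. The tables, column names, sample rows and the functions demo_db and rbac_violations are constructed for illustration and are not the Identity Manager schema or report API; an in-memory SQLite database stands in for the back end.

```python
import sqlite3

# Constructed schema and sample data; NOT the Identity Manager schema.
SCHEMA = """
CREATE TABLE user_role(user_id TEXT, role TEXT);
CREATE TABLE role_entitlement(role TEXT, target TEXT, entitlement TEXT);
CREATE TABLE actual_entitlement(user_id TEXT, target TEXT, entitlement TEXT);
INSERT INTO user_role VALUES ('alice','ap-clerk'), ('bob','ap-clerk'), ('bob','dba');
INSERT INTO role_entitlement VALUES
  ('ap-clerk','ERP','invoice-entry'), ('ap-clerk','AD','grp-finance'),
  ('dba','ORA1','dba-role'), ('dba','AD','grp-finance');
INSERT INTO actual_entitlement VALUES
  ('alice','ERP','invoice-entry'), ('alice','AD','grp-finance'),
  ('alice','ERP','payment-approve'),            -- not granted by any role
  ('bob','ERP','invoice-entry'), ('bob','AD','grp-finance'),
  ('carol','AD','grp-finance');                 -- carol has no role at all
"""

# expected = union of what every assigned role grants (overlaps collapsed).
# surplus  = held but not expected; deficit = expected but not held.
REPORT_SQL = """
WITH expected AS (
  SELECT DISTINCT ur.user_id, re.target, re.entitlement
  FROM user_role ur JOIN role_entitlement re ON re.role = ur.role
),
violations AS (
  SELECT 'surplus' AS kind, user_id, target, entitlement FROM
    (SELECT user_id, target, entitlement FROM actual_entitlement
     EXCEPT SELECT user_id, target, entitlement FROM expected)
  UNION ALL
  SELECT 'deficit', user_id, target, entitlement FROM
    (SELECT user_id, target, entitlement FROM expected
     EXCEPT SELECT user_id, target, entitlement FROM actual_entitlement)
)
SELECT kind, user_id, target, entitlement FROM violations
WHERE :user IS NULL OR user_id = :user
ORDER BY user_id, kind, target, entitlement
"""

def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def rbac_violations(conn, user_id=None):
    """Rows of (kind, user_id, target, entitlement); user_id=None reports all users."""
    # The filter is a bound parameter, never string-formatted into the SQL.
    return conn.execute(REPORT_SQL, {"user": user_id}).fetchall()

if __name__ == "__main__":
    for row in rbac_violations(demo_db()):
        print(*row, sep="\t")
```

Because the user filter is bound rather than concatenated, a report parameter typed into a web form cannot alter the query.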

Hitachi ID Password Manager includes various built-in reports, including:

  • User Reports
    • Matching user ID (string).
    • Matching user names (string).
    • By disabled only? Y/N.
    • List accounts? Y/N.
    • Matching target identifiers (string).
    • Matching target names (string).
    • Target type (drop down list).

  • Target System Reports
    • Matching target identifiers (string).
    • Matching target names (string).
    • Target types (drop down list).
    • List accounts? Y/N.
    • Matching user ID (string).
    • Matching user names (string).

  • Event Reports
    • Matching session IDs (string).
    • Matching user IDs (string).
    • Matching target identifiers (string).
    • Matching target names (string).
    • Target type (drop down list).
    • Event type (drop down list; 46 different selectable, or all).
    • Event list (number).
    • Requested by (string).
    • Earliest date/time.
    • Latest date/time.

  • Synchronization Reports
    • Matching user IDs (string).
    • Matching target identifiers (string).
    • Matching target names (string).
    • Target type (drop down list).
    • Currently queued or failed events.