Users reports

Accounts

Purpose: Accounts with their associated profile and target system.

In addition to account long IDs, the report displays the target system that each account was listed from, and the user that owns each account.

Executable: account

Table 1. Accounts report search criteria

Criteria	Description
Account	Type a comma-and-space-delimited list of long IDs (not short IDs) that match the accounts you want to include in the report. Alternatively, you can search for one or more accounts.
Target system ID	Type a comma-and-space-delimited list of target system IDs to only include accounts from those systems. Alternatively, you can search for one or more target systems.
Target system group	Select one or more target groups to include in the report. The list only includes target groups that are in use with the instance being configured.
Account status	Select one or more values to only include accounts with a matching account status. The possible values are: Auto associated: accounts that were automatically associated with a profile ID. Manually claimed: accounts that were manually associated with a profile ID. Unclaimed: accounts that are not associated with a profile ID. Deleted: accounts that can no longer be listed from a target system. Filtered: accounts that have been filtered out by ID filters. By default, all account statuses are selected. This field applies to detail or summary report types only.
Deleted by	Choose a method on which an account has been removed from the drop-down list. All method is selected by default. All: lists all deleted accounts Bravura Security Fabric : lists all accounts that were deleted by Bravura Security Fabric . The ’track account changes’ option must be enabled on the account’s target system for it to be listed here. Out-of-band: lists all accounts that were not deleted by Bravura Security Fabric . The ’track account changes’ option must be enabled on the account’s target system for it to be listed here. Other: lists all deleted accounts that belonged to target systems where ’track account changes’ was not enabled.
Report type	Choose a report type from the drop-down list. The Account details setting is selected by default. Account details: lists accounts by status, User ID, target system, and target group. Account summary: lists the number of accounts of each status. Account as source of profile IDs: lists the number of accounts on target systems that are a source of profile IDs; includes the attribute used to automatically attach accounts to profile IDs, and account status. Account not as source of profile IDs: lists the number of accounts on target systems that are a not a source of profile IDs; includes the attribute used to automatically attach accounts to profile IDs, and account status.
Graph type	Specify the type of graph for a visual representation of the data. The available graph types are vertical bar chart, pie chart and horizontal bar chart. This field is only visible when the account summary report type is selected.

If you do not specify any search criteria, all valid accounts are included in the report.

Resource authorizers

Purpose: Authorizers and the resources to which they are assigned.

Executable: authorizers

Table 2. Resource authorizers report search criteria

Criteria	Description
Authorizer ID	Type a comma-and-space-delimited list of profile IDs that match the authorizers you want to list resources for. Alternatively, you can search for one or more authorizers. This option is only displayed if Authorizer type is set to List explicitly assigned .
Target system ID	Type a comma-and-space-delimited list of target system IDs to only include Accounts and Managed groups from those systems in the report. Alternatively, you can search for one or more target systems.
Roles	Type a comma-and-space-delimited list of roles for which you want to list authorizers. Alternatively, you can search for one or more authorizers.
Managed groups	Type the long ID of one or more managed groups for which you want to list authorizers. Alternatively, you can search for one or more managed groups.
Template accounts	Select one or more template accounts for which you want to list authorizers.
Managed system policy ID	Select one or more managed system policy IDs for which you want to list authorizers.
Segregation of duties rules	Select one or more segregation of duties (SoD) rules for which you want to list authorizers. This option is only displayed if there are SoD rules configured.
Authorizer type	Set the type of authorizers that you want to list: List explicitly assigned: authorizers explicitly assigned to at least one resource List workflow managers: workflow managers assigned by user access rules List delegation managers: delegation managers assigned by user access rules {reportList authorization user class: user class assigned for authorization

Delegation

Purpose: Current and archived delegation requests - details and statistics.

Executable: delegation

Table 3. Delegation report search criteria

Criteria	Description
Primary user ID	Type the profile ID of the primary authorizer for whom you want to generate the report. Alternatively, you can search for one or more profile IDs.
Delegate user ID	Type the profile ID of the delegate for whom you want to generate the report. Alternatively, you can search for one or more profile IDs.
Participant	Select the type of delegation: (All): to include requests for all types of delegations (default) Authorizer: to only include requests to delegate authorization tasks Implementer: to only include requests to delegate implementation tasks Reviewer: to only include Certification delegate
Earliest escalation date	(Optional) Choose a date range during which the delegation is in effect.
Latest escalation date	(Optional) Choose a date range during which the delegation round ended or will end.
Delegable	Select: (All): to include all delegation requests regardless of whether the responsibilities are delegable. True: to only include delegation requests where the responsibilities are delegable False: to only include delegation requests where the responsibilities are not delegable The term delegable means that the delegate user is allowed to delegate the inherited responsibilities, along with his or her own responsibilities, to someone else.
Status	Select one or more statuses to include in the report. This is the status of the delegation request.
Required to accept	Select: (All): to include all delegation requests regardless of whether the delegate was asked to respond True: to only include delegation requests where the delegate was asked to respond False: to only include delegation requests where the delegate was not asked to respond
Report type	Detailed: The default detailed output Summary by user: The summary by user mode. In this mode, the report output contains delegation-request statistics for each primary authorizer, as well as for the entire system. Statistics includes the total number of delegation requests, and the total number of requests in each status. Total for all users: The total summary mode. In this mode, the report output contains delegation-request statistics for all delegation types. Statistics include the total number of delegation requests, and the total number of requests in each status.
Graph type:	Select the graph type: (None): no graph will be generated. Vertical bar chart: a vertical bar chart for different delegation type will be generated.

If you do not specify any search criteria, the report is generated for all delegation requests.

Enrollment

Purpose: Detailed and statistical overview of the progress of user enrollment.

Executable: enrollment

Table 4. Enrollment report search criteria

Criteria	Description
User ID	Type the profile ID of the user for whom you want to generate the report. Alternatively, you can search for one or more profile IDs.
User name	Type the full name of the user for whom you want to generate the report.
Status match	Select whether to display users with any of the statuses, or all of them.
Status	Select the enrollment statuses that you want to add to the report output.
Enrollment type	Select the types of enrollment that you want to add to the report output: Update security questions Generate voice print enrollment PIN Attach other accounts Password synchronization registration Mobile devices View and update profile
Show detailed report	Select this checkbox to display additional report details.
Graph type	Select the chart type for the graph. This option will only show when Show detailed report option is not selected.

Click below to view a demonstration of running an enrollment report:

Password status on target systems

Purpose: Last-change date, expiry date and current status for passwords on target systems.

Executable: expiry

Table 5. Password status on target systems report search criteria

Criteria	Description
User ID	Type the profile ID of the user for whom you want to generate the report. Alternatively, you can search for one or more profile IDs.
User name	Type the full name of the user for whom you want to generate the report.
Users must have accounts on at least one of these target systems	Type a comma-and-space-delimited list of target system IDs on which users must have accounts. Alternatively, you can search for one or more target systems.
Target system group	Select the target system groups you want to add to the report output.
Password expiration date	(Optional) Choose a date range to define a password expiration date.
Password expiration dates to display	Select the types of password expiration dates you want to add to the report output.
Show all accounts	If users have multiple accounts, select this checkbox to list the password change date, expiry date and status for all accounts.

Implementers

Purpose: Resources and associated operations assigned to human implementers (not connectors).

Executable: implementerreport

Table 6. Implementers report search criteria

Criteria	Description
Implementer type	Select the implementer type: Explicitly assigned Assigned by user class
Implementer ID	Type the profile ID of the implementer for whom you want to run the report. Alternatively, you can search for one or more profile IDs.
Target system ID	Type a comma-and-space-delimited list of target system IDs to only include accounts from those systems. Alternatively, you can search for one or more target systems.
Operation	Select the operations that you want to include. All operations are included by default. This is only shown when implementer type is set to explicitly assigned.

Orphan / Inactive

Purpose: Lists:

Unclaimed accounts
Users without an associated account
Dormant accounts
Dormant profiles
"Dormant accounts" are user objects on target systems where the user has not logged in for at least N days. This number is defined by the Show inactive accounts (days) search criteria. See below for details.
"Dormant profiles" are user profiles in Bravura Security Fabric , containing one or more accounts, all of which are dormant.

Note

You should generate a full attribute listing before running this report for a target system. To do this, click Generate full list on the Target system information page, then run auto discovery.

Bravura Security Fabric only supports Microsoft Active Directory and Microsoft Windows server target systems for use with the Orphan / inactive report. This report only supports Active Directory target systems running on Microsoft Windows Server 2008 or newer.

Executable:orphan

Table 7. Orphan / Inactive report search criteria

Criteria	Description
Report type	Choose a report type from the drop-down list. The `Orphan accounts (not attached to a profile)` setting is selected by default. Orphan accounts (not attached to a profile): Lists accounts that are not associated with any user’s profile ID. Orphan profiles (have no accounts): lists profile IDs that do not have an associated account. Inactive accounts (N days with no login): lists dormant accounts. Inactive profiles (N days with no login): lists dormant user profiles.
Target system ID	To list unclaimed or inactive accounts for one or more target systems, type a comma-and-space-delimited list of target system IDs. Alternatively, you can search for one or more target systems. The search engine only returns results for manually added target systems, not for discovered systems. This option is only displayed if Report type is set to `Orphan accounts (not attached to a profile)` or `Inactive accounts (N days with no login)` .
Account	Type a comma-and-space-delimited list of long IDs (not short IDs) that match the accounts you want to include in the report. Alternatively, you can search for one or more accounts. This option is only displayed if Report type is set to `Orphan accounts (not attached to a profile)` , `Inactive accounts (N days with no login)` or `Inactive profiles (N days with no login)` .
User ID	Type the profile ID of the user for whom you want to generate the report. Alternatively, you can search for one or more profile IDs. This option is only displayed if Report type is set to `Orphan profiles (have no accounts)`, `Inactive accounts (N days with no login)` or `Inactive profiles (N days with no login)` .
User name	Type the full name of the user for whom you want to generate the report. This option is only displayed if Report type is set to `Orphan profiles (have no accounts)`, `Inactive accounts (N days with no login)` or `Inactive profiles (N days with no login)` .
Number of days with no login	Type a numeric value to only show accounts/profiles that have been dormant for the specified number of days. This option is only displayed if Report type is set to `Inactive accounts (N days with no login)` or `Inactive profiles (N days with no login)` .
Discovered in the last N days	Type a numeric value to filter results based on how recently the account was discovered during auto-discovery. A value of zero will return all results. This option is only displayed if Report type is set to `Orphan accounts (not attached to a profile)` .

Access to product features

Purpose: Security privileges held by product administrators.

Lists product administrators, privileges, and finds product administrators with selected administrative privileges.

Executable: prodadmin

Table 8. Access to product features report search criteria

Criteria	Description
Product administrator	Type a comma-and-space-delimited list of product administrators to include in the report. Alternatively, you can search for one or more product administrators. The default is all product administrators.
Administrative privileges	Select one or more privileges to search on. All privileges are selected by default.
Administrator group ID	Select one or more groups to search on. All groups are selected by default. This field is not displayed if there is no data available.
Source of privileges	You can specify whether to report on privileges granted to individual administrators, or granted by group membership.

Profile and request attributes

Purpose: Provides information about users, and profile attributes.

Executable: userattr

Table 9. Profile and request attributes report search criteria

Criteria	Description
User ID	Type a comma-and-space-delimited list of profile IDs to only include profile attributes for certain users. Alternatively, you can search for one or more profile IDs.
Profile attribute	Select a profile attribute on which to filter users. You can select up to eight attributes. You can also select the same attribute multiple times; for example, you may want to list all users whose first name is ’Mike’ or ’Michael’. All profile attributes are available, except for request-only attributes and encrypted attributes. If no attributes are specified, the report lists all user profiles filtered by user ID.
Value type	This field is displayed if a Profile attribute field is other than `Attribute not required`. Select the value type of comparator to apply on selected the profile attribute. Different types of attributes have access to different sets of value types. `is empty` if you want Bravura Security Fabric to search on empty values. `is not empty` if you want Bravura Security Fabric to search on non empty values. `is equal to` if you want Bravura Security Fabric to search on values equal to a specified string. `is not equal to` if you want Bravura Security Fabric to search on values not equal to a specified string. `is less than` if you want Bravura Security Fabric to search on values that are less than a specific integer. `is less than or equal to` if you want Bravura Security Fabric to search on values that are less than or equal to a specific integer. `is greater than` if you want Bravura Security Fabric to search on values that are greater than a specific integer. `is greater than or equal to` if you want Bravura Security Fabric to search on values that are greater than or equal to a specific integer. `is greater than or equal to` if you want Bravura Security Fabric to search on values that are greater than or equal to a specific integer. `Is later than today + N days` if you want Bravura Security Fabric to search on dates that are later than N days after today. `is earlier than, or equal to, today - N days` if you want Bravura Security Fabric to search on dates that are earlier or equal to N days before today.
Value	This field is displayed and required if a Value type field is set to something other than `is empty` or is `not empty`. Type or select the value to compare with.
Display of attributes	Choose the display mode for attributes. Select: `All attributes` if you want all non null account attributes to be displayed by the report. `Searched on attributes` if you only want the account attributes that are searched on to be displayed by the report. `No attributes` if you want no account attributes to be displayed by the report. Attributes that are searched on will be displayed in the All attributes and Searched on attributes modes, regardless of whether they are null.
Attribute match	Select: `Match on all` if you want Bravura Security Fabric to match on all the profile attribute rows. `Match on any` if you want Bravura Security Fabric to match on any profile attribute rows.

Profiles

Purpose: Provides information about user profiles, including accounts, group memberships and identity attributes.

Executable: users

Table 10. Profiles report search criteria

Criteria	Description
User ID	Type a comma-and-space-delimited list of profile IDs to only include information about certain users. Alternatively, you can search for one or more profile IDs.
User name	Type the full name of the user for whom you want to generate the report.
User attribute to search	Select a profile attributes on which to filter users. The options include all available profile attributes, excluding request-only attributes.
Attribute value to search	This field is displayed if User attribute to search is other than `Attribute not required`. Type the value of the user attribute. This searches against the attribute’s stored string value in the database, regardless of attribute type.
User attributes to display	Select one or more profile attributes that you want to add to the report output.
List only product administrators	Filter the report to list only product administrators. This applies only to individual product administrators; not users added to administrator groups.
Account restriction	Select one of the following options to filter users based on whether they have accounts: (No restriction) only users with accounts only users without accounts
Profile status	Select one or more of the following options to filter users based on the profile status: Locked Unlocked Enabled Disabled
RBAC enforcement	Select one of the following options to filter users based on RBAC enforcement: All users Users under RBAC enforcement Users not under RBAC enforcement
Show accounts	Select this checkbox if you want to include a list of each user’s accounts in the report output.
Users must have accounts on at least one of these target systems	Type a comma-and-space-delimited list of target system IDs on which users must have accounts. Alternatively, you can search for one or more target systems.
Target system group	Select the target system groups that you want to add to the report output.
Show managed groups	Select this checkbox if you want to include a list of each user’s managed groups in the report output.
Managed groups	Type the long ID of one or more managed groups in which users must have accounts. Alternatively, you can search for one or more managed groups.
Last login time	(Optional) Choose a date range to define a date range for the last login time:
Summarize report	Select this checkbox to summarize the report details. In this mode, the report includes the number of users, the number of users without accounts, and the license size.

If you do not specify any search criteria or select any options, the report output includes the profile ID and full name of every Bravura Security Fabric user.

Userstat

Purpose: Lists information about users with associated tags in the userstat database table.

Executable: userstat

Table 11. Userstat report search criteria

Criteria	Description
User ID	Type the profile ID of the user for whom you want to generate the report. Alternatively, you can search for one or more profile IDs.
User name	Type the full name of the user for whom you want to generate the report.
Tags	Select one or more tags to list the users associated with these tags. This field is not displayed if there is no data available.
Tag value	Type a tag value to list the tags and associated users.
Report type	Choose a report type from the drop-down list. The Details report is selected by default. Detailed: lists accounts with tags by User ID, User name, Tag ID and Tag value. Users without tag or not matching tag value: lists accounts without tags or not matching tag value by User ID, Username and Tag ID. Summary: lists a summary of each tag; includes the total number of users with, and without the tag value for each tag.

Resources per user

Purpose: View resources (accounts, group memberships, roles, user classes, delegations, authorizer power and access privileges) associated with a given set of users.

Executable: userresources

Criteria	Description
User ID	Type a comma-and-space-delimited list of the profile IDs you want to include in the report. Alternatively, you can search for one or more profile IDs.
User attributes to display	Select the profile attributes that you want to add to the report output. This option is only available when Summarize report is unselected. Default: none.
Sections to display	Select the sections you want to add to the report output. Default: all.
Number of entitlements	Select an option to filter out users by total number of entitlements. This option is only available when Summarize report is selected. No threshold: lists all users. Threshold for minimum number of entitlements: only lists the users whose total number of entitlements is not less than the threshold. Threshold for maximum number of entitlements: only lists the users whose total number of entitlements is not greater than the threshold.
Threshold value	Type a number to define the threshold. The default value is 1. This option is only available in summary mode when ’Threshold for minimum number of entitlements’ or ’Threshold for maximum number of entitlements’ is selected for Number of entitlements.
Summarize report	Check to summarize the report details.

Account attributes

Purpose: Lists accounts and account attributes

Executable: accountattr

Table 12. Account attributes report search criteria

Criteria	Description
Account	Type a comma-and-space-delimited list of long IDs (not short IDs) that match the accounts you want to include in the report. Alternatively, you can search for one or more accounts.
User ID	Type a comma-and-space-delimited list of profile IDs to only include accounts belonging to certain users. Alternatively, you can search for one or more profile IDs.
Target system ID	Type a comma-and-space-delimited list of target system IDs to only include accounts from those systems. Alternatively, you can search for one or more target systems.
Account attribute	Select an attribute on which to filter accounts. You can select up to eight attributes. You can also select the same attribute multiple times; for example, you may want to list all accounts where ’givenName’ is ’Mike’ or ’Michael’.
Value	Type the value of the account attribute. This field is only displayed if an attribute is selected to filter accounts.
Display of attributes	From the drop-down list, select: `All attributes` if you want all account attributes to be displayed in the report. By default, all attributes are shown. `Searched on attributes` if you want only the account attributes selected for filtering to be displayed in the report. `No attributes` if you want no account attributes to be displayed in the report. Encrypted attribute values are masked.
Attribute match	From the drop-down list, select: `Match on all` if you want Bravura Security Fabric to match on all the account attribute rows. `Match on any` if you want Bravura Security Fabric to match on any account attribute row.

Password profile attribute fulfillment

Purpose: Provides details about who has set a password for profile attributes of type password.

Executable: PasswordUserAttrFulfilment

Table 13. Password profile attribute fulfillment report search criteria

Criteria	Description
User ID	Type a comma-and-space-delimited list of profile IDs to only include profile attributes for certain users. Alternatively, you can search for one or more profile IDs.
User attribute to search	Select a profile attribute on which to filter users. The options include profile attributes of type password.
Condition	Select one or more of the following options of the following options to filter users based on whether they set a value for a profile attribute of type password: Is set Is not set

In this section: