
Roles and groups reports

Role assignments

Purpose: Provides information about the users assigned to roles.

Executable: roleassignment

Table 1. Role assignments report search criteria

Criteria

Description

Roles

Select one or more roles to include in the report.

User ID

Type a profile ID to only display role assignments for the specified user. Alternatively, you can search for one or more profile IDs.

Role assignment attributes to display

Select one or more role membership attributes to include in the report.

Role assignment attributes

Select a role membership attribute on which to filter. You can select up to four attributes. The union of all attributes configured will be returned.

Summarize report

Select this checkbox to show summary information for each role.

Minimum number of users

Filter out rows that have less than the specified threshold value for number of users with the role. This option is only available if Summarize report is selected.

Graph type

Select a type of graph to generate for the report. This option is only available if Summarize report is selected.

  • None : no graph will be generated.

  • Horizontal bar chart : a horizontal bar chart will be generated for the report.

Number of rows for graph

The maximum number of rows to display in the graph. The selected rows are displayed in descending order by number of entitlements.



Role definitions

Purpose: Lists either the resources that are members of each role or authorizers that are assigned to each role.

Executable: roledefinitions

Table 2. Role definitions report search criteria

Criteria

Description

Roles

Select one or more roles to include in the report.

Managed groups

Type the long ID of one or more managed groups for which you want to run the report. Only roles that contain the specified groups are included in the report. All groups are included by default. Alternatively, you can search for one or more managed groups.

Template accounts

Select one or more template accounts. Only roles that contain the specified template accounts are included in the report.

Sub-roles

Select one or more sub-roles. Only roles that contain the specified sub-roles are included in the report.

Resource attribute

Filter results using a resource attribute and criteria. The type of criteria is dependent on the attribute selected. Up to four resource attribute filters can be defined.

Resource attribute to display

Choose which resource attributes to display.

Necessity

Select the necessity (Required, Optional, Legacy), to only include role-members with the specified necessity. The default is Show all.

Show authorizer

Select this checkbox if you want to generate a report listing the authorizers for each matching role.

Show deprecated

Select this checkbox to include only deprecated roles in the report.

Summarize report

Select this option to summarize the report.

In this mode, the report includes a count of the number of members and authorizers for each matching role.



If you do not specify any search criteria, the report output includes all (non-deprecated) roles and their members.

If JavaScript is enabled, then Template accounts and Sub-roles only appear if they exist as role entitlements. For example, if a template account is added as a role entitlement, then the Template accounts option appears for this report.

Role exceptions

Purpose: Lists approved exceptions to role enforcement violations.

Executable: roleexceptions

Criteria

Description

User ID

Type a user’s profile ID to only list exceptions that apply to that user. Alternatively, you can search for one or more profile IDs.

Roles

Select one or more roles to include in the report.

Managed groups

Type the long ID of one or more managed groups for which you want to run the report. Only exceptions that apply to the specified groups are included in the report. Alternatively, you can search for one or more managed groups.

Template accounts

Select one or more template accounts. Only exceptions that apply to the specified templates are included in the report.

Show authorizer

Select this checkbox if you want the report output to list the authorizers for each exception.

Authorizer ID

Type a user’s profile ID to list the exceptions for which the user is an authorizer. Alternatively, you can search for one or more profile IDs. You must also select the Show authorizer checkbox.

Role exception

Select the type of exception to include in the report: Deficit or Surplus. The default is Deficit.

Show summary

Select this checkbox to summarize the report.

In this mode, the report includes a count of the number of matching exceptions for each user and role combination.

Graph type

Select a type of graph to generate for the summarized report. This option shows when the Show summary option is checked.

  • None : no graph will be generated.

  • Horizontal bar chart : a horizontal bar chart will be generated for the summarized report.

Number of rows for graph

The maximum number of rows to display in the graph. The selected rows are displayed in descending order by number of requests. This option is shown when Horizontal bar chart is selected as the graph type.

Role history

Purpose: Audit trail of changes to role definitions.

Executable: roleaudit

Table 3. Role history report search criteria

Criteria

Description

Roles

Select one or more roles to include in the report.

User ID

Type in the console user to audit.

Choose date range

Choose a date range for role operations.

Operation

Select one or more operations that you want an audit report for. Default is all operations.



Incomplete roles

Purpose: Identify roles that have users with too many surpluses or deficits.

Which roles have many users that, in turn, have many out-of-role entitlements? How many out-of-role entitlements do users assigned each role have, on average? This suggests either incomplete role definitions (add entitlements) or users that do not fit well into a role model.

Executable: roleincomplete

Table 4. Incomplete roles report search criteria

Criteria

Description

Roles

Select one or more roles to include in the report.

Minimum number of users

Filter out rows that have less than the specified threshold value for number of users with the role.

Lower bound on the average number of out-of-role entitlements held by users in the role

Filter out rows that have less than the specified threshold value for average number of out-of-role (surplus) entitlements.

Summarize report

Select this checkbox to summarize the report details.



Roles violating segregation of duties rules

Purpose: Identify roles whose definition violates segregation of duties rules.

Executable: roledefviolatingsod

Table 5. Roles violating segregation of duties rules report search criteria

Criteria

Description

Roles

Select one or more roles to include in the report.

Segregation of duties rules

Select one or more SoD rules to include in the report.



Groups

Purpose: Provides details about membership and statistics of managed groups. Also reports unmanaged groups.

Executable: groupmembership

Table 6. Groups report search criteria

Criteria

Description

Group ID

Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, ’*’ representing any string of characters and ’?’ representing any single character. All groups are included by default.

Report type

Select a report type:

  • Show managed groups summary: Select this option to only show groups that are managed, and the total number of members for each group. Selecting this report type displays the Resource attribute to display input field.

  • Show managed group and authorization summary: Select this option to only show groups that are managed. In this mode, the report output also includes the total number of members and authorizers for each group.

  • Show managed group members: Select this option to only show groups that are managed, and to list their direct and indirect members (both accounts and child groups). Selecting this report type displays the Include deleted memberships and Memberships deleted by: input fields.

  • Show unmanaged groups : Select this option to only show groups that are not managed.

  • Show managed group authorizers : Select this option to only show groups that are managed, and to list their authorizers. The report includes all authorizers for all managed groups.

Override authorization configuration

Select an override type:

  • Show all : Only include managed groups regardless of authorization configuration inheritance.

  • Only use inherited configuration: Only include managed accounts groups that include only authorization configuration from the target system.

  • Do not inherit any configuration: Only include managed groups that do not include any authorization configuration inheritance set by the target system.

  • Include inherited configuration: Only include managed groups that include any authorization configuration inheritance set by the target system.

  • None: Only include managed groups where the target does not include inheritance.

Resource attribute to display

Available for all report types except the Show unmanaged groups report type. Choose which resource attributes to display alongside the managed groups.

Member type

Only available for the Show managed group members report type. Select the member types to display:

  • Account

  • Group

    Leaving it blank is the same as selecting all types.

Minimum depth

Only available for the Show managed group members report type. The report will only output members that have a depth greater than or equal to this value. The default value is 1.

Depth indicates what level of membership an account or group has to the managed group. A depth of 1 means they are a direct member of the group. A depth of 2 means they are a member of a direct child group.

Maximum depth (-1=infinite)

Only available for the Show managed group members report type. The report will only output members that have a depth less than or equal to this value. A value of -1 means it will output all members that have a depth greater than or equal to the Minimum depth. The default value is -1.

Target system ID

Type a comma-and-space-delimited list of target system IDs for which you want to run the report. Alternatively, you can search for one or more target systems.

Include invalid groups

Include or exclude groups that may have become invalid during the last auto discovery.

Only include groups without direct owners

Presented only when report type is set to Show managed group and authorization summary. When this option is enabled, only groups without direct owners are listed. Owners via groups that own a subgroup are not considered direct owners.

Include deleted memberships

Include deleted group memberships in the results. This option is only available for the Show managed group members report type, and will only return the most recent deletion from each group, per user.

Membership deleted by:

Filter results when including deleted memberships to only include deletions initiated from a specific source.

  • (All): Include all deleted memberships in results

  • Bravura Security Fabric: Only include group memberships deleted via Bravura Security Fabric, including: processed user requests, automatic management operations, and exit traps.

  • Out-of-band: Only include group memberships deleted by means outside the control of the Bravura Security Fabric, including local deletion from the group’s target system. This option will only return results for managed groups with the Track Changes option enabled.

Resource attribute

Filter results using a resource attribute and criteria. The type of criteria is dependent on the attribute selected. Up to four resource attribute filters can be defined.



Users who belong to the user class configured in the Manage the system > Modules > Manage reports (RPT) > GROUPAPP REPORT ACCESS field can run this report from the Groups app.
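The Minimum depth and Maximum depth criteria above can be pictured with the following added example, which is not Bravura Security Fabric code. It walks a constructed nested-group map, records each member's depth (1 = direct member, 2 = member of a direct child group), and applies the same bounds, with -1 meaning no upper limit. The group and account names are hypothetical, and reporting each member at its shallowest depth is an assumption of this sketch.

```python
from collections import deque

# Constructed sample data: group -> direct members (accounts or child groups).
DIRECT_MEMBERS = {
    "grp-finance": ["acct-alice", "grp-ap", "grp-audit"],
    "grp-ap": ["acct-bob", "grp-ap-contractors"],
    "grp-ap-contractors": ["acct-carol", "grp-finance"],  # nesting loop back to the root
    "grp-audit": ["acct-alice", "acct-dave"],             # alice is also a direct member
}


def member_depths(root, direct_members):
    """Return {member: depth} for every account or child group under root.

    Breadth-first traversal, so the first depth recorded for a member is its
    shallowest one (assumption of this sketch). Group nesting loops are
    tolerated: each group is expanded once and the root is never listed as
    its own member.
    """
    depths = {}
    expanded = {root}
    queue = deque([(root, 0)])
    while queue:
        group, depth = queue.popleft()
        for member in direct_members.get(group, []):
            if member == root:
                continue
            depths.setdefault(member, depth + 1)
            if member in direct_members and member not in expanded:
                expanded.add(member)
                queue.append((member, depth + 1))
    return depths


def filter_by_depth(depths, min_depth=1, max_depth=-1):
    """Apply the report's depth bounds; max_depth == -1 means no upper bound."""
    if min_depth < 1:
        raise ValueError("min_depth must be 1 or greater")
    if max_depth != -1 and max_depth < min_depth:
        raise ValueError("max_depth must be -1 or >= min_depth")
    rows = [
        (member, depth)
        for member, depth in depths.items()
        if depth >= min_depth and (max_depth == -1 or depth <= max_depth)
    ]
    # Sort by depth, then name, so indirect access is easy to scan.
    return sorted(rows, key=lambda row: (row[1], row[0]))


if __name__ == "__main__":
    all_depths = member_depths("grp-finance", DIRECT_MEMBERS)
    # Indirect members only: access granted through nesting, which a review
    # of the group's direct member list alone would not show.
    for member, depth in filter_by_depth(all_depths, min_depth=2):
        print(f"{member}\tdepth {depth}")
```

Setting the minimum depth to 2 isolates the memberships that exist only through nesting.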

Group changes

Purpose: Provides details about changes affecting managed groups.

Executable: groupchanges

Table 7. Group changes report search criteria

Criteria

Description

Report type

Select a report type:

  • Group changes - Select this option to only show changes to groups that are managed. Selecting this report type displays the Create group, Delete group, and Update group as selectable inputs in Display operations.

  • Group membership changes - Select this option to show changes to group membership. Selecting this report type displays the Assign group, Revoke group, Add child group, and Delete child group as selectable inputs in Display operations.

  • Group ownership changes - Select this option to show changes to managed group ownership. Selecting this report type displays the Add group owner, Delete group owner, Add owner group, and Delete owner group as selectable inputs in Display operations.

Leaving it blank is the same as selecting all types.

Display operations

Select an operation:

  • Create group - Groups that are created are displayed in report.

  • Delete group - Groups that are deleted are displayed in report.

  • Update group - Groups that have group attribute updates are displayed in report.

  • Assign group - Groups which new members join are displayed in report.

  • Revoke group - Groups which members leave are displayed in report.

  • Add child group - Groups that have new child groups are displayed in report.

  • Delete child group - Groups from which child groups are deleted are displayed in report.

  • Remove unknown object from a group - Groups from which unknown members are removed are displayed in report.

  • Add group owner - Groups that have new owners are displayed in report.

  • Delete group owner - Groups whose owners are removed are displayed in report.

  • Remove unknown owner from a group - Groups from which unknown owners are removed are displayed in report.

  • Add owner group - Groups that have a new group owner are displayed in report.

  • Delete owner group - Groups whose owner group is removed are displayed in report.

Leaving it blank is the same as selecting all operations.

Resource attribute to display

Select resource attributes to be displayed in report.

Time range

Select time range.

  • Use relative date - Selecting this time range displays the Choose relative request entry date input field with a list of inputs to select.

  • Use selected date: Selecting this time range displays the Earliest request entry start date and Latest request entry start date input fields.

  • Use within the last N days - Selecting this time range displays the Number of days input field.

  • Use N or more days ago - Selecting this time range displays the Number of days input field.

Resource attribute

Filter results using a resource attribute and criteria. The type of criteria is dependent on the attribute selected. Up to four resource attribute filters can be defined.

Authorizer ID

Type a comma-and-space-delimited list of authorizer IDs. Alternatively, you can search for one or more authorizers.

Requester ID

Type a comma-and-space-delimited list of requester IDs. Alternatively, you can search for one or more requesters.

Managed groups

Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, ’*’ representing any string of characters and ’?’ representing any single character. All groups are included by default.

Group owner

Type a comma-and-space-delimited list of group owners. Alternatively, you can search for one or more group owners.



Users who belong to the user class configured in the Manage the system > Modules > Manage reports (RPT) > GROUPAPP REPORT ACCESS field can run this report from the Groups app.

Group membership consistency

Purpose: Identifies group memberships with a consistency score based on comparing users by attribute values.

Executable: consistencygroups

Table 8. Group membership consistency report search criteria

Criteria

Description

User ID

Search for one or more users for which you want to run the report. All users are included by default. Alternatively, you can type the short ID of a user or a pattern of user IDs using wildcard characters, ’*’ representing any string of characters and ’?’ representing any single character.

Group ID

Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, ’*’ representing any string of characters and ’?’ representing any single character. All groups are included by default.

Target system ID

Type a comma-and-space-delimited list of target system IDs for which you want to run the report. Alternatively, you can search for one or more target systems.

User attributes to collect users into peer groups

Select at least one attribute to collect users into peer groups. A peer group is a group of users with some attribute in common; for example, users working at the same location or department, or having the same manager.

Minimum size of a user peer group

Specify the size of a peer group. If a peer group has fewer members than this, their entitlement consistency will not be calculated. Instead, an information icon will be displayed in the consistency column for these users in the report. The default value is 2. The value should be 2 or greater.

Mark items as inconsistent if fewer than this percent of peers share the item

Edit the value to determine how out-of-pattern entitlements will be highlighted. By default, if consistency calculations are enabled and fewer than 20% of users share an entitlement, it will be highlighted in the review.

Mark items as consistent if at least this percent of peers share the item

Edit the value to determine how in-pattern entitlements will be highlighted. By default, if consistency calculations are enabled and at least 80% of users share an entitlement, it will be highlighted in the review.



This report can be slow when run against a large amount of data. To generate the report in that case, you can schedule it to run at a later time, with options to email or export the output.
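The peer-group criteria in Table 8 can be illustrated with the following added example, which is not Bravura Security Fabric code. It groups constructed users by a chosen attribute, skips peer groups below the minimum size, and labels each membership using the default 20% and 80% thresholds. User names, group names, and the label strings are hypothetical, and counting the user as part of their own peer group is an assumption of this sketch.

```python
from collections import defaultdict

# Constructed sample data: user -> profile attributes.
USERS = {
    "alice": {"department": "Finance"},
    "bob": {"department": "Finance"},
    "carol": {"department": "Finance"},
    "dave": {"department": "Finance"},
    "erin": {"department": "Finance"},
    "frank": {"department": "Finance"},
    "zoe": {"department": "Sales"},  # peer group of one
}

# Constructed sample data: (user, group) memberships.
MEMBERSHIPS = {
    ("alice", "grp-ledger"), ("bob", "grp-ledger"), ("carol", "grp-ledger"),
    ("dave", "grp-ledger"), ("erin", "grp-ledger"),
    ("alice", "grp-reports"), ("bob", "grp-reports"), ("carol", "grp-reports"),
    ("frank", "grp-domain-admins"),
    ("zoe", "grp-crm"),
}


def score_memberships(users, memberships, peer_attrs, min_peer_size=2,
                      inconsistent_below=20, consistent_at_least=80):
    """Return {(user, group): (percent_of_peers_sharing, label)}.

    label is "inconsistent", "consistent", "neutral", or "not calculated"
    when the user's peer group is smaller than min_peer_size.
    """
    if min_peer_size < 2:
        raise ValueError("min_peer_size should be 2 or greater")

    # Users with identical values for the selected attributes are peers.
    peer_groups = defaultdict(set)
    for user, attrs in users.items():
        peer_groups[tuple(attrs.get(a) for a in peer_attrs)].add(user)

    holders = defaultdict(set)
    for user, group in memberships:
        holders[group].add(user)

    results = {}
    for user, group in sorted(memberships):
        peers = peer_groups[tuple(users[user].get(a) for a in peer_attrs)]
        if len(peers) < min_peer_size:
            results[(user, group)] = (None, "not calculated")
            continue
        percent = 100.0 * len(holders[group] & peers) / len(peers)
        if percent < inconsistent_below:
            label = "inconsistent"   # out-of-pattern: few peers share it
        elif percent >= consistent_at_least:
            label = "consistent"     # in-pattern: most peers share it
        else:
            label = "neutral"
        results[(user, group)] = (round(percent, 1), label)
    return results


if __name__ == "__main__":
    scores = score_memberships(USERS, MEMBERSHIPS, ["department"])
    for (user, group), (percent, label) in scores.items():
        print(f"{user}\t{group}\t{percent}\t{label}")
```

In the sample data, the single holder of `grp-domain-admins` among six Finance peers scores 16.7% and is marked inconsistent, which is the kind of outlier an access review should look at first.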

Membership

Purpose: Provides details about managed groups membership.

Executable: membership

Table 9. Membership report search criteria

Criteria

Description

User ID

Search for one or more users for which you want to run the report. All users are included by default. Alternatively, you can type the short ID of a user or a pattern of user IDs using wildcard characters, ’*’ representing any string of characters and ’?’ representing any single character.

Group ID

Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, ’*’ representing any string of characters and ’?’ representing any single character. All groups are included by default.

Profile attribute

Filter results using a profile attribute and criteria. The type of criteria is dependent on the attribute selected. Up to two profile attribute filters can be defined.

User attributes to display

Select user attributes to display in reports.

Membership attributes to display

Select attributes on group account membership or child group membership to display in reports.

Member type

Select the member types to display:

  • Account

  • Group

  • Unknown object

    Leaving it blank is the same as selecting all types.

    Group members and group owners are considered unknown when:

  • They are not in the same OU as that of the managed group, or;

  • They are of a type other than account or group; that is, contact or computer object.

Membership type

Select the membership types to display:

  • Direct

  • Indirect

    Leaving it blank is the same as selecting all types.

Target system ID

Type a comma-and-space-delimited list of target system IDs for which you want to run the report. Alternatively, you can search for one or more target systems.

Include deleted memberships

Include deleted group memberships in the results.

Include invalid users and accounts

Include or exclude users and accounts that may have become invalid during the last auto discovery.

Membership attribute

Filter results using a membership attribute and criteria. The type of criteria is dependent on the attribute selected. Up to two membership attribute filters can be defined.



Users who belong to the user class configured in the Manage the system > Modules > Manage reports (RPT) > GROUPAPP REPORT ACCESS field can run this report from the Groups app.

Auto-assignment surplus and deficit

Purpose: Variances between roles and groups that users do have and roles and groups that users should have, based on policy.

Executable: autoassignmentdetails

Table 10. Auto-assignment surplus and deficit report search criteria

Criteria

Description

Resource type

Select a resource type:

  • Managed group : Select this option to only show managed groups.

  • Role : Select this option to only show roles.

Group ID

If Resource Type "Managed group" is selected, search for one or more managed groups for which you want to run the report. Alternatively, you can type the long ID of a managed group.

Roles

If Resource Type "Role" is selected, search for one or more roles for which you want to run the report. Alternatively, you can type the ID of a role.

Type of variance

Select an auto assignment deviance type:

  • (All): Select this option to show all surpluses and deficits.

  • Deficit : Select this option to only show deficits.

  • Surplus : Select this option to only show surpluses.

Auto-assignment status

Select an auto-assignment status:

  • (All): Select this option to show all auto assignments.

  • Enabled : Select this option to only show enabled auto assignments.

  • Disabled : Select this option to only show disabled auto assignments.

Profile attribute to display

Select the profile attributes to show for each user listed.

Summarize report

Select this option to summarize the report.

In this mode, the report includes a count of the number of members and members not in compliance for each selected resource.



Auto-assignment deviations

Purpose: Provides a statistical summary of surplus and deficit deviations in auto resource assignments for managed groups and roles.

Executable: autoassigndeviation

Table 11. Auto-assignment deviations report search criteria

Criteria

Description

Resource type

Select a resource type:

  • Managed group: Select this option to only show managed groups.

  • Roles: Select this option to only show roles.

Group ID

If Resource Type "Managed groups" is selected, search for one or more managed groups for which you want to run the report. Alternatively, you can type the long ID of a managed group.

Roles

If Resource Type "Roles" is selected, search for one or more roles for which you want to run the report. Alternatively, you can type the ID of a role.

Auto-assignment status

Select an auto-assignment status:

  • (All): Select this option to show all auto assignments.

  • Enabled : Select this option to only show enabled auto assignments.

  • Disabled : Select this option to only show disabled auto assignments.

Minimum deficits remaining

Only display resources with the minimum number of deficits remaining.

Minimum deficits requested

Only display resources with the minimum number of deficits requested.

Minimum surpluses remaining

Only display resources with the minimum number of surpluses remaining.

Minimum surpluses requested

Only display resources with the minimum number of surpluses requested.



Auto-assignment setup

Purpose: Reports on configuration of roles and groups that are assigned and/or revoked as a matter of policy.

Executable: autoassignconfig

Table 12. Auto-assignment setup report search criteria

Criteria

Description

Resource type

Select a resource type:

  • Managed group: Select this option to only show managed groups.

  • Role: Select this option to only show roles.

Group ID

If Resource Type "Managed group" is selected, search for one or more managed groups for which you want to run the report. Alternatively, you can type the long ID of a managed group.

Roles

If Resource Type "Role" is selected, search for one or more roles for which you want to run the report. Alternatively, you can type the ID of a role.

Auto-assignment status

Select an auto-assignment status:

  • (All): Select this option to show all auto assignments.

  • Enabled : Select this option to only show enabled auto assignments.

  • Disabled : Select this option to only show disabled auto assignments.



Auto-assignment policy compliance per user

Purpose: User-centric view of surplus and deficit deviations in auto resource assignments for managed groups and roles.

Executable: autoassignusers

Table 13. Auto-assignment policy compliance per user report search criteria

Criteria

Description

User ID

Type a user’s profile ID to only list the surpluses and deficits that apply to that user. Alternatively, you can search for one or more profile IDs.

Type of variance

Select an auto assignment deviance type:

  • (All) : Select this option to show all surpluses and deficits.

  • Deficit : Select this option to only show deficits.

  • Surplus : Select this option to only show surpluses.

Auto-assignment status

Select an auto-assignment status:

  • (All): Select this option to show all auto assignments.

  • Enabled : Select this option to only show enabled auto assignments.

  • Disabled : Select this option to only show disabled auto assignments.

Profile attribute to display

Select the profile attributes to show for each user listed.

Summarize report

Select this option to summarize the report.

In this mode, the report includes a count of the number of roles and groups that may be surplus or deficient for each user selected.

Minimum number of total surpluses

Filter out rows that have less than the specified threshold value for number of surpluses with the role.

Graph type

Select a type of graph to generate for the report.

  • None : no graph will be generated.

  • Horizontal bar chart : a horizontal bar chart will be generated for the report.

Number of rows for graph

The maximum number of rows to display in the graph. The selected rows are displayed in descending order by number of entitlements.



Compare numbers of group memberships

Purpose: Compare numbers of group memberships by counting:

  • Group memberships that are consistent or not consistent with assigned roles

  • Group memberships that are consistent or not consistent with auto-assignment

  • Group memberships by how they were assigned

Executable: comparenumberofgroupmemberships

Table 14. Compare numbers of group memberships report search criteria

Criteria

Description

Data set 1 label

Type a label for data set 1.

Assignment by role (data set 1)

Select:

  • (All) : Select this option to count all group memberships.

  • Consistent with assigned roles : Select this option to only count group memberships consistent with a role.

  • Not consistent with assigned roles : Select this option to only count group memberships not predicted by assigned roles.

Assignment by policy (data set 1)

Select:

  • (All) : Select this option to count all group memberships.

  • Consistent with auto-assignment via user class membership : Select this option to only count group memberships consistent with auto-assignment policy for a group or a role with group entitlement.

  • Not consistent with auto-assignment via user class membership : Select this option to only count group memberships not consistent with auto-assignment policy.

Assignment source (data set 1)

Select:

  • (All) : Select this option to count all group memberships.

  • Automatically assigned via user class : Select this option to only count group memberships automatically assigned directly or via role.

  • Requested via workflow, excluding auto-assignment : Select this option to only count group memberships that were requested, but not by auto-assignment policy.

  • Discovered on target system : Select this option to only count group memberships that were discovered on the target system.

Date (data set 1)

This is the date when the group membership was added. Choose one of the following options to define a date range:

  • Date not required : This is the default setting. Group memberships are counted regardless of the time they are added.

  • Use relative date : Group memberships are only included in the report output if they are added within the selected relative date range.

  • Use selected date : Group memberships are only included in the report output if they are added within the selected date range. Use the first set of date / time controls to select the earliest time to include, and the second set of date / time controls to select the latest time to include.

  • Use within the last N days : Group memberships are only included in the report output if the date they are added falls within the specified last number of days.

Data set 2 label

Type a label for data set 2.

Assignment by role (data set 2)

Select:

  • (All) : Select this option to count all group memberships.

  • Consistent with assigned roles : Select this option to only count group memberships consistent with a role.

  • Not consistent with assigned roles : Select this option to only count group memberships not predicted by assigned roles.

Assignment by policy (data set 2)

Select:

  • (All) : Select this option to count all group memberships.

  • Consistent with auto-assignment via user class membership : Select this option to only count group memberships consistent with auto-assignment policy for a group or a role with group entitlement.

  • Not consistent with auto-assignment via user class membership : Select this option to only count group memberships not consistent with auto-assignment policy.

Assignment source (data set 2)

Select:

  • (All) : Select this option to count all group memberships.

  • Automatically assigned via user class : Select this option to only count group memberships automatically assigned directly or via role.

  • Requested via workflow, excluding auto-assignment : Select this option to only count group memberships that were requested, but not by auto-assignment policy.

  • Discovered on target system : Select this option to only count group memberships that were discovered on the target system.

Date (data set 2)

This is the date when the group membership was added. Choose one of the following options to define a date range:

  • Date not required : This is the default setting. Group memberships are counted regardless of the time they are added.

  • Use relative date : Group memberships are only included in the report output if they are added within the selected relative date range.

  • Use selected date : Group memberships are only included in the report output if they are added within the selected date range. Use the first set of date / time controls to select the earliest time to include, and the second set of date / time controls to select the latest time to include.

  • Use within the last N days : Group memberships are only included in the report output if the date they are added falls within the specified last number of days.

Graph type

Select a type of graph to generate for the report.

  • (None): no graph will be generated.

  • Horizontal bar chart: a horizontal bar chart will be generated for the report.

  • Pie chart : a pie chart will be generated for the report.