Skip to main content

Reporting and Monitoring Mass Operations

Mass operations (onboarding and password reset) provide two methods for monitoring and reporting:

  1. SQLite Database Reporting: Detailed operation-level tracking when enabled

  2. REST API Monitoring: Real-time session log access through API endpoints

Method 1: SQLite Database Reporting

Enabling SQLite Reports

Configure SQLite reporting through the external data store in the hid_global_configuration table:

  1. Log in to Bravura Pass as a product administrator.

  2. Click Manage external data store.

  3. Navigate to the hid_global_configuration data table.

  4. Configure the rules listed below.

Mass Password Reset Operations:

  • Namespace: MASS_PASSWORD_RESET

  • Setting: REPORT

  • Value: True

Mass Onboarding Operations:

  • Namespace: MASS_PASSWORD_ONBOARD

  • Setting: REPORT

  • Value: True

When enabled, it automatically generates SQLite reports for all operations.

SQLite Report Location:

  • File name: mass_onboard*.db or mass_password_reset*.db

  • Location: C:\Program Files\Bravura Security\Bravura Security Fabric\Logs\<instance>

Database Schema

Operation Table Structure
CREATE TABLE operation (
    id TEXT NOT NULL,           -- Account/User identifier
    host TEXT NOT NULL,         -- Target system
    name TEXT NOT NULL,         -- Account/User name
    type TEXT NOT NULL,         -- Operation type (account, group, new_group)
    phase TEXT NOT NULL,        -- Process phase
    result TEXT NOT NULL,       -- success/failure
    details TEXT                -- Error details (populated on failure)
);

Mass Operation Phases

Mass Onboarding

  1. user-group-create (type: new_group): Creates new groups in target systems

  2. user-group-member-add (type: group): Adds users to groups

  3. generate-passwords (type: account): Creates passwords for new accounts

  4. replace-passwords (type: account): Deploys passwords to target systems

Mass Password Reset

  1. generate-passwords (type: account): Creates new passwords for existing accounts

  2. replace-passwords (type: account): Deploys passwords to target systems

  3. synchronize-to-vault (type: account): Synchronizes passwords to vault system

Key SQLite Reporting Queries

Overall Success Rate Analysis
SELECT 
    result,
    COUNT(*) as total_operations,
    ROUND(COUNT(*) * 100.0 / (SELECT COUNT(*) FROM operation), 2) as percentage
FROM operation 
GROUP BY result;
Per-Phase Success/Failure Breakdown
SELECT 
    phase,
    result,
    COUNT(*) as count,
    ROUND(COUNT(*) * 100.0 / SUM(COUNT(*)) OVER (PARTITION BY phase), 2) as phase_percentage
FROM operation 
GROUP BY phase, result 
ORDER BY phase, result;
System Distribution Analysis
SELECT 
    host,
    type,
    COUNT(*) as operations,
    SUM(CASE WHEN result = 'success' THEN 1 ELSE 0 END) as successful,
    SUM(CASE WHEN result = 'failure' THEN 1 ELSE 0 END) as failed
FROM operation 
GROUP BY host, type 
ORDER BY host, type;
Error Analysis
SELECT 
    phase,
    type,
    COUNT(*) as failure_count,
    details
FROM operation 
WHERE result = 'failure' 
GROUP BY phase, type, details
ORDER BY failure_count DESC;

SQLite Monitoring Recommendations

Alert Thresholds

  • Overall success rate below 90%

  • Any phase with success rate below 80%

  • Repeated failures on specific systems

  • Vault synchronization success rate below 70%

Troubleshooting Workflow

  1. Check overall success rate across all phases.

  2. Identify problematic phases using per-phase breakdown.

  3. Analyze system-specific failures.

  4. Review error details for specific failure patterns.

  5. Correlate failures with system availability or configuration changes.

Method 2: REST API Reporting

Prerequisites

Required User Classes:

  • _REPORT_READERS_: Provides access to session log data

  • _EXPLICIT_REST_API_USERS_: Enables REST API authentication

Session Log Queries

Mass Password Reset Operations
GET /api/rest/v2/sessionLogs
$filter=operation eq 'OPC4'
$expand=requester,data
$orderby=metadata/lastUpdatedDateTime desc
Group Creation Operations
GET /api/rest/v2/sessionLogs
$filter=operation eq 'CRTG'
$expand=requester,data(expand=group,targetSystem)
$orderby=metadata/lastUpdatedDateTime desc
Group Assignment Operations
GET /api/rest/v2/sessionLogs
$filter=operation eq 'GRUA'
$expand=requester,data(expand=account,targetSystem,group)
$orderby=metadata/lastUpdatedDateTime desc
Account Creation Operations
GET /api/rest/v2/sessionLogs
$filter=operation eq 'ACUA'
$expand=requester,data(expand=account,targetSystem)
$orderby=metadata/lastUpdatedDateTime desc
Password Change Operations
GET /api/rest/v2/sessionLogs
$filter=operation eq 'ACHG'
$expand=requester,data(expand=account,targetSystem)
$orderby=metadata/lastUpdatedDateTime desc

Operation Codes

  • Mass Password Reset: OPC4

  • Group Creation: CRTG

  • Group Assignment: GRUA

  • Account Creation: ACUA

  • Password Change: ACHG

Batch ID Correlation

Operations within the same mass process share a common batchId in the session logs, enabling correlation between:

  • High-level mass operation requests (OPC4)

  • Individual component operations (CRTG, GRUA, ACUA, ACHG)

Error Handling

Common Error Scenarios

  • Lock Timeout: Another mass operation is running

  • Invalid Targets: Target systems not found or not configured

  • REST API Failures: Authentication or connectivity issues

  • Password Generation Failures: Policy violations or system errors

  • Account Update Failures: Permission or connectivity issues

Result Types

  • Success: All operations completed successfully

  • Partial: Some operations failed, some succeeded

  • Failure: All operations failed

  • NoInitialToken: Failed to authenticate with REST API

  • NotPrimaryNode: Operation attempted on non-primary cluster node

  • LockTimeout: Could not acquire exclusive lock

Common Error Patterns

  • HTTP 500 Internal Server Error: System integration issues

  • API Endpoint Issues: Network or authentication problems

  • Authentication Failures: Credential or permission issues

  • Vault Synchronization Errors: Vault system connectivity or configuration issues

See also

Reporting on mass password reset operations

Workflow integration 

The Mass Password Reset scenario component integrates with Bravura Fabric workflow through the following pre-defined requests (PDRs) for authorization and execution:

  • MPR_ONBOARD (operation CUST66) - Mass Password Onboard

  • MPR_RESET (operation CUST65) - Mass Password Reset

The PDRs perform the specified operations through REST API calls.

 

In this section: