Entitlements analysis reports
Note
Some entitlement analysis reports are expected to take longer than other reports. Consider scheduling these reporting tasks at an appropriate time.
SSH Web of Trust
Purpose: Allows you to query the current configuration of the SSH web of trusted accounts.
Note
You may need to run auto discovery before running the report in order to include temporary SSH trust relationships created from privileged access check-outs.
Executable: sshtrustweb
Criteria | Description |
|---|---|
Report type | There are three types of reports to select from: |
Source account | Type a comma-and-space-delimited list of IDs of source accounts to include in the report. This option is only available when Report type is set to "Account details" or "Source account summary". Alternatively, search for one or more account IDs. |
Source system | Type a comma-and-space-delimited list of IDs of source target systems to include in the report. This option is only available when Report type is set to "Account details" or "Source account summary". Alternatively, search for one or more target system IDs. |
Source profile | Type a comma-and-space-delimited list of source profile IDs to include in the report. This option is only available when the Report type is set to "Account details" or "Source account summary". Alternatively, search for one or more profile IDs. |
Destination account | Type a comma-and-space-delimited list of IDs of destination accounts to include in the report. This option is only available when Report type is set to "Account details" or "Destination account summary". Alternatively, search for one or more account IDs. |
Destination system | Type a comma-and-space-delimited list of IDs of destination target systems to include in the report. This option is only available when the Report type is set to "Account details" or "Destination account summary". Alternatively, search for one or more target system IDs. |
Minimum total access count | Type the minimum total access count that each account in the report must have. This option is only available when the Report type is set to "Source account summary" or "Destination account summary". |
Graph type | Select a type of graph to generate for the summarized report. This option is only available when Report type is set to "Source account summary" or "Destination account summary". |
User and entitlement cluster discovery
Purpose: Discover clusters of users and entitlements by combining the ones who have the same profile attributes.
Executable: rolemining
Criteria | Description |
|---|---|
Profile attribute | Select up to four profile attribute IDs on which to compare the entitlements of users. |
Value type | The value type of the profile attribute comparator. Becomes visible once a Profile attribute has been selected. |
Value | Only available for certain Value type settings. The value of the profile attribute. |
Minimum number of users with the same values for each of the specified attributes | Input the minimum number of users that need to have the same value for each specified attribute. Set to 1 by default. |
Minimum number of roles a user must have | Input the minimum number of roles that a user must have in order to be included in the report results. Set to 0 by default. |
Maximum number of roles a user may have (-1=infinite) | Input the maximum number of roles that a user may have in order to be included in the report results. Set to -1 (infinite) by default. |
Include target systems | Select whether to include target systems in the report output. |
Minimum number of target systems in cluster | Only visible when Include target systems checkbox is checked. Choose the minimum number of target systems for a single cluster to be displayed by the report. Set to 0 by default. |
Minimum threshold for target systems (%) | Only visible when Include target systems checkbox is checked. Choose a threshold percentage of users for any profile attribute that a target system must have in order to be displayed by the report. Set to 0 by default. |
Target system ID | Only visible when Include target systems checkbox is checked. Specify which target systems are to be included in the report. Inputting no target systems will make the report include all target systems in its output. |
Target system type | Only visible when Include target systems checkbox is checked. Specify which target system types are to be included in the report. Selecting no target system types will make the report include all target system types in its output. |
Include groups | Select whether to include groups in the report output. |
Minimum number of groups in cluster | Only visible when Include groups checkbox is checked. Choose the minimum number of groups for a single cluster to be displayed by the report. Set to 0 by default. |
Minimum threshold for target systems (%) | Only visible when Include groups checkbox is checked. Choose a threshold percentage of users for any profile attribute that a group must have in order to be displayed by the report. Set to 0 by default. |
Target system ID | Only visible when Include groups checkbox is checked. Specify which groups are to be included in the report. Selecting no groups will make the report include all groups in its output. |
Show summary | Choose whether to summarize the report output. |
Compare users
Purpose: Compare entitlements between users who have the same profile attributes.
Executable: entitlementscomparison
Criteria | Description |
|---|---|
Profile attribute | Select a profile attribute on which to compare users. You can select up to eight attributes. You can also select the same attribute multiple times. All profile attributes are available, except for request-only attributes. At least one profile attribute is required for the report to run. |
Value type | This field is displayed if a Profile attribute field is other than Attribute not required. Select the value type of comparator to apply to the selected profile attribute. Different types of attributes have access to different sets of value types. |
Value | This field is displayed and required if a Value type field is set to something other than is empty or is not empty. Type or select the value to compare with. |
Entitlements to show | Select the type of entitlement that will be included in the report: |
Target system ID | Type a comma-and-space-delimited list of target system IDs to only include Accounts and Managed groups from those systems in the report. Alternatively, you can search for one or more target systems. |
Transpose output | Select this checkbox to display all the entitlements held by a set of users. When the number of users is modest but the number of entitlements is very large, the original layout of the report has users as rows and entitlements as columns, which is hard to read. The transpose option presents report data in a user-friendly way and lets the viewer easily see what entitlements the users have in common. |
Compare roles
Purpose: Compares entitlements in selected roles.
Executable: rolesentitlementscomparison
Criteria | Description |
|---|---|
Roles to compare | Type a comma-and-space-delimited list of role IDs to compare. Alternatively, search for one or more roles. |
Entitlement type | List of entitlements to search for and display: All are displayed by default. |
Minimum number of roles containing entitlement | Type a number in this field to only include entitlements that are contained by more than the specified number of Roles. |
Expand sub-roles | Include indirectly assigned entitlements (via sub-roles) when showing entitlements assigned to a role. |
Show how entitlements are attached | Display Required and Optional for role entitlements. If the option to expand sub-roles is enabled, display the sub-roles from which they were inherited. |
Summarize report | Select this checkbox to summarize the report details. In this mode, role columns will be converted to a comma-separated list. |
Users with common entitlements
Purpose: Users who have a minimum number of entitlements from a set.
Executable: entitlementcommonuser
Criteria | Description |
|---|---|
Memberships in these managed groups | Select or search for zero or more managed user groups. |
Accounts on these target systems | Select or search for zero or more target systems. At least one of the above is required. |
Number of entitlements selected above that users must have | Users must have at least this many of the above entitlements to be listed. |
Profile attribute to display | Select the profile attributes to show for each user listed. |
Show accounts | Check to include account IDs in full for each target system and group membership (instead of check marks). |
Summarize report | Check to only show the number of users matching the criteria above, instead of the list. |
Overlapping roles
Purpose: Lists roles that share a given number of entitlements (accounts, group memberships, sub-roles) with a given reference role.
Executable: rolessharingentitlements
Criteria | Description |
|---|---|
Reference role | The reference role to compare with. |
Minimum number of shared entitlements | The minimum number of overlaps that the other listed roles must have with the reference role. |
Expand sub-roles | Include indirectly assigned entitlements (that is, entitlements assigned via sub-roles) when counting the overlapping entitlements. |
Effective role assignment
Purpose: For a selected reference role, the report shows all users who meet the required, optional and legacy entitlements specified for this role with their entitlement statistics and the roles those users have been assigned to.
Executable: effectiverole
Criteria | Description |
|---|---|
Reference role | Enter or search for the role to check effective assignment for. |
Include explicitly assigned users | Select this checkbox to include those users that have been assigned to the reference role. |
Minimum percentage of required entitlements | Type an integer between 0 and 100 to only display users that have the "Percentage of role’s required entitlements" greater than or equal to this integer. It is set to 0 by default. |
Minimum percentage of optional entitlements | Type an integer between 0 and 100 to only display users that have the "Percentage of role’s optional entitlements" greater than or equal to this integer. It is set to 0 by default. |
Minimum percentage of legacy entitlements | Type an integer between 0 and 100 to only display users that have the "Percentage of role’s legacy entitlements" greater than or equal to this integer. It is set to 0 by default. |
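
The following added example applies these criteria to constructed data; it is not the product's code. The `Role` model, entitlement names, users, floor rounding, and the treatment of an empty entitlement class as 0% are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Role:
    """Hypothetical role model: entitlement IDs grouped by how they attach."""
    required: set
    optional: set = field(default_factory=set)
    legacy: set = field(default_factory=set)


def pct(held, wanted):
    # Floor percentage of `wanted` that the user holds.
    # Assumption: a class with no entitlements counts as 0%.
    return 100 * len(held & wanted) // len(wanted) if wanted else 0


def effective_assignment(role, users, assigned, include_assigned=True,
                         min_required=0, min_optional=0, min_legacy=0):
    """Return (user, required %, optional %, legacy %, explicitly assigned)."""
    rows = []
    for user, held in sorted(users.items()):
        explicit = user in assigned
        if explicit and not include_assigned:
            continue
        req, opt, leg = (pct(held, s) for s in
                         (role.required, role.optional, role.legacy))
        # Each threshold is inclusive: "greater than or equal to".
        if req >= min_required and opt >= min_optional and leg >= min_legacy:
            rows.append((user, req, opt, leg, explicit))
    return rows


# Constructed sample data (not from any real system).
ROLE = Role(required={"ad:acct", "erp:acct", "grp:finance"},
            optional={"grp:reports"}, legacy={"grp:old-ledger"})
USERS = {
    "alice": {"ad:acct", "erp:acct", "grp:finance", "grp:reports"},
    "bob": {"ad:acct", "erp:acct", "grp:finance", "grp:old-ledger"},
    "carol": {"ad:acct"},
    "dave": {"ad:acct", "erp:acct"},
}
ASSIGNED = {"alice"}

if __name__ == "__main__":
    # Users holding every required entitlement without the role assigned:
    # candidates for role assignment or for an access review.
    for row in effective_assignment(ROLE, USERS, ASSIGNED,
                                    include_assigned=False, min_required=100):
        print(row)
```

Users who reach 100% of the required entitlements without being explicitly assigned the role are the rows an access reviewer would look at first.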
Roles with common users
Purpose: Shows Roles assigned to the same users.
Executable: rolessharingusers
Criteria | Description |
|---|---|
Reference role | Enter or search for a role to compare with. |
Display roles sharing a minimum number of users | The minimum number of users that another role must have in common with the reference role. |
Expand sub-roles | Consider sub-roles (roles attached to other roles) when deciding if a user is assigned to a role. |
Assigned entitlements
Purpose: Shows users assigned a specific set of entitlements (accounts, group memberships or roles).
Executable: assignedentitlements
Criteria | Description |
|---|---|
Entitlement type | Select which type of entitlements to search for. |
Managed groups | When searching for managed groups, this input is made available to specify which group or set of groups to search for assigned users. |
Roles | When searching for roles, specify which roles to search for assigned users. |
Include sub-roles | When searching for roles, select this option to include information about roles that are implicitly assigned. |
Target system ID | Specify which target systems to search for users’ accounts. |
User ID | Specify the profile ID of the user to list entitlements of. Alternatively, you can search for one or more profile IDs. |
Summarize report | Select this option to report the numbers of users and accounts assigned instead of naming each of them. |
Maximum number of users with entitlement (0 is treated as all) | The maximum number of users that a single entitlement can have in order to be displayed in the report. Default number is 10. |
Graph type | Select a type of graph to generate for the summarized report. |
Number of rows for graph | The maximum number of rows for the graph to display. The selected rows will be displayed with the number of entitlements in descending order. |
Entitlements not included in roles
Purpose: Shows entitlements (template accounts, managed groups or roles) which have not been included in any roles.
Executable: identifyentitlements
Criteria | Description |
|---|---|
Entitlement type | Select which type(s) of entitlements to search for. |
Target system ID | When searching for managed groups, this input is made available to specify a target system. |
Role entitlement leverage
Purpose: Shows the leverage provided by roles by calculating the percentage of entitlements from roles and entitlements not included in roles.
Executable: roleentitlementleverage
Criteria | Description |
|---|---|
Graph type | Select a type of graph. |