Roles and groups reports
Role assignments
Purpose: Provides information about the users assigned to roles.
Executable: roleassignment
Criteria | Description |
|---|---|
Roles | Select one or more roles to include in the report. |
User ID | Type a profile ID to only display role assignments for the specified user. Alternatively, you can search for one or more profile IDs. |
Role assignment attributes to display | Select one or more role membership attributes to include in the report. |
Role assignment attributes | Select a role membership attribute on which to filter. You can select up to four attributes. The union of all attributes configured will be returned. |
Summarize report | Select this checkbox to show summary information for each role. |
Minimum number of users | Filter out rows that have less than the specified threshold value for number of users with the role. This option is only available if Summarize report is selected. |
Graph type | Select a type of graph to generate for the report. This option is only available if Summarize report is selected.
|
Number of rows for graph | The maximum rows for graph to display. The selected rows will be displayed with the number of entitlements in descending order. |
The report has two modes: detailed and summary.
When Summarize report is not selected, the report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
User ID | The profile ID of the assigned user. |
User name | The full name of the assigned user. |
When Summarize report is selected, the report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
Number of users | The number of users assigned to this role. |
Role definitions
Purpose: Lists either the resources that are members of each role or authorizers that are assigned to each role.
Executable: roledefinitions
Criteria | Description |
|---|---|
Roles | Select one or more roles to include in the report. |
Managed groups | Type the long ID of one or more managed groups for which you want to run the report. Only roles that contain the specified groups are included in the report. All groups are included by default. Alternatively, you can search for one or more managed groups. |
Template accounts | Select one or more template accounts. Only roles that contain the specified template accounts are included in the report. |
Sub-roles | Select one or more sub-roles. Only roles that contain the specified sub-roles are included in the report. |
Resource attribute | Filter results using a resource attribute and criteria. The type of criteria is dependent on the attribute selected. Up to four resource attribute filters can be defined. |
Resource attribute to display | Choose which resource attributes to display. |
Necessity | Select the necessity (Required, Optional, Legacy), to only include role-members with the specified necessity. The default is Show all. |
Show authorizer | Select this checkbox if you want generate a report listing the authorizers for each matching role. |
Show deprecated | Select this checkbox to include only deprecated roles in the report. |
Summarize report | Select this option to summarize the report. In this mode, the report includes a count of the number of members and authorizers for each matching role. |
If you do not specify any search criteria, the report output includes all (non-deprecated) roles and their members.
If JavaScript is enabled, then Template accounts and Sub-roles only appear if they exist as role entitlements. For example, if a template account is added as a role entitlement, then Template accounts option appears for this report.
The report has two modes: detailed and summary.
When Summarize report is not selected, the report output includes the following columns. The columns displayed depend on whether Show authorizer is selected:
Column | Condition | Description |
|---|---|---|
Authorizer source | Show authorizer selected | The source of the authorizer: Explicit or User class. |
Role ID | Always | The role identifier. |
Role description | Always | The description of the role. |
Authorizer ID | Show authorizer selected | The profile ID of the authorizer. |
Phase | Show authorizer selected | The authorization phase. |
Member type | Not show authorizer | The type of role member (group, template, or sub-role). |
Member ID | Not show authorizer | The member identifier. |
Member description | Not show authorizer | The description of the member. |
Necessity | Not show authorizer | Whether the member is required or optional. |
Deprecated | Show deprecated selected | The date the role was deprecated. |
When Summarize report is selected, the report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
Total sub-roles | The number of sub-roles. |
Total non-role members | The number of non-role members (groups and templates). |
Explicit authorizers | The number of explicitly assigned authorizers. |
User class authorizers | The number of user class authorizers. |
Role exceptions
Purpose: Lists approved exceptions to role enforcement violations.
Executable: roleexceptions
Criteria | Description |
|---|---|
User ID | Type a user's profile ID to only list exceptions that apply to that user. Alternatively, you can search for one or more profile IDs. |
Roles | Select one or more roles to include in the report. |
Managed groups | Type the long ID of one or more managed groups for which you want to run the report. Only exceptions that apply to the specified groups are included in the report. Alternatively, you can search for one or more managed groups. |
Templates accounts | Select one or more template accounts. Only exceptions that apply to the specified templates are included in the report. |
Show authorizer | Select this checkbox if you want the report output to list the authorizers for each exception. |
Authorizer ID | Type a user's profile ID to list the exceptions for which the user is an authorizer. Alternatively, you can search for one or more profile IDs. You must also select the Show authorizer checkbox. |
Role exception | Select the type of exception to include in the report: Deficit or Surplus. The default is Deficit. |
Show summary | Select this checkbox to summarize the report. In this mode, the report includes a count of the number of matching exceptions for each user and role combination. |
Graph type | Select a type of graph to generate for the summarized report. This option shows when the Show summary option is checked.
|
Number of rows for graph | The maximum rows for graph to display, the selected rows will be displayed with the number of requests in descending order. This option will show when the Horizontal bar chart is selected as the graph type. |
The report output includes the following columns. The columns displayed depend on the search criteria and mode selected:
Column | Condition | Description |
|---|---|---|
User ID | Always | The profile ID of the user. |
Role ID | Always | The role identifier. |
Exception summary | Summary mode | A summary of the exception. |
Resource type | Detail mode | The type of resource. |
Resource ID | Detail mode | The resource identifier. |
Exception type | Detail mode | The type of exception (surplus or deficit). |
Resource | Drill-down mode | The resource (combined link). |
Authorizer ID | Show authorizer selected | The profile ID of the authorizer. |
Phase | Show authorizer selected | The authorization phase. |
Role history
Purpose: Audit trail of changes to role definitions.
Executable: roleaudit
Criteria | Description |
|---|---|
Roles | Select one or more roles to include in the report. |
User ID | Type in the console user to audit. |
Choose date range | Choose a date range for role operations. |
Operation | Select one or more operations that you want an audit report for. Default is all operations. |
The report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
User ID | The profile ID of the user who made the change. |
User name | The full name of the user. |
Operation | The operation performed. |
Member type | The type of member affected. |
Member ID | The identifier of the affected member. |
Necessity | Whether the member is required or optional. |
Audit date | The date the change was made. |
Incomplete roles
Purpose: Identify roles that have users with too many surpluses or deficits.
Which roles have many users that, in turn, have many out-of-role entitlements? How many out-of-role entitlements do users assigned each role have, on average? This suggests either incomplete role definitions (add entitlements) or users that do not fit well into a role model.
Executable: roleincomplete
Criteria | Description |
|---|---|
Roles | Select one or more roles to include in the report. |
Minimum number of users | Filter out rows that have less than the specified threshold value for number of users with the role. |
Lower bound on the average number of out-of-role entitlements held by users in the role | Filter out rows that have less than the specified threshold value for average number of out-of-role (surplus) entitlements. |
Summarize report | Select this checkbox to summarize the report details. |
The report has two modes: detailed and summary.
When Summarize report is not selected, the report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
User ID | The profile ID of the user. |
User name | The full name of the user. |
Issue | The type of incompleteness (surplus or deficit). |
Entitlement type | The type of entitlement. |
Entitlement ID | The entitlement identifier. |
Entitlement description | The description of the entitlement. |
When Summarize report is selected, the report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
Number of users | The number of users assigned to this role. |
Percentage of matches | The percentage of users with complete role entitlements. |
Percentage of surpluses | The percentage of users with surplus entitlements. |
Percentage of deficits | The percentage of users with deficit entitlements. |
Average non-role entitlements | The average number of entitlements not covered by the role. |
Distinct out-of-role entitlements | The number of distinct entitlements not part of the role. |
Roles violating segregation of duties rules
Purpose: Identify roles whose definition violates segregation of duties rules.
Executable: roledefviolatingsod
Criteria | Description |
|---|---|
Roles | Select one or more roles to include in the report. |
Segregation of duties rules | Select one or more SoD rules to include in the report. |
The report output includes the following columns:
Column | Description |
|---|---|
Role ID | The role identifier. |
Role description | The description of the role. |
SoD rule ID | The SoD rule identifier. |
SoD rule description | The description of the SoD rule. |
Number of violations | The number of SoD rule violations for this role. |
Groups
Purpose: Provides details about membership and statistics of managed groups. Also reports unmanaged groups.
Executable: groupmembership
Criteria | Description |
|---|---|
Group ID | Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. All groups are included by default. |
Report type | Select a report type:
|
Override authorization configuration | Select a override type:
|
Resource attribute to display | Available for the all report types except Show unmanaged groups report type. Choose which resource attributes to display alongside the managed groups. |
Member type | Only available for the Show managed group members report type. Select the member types to display:
|
Minimum depth | Only available for the Show managed group members report type. The report will only output members that have a depth greater than or equal to this value. The default value is 1. Depth indicates what level of membership an account or group has to the managed group. A depth of 1 means they are a direct member of the group. A depth of 2 means they are a member of a direct child group. |
Maximum depth (-1=infinite) | Only available for the Show managed group members report type. The report will only output members that have a depth less than or equal to this value. A value of -1 means it will output all members that have a depth greater than or equal to the Minimum depth. The default value is -1. |
Target system ID | Type a comma-and-space-delimited list of target system IDs for which you want to run the report. Alternatively, you can search for one or more target systems. |
Include invalid groups | Include or exclude groups that may have become invalid during the last auto discovery. |
Only include groups without direct owners | Presented only when report type is set to Show managed group and authorization summary . When this option is enabled only groups without direct owners will be listed. Owners via groups that own a subgroup are not considered as direct owners. |
Include deleted memberships | Include deleted group memberships in the results. This option is only available for the Show managed group members report type, and will only return the most recent deletion from each group, per user. |
Membership deleted by: | Filter results when including deleted memberships to only include deletions initiated from a specific source.
|
Resource attribute | Filter results using a resource attribute and criteria. The type of criteria is dependent on the attribute selected. Up to four resource attribute filters can be defined. |
Users who belong to the user class configured in the Manage the system > Modules> Manage reports (RPT) > GROUPAPP REPORT ACCESS field can run this report from the Groups app.
The report has two modes: detailed and summary.
When a detailed report type is selected (such as Show managed group members), the report output includes the following columns. The columns displayed depend on the search criteria selected:
Column | Condition | Description |
|---|---|---|
Group ID | Always | The managed group identifier. |
Group description | Always | The description of the managed group. |
Target system ID | Always | The target system short ID. |
Target system description | Always | The target system display name. |
Valid | Show invalid groups selected | Whether the group is valid. |
Removal date | Show invalid groups selected | The date the invalid group will be removed. |
Depth | Show child groups selected | The nesting depth of the group. |
User ID | Show members selected | The profile ID of the member. |
Account | Show members selected | The account of the member. |
Deleted by | Show deleted members selected | Who deleted the membership. |
Deletion date | Show deleted members selected | The date the membership was deleted. |
Child group ID | Show child groups selected | The child group identifier. |
Child group description | Show child groups selected | The child group description. |
Child target ID | Show child groups selected | The child target system ID. |
Child target description | Show child groups selected | The child target system description. |
Membership type | Always | The type of membership (direct or indirect). |
Authorizer type | Show authorizer selected | The type of authorizer assignment. |
Authorizer ID | Show authorizer selected | The profile ID of the authorizer. |
Authorizer name | Show authorizer selected | The full name of the authorizer. |
Owner group ID | Show authorizer selected | The owner group identifier. |
Owner group description | Show authorizer selected | The owner group description. |
Owner target system ID | Show authorizer selected | The owner target system ID. |
Owner target system description | Show authorizer selected | The owner target system description. |
Phase | Show authorizer selected | The authorization phase. |
When a summary report type is selected (such as Show managed groups summary), the report output includes the following columns:
Column | Condition | Description |
|---|---|---|
Group ID | Always | The managed group identifier. |
Group description | Always | The description of the managed group. |
Target system ID | Always | The target system short ID. |
Target system description | Always | The target system display name. |
Valid | Show invalid groups selected | Whether the group is valid. |
Removal date | Show invalid groups selected | The date the invalid group will be removed. |
Direct members | Always | The number of direct members. |
Indirect members | Always | The number of indirect members. |
Direct child groups | Always | The number of direct child groups. |
Indirect child groups | Always | The number of indirect child groups. |
Deleted memberships | Always | The number of deleted memberships. |
Explicit authorizers | Show authorizer selected | The number of explicit authorizers. |
User class authorizers | Show authorizer selected | The number of user class authorizers. |
Inherited explicit authorizers | Show authorizer selected | The number of inherited explicit authorizers. |
Inherited user class authorizers | Show authorizer selected | The number of inherited user class authorizers. |
Override target authorizer | Show authorizer selected | Whether the target authorizer is overridden. |
Group changes
Purpose: Provides details about changes affecting managed groups.
Executable: groupchanges
Criteria | Description |
|---|---|
Report type | Select a report type:
Leaving it blank is the same as selecting all types. |
Display operations | Select an operation:
Leaving it blank is the same as selecting all operations. |
Resource attribute to display | Select resource attributes to be displayed in report. |
Time range | Select time range.
|
Resource attribute | Filter results using a resource attribute and criteria. The type of criteria is dependent on the attribute selected. Up to four resource attribute filters can be defined. |
Authorizer ID | Type a comma-and-space-delimited list of authorizer IDs. Alternatively, you can search for one or more authorizers. |
Requester ID | Type a comma-and-space-delimited list of requester IDs. Alternatively, you can search for one or more requesters. |
Managed groups | Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. All groups are included by default. |
Group owner | Type a comma-and-space-delimited list of group owners. Alternatively, you can search for one or more group owners. |
Users who belong to the user class configured in the Manage the system > Modules> Manage reports (RPT) > GROUPAPP REPORT ACCESS field can run this report from the Groups app.
The report output includes the following columns:
Column | Description |
|---|---|
Operation | The type of change operation. |
Group ID | The managed group identifier. |
Group description | The description of the managed group. |
Target system ID | The target system short ID. |
Target system description | The target system display name. |
Child user ID | The profile ID of the affected user (for user member changes). |
Child account | The account of the affected user (for user member changes). |
Child group ID | The child group identifier (for group member changes). |
Child group description | The child group description (for group member changes). |
Child target ID | The child target system ID (for group member changes). |
Child target description | The child target system description (for group member changes). |
Owner ID | The owner user ID (for ownership changes). |
Owner group ID | The owner group ID (for group ownership changes). |
Owner group description | The owner group description. |
Owner target system ID | The owner target system ID. |
Owner target system description | The owner target system description. |
Object type | The group object type. |
Object name | The group object name. |
Requester | The user who requested the change. |
Authorizer ID | The profile ID of the authorizer. |
Request date | The date the change was requested. |
Operation status | The status of the operation. |
Group membership consistency
Purpose: Identifies group memberships with a consistency score based on comparing users by attribute values.
Executable: consistencygroups
Criteria | Description |
|---|---|
User ID | Search for one or more users for which you want to run the report. All users are included by default. Alternatively, you can type the short ID of a user or a pattern of user IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character |
Group ID | Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. All groups are included by default. |
Target system ID | Type a comma-and-space-delimited list of target system IDs for which you want to run the report. Alternatively, you can search for one or more target systems. |
User attributes to collect users into peer groups | Select at least one attribute to collect users into peer groups. A peer group is a group of users with some attribute in common; for example, users working at the same location or department, or having the same manager. |
Minimum size of a user peer group | Specify the size of a peer group. If a peer group has fewer members than this, their entitlement consistency will not be calculated. Instead, an information icon will be displayed in the consistency column for these users in the report. Default value is 2: The value should be 2 or greater. |
Mark items as inconsistent if fewer than this percent of peers share the item | Edit the value to determine how out-of-pattern entitlements will be highlighted. By default, if consistency calculations are enabled and fewer than 20% of users share an entitlement, it will be highlighted in the review. |
Mark items as consistent if at least this percent of peers share the item | Edit the value to determine how in-pattern entitlements will be highlighted. By default, if consistency calculations are enabled and at least 80% of user share an entitlement, is will be highlighted in the review. |
This report can be a bit slow when you try to run for a lot of data, in order to generate a report, you can schedule the report to run at a later time, with options to email or export the output.
The report output includes the following columns:
Column | Description |
|---|---|
Group ID | The managed group identifier. |
Group description | The description of the managed group. |
Target system ID | The target system short ID. |
Target system description | The target system display name. |
User ID | The profile ID of the member. |
Account | The account of the member. |
Member target ID | The target system ID where the member account resides. |
Member target description | The description of the member's target system. |
Consistency | The consistency status. |
Percentage | The consistency percentage. |
Membership
Purpose: Provides details about managed groups membership.
Executable: membership
Criteria | Description |
|---|---|
User ID | Search for one or more users for which you want to run the report. All users are included by default. Alternatively, you can type the short ID of a user or a pattern of user IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. |
Group ID | Search for the group you want to report on. Alternatively, you can type the long ID of a group or a pattern of group IDs using wildcard characters, '*' representing any string of characters and '?' representing any single character. All groups are included by default. |
Profile attribute | Filter results using a profile attribute and criteria. The type of criteria is dependent on the attribute selected. Up to two profile attribute filters can be defined. |
User attributes to display | Select user attributes to display in reports. |
Membership attributes to display | Select attributes on group account membership or child group membership to display in reports. |
Member type | Select the member types to display:
|
Membership type | Select the membership types to display:
|
Target system ID | Type a comma-and-space-delimited list of target system IDs for which you want to run the report. Alternatively, you can search for one or more target systems. |
Include deleted memberships | Include deleted group memberships in the results. |
Include invalid users and accounts | Include or exclude users and accounts that may have become invalid during the last auto discovery. |
Membership attribute | Filter results using a membership attribute and criteria. The type of criteria is dependent on the attribute selected. Up to two membership attribute filters can be defined. |
Users who belong to the user class configured in the Manage the system > Modules> Manage reports (RPT) > GROUPAPP REPORT ACCESS field can run this report from the Groups app.
The report output includes the following columns. The columns displayed depend on the search criteria selected:
Column | Condition | Description |
|---|---|---|
Group ID | Always | The managed group identifier. |
Group description | Always | The description of the managed group. |
Target system ID | Always | The target system short ID. |
Target system description | Always | The target system display name. |
User ID | Show members selected | The profile ID of the member. |
Account | Show members selected | The account of the member. |
Child group ID | Show child groups selected | The child group identifier. |
Child group description | Show child groups selected | The child group description. |
Member target ID | Show child groups selected | The target system ID of the child group. |
Member target description | Show child groups selected | The description of the child group's target system. |
Object name | Show group objects selected | The group object name. |
Deleted by | Show deleted members selected | Who deleted the membership. |
Deletion date | Show deleted members selected | The date the membership was deleted. |
Path | Show group loops selected | The loop path. |
Auto-assignment surplus and deficit
Purpose: Variances between roles and groups that users do have and roles and groups that users should have, based on policy.
Executable: autoassignmentdetails
Criteria | Description |
|---|---|
Resource type | Select a resource type:
|
Group ID | If Resource Type "Managed group" is selected, search for one or more managed groups for which you want to run the report. Alternatively, you can type the long ID of a managed group. |
Roles | If Resource Type "Role" is selected, search for one or more roles for which you want to run the report. Alternatively, you can type the ID of a role. |
Type of variance | Select an auto assignment deviance type:
|
Auto-assignment status | Select an auto-assignment status:
|
Profile attribute to display | Select the profile attributes to show for each user listed. |
Summarize report | Select this option to summarize the report. In this mode, the report includes a count of the number of members and members not in compliance for each selected resource. |
The report has two modes: summary and detailed.
When Summarize report is selected, the report output includes the following columns:
Column | Description |
|---|---|
Request type | The type of deviation (surplus or deficit). |
Requested | Whether a request has been submitted. |
Auto-assignment enabled | Whether auto-assignment is enabled. |
Target system ID | The target system short ID (for groups). |
Group ID | The managed group identifier (for groups). |
Group description | The description of the managed group (for groups). |
Role ID | The role identifier (for roles). |
Role description | The description of the role (for roles). |
Member count | The number of users with this deviation. |
Number of deviations | The total number of deviations. |
When Summarize report is not selected, the report output includes the following columns:
Column | Description |
|---|---|
Request type | The type of deviation (surplus or deficit). |
Requested | Whether a request has been submitted. |
Auto-assignment enabled | Whether auto-assignment is enabled. |
Target system ID | The target system short ID (for groups). |
Group ID | The managed group identifier (for groups). |
Group description | The description of the managed group (for groups). |
Role ID | The role identifier (for roles). |
Role description | The description of the role (for roles). |
User ID | The profile ID of the user. |
User name | The full name of the user. |
Account long ID | The account long ID (for group deviations). |
Dynamic attribute columns | Additional columns based on selected profile attributes. |
Auto-assignment deviations
Purpose: Provides surplus and deficit deviations statistical summary of auto resource assignments for managed groups and roles.
Executable: autoassigndeviation
Criteria | Description |
|---|---|
Resource type | Select a resource type:
|
Group ID | If Resource Type "Managed groups" is selected, search for one or more managed groups for which you want to run the report. Alternatively, you can type the long ID of a managed group. |
Roles | If Resource Type "Roles" is selected, Search for one or more roles for which you want to run the report. Alternatively, you can type the ID of a role. |
Auto-assignment status | Select an auto-assignment status:
|
Minimum deficits remaining | Only display resources with the minimum number of deficits remaining. |
Minimum deficits requested | Only display resources with the minimum number of deficits requested. |
Minimum surpluses remaining | Only display resources with the minimum number of surpluses remaining. |
Minimum surpluses requested | Only display resources with the minimum number of surpluses requested. |
The report output depends on the resource type selected. The columns vary as follows:
Column | Condition | Description |
|---|---|---|
Target system ID | Resource type is Group | The target system short ID. |
Group ID | Resource type is Group | The managed group identifier. |
Group description | Resource type is Group | The description of the managed group. |
Role ID | Resource type is Role | The role identifier. |
Role description | Resource type is Role | The description of the role. |
Auto-assignment enabled | Always | Whether auto-assignment is enabled for this resource. |
Deficit remaining | Always | The number of remaining deficit deviations. |
Deficit requested | Always | The number of deficit deviations with pending requests. |
Surplus remaining | Always | The number of remaining surplus deviations. |
Surplus requested | Always | The number of surplus deviations with pending requests. |
Auto-assignment setup
Purpose: Reports on configuration of roles and groups that are assigned and/or revoked as a matter of policy.
Executable: autoassignconfig
Criteria | Description |
|---|---|
Resource type | Select a resource type:
|
Group ID | If Resource Type "Managed group" is selected, Search for one or more managed groups for which you want to run the report. Alternatively, you can type the long ID of a managed group. |
Roles | If Resource Type "Role"is selected, Search for one or more roles for which you want to run the report. Alternatively, you can type the ID of a role. |
Auto-assignment status | Select an auto-assignment status:
|
The report output includes the following columns:
Column | Description |
|---|---|
Resource type | The type of resource (group or role). |
Target system ID | The target system short ID (for groups). |
Group ID | The managed group identifier (for groups). |
Group description | The description of the managed group (for groups). |
Role ID | The role identifier (for roles). |
Role description | The description of the role (for roles). |
Auto-assignment enabled | Whether auto-assignment is enabled. |
Urgent | Whether the assignment is marked as urgent. |
Remove surplus | Whether surplus entitlements are automatically removed. |
Remove child surplus | Whether child surplus entitlements are removed. |
User class relationship | The user class relationship type. |
User class description | The description of the associated user class. |
Auto-assignment policy compliance per user
Purpose: User centric view of surplus and deficit deviations in auto resource assignments for managed groups and roles.
Executable: autoassignusers
Criteria | Description |
|---|---|
User ID | Type a user's profile ID to only list the surpluses and deficits that apply to that user. Alternatively, you can search for one or more profile IDs. |
Type of variance | Select an auto assignment deviance type:
|
Auto-assignment status | Select an auto-assignment status:
|
Profile attribute to display | Select the profile attributes to show for each user listed. |
Summarize report | Select this option to summarize the report. In this mode, the report includes a count of the number of roles and groups that may be surplus or deficient for each user selected. |
Minimum number of total surpluses | Filter out rows that have less than the specified threshold value for number of surpluses with the role. |
Graph type | Select a type of graph to generate for the report.
|
Number of rows for graph | The maximum rows for graph to display. The selected rows will be displayed with the number of entitlements in descending order. |
The report has two modes: summary and detailed.
When Summarize report is selected, the report output includes the following columns:
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Group surpluses | The number of group surplus deviations. |
Role surpluses | The number of role surplus deviations. |
Group deficits | The number of group deficit deviations. |
Role deficits | The number of role deficit deviations. |
Total surpluses | The total number of surplus deviations. |
When Summarize report is not selected, the report output includes the following columns:
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Request type | The type of deviation (surplus or deficit). |
Resource type | The type of resource (group or role). |
Resource ID | The resource identifier. |
Resource description | The description of the resource. |
Requested | Whether a request has been submitted for this deviation. |
Auto-assignment enabled | Whether auto-assignment is enabled. |
Dynamic attribute columns | Additional columns based on selected profile attributes. |
Compare numbers of group memberships
Purpose: Compare numbers of group memberships by counting:
Group memberships that are consistent or not consistent with assigned roles
Group memberships that are consistent or not consistent with auto-assignment
Group memberships by how they were assigned
Executable: comparenumberofgroupmemberships
Criteria | Description |
|---|---|
Data set 1 label | Type a label for data set 1. |
Assignment by role (data set 1) | Select:
|
Assignment by policy (data set 1) | Select:
|
Assignment source (data set 1) | Select:
|
Date (data set 1) | This is the date when the group membership was added. Choose one of the following options to define a date range:
|
Data set 2 label | Type a label for data set 2. |
Assignment by role (data set 2) | Select:
|
Assignment by policy (data set 2) | Select:
|
Assignment source (data set 2) | Select:
|
Date (data set 2) | This is the date when the group membership was added. Choose one of the following options to define a date range:
|
Graph type | Select a type of graph to generate for the report.
|
The report has two modes: standard and drill-down.
The standard report output includes the following columns:
Column | Description |
|---|---|
Data set | The comparison category. |
Count | The number of items in this category. |
When drilling down into a data set, the report output includes the following columns:
Column | Description |
|---|---|
User | The user (combined name and profile link). |
Target system | The target system. |
Group | The managed group. |