Data quality reports
Users with no managers
Purpose: Shows users who do not have a manager in the OrgChart.
Executable: usersnomanagers
Criteria | Description |
|---|---|
Report type | Select a report type:
|
The top manager is not considered a user with no manager.
The report output depends on the selected report type.
Summary mode
When Show subordinates is not selected, the report displays a summary of users with no managers.
Column | Description |
|---|---|
User ID | The profile ID of the user who has no manager. |
User name | The full name of the user. |
Number of subordinates | The number of subordinates the user has. This column is displayed when Show subordinates is selected. |
Subordinate list mode
When Show subordinates is selected, the report lists each user along with their subordinates.
Column | Condition | Description |
|---|---|---|
User ID | Show subordinates selected | The profile ID of the user who has no manager. |
User name | Show subordinates selected | The full name of the user. |
Subordinate ID | Show subordinates selected | The profile ID of the subordinate. |
Subordinate name | Show subordinates selected | The full name of the subordinate. |
Type | Show subordinates selected | Indicates whether the subordinate is a direct or indirect report. |
Inconsistent account attributes
Purpose: Reports on users with corresponding account attributes that have inconsistent values.
Executable: inconsisacctattrib
Criteria | Description |
|---|---|
Attribute | Select one or more profile attributes for which to report inconsistencies. Attributes are only displayed here if they can be applied to a user profile (not request-only). |
User ID | Type the ID of the user for whom you want to generate the report. Alternatively, search for one or more user profile IDs for which to report inconsistencies. |
The report output lists users whose profile attribute values do not match the corresponding account attribute values on target systems.
Column | Description |
|---|---|
User name | The full name of the user. |
User ID | The profile ID of the user. |
Attribute | The name of the attribute with inconsistent values. |
Profile attribute value | The value of the attribute stored in the user profile. |
Target system ID | The ID of the target system where the inconsistency was found. |
Account ID | The account ID on the target system. |
Account attribute value | The value of the attribute stored on the account on the target system. |
Invalid user attributes
Purpose: Reports on users with profile attribute values that do not meet validation rules.
Executable: invaliduserattr
Criteria | Description |
|---|---|
Attribute | Select one or more attributes from the list of profile attributes. By default, the report will search for all attributes. Attributes are only displayed here if they can be applied to a user profile (not request-only). |
Report type | Select a report type:
|
The report output lists users whose profile attribute values do not meet validation rules.
Column | Description |
|---|---|
User name | The full name of the user. |
User ID | The profile ID of the user. |
Attribute ID | The identifier of the profile attribute. |
Attribute value | The current value of the attribute for the user. |
Attribute type | The data type of the attribute. |
Violation type | The type of validation violation detected (for example, empty, too short, invalid format). |
Disappeared groups
Purpose: Shows managed groups where the corresponding target system has disappeared.
Executable: disappearedgroups
Criteria | Description |
|---|---|
Target system ID | Type a comma-and-space-delimited list of target system IDs to list invalid managed groups from those systems. Alternatively, you can search for one or more target systems. |
Show resources | Select this checkbox if you want to display resources that use the disappeared group. |
The report output lists managed groups whose corresponding target system has disappeared.
Column | Description |
|---|---|
Group description | The description of the managed group. |
Target system ID | The ID of the target system the group belongs to. |
Group ID | The identifier of the managed group. |
Resource type | The type of resource that uses the disappeared group. Displayed when Show resources is selected. |
Resource ID | The identifier of the resource that uses the disappeared group. Displayed when Show resources is selected. |
Description | The description of the resource. Displayed when Show resources is selected. |
Users with inactive roles
Purpose: Shows users with deprecated, disabled, or not assignable roles.
Executable: inactiveroles
Criteria | Description |
|---|---|
Roles | Type a comma-and-space-delimited list of roles to include in the report. Alternatively, you can search for one or more roles. |
Role status | Select one or more role statuses to include in the report:
|
Duplicate entries can appear in report output if you select multiple role statuses and a role has multiple statuses of invalidity, or a user has multiple roles which are in different statuses of invalidity.
For example, if a role is both deprecated and unassigned, and a user has both roles, then that user is reported twice.
The report output lists users who are assigned roles that are deprecated, disabled, or not assignable.
Column | Description |
|---|---|
User name | The full name of the user. |
User ID | The profile ID of the user. |
Role description | The description of the inactive role. |
Role ID | The identifier of the inactive role. |
Status | The status of the role (deprecated, disabled, or unassignable). |
Entitlements with invalid authorizers
Purpose: Reports on entitlements with invalid or insufficient authorizers.
Executable: invalidauthor
Criteria | Description |
|---|---|
Report type | Select a report type:
|
Entitlement type | This is the type of resource from which you want to list invalid or insufficient authorizers. Select an entitlement type:
|
Target system ID | Type a comma-and-space-delimited list of target system IDs to list entitlements from those systems. Alternatively, you can search for one or more target systems. This option is only displayed if Entitlement type is set to Target system, Template account, or Managed group. |
Managed groups | Type a comma-and-space-delimited list of managed groups to list entitlements for those groups. Alternatively, you can search for one or more managed groups. This option is only displayed if Entitlement type is set to Managed group. |
Roles | Select one or more roles. This option is only displayed if Entitlement type is set to Role and there is at least one role defined. |
Segregation of duties rules | Select one or more SoD rules. By default, all SoD rules are included in the report output. This option is only displayed if Entitlement type is set to Segregation of duties rules and there is at least one SoD rule defined. |
Include discovery templates | Select to include discovery templates for target systems. This option is only displayed if Entitlement type is set to Target system. |
The report output depends on the selected report type and entitlement type. The columns displayed vary by resource type.
Invalid authorizers mode
When Report type is set to Invalid authorizers, the report lists authorizers that are no longer valid. The columns vary depending on the selected entitlement type:
Column | Description |
|---|---|
Template ID | The identifier of the template account. Displayed when Entitlement type is set to Template account. |
Template name | The name of the template account. Displayed when Entitlement type is set to Template account. |
Target system ID | The ID of the target system. Displayed when Entitlement type is set to Template account or Target system. |
Target system description | The description of the target system. Displayed when Entitlement type is set to Target system. |
Role ID | The identifier of the role. Displayed when Entitlement type is set to Role. |
Description | The description of the role, group, or SoD rule. Displayed when Entitlement type is set to Role, Managed group, or Segregation of duties rules. |
Group ID | The identifier of the managed group. Displayed when Entitlement type is set to Managed group. |
SoD rule ID | The identifier of the segregation of duties rule. Displayed when Entitlement type is set to Segregation of duties rules. |
SoD rule description | The description of the segregation of duties rule. Displayed when Entitlement type is set to Segregation of duties rules. |
Invalid authorizer details | Details about the invalid authorizer, including the authorizer ID and reason for invalidity. |
Insufficient authorizers mode
When Report type is set to Insufficient authorizers, the report lists resources that have fewer than the minimum required number of authorizers. The columns include the same resource-type columns as above, plus:
Column | Description |
|---|---|
Template ID | The identifier of the template account. Displayed when Entitlement type is set to Template account. |
Template name | The name of the template account. Displayed when Entitlement type is set to Template account. |
Target system ID | The ID of the target system. Displayed when Entitlement type is set to Template account or Target system. |
Target system description | The description of the target system. Displayed when Entitlement type is set to Target system. |
Role ID | The identifier of the role. Displayed when Entitlement type is set to Role. |
Description | The description of the role, group, or SoD rule. |
Group ID | The identifier of the managed group. Displayed when Entitlement type is set to Managed group. |
SoD rule ID | The identifier of the segregation of duties rule. Displayed when Entitlement type is set to Segregation of duties rules. |
SoD rule description | The description of the segregation of duties rule. Displayed when Entitlement type is set to Segregation of duties rules. |
Phase | The authorization phase. |
Number needed | The minimum number of authorizers required. |
Number defined | The number of authorizers currently defined. |
Invalid reviewers
Purpose: Lists invalid reviewers assigned to active certification campaigns.
Executable: invalidcertifiers
Criteria | Description |
|---|---|
Campaign description | Type the description of one or more certification campaigns to only include those rounds in the report. Alternatively, you can search for one or more certification campaigns. |
Certification method | Select a value to only include saved configurations with a matching certification method. The possible values are:
|
Choose start date | Define a date range. |
The report output lists invalid reviewers assigned to active certification campaigns.
Column | Description |
|---|---|
Certifier ID | The profile ID of the invalid reviewer. |
Certifier name | The full name of the invalid reviewer. |
Certification round | The certification campaign round the reviewer is assigned to. |
Segment | The segment within the certification campaign. |
Start date | The start date of the certification round. |
Profile attribute histogram
Purpose: Shows the distribution of a profile attribute.
Executable: profileattrhistogram
Criteria | Description |
|---|---|
Profile attribute to analyze | The profile attribute that is used for the tally. |
Profile attribute to search | Select a profile attribute and the value to filter the users that are considered to be included in the results. |
Comparator | This field is displayed if the Profile attribute to search field is set to something other than Attribute not required. Select the type of comparator to apply to the profile attribute to search.
|
Value | This field is displayed and required if the Comparator field is set to is equal to or is not equal to. Type the value of the string to compare with. This searches against the attribute's stored string value in the database, regardless of attribute type. |
User class ID | Select the single participant user classes to filter the users that are considered in the totals. |
Minimum value | The minimum value to include. |
Maximum value | The maximum value to include. |
Size of bands | The size of bands that are tallied. |
Graph type | The graph type to display the data bands. |
The report output depends on the view mode.
Summary mode
The summary view displays the distribution of the selected profile attribute across defined bands.
Column | Description |
|---|---|
Attribute | The profile attribute being analyzed. |
Band label | The label for the histogram band. |
Minimum value | The minimum value of the band range. |
Maximum value | The maximum value of the band range. |
Number of users | The number of users whose attribute value falls within this band. |
Drill-down mode
Clicking on a band displays the individual users within that band.
Column | Description |
|---|---|
User ID | The profile ID of the user. |
Attribute | The profile attribute being analyzed. |
Value | The attribute value for the user. |
Profile attribute frequency
Purpose: For a given attribute or a set of two profile attributes, show all values (or combinations of two values) that appear at least a specified number of times. This includes individual values of multi-valued attributes as well as duplicate values where multiple values and duplicates are allowed for an attribute.
Executable: profileattrfreq
Criteria | Description |
|---|---|
Attribute | Enter the profile attribute for which to count the value frequency. |
Attribute value to search | Type the value of the profile attribute. |
Attribute | Optionally, enter the second profile attribute for which to count the value frequency in combination with the first one. |
Attribute value to search | This field is displayed if the second attribute is other than "Attribute not required". Type the value of the profile attribute. |
Minimum frequency | Enter the minimum appearance count for an attribute value to be displayed. |
Graph type | Select the graph type:
|
Number of rows for graph | The maximum number of rows to display in the graph. The selected rows are displayed in descending order of attribute frequency. |
The report output depends on the view mode.
Standard mode
The standard view displays the frequency of attribute values. The columns are dynamic based on the selected attributes.
Column | Description |
|---|---|
Attribute values | Dynamic columns based on the selected attributes. One column is displayed for each selected attribute, showing the attribute value. |
Number of users | The number of users who have this attribute value or combination of values. |
Drill-down mode
Clicking on a frequency count displays the individual users with that attribute value.
Column | Description |
|---|---|
User | The user name combined with a link to the user profile. |
Mismatched role assignments
Purpose: Lists roles per user where the user has been assigned the role and has some or all of the entitlements, but the correct information is not reflected in the Bravura Security Fabric database. For example, a user is assigned a role that includes only template accounts. A managed group is later added to the role, and the user is added to the group out of band. In this case the user meets the role requirements, but the database does not contain correct information.
Executable: mismatchedrole
Criteria | Description |
|---|---|
Reference role | The roles to show surpluses or deficiencies for. |
Show mismatch based on expanded role definitions | The mismatched items are expanded on sub-roles to display deficient and surplus entitlements. |
The report output lists users with role assignments that do not match the expected entitlements in the Bravura Security Fabric database.
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Role ID | The identifier of the mismatched role. |
Entitlement type | The type of entitlement (for example, template account, managed group). |
Entitlement ID | The identifier of the entitlement that is mismatched. |
Mismatch type | The type of mismatch detected (surplus or deficiency). |
Users with missing accounts
Purpose: Lists users that do not have an account on a target.
Executable: missingaccounts
Criteria | Description |
|---|---|
UserID | Type the ID of the user or search to find a user for whom you want to generate the report. |
Attribute | Select a profile attribute from the drop-down list. A value is required once an attribute is selected. |
Target system ID | Type in the target system ID or search to find the target system to report users that do not have an account. |
The report output lists users who do not have an account on the specified target system.
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Target system ID | The ID of the target system where the user does not have an account. |
Profile attribute coverage
Purpose: Show the number of times a given profile attribute is used.
Executable: profileattrcoverage
Criteria | Description |
|---|---|
Minimum number of distinct values: | Type a positive integer to display only profile attributes that have the "Number of distinct values" greater than or equal to this integer. It is set to 1 by default. |
Maximum number of distinct values (-1=infinite): | Type a positive integer to display only profile attributes that have the "Number of distinct values" less than or equal to this integer. It must be greater than or equal to "Minimum number of distinct values" and is set to infinite (-1) by default. |
Minimum percentage of users with a value (%): | Type an integer between 0 and 100 to display only profile attributes that have the "Percentage of users with a value" greater than or equal to this integer. It is set to 0 by default. For each profile attribute, the "Percentage of users with a value" is calculated as its "Number of users with a value" divided by "Number of users excluding console users and superusers". |
Maximum percentage of users with a value (%): | Type an integer between 0 and 100 to display only profile attributes that have the "Percentage of users with a value" less than or equal to this integer. It must be less than or equal to "Minimum percentage of users with a value" and is set to 100 by default. For each profile attribute, the "Percentage of users with a value" is calculated as its "Number of users with a value" divided by "Number of users excluding console users and superusers". |
The report output shows the coverage of profile attributes across users.
Column | Description |
|---|---|
Attribute | The name of the profile attribute. |
Coverage by users | The number or percentage of users who have a value for this attribute. |
Coverage by value | The number of distinct values for this attribute across all users. |
OrgChart loop
Purpose: Lists loops in the source data (for example, the "manager" account attribute in an Active Directory system) used to build the OrgChart.
The results are returned as a path in the following manner: UserA, UserC, UserB, UserA
This means that UserA is a manager of UserB, UserB is a manager of UserC, and UserC is a manager of UserA.
Executable: orgchartloop
Search Criteria: None
The report output lists detected loops in the OrgChart hierarchy.
Column | Description |
|---|---|
Loop path | A comma-separated list of user IDs that form the loop. The first and last user in the path are the same, indicating the cycle. |
Group loops
Purpose: Lists cyclic groups found on target systems.
The results are returned as a path in the following manner: GroupA, GroupB, GroupC, GroupD, GroupE
This means that GroupB is a member of GroupA, GroupC is a member of GroupB, and so on. The final group, GroupD, is the owner of the first group, GroupA.
Executable: grouploops
Criteria | Description |
|---|---|
GroupID | Type the ID of the group or search to find a group for which you want to generate the report. |
Target system ID | Type the target system ID, or search to find a target system, to report all cyclic groups on that target. |
The report output lists detected cyclic group memberships on target systems.
Column | Description |
|---|---|
Loop path | A comma-separated list of group IDs that form the cycle. Each group in the path is a member of the preceding group, with the last group owning the first. |
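The loop paths described for the OrgChart loop and Group loops reports can be reproduced on exported source data before it is loaded. The following is an added example, not Bravura Security Fabric code: the function names, the `MANAGER_OF` and `GROUP_MEMBERS` sample data, and the choice to leave group paths unclosed are assumptions made for illustration.

```python
from typing import Dict, List, Optional, Sequence

_END = object()  # sentinel marking an exhausted neighbour iterator


def manager_edges(manager_of: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Turn a user -> manager mapping into edges; an empty manager adds no edge."""
    return {user: ([mgr] if mgr else []) for user, mgr in manager_of.items()}


def find_loops(edges: Dict[str, Sequence[str]], close_path: bool = True) -> List[str]:
    """Return loop paths as comma-separated strings that follow the edges.

    Depth-first search with three states. Reaching a node that is still on
    the current path means a loop. One path is reported per loop found this
    way; with a single outgoing edge per node (one manager per user) that
    is every loop in the data.
    """
    NEW, ON_PATH, DONE = 0, 1, 2
    state: Dict[str, int] = {}
    seen = set()
    loops: List[str] = []

    for root in sorted(edges):
        if state.get(root, NEW) != NEW:
            continue
        state[root] = ON_PATH
        path = [root]
        pending = [iter(sorted(edges.get(root, ())))]
        while pending:
            nxt = next(pending[-1], _END)
            if nxt is _END:
                state[path.pop()] = DONE
                pending.pop()
                continue
            status = state.get(nxt, NEW)
            if status == ON_PATH:
                cycle = path[path.index(nxt):]
                # Rotate so the smallest ID comes first: stable output, no duplicates.
                k = cycle.index(min(cycle))
                cycle = cycle[k:] + cycle[:k]
                if tuple(cycle) not in seen:
                    seen.add(tuple(cycle))
                    shown = cycle + cycle[:1] if close_path else cycle
                    loops.append(", ".join(shown))
            elif status == NEW:
                state[nxt] = ON_PATH
                path.append(nxt)
                pending.append(iter(sorted(edges.get(nxt, ()))))
    return loops


# Constructed sample: the "manager" attribute per user, as it might be
# exported from a directory. UserD reports into the loop but is not part of it.
MANAGER_OF = {
    "UserA": "UserC",
    "UserB": "UserA",
    "UserC": "UserB",
    "UserD": "UserA",
    "UserE": None,      # top of a healthy chain
    "UserF": "UserE",
}

# Constructed sample: group -> nested member groups on one target system.
GROUP_MEMBERS = {
    "GroupA": ["GroupB", "Staff"],
    "GroupB": ["GroupC"],
    "GroupC": ["GroupA"],
    "Staff": [],
}

if __name__ == "__main__":
    for line in find_loops(manager_edges(MANAGER_OF)):
        print("OrgChart loop:", line)
    for line in find_loops(GROUP_MEMBERS, close_path=False):
        print("Group loop:", line)
```

Users or groups that merely lead into a loop, such as UserD in the sample, are not part of the reported path; only the members of the loop itself need their manager or membership data corrected.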
Resource attributes
Purpose: Returns resources based on their attributes.
Executable: resourceattributes
Criteria | Description |
|---|---|
Resource type | Select a resource type:
|
Resource attribute | Select a resource attribute on which to filter resources. You can select up to eight attributes. The union of all attributes configured will be returned. For detailed reporting, only the resource attributes for the resource type configured are available. For summarized reporting, all resource attributes are available. If no attributes are specified, the report lists all resources filtered by resource type. |
Comparison | This field is displayed if a Resource attribute field is something other than Attribute not required. Select the comparator to apply on the selected resource attribute. Comparators available depend on the resource attribute type.
|
Value | This field is displayed and required if a Comparison field is set to something other than is empty or is not empty. Type or select the value to compare. |
Resource attribute to display | Choose which resource attributes to display alongside the resources. |
Summarize report | Select this option to summarize the report. In this mode, the report includes a count of each resource type. |
If you do not specify any search criteria, the report output includes all resources.
The report output depends on whether the report is detailed or summarized, and on the selected resource type.
Detailed mode
The detailed view lists individual resources with their attributes. The columns vary depending on the selected resource type:
Column | Description |
|---|---|
Group ID | The identifier of the managed group. Displayed when Resource type is set to Managed group. |
Group description | The description of the managed group. Displayed when Resource type is set to Managed group. |
Target system ID | The ID of the target system. Displayed when Resource type is set to Managed group, Target system, or Template account. |
Target system description | The description of the target system. Displayed when Resource type is set to Target system. |
Target system type | The type of the target system. Displayed when Resource type is set to Target system. |
Role ID | The identifier of the role. Displayed when Resource type is set to Role. |
Role description | The description of the role. Displayed when Resource type is set to Role. |
SoD rule ID | The identifier of the segregation of duties rule. Displayed when Resource type is set to Segregation of duties. |
SoD rule description | The description of the segregation of duties rule. Displayed when Resource type is set to Segregation of duties. |
Template ID | The identifier of the template account. Displayed when Resource type is set to Template account. |
Template name | The name of the template account. Displayed when Resource type is set to Template account. |
Policy ID | The identifier of the managed system policy. Displayed when Resource type is set to Managed system. |
Policy name | The name of the managed system policy. Displayed when Resource type is set to Managed system. |
Policy type | The type of the managed system policy. Displayed when Resource type is set to Managed system. |
Account | The managed account identifier. Displayed when Resource type is set to Managed account. |
Managed system ID | The identifier of the managed system. Displayed when Resource type is set to Managed account. |
Dynamic attribute columns | Additional columns are displayed based on the resource attributes selected in Resource attribute to display. |
Summary mode
When Summarize report is selected, the report displays a count of resources by type.
Column | Description |
|---|---|
Resource type | The type of resource (for example, template account, target system, managed group, role). |
Total count | The total number of resources of this type that match the search criteria. |
Entitlements with invalid implementers
Purpose: Reports on entitlements with invalid or no implementers.
Executable: invalidimplementers
Criteria | Description |
|---|---|
Report type | Select a report type:
|
Entitlement type | This is the type of resource from which you want to list invalid or no implementers. Select an entitlement type:
|
Target system ID | Type a comma-and-space-delimited list of target system IDs to list entitlements from those systems. Alternatively, you can search for one or more target systems. This option is only displayed if Entitlement type is set to Target system or Managed group. |
Managed groups | Type a comma-and-space-delimited list of managed groups to list entitlements for those groups. Alternatively, you can search for one or more managed groups. This option is only displayed if Entitlement type is set to Managed group. |
Template accounts | Select one or more accounts. This option is only displayed if Entitlement type is set to Template account and there is at least one template account defined. |
Include inherited implementers | Select to include implementers inherited from the target system. This option is only displayed if Entitlement type is set to Template account or Managed group. |
Include discovery templates | Select to include discovery templates for target systems. This option is only displayed if Entitlement type is set to Target system. |
The report output depends on the selected report type and entitlement type. The columns displayed vary by resource type.
Invalid implementers mode
When Report type is set to Invalid implementers, the report lists implementers that are no longer valid. The columns vary depending on the selected entitlement type:
Column | Description |
|---|---|
Template ID | The identifier of the template account. Displayed when Entitlement type is set to Template account. |
Template name | The name of the template account. Displayed when Entitlement type is set to Template account. |
Target system ID | The ID of the target system. Displayed when Entitlement type is set to Template account or Target system. |
Target system description | The description of the target system. Displayed when Entitlement type is set to Target system. |
Group ID | The identifier of the managed group. Displayed when Entitlement type is set to Managed group. |
Description | The description of the group or target system. |
Invalid implementer details | Details about the invalid implementer, including the implementer ID and reason for invalidity. |
Insufficient implementers mode
When Report type is set to No implementer, the report lists resources that have no implementers or that have an empty user class as implementers. The columns include the same resource-type columns as above:
Column | Description |
|---|---|
Template ID | The identifier of the template account. Displayed when Entitlement type is set to Template account. |
Template name | The name of the template account. Displayed when Entitlement type is set to Template account. |
Target system ID | The ID of the target system. Displayed when Entitlement type is set to Template account or Target system. |
Target system description | The description of the target system. Displayed when Entitlement type is set to Target system. |
Group ID | The identifier of the managed group. Displayed when Entitlement type is set to Managed group. |
Description | The description of the group or target system. |