Entitlements analysis reports
Note
Some entitlement analysis reports are expected to take longer than other reports. Consider scheduling these reporting tasks at an appropriate time.
SSH Web of Trust
Purpose: Allows you to query the current configuration of the SSH web of trusted accounts.
Note
You may need to run auto discovery before running the report in order to include temporary SSH trust relationships created from privileged access check-outs.
Executable: sshtrustweb
Criteria | Description |
|---|---|
Report type | There are three types of reports to select from: |
Source account | Type a comma-and-space-delimited list of IDs of source accounts to include in the report. This option is only available when Report type is set to "Account details" or "Source account summary". Alternatively, search for one or more account IDs. |
Source system | Type a comma-and-space-delimited list of IDs of source target systems to include in the report. This option is only available when Report type is set to "Account details" or "Source account summary". Alternatively, search for one or more target system IDs. |
Source profile | Type a comma-and-space-delimited list of source profile IDs to include in the report. This option is only available when Report type is set to "Account details" or "Source account summary". Alternatively, search for one or more profile IDs. |
Destination account | Type a comma-and-space-delimited list of IDs of destination accounts to include in the report. This option is only available when Report type is set to "Account details" or "Destination account summary". Alternatively, search for one or more account IDs. |
Destination system | Type a comma-and-space-delimited list of IDs of destination target systems to include in the report. This option is only available when Report type is set to "Account details" or "Destination account summary". Alternatively, search for one or more target system IDs. |
Minimum total access count | Type the minimum total access count that an account must have to be included in the report. This option is only available when Report type is set to "Source account summary" or "Destination account summary". |
Graph type | Select a type of graph to generate for the summarized report. This option is only available when Report type is set to "Source account summary" or "Destination account summary". |
The report output depends on the selected report type.
Source account summary
Column | Description |
|---|---|
Source system | The target system ID of the source account. |
Source account | The account ID of the source account. |
Direct trust count | The number of destination accounts that the source account can directly access. |
Indirect trust count | The number of destination accounts that the source account can indirectly access through other trusted accounts. |
Total trust count | The total number of destination accounts accessible by the source account (direct plus indirect). |
Destination account summary
Column | Description |
|---|---|
Destination system | The target system ID of the destination account. |
Destination account | The account ID of the destination account. |
Direct trust count | The number of source accounts that can directly access the destination account. |
Indirect trust count | The number of source accounts that can indirectly access the destination account through other trusted accounts. |
Total trust count | The total number of source accounts that can access the destination account (direct plus indirect). |
Account details — Direct trust
Column | Description |
|---|---|
Source system | The target system ID of the source account. |
Source account | The account ID of the source account. |
Destination system | The target system ID of the destination account. |
Destination account | The account ID of the destination account that the source account can directly access. |
Account details — Indirect trust
Column | Description |
|---|---|
Source system | The target system ID of the source account. |
Source account | The account ID of the source account. |
Destination system | The target system ID of the destination account. |
Destination account | The account ID of the destination account that the source account can indirectly access. |
Hop count | The number of intermediate accounts between the source and destination accounts. |
Destination summary
Column | Description |
|---|---|
Destination system | The target system ID of the destination account. |
Destination account | The account ID of the destination account. |
Total trust count | The total number of source accounts that have direct trust to the destination account. |
Total trust count | The total number of source accounts that have direct or indirect trust to the destination account. |
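To make the direct, indirect, total and hop-count columns concrete, the following added example (not the product's code or output) computes them over a small constructed trust graph. It assumes that an account reachable both directly and through other accounts is counted once, as direct, and that hop count is taken along the shortest trust path; all system and account names are made up.

```python
from collections import defaultdict, deque

# Constructed sample data: (source, destination) means the destination
# account trusts the source account's SSH key. Accounts are
# (target system ID, account ID) pairs.
TRUST_EDGES = [
    (("BUILD01", "ci"), ("APP01", "deploy")),
    (("APP01", "deploy"), ("DB01", "postgres")),
    (("APP01", "deploy"), ("APP02", "deploy")),
    (("APP02", "deploy"), ("DB01", "postgres")),
    (("DB01", "postgres"), ("BACKUP01", "root")),
    (("BACKUP01", "root"), ("APP01", "deploy")),  # cycle back into the web
    (("BUILD01", "ci"), ("DB01", "postgres")),    # also reachable via APP01
]


def build_graph(edges):
    """Adjacency sets keyed by account; every account appears as a key."""
    graph = defaultdict(set)
    for src, dst in edges:
        graph[src].add(dst)
        graph[dst]  # make sure pure destinations are present too
    return graph


def reachable(graph, source):
    """Breadth-first walk of the trust web from one source account.

    Returns {destination: hop count}, where hop count is the number of
    intermediate accounts on the shortest path (0 means direct trust).
    The source itself is never reported, so cycles terminate cleanly.
    """
    hops = {}
    queue = deque((dst, 0) for dst in sorted(graph[source]))
    while queue:
        account, hop = queue.popleft()
        if account == source or account in hops:
            continue
        hops[account] = hop
        queue.extend((nxt, hop + 1) for nxt in sorted(graph[account]))
    return hops


def source_account_summary(graph, min_total=0):
    """Rows of (system, account, direct, indirect, total), largest first."""
    rows = []
    for source in sorted(graph):
        hops = reachable(graph, source)
        direct = sum(1 for h in hops.values() if h == 0)
        indirect = len(hops) - direct
        if hops and len(hops) >= min_total:
            rows.append((source[0], source[1], direct, indirect, len(hops)))
    return sorted(rows, key=lambda row: -row[4])


def indirect_details(graph, source):
    """(destination, hop count) pairs for indirectly trusted accounts."""
    found = reachable(graph, source)
    return sorted((dst, h) for dst, h in found.items() if h > 0)


if __name__ == "__main__":
    web = build_graph(TRUST_EDGES)
    for row in source_account_summary(web):
        print("%-9s %-9s direct=%d indirect=%d total=%d" % row)
    for dst, hop in indirect_details(web, ("APP02", "deploy")):
        print("APP02/deploy ->", "/".join(dst), "hop count", hop)
```

In this sample the build account has only two direct trusts but reaches every other account in the web, which is the kind of row the "Minimum total access count" filter is meant to surface.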
User and entitlement cluster discovery
Purpose: Discover clusters of users and entitlements by combining the ones who have the same profile attributes.
Executable: rolemining
Criteria | Description |
|---|---|
Profile attribute | Select up to four profile attribute IDs on which to compare the entitlements of users. |
Value type | The value type of the profile attribute comparator. Becomes visible once a Profile attribute has been selected. |
Value | Only available for certain Value type settings. The value of the profile attribute. |
Minimum number of users with the same values for each of the specified attributes | Input the minimum number of users that need to have the same value for each specified attribute. Set to 1 by default. |
Minimum number of roles a user must have | Input the minimum number of roles that a user must have in order to be included in the report results. Set to 0 by default. |
Maximum number of roles a user may have (-1=infinite) | Input the maximum number of roles that a user may have in order to be included in the report results. Set to -1 (infinite) by default. |
Include target systems | Select whether to include target systems in the report output. |
Minimum number of target systems in cluster | Only visible when Include target systems checkbox is checked. Choose the minimum number of target systems for a single cluster to be displayed by the report. Set to 0 by default. |
Minimum threshold for target systems (%) | Only visible when Include target systems checkbox is checked. Choose a threshold percentage of users for any profile attribute that a target system must have in order to be displayed by the report. Set to 0 by default. |
Target system ID | Only visible when Include target systems checkbox is checked. Specify which target systems are to be included in the report. Inputting no target systems will make the report include all target systems in its output. |
Target system type | Only visible when Include target systems checkbox is checked. Specify which target system types are to be included in the report. Selecting no target system types will make the report include all target system types in its output. |
Include groups | Select whether to include groups in the report output. |
Minimum number of groups in cluster | Only visible when Include groups checkbox is checked. Choose the minimum number of groups for a single cluster to be displayed by the report. Set to 0 by default. |
Minimum threshold for target systems (%) | Only visible when Include groups checkbox is checked. Choose a threshold percentage of users for any profile attribute that a group must have in order to be displayed by the report. Set to 0 by default. |
Target system ID | Only visible when Include groups checkbox is checked. Specify which groups are to be included in the report. Selecting no groups will make the report include all groups in its output. |
Show summary | Choose whether to summarize the report output. |
The report output depends on whether the Show summary option is selected.
Detailed mode
Column | Condition | Description |
|---|---|---|
Dynamic attribute columns | Always displayed | One column for each selected profile attribute, showing the attribute value for the cluster. |
Users | Always displayed | The number of users in the cluster that share the same profile attribute values. |
Targets with account | When Include target systems is selected | The target systems where users in the cluster have accounts. |
With all matched targets | When Include target systems is selected | The number of users in the cluster that have accounts on all matched target systems. |
Groups | When Include groups is selected | The groups that users in the cluster are members of. |
With all matched groups | When Include groups is selected | The number of users in the cluster that are members of all matched groups. |
Summary mode
Column | Condition | Description |
|---|---|---|
Dynamic attribute columns | Always displayed | One column for each selected profile attribute, showing the attribute value for the cluster. |
Users | Always displayed | The number of users in the cluster. |
Targets with account | When Include target systems is selected | The number of target systems where users in the cluster have accounts. |
With all matched targets | When Include target systems is selected | The number of users that have accounts on all matched target systems. |
Not matched targets | When Include target systems is selected | The number of target systems that did not meet the matching threshold. |
Perfect account users | When Include target systems is selected | The number of users that have accounts on all target systems in the cluster. |
Groups | When Include groups is selected | The number of groups that users in the cluster are members of. |
With all matched groups | When Include groups is selected | The number of users that are members of all matched groups. |
Not matched groups | When Include groups is selected | The number of groups that did not meet the matching threshold. |
Perfect group users | When Include groups is selected | The number of users that are members of all groups in the cluster. |
Perfect users | Always displayed | The number of users that have all matched target system accounts and all matched group memberships. |
Compare users
Purpose: Compare entitlements between users who have the same profile attributes.
Executable: entitlementscomparison
Criteria | Description |
|---|---|
Profile attribute | Select a profile attribute on which to compare users. You can select up to eight attributes. You can also select the same attribute multiple times. All profile attributes are available, except for request-only attributes. At least one profile attribute is required for the report to run. |
Value type | This field is displayed if a Profile attribute field is set to something other than Attribute not required. Select the value type of comparator to apply to the selected profile attribute. Different types of attributes have access to different sets of value types. |
Value | This field is displayed and required if a Value type field is set to something other than is empty or is not empty. Type or select the value to compare with. |
Entitlements to show | Select the type of entitlement that will be included in the report: |
Target system ID | Type a comma-and-space-delimited list of target system IDs to only include Accounts and Managed groups from those systems in the report. Alternatively, you can search for one or more target systems. |
Transpose output | Select this checkbox to display all the entitlements held by a set of users. When the number of users is modest but the number of entitlements is very large, the original layout of the report has users as rows and entitlements as columns, which is hard to read. The transpose option presents report data in a user-friendly way and lets the viewer easily see what entitlements the users have in common. |
The columns displayed depend on the selected entitlements and whether the Transpose output option is enabled.
Regular mode
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Dynamic entitlement columns | One column per selected entitlement (account, managed group, or role). Each cell indicates whether the user has that entitlement. |
Transposed mode
Column | Description |
|---|---|
Property | The entitlement name or property being compared. |
Dynamic user columns | One column per user. Each cell indicates whether the user has the entitlement listed in the Property column. |
Compare roles
Purpose: Compares entitlements in selected roles.
Executable: rolesentitlementscomparison
Criteria | Description |
|---|---|
Roles to compare | Type a comma-and-space-delimited list of role IDs to compare. Alternatively, search for one or more roles. |
Entitlement type | List of entitlements to search for and display:
All are displayed by default. |
Minimum number of roles containing entitlement | Type a number in this field to only include entitlements that are contained by more than the specified number of Roles. |
Expand sub-roles | Include indirectly assigned entitlements (via sub-roles) when showing entitlements assigned to a role. |
Show how entitlements are attached | Display Required and Optional for role entitlements. If the option to expand sub-roles is enabled, display the sub-roles from which they were inherited. |
Summarize report | Select this checkbox to summarize the report details. In this mode, role columns will be converted to a comma-separated list. |
Column | Description |
|---|---|
Member type | The type of entitlement (role, template account, or managed group). |
Entitlement ID | The identifier of the entitlement. |
Contains | Indicates whether the entitlement is contained in all selected roles. |
Associated | Indicates whether the entitlement is associated with the role (directly or via sub-roles). |
Dynamic role columns | One column per selected role. Each cell indicates whether the role contains the entitlement, and how it is attached (Required, Optional, or inherited via sub-role) when the Show how entitlements are attached option is enabled. |
Users with common entitlements
Purpose: Lists users who have a minimum number of entitlements from a set.
Executable: entitlementcommonuser
Criteria | Description |
|---|---|
Memberships in these managed groups | Select or search for zero or more managed user groups. |
Accounts on these target systems | Select or search for zero or more target systems. At least one of the above is required. |
Number of entitlements selected above that users must have | Users must have at least this many of the above entitlements to be listed. |
Profile attribute to display | Select the profile attributes to show for each user listed. |
Show accounts | Check to include account IDs in full for each target system and group membership (instead of check marks). |
Summarize report | Check to only show the number of users matching the criteria above, instead of the list. |
The report output depends on whether the Summarize report option is selected.
Detailed mode
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Dynamic entitlement columns | One column per selected entitlement (managed group or target system). Each cell indicates whether the user has that entitlement, or shows the account ID if Show accounts is enabled. |
Profile attribute columns | Optional columns for each selected profile attribute, showing the attribute value for the user. |
Summary mode
Column | Description |
|---|---|
Entitlements | The name or identifier of the entitlement. |
Number of users | The number of users that have the entitlement. |
Overlapping roles
Purpose: Lists roles that share a given number of entitlements (accounts, group memberships, sub-roles) with a given reference role.
Executable: rolessharingentitlements
Criteria | Description |
|---|---|
Reference role | The reference role to compare with. |
Minimum number of shared entitlements | The minimum number of overlaps that the other listed roles must have with the reference role. |
Expand sub-roles | Include indirectly assigned entitlements (that is, entitlements assigned via sub-roles) when counting the overlapping entitlements. |
Column | Description |
|---|---|
Member type | The type of entitlement (role, template account, or managed group). |
Entitlement ID | The identifier of the entitlement. |
Dynamic role columns | One column per selected role. Each cell indicates whether the role contains the entitlement. |
Effective role assignment
Purpose: For a selected reference role, the report shows all users who meet the required, optional and legacy entitlements specified for this role with their entitlement statistics and the roles those users have been assigned to.
Executable: effectiverole
Criteria | Description |
|---|---|
Reference role | Enter or search for the role to check effective assignment for. |
Include explicitly assigned users | Select this checkbox to include those users that have been assigned to the reference role. |
Minimum percentage of required entitlements | Type an integer between 0 and 100 to only display users that have the "Percentage of role's required entitlements" greater than or equal to this integer. It is set to 0 by default. |
Minimum percentage of optional entitlements | Type an integer between 0 and 100 to only display users that have the "Percentage of role's optional entitlements" greater than or equal to this integer. It is set to 0 by default. |
Minimum percentage of legacy entitlements | Type an integer between 0 and 100 to only display users that have the "Percentage of role's legacy entitlements" greater than or equal to this integer. It is set to 0 by default. |
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Explicitly assigned role | Indicates whether the user is explicitly assigned to the selected reference role. |
Explicitly assigned parent roles | Lists the parent roles that the user is explicitly assigned to which include the reference role as a sub-role. |
Explicitly assigned other roles | Lists other roles that the user is explicitly assigned to that are not the reference role or its parent roles. |
Directly assigned entitlements | The number of entitlements that the user has which are directly assigned (not through a role). |
Required entitlements | The percentage of the selected role's required entitlements that the user has. |
Optional entitlements | The percentage of the selected role's optional entitlements that the user has. |
Legacy entitlements | The percentage of the selected role's legacy entitlements that the user has. |
Roles with common users
Purpose: Shows roles assigned to the same users.
Executable: rolessharingusers
Criteria | Description |
|---|---|
Reference role | Enter or search for a role to compare with. |
Display roles sharing a minimum number of users | The minimum number of users that another role must have in common with the reference role. |
Expand sub-roles | Consider sub-roles (roles attached to other roles) when deciding if a user is assigned to a role. |
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Dynamic role columns | One column per selected role. Each cell indicates whether the user is assigned to that role. |
Assigned entitlements
Purpose: Shows users assigned a specific set of entitlements (accounts, group memberships or roles).
Executable: assignedentitlements
Criteria | Description |
|---|---|
Entitlement type | Select which type of entitlements to search for. |
Managed groups | When searching for managed groups, this input is made available to specify which group or set of groups to search for assigned users. |
Roles | When searching for roles, specify which roles to search for assigned users. |
Include sub-roles | When searching for roles, select this option to include information about roles that are implicitly assigned. |
Target system ID | Specify which target systems to search for users' accounts. |
User ID | Specify the profile ID of the user to list entitlements of. Alternatively, you can search for one or more profile IDs. |
Summarize report | Select this option to report the numbers of users and accounts assigned instead of naming each of them. |
Maximum number of users with entitlement (0 is treated as all) | The maximum number of users that a single entitlement can have to display in the report. Default number is 10. |
Graph type | Select a type of graph to generate for the summarized report. |
Number of rows for graph | The maximum number of rows for the graph to display. The selected rows are displayed in descending order of number of entitlements. |
The report output depends on the selected entitlement type and whether the Summarize report option is selected. The columns vary by entitlement type.
Detailed mode — Managed groups
Column | Description |
|---|---|
User ID | The profile ID of the user (or "User" in drill-down view). |
User name | The full name of the user. |
Target system | The target system ID where the group resides. |
Target system description | The description of the target system. |
Group ID | The identifier of the managed group. |
Group description | The description of the managed group. |
Detailed mode — Accounts
Column | Description |
|---|---|
User ID | The profile ID of the user (or "User" in drill-down view). |
User name | The full name of the user. |
Account ID | The account identifier on the target system. |
Detailed mode — Roles
Column | Description |
|---|---|
User ID | The profile ID of the user (or "User" in drill-down view). |
User name | The full name of the user. |
Role ID | The identifier of the role. |
Role description | The description of the role. |
Assignment type | Indicates whether the role is explicitly or implicitly assigned. Displayed when Include sub-roles is selected. |
Detailed mode — Accounts with roles
Column | Description |
|---|---|
User ID | The profile ID of the user. |
User name | The full name of the user. |
Target system | The target system ID. |
Target system description | The description of the target system. |
Account ID | The account identifier on the target system. |
Summary mode — Managed groups
Column | Description |
|---|---|
Group ID | The identifier of the managed group. |
Group description | The description of the managed group. |
Number of users | The number of users who are members of the group. |
Number of accounts | The number of accounts associated with the group. |
Summary mode — Roles
Column | Description |
|---|---|
Role ID | The identifier of the role. |
Role description | The description of the role. |
Explicit users | The number of users explicitly assigned to the role. |
Explicit and implicit users | The total number of users assigned to the role (explicitly and implicitly via sub-roles). Displayed when Include sub-roles is selected. |
Summary mode — Accounts
Column | Description |
|---|---|
Target system | The target system ID. |
Target system description | The description of the target system. |
Users with accounts | The number of users who have accounts on the target system. |
Number of accounts | The total number of accounts on the target system. |
Entitlements not included in roles
Purpose: Shows entitlements (template accounts, managed groups or roles) which have not been included in any roles.
Executable: identifyentitlements
Criteria | Description |
|---|---|
Entitlement type | Select which type(s) of entitlements to search for. |
Target system ID | When searching for managed groups, this input is made available to specify a target system. |
Column | Description |
|---|---|
Entitlement type | The type of entitlement (template account, managed group, or role). |
Entitlement ID | The identifier of the entitlement. |
Entitlement description | The description of the entitlement. |
Target system | The target system ID associated with the entitlement (applicable for template accounts and managed groups). |
Role entitlement leverage
Purpose: Shows the leverage provided by roles by calculating the percentage of entitlements from roles and entitlements not included in roles.
Executable: roleentitlementleverage
Criteria | Description |
|---|---|
Graph type | Select a type of graph. |
The report has multiple output modes depending on the view.
When drilling down into a specific entitlement type, the report output includes the following columns:
Column | Description |
|---|---|
Role | The role (combined ID and description link). |
User | The user (combined name and profile link). |
When viewing detailed entitlement information without drill-down, the report output includes the following columns:
Column | Description |
|---|---|
User | The user (combined name and profile link). |
Entitlement type | The type of entitlement. |
Entitlement | The entitlement identifier. |
Target system | The target system. |
The summary report output includes the following columns:
Column | Description |
|---|---|
Entitlement type | The type of entitlement (group or template). |
Total entitlements | The total number of entitlements of this type. |