Social Enterprise
5.4. The need for intermediation
The reporting system enables users to generate reports from the Tivoli Identity Manager database based on selected criteria. Reports organize system activity
information according to specific criteria and display the results in a format that users can view or print.
Report data is staged through a data synchronization process, which gathers data from the Tivoli Identity Manager directory information store and prepares it for the reporting engine. Data synchronization can be run on demand, or it can be scheduled to occur regularly.
Tivoli Identity Manager provides two types of reports:
Standard reports that are supplied with Tivoli Identity Manager
Custom reports
Allreports, including standard reports and custom reports, are generated using report templates. A report template defines the layout of a report and the filter criteria that determines the contents of the report. When you select a report to run, you are selecting the report template used to generate the report.
All reports are generated in standard PDF format and need Adobe® Acrobat®
Reader for reading. Additionally, reports can be generated in comma-separated value (CSV) format, which gives additional flexibility for report data to be imported in additional tools for analysis.
Tivoli Identity Manager provides a large set of standard report templates that are designed to help you manage system resources and monitor the status of various activities and accounts. You can keep the standard report templates in their original form to generate reports, examine them to determine how to design custom report templates, or modify the standard report templates to meet the needs of your organization. You modify standard report templates using the Design Report task in the console.
Custom reports are generated using report templates that are designed using either the built-in report designer or a third-party report designer, such as the Crystal Reports report designer. The Crystal Reports designer is run separately, outside of the Tivoli Identity Manager console. If you do not configure the Crystal Reports designer to design, view, and generate reports, only the built-in report designer is made available in the console.
When you, as an administrator, create a custom report, you must also create report ACIs and entity ACIs manually for that custom report. These ACIs allow users who are not administrators, such as auditors, to run the custom report and to view data in the custom report.
By default, users or members of the Help Desk group cannot access reports.
Besides administrators, there are default report ACIs for the Manager, Service Owner, and Auditor groups.
Chapter 4. Implementation 145 By default, the following categories of reports are available:
Requests
– Account Operations: A report that lists all account requests. Allows filtering by account operation, service and other fields.
– Account Operations Performed by an Individual: A report that lists account requests made by a specific user. Allows filtering by the user who made the request in addition to other fields.
– Approvals and Rejections: A report that lists request approval activities that were approved or rejected. Allows filtering by activity approver, service and other fields.
– Operation Report: A report that lists all operations submitted in the system. Allows filtering by requestee, operations, and requests start and end date.
– Pending Approvals: A report that lists the request activities submitted but not yet approved. Allows filtering by service, activity status and other fields.
– Rejected Report: A report that lists all rejected requests. Allows filtering by requestee and request start and end date.
– User Report: A report that lists all requests, shows the set of operations that were requested, who the operations were requested for, and who requested them. Allows filtering by requestor, requestee, request start and end date
User and Accounts
– Account Report: A report that lists services that user can select from to generate accounts report for a business unit. Allows filtering by service and business unit.
– Accounts/Access Pending Recertification Report: A report that lists all pending recertification activities. Allows filtering by account/access owner, service type, and service.
– Individual Access: A report that lists all user accesses and their owners.
Allows filtering by a user that owns accesses, business unit of the user, access entitlement defined in the system, and service where access is supported.
– Individual Accounts: A report that lists the accounts and their owners.
Allows filtering by user.
– Individual Accounts by Role associated with Provisioning Policy: A report that lists accounts owned by users of a specific role which is a member of provisioning policy. Allows for filtering by role and business unit.
– Recertification Change History Report: A report that lists recertification history of accounts and user accesses. Allows filtering by account/access owner, recertification response, start and end dates, and other fields.
– Suspended Individuals: A report that lists all individuals that have been suspended. Allows filtering by date
Services
– Reconciliation Statistics: A report that shows the activities that
happened during the last completed reconciliation of a service, regardless of when the report data was synchronized. Remote services provide reconciliation statistics during a reconciliation. This report contains data from the last service reconciliation. Data synchronization is not a report prerequisite. Allows filtering by service.
– Services: A report that lists services currently defined in the system.
Allows filtering by service type, service, owner, and business unit.
– Summary of Accounts on Service: A report that lists the accounts on a particular service. Allows filtering by service and account status.
Audit and Security
– Access Control Information (ACIs): A report that lists all access control items in the system. Allows filtering by access control item name,
protection category, object type, scope, and business unit.
– Access Report: A report that lists all access entitlements defined in the system. Allows filtering by access type, access entitlement, service type, service and administration owner of an access entitlement.
– Audit Events: A report that lists all audit events. Allows filtering by audit event category, action, initiator, start date, and end date.
– Dormant Accounts: A report that lists the accounts that have not been used recently. Reconciliation needs to be performed on a service. Allows filtering by service and dormant period.
– Entitlements Granted to an Individual: A report that lists all users with the provisioning policies that they have been entitled. Allows filtering by user.
– Non-Compliant Accounts: A report that lists all accounts that are non-compliant. Allows filtering by service and non-compliance reason.
– Orphan Accounts: A report that lists all accounts that do not have an owner. Allows filtering by service and account status.
– Policies: A report that lists target and memberships of the provisioning policies in the system. Allows filtering by name of the policy.
Chapter 4. Implementation 147 – Policies Governing a Role: A report that lists all provisioning policies for
a given organization role. Allows filtering by role name.
– Recertification Policies Report: A report that lists all recertification policies. Allows filtering by policy target type, service type, service, access type, and access.
– Suspended Accounts: A report that lists the accounts that have been suspended. Allows filtering by user, account, service and date.
Custom
The administrator must define a schema for each custom report template that is created, (including designer reports and Crystal Reports) because entities and attributes are not included in custom reports. To create a report schema, you must run the Design Schema task in the console.
A report schema specifies which entities and attributes can be included in reports. Before an entity and its associated attributes can be specified as reporting criteria and included in custom report data, a report schema must be defined.
The schemes are installed for all of the standard reports during product installation. The administrator does not define schemes for standard reports.
By defining the schema, you select directory entities that will be staged as tables in the Tivoli Identity Manager database. Defining the schema involves mapping attributes. After mapping the entities and attributes, you must synchronize the data to make the data available for reporting. Only the entities and attributes for which you want to generate custom reports or Crystal reports should be mapped, because these mappings directly impact the performance of Tivoli Identity Manager. All of the data from the directory server is copied to the database each time a data synchronization is performed.
4.12 Post office
Tivoli Identity Manager uses an e-mail subsystem, based on the SMTP standard protocol, that can generate various e-mail notifications. Relying solely on an SMTP-based e-mail system has some limitations and can create problems and bottlenecks. For example, Tivoli Identity Manager might send a great number of identical or similar e-mails to people that are participants in workflow activities.
An increased frequency and volume of e-mail notifications can also cause enterprise problems such as increased network traffic and increased load on mail servers.
To resolve these kinds of issues, Tivoli Identity Manager uses a post office. The post office provides a mechanism for reducing the number of e-mail notifications a user receives regarding similar tasks in Tivoli Identity Manager. The post office can be configured to collect similar notifications for a period of time and combine those into one notification that is then sent to a user.
Figure 4-2 shows configuration parameters for the post office. The figure shows that you can enable or disable the post office (by using the Enable store
forwarding check box) and set the time interval (Collection interval field) that the post office uses to collect messages and aggregate them into single e-mail. You can also customize the e-mail template that is used to generate the aggregate message that is sent to the recipients.
The post office e-mail template can use dynamic content. Dynamic content includes dynamic content message tags, JavaScript code, and tags that replace variables with other values, or reference a property that allows translation with the use of a CustomLabels.properties file.
The following post office dynamic content custom tags can be used to get data:
<POGetAllBodies/>
Returns a string containing the text body of each of the original notifications separated by a new line.
<POGetAllSubjects/>
Returns all subjects from the notifications associated with the aggregate e-mail notification as a string that is separated by a new line.
<POGetEmailAddress/>
Returns the e-mail address that is the destination for the aggregate e-mail notification as a string with no new line.
<POGetNumOfEmails/>
Returns the number of e-mails that are associated with the aggregate e-mail notifications as a string with no new line.
Chapter 4. Implementation 149 Figure 4-2 Post office configuration screen
If the post office is enabled, the message aggregation will not happen until the manual activities that generate notifications have the Use Group E-mail Topic option enabled. Only in that case, the post office intercepts e-mail notifications that the system generates for those manual activities and holds them for a specified interval.
When the collection interval expires and notifications are aggregated, if there is only one notification for a given Group E-mail Topic value and e-mail address, that message is sent in its original form (the post office e-mail template is not applied). Note that although the notification is sent in its original form, the notification is delayed until the post office collection interval expires.
If there are any errors while attempting to aggregate the individual e-mails, the messages are sent in their original form, and an error message is written to the log. Thus, notifications might be delayed in being sent, but the delay should not result in the loss of any notifications. The Test button located on the Post Office page is useful for troubleshooting template errors.
It is good practice to test and validate the post office e-mail aggregation template that you created before sending it to an activity participant. When performing the test, you must specify an e-mail address to receive the test message. The test, performs validation of the e-mail aggregation template, and if successful, a sample e-mail notification is sent to the e-mail address you specified. The e-mail message contains simulated system information, which is supplied by default in the properties file and is presented in the post office e-mail template that you created.
4.12.1 E-mail notifications templates
Tivoli Identity Manager sends e-mail notifications for specific type of account requests and for specific events in the workflow system. The notification can be enabled or disabled based on the request type or event type; and the notification template can be customized for each type of notification.
The following is a list of account requests in which an e-mail notification can be generated:
New account
New password
Change account
Deprovision account
Suspend account
Restore account
The following is a list of workflow system events in which an e-mail notification can be generated:
Activity timeout
Process timeout
Process complete
Approval work item
Request for input work item
Work order
Compliance alert
Work item reminder
Tivoli Identity Manager can also be configured to send activity notifications and to-do list item reminders through e-mail to workflow participants after a
configured amount of time. Tivoli Identity Manager provides the ability to create default notifications for a type of activity in the form of templates. Notification templates provide a consistent notification style and content across manual activities and system activities such as adding accounts and changing passwords.
Chapter 4. Implementation 151