Report: Who Has Access Where and Why

Last modified 02 May 2022 13:53 +02:00

This is main IGA report. It is assignment report displaying data in business terminology. For specified set of users, it reports their actual assignments of business and application roles and his membership in organizational structure.

Assignment of an application role represents access of the user to an application. Assignment of the business role may represent user’s working position. Assignment of an organizational unit represents user’s position in the organization or in a project.

Reason

Literally this report display information exactly according its name:

  • Who - identification of the user

  • has access - the assignment. It is the line in the report.

  • where - role name and application. Application defines target where the user has access, role name explain level of access in business terminology.

  • and why - policy, request or another reason why the user has the assignment

The report is designed to provide means for:

  • analyzing user access for the defined scope of users

  • compare assignments among set of users and identify business patterns of access

  • identify unnecessary access

  • analyze access for scope of users

Providing such information in the form of report enables export of the data for further analysis outside midPoint.

Audience

Role manager, Security officers, but also business managers for some business needs e.g. analyzing access of all his subordinates.

Scope of users

The report should be run on limited set of users only.

Primary reason is business - it mostly makes sense to compare access within limited scope of users - within people in organizational unit or comparing similar working positions in different units.

Secondary - building such report is quite resource intensive. Listing direct or indirect assignments is not an issue. But displaying "WHY" is. Showing that user has role X assigned, because this role is included in the business roles A and B requires detail analysis of all his assignments and can’t be performed just by reading the database data.

Additionally - the amount of data may be quite large. Multiplying thousands of users with up to a hundred of assignments may provide quite large sets of data for easy business analysis.

And the last reason is security. As any with any other report - exporting information outside the midPoint increases risk of unauthorized access to the information. And the more information is exported, the worse may be the impact of unauthorized access.

Report details

The report should provide information as seen on the picture: Who has access where report

For specified list of users the report should provide:

Column Information provided Note

Org

Organizational unit - column listing organization where the user is sitting.

Not necessary

Name

User’s name or other identification of the user

Necessary column

Role

The role or organization unit assigned to the user. This field defines the access level.

Necessary column

Role type

Business identification of the assignment - whether it is position in organization, assigned business role or assigned application role

Necessary column

Application

Name of the application that the role is allowing access to. Only displayed for application roles.

Necessary column,
This may be multivalue column.

Reason

Identification of "WHY" the user has the assignment. Assignment may be assigned:
- directly
- indirectly via role membership in other role
- indirectly via role membership in an organization

Necessary column if we need to display "why" the user has the assignment.

Source

Identification of the source of the assignment.
- request, assignment policy or manual assignment for direct assignments - role or organization in indirect assignments.+

Necessary column if we need to display "why" the user has the assignment.
This may be multivalue column.

Since

Date since the assignment is active.

Not necessary

Additional information

Some additional information about assigment. E.g. relation for organizations, or defined end time.

Not necessary

Ordering

The report should be ordered by User’s name, Role type (Orgs, Business roles, Application roles) and role name. Such ordering helps analysis and overview of the roles.

The report may include additional rows displaying attributes of the user, assigned role or the assignment itself.