IGA Reporting
The system governance is about of having good overview of the data in the system - the data must be transformed to information. What is data and what is information depends on your business requirements.
When you are managing access, it does not help you much to know that you have 50 300 accounts in company Active directory. Or that you have 3000 users with an average of 200 attributes each.
But it does make perfect sense to see list of people having access to multiple critical systems, knowing who has access to some costly cloud service or having list of all accesses of particular person who is being accused from a fraud.
Different information is often required in different forms. It could be said in different height of view. Midpoint can provide the information in the form of reports, dashboards or object details.
The form of provided information is often crucial for its interpretation. Sometimes you need to see all details, sometimes the details must be removed to get good overall view over the whole or part of the environment. And sometimes, the details must be abstracted by some better interpretation.
And the business level of information is such better interpretation in Identity Governance world - the information consists of users, roles, applications and their assignments.
Types of reports:
-
Big picture & Assignments reports
-
Process monitoring reports
Big picture & Assignments reports
These reports should provide good overview of the data in the system. Not only static snapshot of the assignments but also what has happened in the system on object level - what was created or modified.
- Big picture over assignments
-
In most cases, these reports are most useful over defined set of users - not all users in the system. Not only, that reporting all assignments of all users may be quite large and resource intensive, but in most cases it makes better business sense to see access for the users from e.g. specific org unit. So, specification of scope of such reports is necessary.
-
Who has access to what (and why) - this is the main IGA report - report of user assignments (roles or applications) for defined scope of users.
Detail description and example of the report is here. -
assignments of roles - how many assignments has each role (scope may be limited)
-
assignments of applications - how many assignments has each application
-
role assignments per users - how many assignments each user has
-
- Per object assignments reports
-
-
who has this role assigned
-
who has access to this application
-
what roles has the user assigned (directly or indirectly)
-
what applications have the user access to
-
user’s assignment history
-
reasons for the assignment - information why the user has the access - identification of request, operation or policy providing the access
-
- Big picture over data in the system
-
For defined time period or scope, the system should provide information What has happened in the system.
-
how many users were created / modified / disabled / removed
-
create / modify / delete operations per resource
-
new / removed assignments
-
- Policy reports
-
System shall provide business description of assignment policies together with list of the policies and assignment counts.
- Risk based reports
-
-
Who are privileged users
-
Users with the highest risk profile
-
Process monitoring reports and dashboards
These reports should provide information about specific process, and it’s performance over defined time.
- Role Engineering process monitoring
-
All the reports mentioned here should be designed for specified time period:
-
New requests - how many role creation/update/decommissioning requests was created
-
Process throughput - how many requests (of all requests created within the time period) were closed within e.g. 21 days.
-
Process speed - how fast was e.g. 90% of the requests closed (of all requests created within specified time period)
-
Closure rate - percentage of requests already closed
-
Success rate - percentage of already closed requests that are closed successfully
-
Requests with excessive processing times - all opened requests not closed within e.g. 60 days.
-
- Access request process monitoring
-
Following dashboards and reports are designed with the aim to help Role manager and IGA administrators manage the process of access request.
All the dashboards / reports mentioned here should be designed for specified time period:
- Process dashboards
-
Dashboards provide actual picture of the process. Provides basic information to IGA administrator or Role manager.
-
New requests - how many access requests was created
-
Process throughput - how many requests (of all requests created within the time period) were closed within e.g. 7 days.
-
Process speed - how fast was e.g. 95% of the requests closed (of all requests created within specified time period)
-
Closure rate - percentage of requests already closed
-
Success rate - percentage of already closed requests that are closed successfully
-
- Reports and views
-
Reports and views are providing more detail data over the process. IGA administrator can identify excessive or failed requests or requests with specific parameters.
-
Overview of the access request process - all requests with basic statistics from defined time period.
Example of the Access request report. -
Requests with excessive processing times - all opened requests not closed within e.g. 21 days.
-
Requests per applications - to identify users / organization units utilizing the system - hints for including application roles to business role
-
Requests per users / organizations - to identify users / organization units utilizing the system - hints for business role preparation
-