Report: Who Has Access to What and Why

Last modified 10 May 2023 08:32 +02:00

This is main IGA report. It is assignment report displaying data in business terminology. For specified set of users, it reports their actual assignments of business and application roles and their membership in organizational structure.

Assignment of an application role represents access of the user to an application. Assignment of the business role may represent user’s working position. Assignment of an organizational unit represents user’s position in the organization or in a project.


Literally this report display information exactly according its name:

  • Who - identification of the user

  • has access - the assignment. It is the line in the report.

  • to what - role name and application. Application defines target to which the user has access, role name explain level of access in business terminology.

  • and why - policy, request, assigned business role or membership in organization unit why the user has the assignment

The report is designed to provide means for:

  • analyzing user access for defined scope of users

  • compare assignments among set of users and identify business patterns of access

  • identify unnecessary access

  • analyze access for scope of users

Providing such information in the form of report enables export of the data for further analysis outside midPoint.


Role manager, Security officers, but also business managers for some business needs e.g. analyzing access of all his subordinates.

Scope of users

The report should be run on limited set of users only.

Primary reason is business - it mostly makes sense to compare access within limited scope of users - within people in organizational unit or comparing similar working positions in different units.

Secondary - building such report is quite resource intensive. Listing direct or indirect assignments is not an issue. But displaying "WHY" is. Showing that user has role X assigned, because this role is included in the business roles A and B requires detail analysis of all his assignments and can’t be performed just by reading the database data.

Additionally - the amount of data may be quite large. Multiplying thousands of users with up to a hundred of assignments may provide quite large sets of data for easy business analysis.

And the last reason is security. As any with any other report - exporting information outside the midPoint increases risk of unauthorized access to the information. And the more information is exported, the worse may be the impact of unauthorized access.

Report details

The report should provide information as seen on the picture:

Who has access to what report

Additional details are in the excel spreadsheet.

For specified list of users the report should provide:

Column Information provided Note


User’s name or other identification of the user

Necessary column


The role or organization unit assigned to the user. This field defines the access level.

Necessary column

Role type

Business identification of the assignment - whether it is position in organization, assigned business role, assigned application role, or application / application resource

Necessary column


Name of the application that the role is allowing access to. Only displayed for application roles.

Necessary column,
This may be multivalue column.

Relation / Access level

Relation of the assignment - only displayed if not default.

The relation describes access level for assignment of applications and application resources


Identification of "WHY" the user has the assignment. Assignment may be assigned:

  • directly

  • indirectly via role membership in other role

  • indirectly via role membership in an organization

Necessary column if we need to display "why" the user has the assignment.


Identification of the source of the assignment.

  • request, task, assignment policy or manual assignment for direct assignments

  • role or organization in indirect assignments.

Necessary column if we need to display "why" the user has the assignment.


Identification of the source of assignment. Ticket ID, request ID, or task name.


Date since the assignment is active.

Not necessary

Additional information

Some additional information about assigment. E.g. defined end time.

Not necessary


The report should be ordered by User’s name, Role type (Orgs, Business roles, Application roles) and role name. Such ordering helps analysis and overview of the roles.

The report may include additional rows displaying attributes of the user, assigned role or the assignment itself.

Was this page helpful?
Thanks for your feedback