Report: Who Has Access to What and Why

Last modified 10 May 2023 08:32 +02:00

This is main IGA report. It is assignment report displaying data in business terminology. For specified set of users, it reports their actual assignments of business and application roles and their membership in organizational structure.

Assignment of an application role represents access of the user to an application. Assignment of the business role may represent user’s working position. Assignment of an organizational unit represents user’s position in the organization or in a project.

Reason

Literally this report display information exactly according its name:

Who - identification of the user
has access - the assignment. It is the line in the report.
to what - role name and application. Application defines target to which the user has access, role name explain level of access in business terminology.
and why - policy, request, assigned business role or membership in organization unit why the user has the assignment

The report is designed to provide means for:

analyzing user access for defined scope of users
compare assignments among set of users and identify business patterns of access
identify unnecessary access
analyze access for scope of users

Providing such information in the form of report enables export of the data for further analysis outside midPoint.

Audience

Role manager, Security officers, but also business managers for some business needs e.g. analyzing access of all his subordinates.

Scope of users

The report should be run on limited set of users only.

Primary reason is business - it mostly makes sense to compare access within limited scope of users - within people in organizational unit or comparing similar working positions in different units.

Secondary - building such report is quite resource intensive. Listing direct or indirect assignments is not an issue. But displaying "WHY" is. Showing that user has role X assigned, because this role is included in the business roles A and B requires detail analysis of all his assignments and can’t be performed just by reading the database data.

Additionally - the amount of data may be quite large. Multiplying thousands of users with up to a hundred of assignments may provide quite large sets of data for easy business analysis.

And the last reason is security. As any with any other report - exporting information outside the midPoint increases risk of unauthorized access to the information. And the more information is exported, the worse may be the impact of unauthorized access.

Report details

The report should provide information as seen on the picture:

Who has access to what report

Additional details are in the excel spreadsheet.

For specified list of users the report should provide:

Column	Information provided	Note
Name	User’s name or other identification of the user	Necessary column
Role	The role or organization unit assigned to the user. This field defines the access level.	Necessary column
Role type	Business identification of the assignment - whether it is position in organization, assigned business role, assigned application role, or application / application resource	Necessary column
Application	Name of the application that the role is allowing access to. Only displayed for application roles.	Necessary column, This may be multivalue column.
Relation / Access level	Relation of the assignment - only displayed if not default.	The relation describes access level for assignment of applications and application resources
Reason	Identification of "WHY" the user has the assignment. Assignment may be assigned: directly indirectly via role membership in other role indirectly via role membership in an organization	Necessary column if we need to display "why" the user has the assignment.
Why(Source)	Identification of the source of the assignment. request, task, assignment policy or manual assignment for direct assignments role or organization in indirect assignments.	Necessary column if we need to display "why" the user has the assignment.
Details	Identification of the source of assignment. Ticket ID, request ID, or task name.
Since	Date since the assignment is active.	Not necessary
Additional information	Some additional information about assigment. E.g. defined end time.	Not necessary

Column

Information provided

Note

Name

User’s name or other identification of the user

Necessary column

Role

The role or organization unit assigned to the user. This field defines the access level.

Necessary column

Role type

Business identification of the assignment - whether it is position in organization, assigned business role, assigned application role, or application / application resource

Necessary column

Application

Name of the application that the role is allowing access to. Only displayed for application roles.

Necessary column,
This may be multivalue column.

Relation / Access level

Relation of the assignment - only displayed if not default.

The relation describes access level for assignment of applications and application resources

Reason

Identification of "WHY" the user has the assignment. Assignment may be assigned:

directly
indirectly via role membership in other role
indirectly via role membership in an organization

Necessary column if we need to display "why" the user has the assignment.

Why(Source)

Identification of the source of the assignment.

request, task, assignment policy or manual assignment for direct assignments
role or organization in indirect assignments.

Necessary column if we need to display "why" the user has the assignment.

Details

Identification of the source of assignment. Ticket ID, request ID, or task name.

Since

Date since the assignment is active.

Not necessary

Additional information

Some additional information about assigment. E.g. defined end time.

Not necessary

Ordering: The report should be ordered by User’s name, Role type (Orgs, Business roles, Application roles) and role name. Such ordering helps analysis and overview of the roles.

The report may include additional rows displaying attributes of the user, assigned role or the assignment itself.

Was this page helpful?

YES NO

Thanks for your feedback