Chat now with support
Chat with Support

Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Preface Overview Authenticating to EAM Console and Managing Protection Modes Searching the Directory Tree Managing administrators Managing Security Profiles
Managing time slices Managing Password Format Control Policies Managing User Security Profiles Managing Access Point Security Profiles Managing Application Security Profiles Defining Security Profiles Default Values Managing User and Access Point Security Profiles Priorities
Managing directory objects
Managing applications Managing users Managing access points Managing representative objects Managing clusters of access points Selecting a domain controller
Importing/Exporting security profiles and directory objects Managing smart cards Managing SA server devices Managing RFID tokens Managing biometrics Managing Mobile Devices Enabling the public key authentication method Managing Emergency Accesses Managing audit events Managing reports Customizing configuration files Creating scripts Basic syntax of regular expressions Listing audit events and error codes Correspondence between profiles and administration rights Report Models and Parameters List Custom Group Files Format

Creating Custom Groups

Subject

Custom groups enable you to sort or filter data in a report according to criteria specific to your enterprise.

Description

There are three possible groups that can be used in most reports:

  • Groups of users of groups on a population.
  • Groups of access points.
  • Groups of accounts.

These groups are defined in CSV files in UTF-8 format; which you must set in the C:\Program Files\Common Files\One Identity\IAR\datasources\CSV folder (for more information on the format of these files, see Custom Group Files Format).

To help you with this task, you can use the file creation tool, but only for the user and/or access point groups, as these are objects that you can find in the directory.

For example, you can create a group file called UsersByCountry that represents the people grouped by country. Next time you generate a report, you will be able to use this file to order your data by country and/or only see one specific country by selecting this filter criteria.

Other groups can be made up such as groups of users by building, by region, by geographical area, etc.

These examples apply in the same way to the access points.

The use of groups of accounts is reduced and enables you to group the accounts by application; as a result you can obtain reports on the existing accounts for an application unknown by E-SSO for example.

When a group is requested for a report, any object that is not attached to a group is displayed in a separate category with no name.

Before starting
  • To manage the custom groups, you must own the following right: Reporting: Administration: to manage the configuration of the report generation requests.
  • The created file is editable but the configuration of the file by the generation tool is not saved; which means that you have to recreate this configuration for each modification.

    IMPORTANT: You must create this file in UTF-8 format.

Procedure

  1. In the Report menu, click Generate custom group file.
  2. Select the report generation service if needed.
    • The Generate a custom file window appears.

  3. Select the object type you want to group: Users or Computers.
  4. Click Add to define a new group of objects.
    • The Add a custom group window appears.

  5. Name the group in the corresponding field and click Set.
    For example, enter the group name United States to represent the users from the United States and select the population or the users to add.
  6. Select the population to add to the custom group and click OK.
  7. Click Add.

    NOTE: You can add as many custom groups as you want.
  8. Enter an explicit name for your user group file that you have defined, for example: UsersByCountry.
  9. Once you have finished adding groups, click Generate.
    • A confirmation message appears.
    • A file is created on the controller and can be used for all the next report generations by selecting the parameter corresponding to the custom group file.

On-demand Generation

Before starting

To generate PDF reports, you must own the following rights:

  • Reporting: Creation/modification: to authorize the administrators to create/modify all the report generation requests.
  • Reporting: Report Deletion: to authorize the administrators to delete the report generation requests and the associated reports.
  • Reporting: View reports: to authorize the administrators to download a report.

NOTE: For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the Reporting panel > PDF reports tab, click Generate.
    • The report generation request creation wizard appears.
  2. Click Next and follow the instructions in the table hereunder:

 

When this window appears

Do the following

NOTE: if you are working on a controller, this first screen does not appear. You must use the reporting service installed on this controller.
  1. Select the Domain and the Reporting server. If you:
    • Are in multi-domain mode, select the UAS domain.
    • Have several reporting servers, you must select one of them.
  2. Click Next.
    • The reporting server is tested. If it does not respond, you must select another one.

  1. Select the display language of the report model in the Language drop down list.
  2. Select a report model amongst the available report models.
  3. Click Next.

NOTE: the selection of a report model will determine the sequence of the next steps and elements to configure. Indeed, depending on the selected model, some steps of the wizard can be modified or even skipped.

NOTE: this window appears only if the selected model contains date parameters.
The dates can be mandatory or optional (check boxes can appear to make them mandatory).
  1. Select the Begin and End of the period dates during which the events are included in the report.
  2. Click Next.

  1. Select the following options if needed:
    • Notify the end of report generation by email: when the report is generated, an e-mail is automatically sent to the recipient of the report.
      To configure the email, refer to Configuration.
    • Sign the generated report: enables you to prove the integrity of the generated report by indicating the time of the signature; which therefore proves that the report has not been modified.
    • Encrypt report during storage: the generated PDF report is encrypted when it is saved.
  1. Click Next.

  1. Enter the Name of the report (<50 characters).
  2. Click Set to select the rights with which the report will be generated.
  3. Select the language of the report generation.
  4. If necessary, fill-in the different parameters linked to the selected model. The mandatory parameters are displayed in Bold. In that case, you cannot go to the next step as long as you have not completed all the parameters.
    See Report Models and Parameters List for more information on the different parameters of the predefined models and how to complete them.
  5. Click Next.

NOTE: this window only appears if you have chosen to notify the end of the generation by e-mail.
  1. Create a list of recipients who will receive an e-mail once the report is generated, notifying them that it is available. To do so:
    • Enter the e-mail address of a recipient in the corresponding field and click Set.
    • Click Add to search and select a recipient.
  2. Select a recipient and click To/CC to set him as main recipient or as copy of the e-mail.
  3. Click Next.

  1. Click Add to select the person(s) who will be able to administer or download the report, or click Remove to remove them.
  2. Click Change right to change the user rights on the report.
  3. Click Next.

  • Click Finish to close the wizard.
    • The report generation request has been sent. You can follow its progress in the PDF reports tab.
      The report will be available in this same tab once the generation is completed.
      For more information on this tab, refer to "PDF reports" Tab - Description below.
"PDF reports" Tab - Description

This tab displays all the report generation requests, either on-demand or periodic, as well as their state. Click List to display these report requests.

Here is the information displayed by column:

  • Name of the report: the report name given by the administrator. This name is suffixed with the generation date if it is a periodic request.
  • State of the report:
    • Generating: the report is being generated.
    • Generated: the report has been generated.
    • Error: the report has not been generated. The reason for this error is displayed in the Details column. You can click the Information button to get more details on the error.
  • Generation date: date when the generation request was sent.
  • Controller: name of the EAM controller that generated the report.
  • Generation duration: generation duration of the report.
  • Details on the report state, if:
    • It exists or not.
    • It is signed or not.
    • A notification by e-mail was sent or not.

    NOTE: The data to generate the report does not exist, a report is generated anyway informing you that there is no data.

You can perform the following actions:

  • Manage the permissions (Permissions button).
  • Generate a report (Generate button).
  • Display the report generation requests (List button).
  • Display information on the processing of a report generation request (Information button). The generation of a report is split into different steps:
    • Retrieving the data to include in the report.
    • Correlating the data with the model.
    • Generating the corresponding PDF file.
    • Signing the report if requested.
    • Notifying by e-mail if requested.
  • Download a report (Download button or double-click a report generation request).
  • Delete one or several report generation requests and the associated report (Delete button).

Creating a Periodic Generation

Before starting

To create a periodic generation of the PDF reports, you must own the following rights:

  • Reporting: Creation/modification: to authorize the administrators to create/modify all the report generation requests.
  • Reporting: Report Deletion: to authorize the administrators to delete the report generation requests and the associated reports.
  • Reporting: View reports: to authorize the administrators to download a report.

NOTE: For more information on administration roles, see Section Managing administrators.

Procedure

  1. In the Reporting panel > Periodic PDF reports tab, click Create.
    • The periodic generation request creation wizard appears.
  2. Click Next and follow the instructions in the table hereunder:

 

When this window appears

Do the following

NOTE: if you are working on a controller, this first screen does not appear. You must use the reporting service installed on this controller.
  1. Select the Domain and the Reporting server. If you:
    • Are in multi-domain mode, select the UAS domain.
    • Have several reporting servers, you must select one of them.
  2. Click Next.
    • The reporting server is tested. If it does not respond, you must select another one.

  1. Select the display language of the report model in the Language drop down list.
  2. Select a report model amongst the available models.
  3. Click Next.

NOTE: the selection of a report model will determine the sequence of the next steps and elements to configure. Indeed, depending on the selected model, some steps of the wizard can be modified or even skipped.

Set the periodicity of the report (daily, weekly, monthly, annual) as well as the data range to take into account (only if the selected model contains date parameters) and click Next.

In this example, it is September 1st:

  • A report will be generated daily at 1:00 am.
  • The first report will be generated on September 25th at 10:55 am.
  • The data taken into account is the data from the previous day, i.e September 24th from 00:00:00 to 11:59:59 pm.
  • There is a delay of 1 day to generate the report, therefore the first report will finally be generated on September 26th.

IMPORTANT:

since the Day, Week, Month, Year periods are full calendar periods, selecting 30 days and 1 month will not give the same result:

30 days starting from October 20th will take into account the data from September 20th to October 19th.

1 month starting from October 20th will take into account the data from September 1st to September 30th.

  1. Select the following options if needed:
    • Notify the end of report generation by email: when the report is generated, an e-mail is automatically sent to the recipient of the report.
      To configure the email, refer to Configuration.
    • Sign the generated report: enables you to prove the integrity of the generated report by indicating the time of the signature; which therefore proves that the report has not been modified.
    • Encrypt report during storage: the generated PDF report is encrypted when it is saved.
  2. Click Next.

  1. Enter the Name of the report (<50 characters).
  2. Click Set to select the rights with which the report will be generated.
  3. Select the language of the report generation.
  4. If necessary, fill-in the different parameters linked to the selected model. The mandatory parameters are displayed in Bold. In that case, you cannot go to the next step as long as you have not completed all the parameters.
    See Report Models and Parameters List for more information on the different parameters of the predefined models and how to complete them.
  5. Click Next.

NOTE: this window only appears if you have chosen to notify the end of the generation by e-mail.
  1. Create a list of recipients who will receive an e-mail once the report is generated, notifying them that it is available. To do so:
    • Enter the e-mail address of a recipient in the corresponding field and click Set.
    • Click Add to search and select a recipient.
  2. Select a recipient and click To/CC to set him as main recipient or as copy of the e-mail.
  3. Click Next.

  1. Click Add to select the person(s) who will be able to administer or download the report, or click Remove to remove them.
  2. Click Change right to change the user rights on the report.
  3. Click Next.

  • Click Finish to close the wizard.
    • The report generation request has been sent. You can follow its progress in the PDF reports tab.
      The report will be available in this same tab once the generation is completed.
      For more information on this tab, refer to "PDF reports" Tab - Description below.
"Periodic PDF reports" Tab - Description

This tab displays all the periodic generation requests of PDF reports. Click List to display these definitions.

Here is the information displayed by column:

  • Name: the name of the report to generate.
  • Model name: the model used to generate the report.
  • Controller: name of the EAM controller that generates the report.
  • Periodicity of the generation:
    • Daily.
    • Weekly.
    • Monthly.
    • Annual
  • Next generation date: displays the date of the next generation depending on what you have configured.

You can perform the following actions:

  • Create a periodic generation request of a PDF report (Create button).
  • Display the list of periodic generation requests (List button).
  • Edit a periodic generation request to modify its name, period, parameters (Modify button or double-click a report).
  • Delete a periodic generation request of a PDF report (Delete button).

Generating On-screen reports

In this section:

Related Documents