[MUSIC PLAYING] We're now going to take a look at a few of the audit and report capabilities that comes with Identity Manager. Identity Manager includes out of the box a long list of reports, it includes the ability to create reports, and also to, of course, modify or use the existing reports for new reports.
I'm going to log onto the web portal as one of the managers. One of the team members for this manager is Hamid, and Hamid was one of the users that we, in a previous video-- he actually was detected to have a segregation of duty violation through a role membership.
So if we click on Hamid and we click on the history view of Hamid, we will see a graphical timeline. Now, you can go backwards and forwards in this graphical timeline, but more importantly, as you can see, it says 13 events here. It means that we can zoom in at this particular point in time. And I continue to zoom in. And what I will see that is actually quite a lot of events happening here, very close to each other.
So I can see that there were some entitlements added to Hamid, some of them were removed, and that was due to the fact that he lost a role membership from-- as you can see, he was complained of violation detected. And then we took away entitlements from that violation, so he's no longer violating the segregation or duty rule. And afterwards, we have also manually requested some more entitlements for this user.
So by zooming in and out, we can be very specific. And once you find some kind of event here, you can just simply click on the event and you can click on the Compare button. And sometimes you need to actually go back a minute or something just to be able to see exactly what was changed. And now you can see that these are Active Directory group memberships that are they are now assigned, but historically they were not assigned.
Now if you change things like, let's say that he changed his name or something like that, and then you will see the previous value and a new value. You can also do a comparison and look at the events from a list view like this. Now, one of the features we have is also the possibility to filter based on different things here.
So once we click on those filter icons, it's also a possibility to filter out, but also the group by this column. So let's say that we want to group by this column. It effectively means that you see different kind of object types here. And you can just see, for instance, if we open up Active Directory groups, we can see that this particular individual has 21 group memberships in Active Directory.
Once I click on one of those, I can also see more information about it over here right on sight. Whenever you have these kind of views on the screen, it's possible also to directly from here create the report. You just click on the View Setting and say, I want to export this view. Now you can export it directly to PDF, but you can also say export and show as a web page. What that means is that you get something that looks like a graphical report on the screen grouped in the way that we selected previously. And the Save button up here allows you to say this report in your desired format, if you want it in a Microsoft Excel or Microsoft Word format, for example.
So this was the historical view of the user Hamid. There is a lot of built-in reports, as I mentioned. If I click on the master data on this individual, there is a Generate Report button here. This is actually also available for the end user themselves. When they log on and look at their profile, they can generate a report upon themselves.
So what I'm going to do here I'm going to press Generate Report, and then I'm going to select the checkbox "Generate report including history." I click on Generate Report. This is not going to be a big report, so it gets generated immediately. Now, the first page shows you all the information about the identity, all the information that's actually stored in Identity Management solution itself regarding the identity or the person. So you can see some information about where it's located, what kind of organizational belonging and so forth.
And on the following pages, you will see any kind of assignments that entitle this individual. And as you can see, as an example here on the roles and organization, the role user acceptance tester is actually not valid anymore, it was assigned until. And also we can go further down. We can see his Active Directory account and the group memberships. And three of these groups were actually removed at a certain point in time. And at the bottom of it we can also see that he lost a system role. And this comes from the fact that we took away the segregation rule violation, but the history report will show you that he actually had that access previously.
Now, when we mention report, if I am, for instance, a manager, I can be entitled the permission to subscribe to other reports. Now, when you subscribe to reports, they are typically something that also gets delivered to you based on a schedule. So if I go to subscriptions here, I can see I have no subscription. I say ad subscription, and I can select, for instance, the report, "rule violations by direct subordinates." I will select this report. I want to subscribe to that one.
Now, since this is going to be delivered to me either by email or it can also be placed on my home folder on a file server or something like that, I want it to be delivered in a specific format. So I want it to be delivered as a PDF file, for instance. And this is just simply a wizard, so you go through it. So now I have a report subscription. So I selected the monthly, so it's going to be delivered to me monthly, but it can actually directly now click on the little email icon here on the right-hand side and the message says that it is now being delivered to my email address.
Now, obviously, I need to have an email box, of course. So I will log on to the email system. And as you can see, I've got a new email from a subscription and it's being delivered to me as a PDF file. Obviously, I can open that PDF file. Now, this was just a sample report rule violation from direct software ordinates. I can say that I had a rule violation previously from this Hamid. So it's just to show you the feature of mail reports being subscribed.
Now, finally, one thing that we're going to look at is-- and this is extremely important when you talk about identity audit, is the possibility to trace the origin or why an identity have certain entitlement or access to certain applications and why they belong to an organization or why they have a role, membership, or whatever.
So, again, we're going to look at the user Hamid. I click on the Hamid. I'm still logged in, as before, as the user Carl. I'm the manager of this individual, Hamid. So one of the things that we can do when we look at entitlements-- now, entitlements are things that are being assigned to a user. It can be anything from membership in an organization or role membership to entitlements that you have in target systems. For instance, that the fact that you have a group membership in Active Directory, for instance.
So when we look at entitlements here, the first one that comes up is the fact that he has a cost center entitlement. I can see they've been primary assigned. But I can also, on the right-hand side, reel down and see that this comes-- it's a primary membership in the cost center for development, and this has not been modified.
Now, it tells me a lot. It probably means that this comes from the fact that he was on-boarded from an HR system, most probably. But if I look at the second one, for instance, I can see that it is an indirect assignment. It has an account in an Active Directory. And how come he has an account in an Active Directory? Well I have to drill down quite deeply into it to see the reason why he has it. It comes from the fact that he has a membership in a role called Full-time Employee.
Now, the reason why it has that membership is because it's being calculated. That's the way we have configured this demonstration environment. The fact that he is a full-time employee, he automatically gets the role membership that gives him an account in Active Directory. Now, we can filter and we can group based on object types here in the very same way as we do in other views.
So I'm going to filter on Active Directory group memberships only here. And as you can see, there is quite a few of them. And some of them are direct and some of them are indirect. If we select one that is direct, we can see that it's directly assigned to a group called All staff Sweden. And it's probably something that was assigned to him natively in Active Directory. We detected it, but we don't know why he has it. But if we look at Indirect Assignment, and we take the next group, All Staff in UK, we can drill down on that side and we can see something completely different. The reason why he has this is because it comes from the fact that he has a primary location in a location called UK London. So the group memberships come from the fact that he's located in London.
Now, we can also further on drill down and look at others. And just picking one down here called Application SQL Server Studio, we can see that while this one comes from a request-- so if I click on the request here, I can actually see the actual request and I can see the workflow on the screen as well. So I can see that, OK, it was granted access by his manager at this point in time. So by tracing the origin, we can be sure that we know exactly why a person has a certain target system entitlement or why a person belongs to an organization or why a person has a certain role membership. We actually trace everything backwards. And that sums the entitlement region.
[MUSIC PLAYING]
12:06