A common question we get asked... "How many reports are there within RSA IGL"
The answer: LOADS!
Within RSA IGL we have a LOAD of out the box (OTB) reports included and shipped as standard.
All these reports can be found in the UI, by going to “Reports/Tabular” then “Create Report” button at the top.
From here you can find a lot of OTB reports by using the “type” and “Template” dropdowns.
For example, if you wanted a report on all your orphan accounts, you would select “Account” and then “Orphaned Accounts” - thats it! really simple
If you want a simple way to see all the reports you have in the system overall, you can execute the following query, either within something like SQL Developer or create a new a report within the UI itself
Select * from V_LIST_REPORTS;
This table tells you all the reports you have in your enviroment, both OTB and any you have also created as well.
Steps to create this in the UI are as follows
Note: this takes <5minutes to complete
Log in as an admin user or as a user who can create reports
Go to “Reports/Tabular”
Click “Create Report” button
Give you report a title and some details so you know what its for in future.
Click the “Query” tab at the top
Add the following SQL query:
(select * from avuser.V_LIST_REPORTS)
Note: makes sure you wrap you the SQL in parenthesis “(“ and “)”
Click the “Columns” tab
Select only the following columns in the right-hand pane called “Displayed Columns” – everything else should be moved to the right.
Last Modified Date
Click on “preview” button at the bottom to check its worked.
These are more nice to have changes, that might make the report look a bit better, in my opinion
Go to the “Grouping and Sorting” tab
Select “Report Type” under Grouping, so that we can see the groups of reports we have created
A lot of quesitons are asked around how to calculate users within RSA IGL and different totals for each user "type". for people who have left the organisation.
A user "type" could be one of the following, when it comes to their status
They are an active employee, who is part of the organisation still (eg. they are still on the payroll and working for the company)
They are no longer an active employee and part of the organisation (eg. they are not being paid for working at the company any longer.
These can be collected and broken down into 2 different classifications:
Taking a step back and looking at identity collection...
RSA IGL works by collecting identities (individual users) into the system but we NEVER remove them out again. So once an identity is "in" RSA IGL, that’s it, they are there forever.
Even if we remove an identity from the source feed of HR (so an identity is no longer included within an identity collection), that identity will still be seen in RSA IGL.
RSA IGL Flags used for leaver types
All companies do things differently, some companies keep their historic employees that have gone in their HR feeds = these would be covered with an "is_terminated" flag.
Some just keep a HR feed of only active users, so these would be covered with an "is_deleted" flag AND the "is_terminated" flag.
There are 2 different flags that we use to classify tan identity who is a "leaver", due to the way different companies manage their leaver data. These flags are set at the individual idenitty level and can be seen from the main "user" display view, or within any selected identity itself.
Is_terminated = this shows a identity who we are still collected into RSA IGL but HR states they have left the organsiation (maybe with a flag). This is like a positive confirmation someone has gone from the organisation and is a great piece of information to gather if possible.
Is_deleted = this shows a identity who we no longer collected by the RSA IGL identity collection process and so RSA IGL will assume that that they have left the organsiation (as they are no longer in the HR source data). This method is not a positive confirmation someone has left however, as it could just be that there was a mistake and the identity was not included in the HR source data for some reason. In general however, if someone is removed from the HR source, we treat this as confirmed they have left that company.
When an identity is set to "is_deleted = true", we also assume they have left the company. So the "is_terminated = true" flag is ALSO set.
The identity for "Joe Blogs" is found in the HR source with the ID "JBLOGS". This identity is active within the company and a current employee. This identity is collected into RSA IGL as an "active" user and so
Is_terminated = flase (no)
Is_deleted = flase (no)
The identity for "Joe Blogs" is NO LONGER found in the HR Source anymore. So the ID for "JBLOGS" which was in the HR data previous has seen been totally removed from this data source. The identity is NOT collected into RSA IGL, as its not in the HR data.
Is_terminated = true (yes)
Is_deleted = true (yes)
The identity for "Joe Blogs" is STILL found in the HR, however HR has set a flag against the "JBLOGS" for "Leaver" to be "true" - So the HR team is telling RSA IGL that JBLOGS has left the company. The identity for JBLOGS is collected into RSA IGL, but we also have this extra info with the flag being set.
Is_Terminated = true (yes)
Is_Deleted = flase (no)
How can you calculate these different types of identities in RSA IGL?
Option 1 = In the RSA IGL UI itself. (see image below)
Log in to RSA IGL as someone within Admin privilages (who can see all identities in the system)
Click on the "Users" then "Users" menu
Using the "Grouping" drop down, select either "Is_Deleted" or "Is Terminated"
This will then give you the total number of identies for each status.
SO in this example below, we can see there are 85005 identies who are "is_deleted"
NOTE: this method will have some cross-over, as there are some identites in a system who could be set to BOTH "is_deleted = yes" and "is_terminated = yes". See examples above for more info on this
Option 2 = A SQL query against the DB
Run the folllowing SQL query against your DB, to produce a list of the different types of identies.
count(1) as TotalUsers,
sum(is_terminated) as TerminatedCount,
sum(is_deleted) as DeletedCount
Note: The SUM total of "is_deleted" and "is_terminated" might not always add up to the "total_users" value. This is due to the fact that some identites could be set to both "is_deleted = true" and "is_Terminated = true". Please see the example above for more infomation.
Thanks for reading - if you have any quesitons, please ask below.