RSA IGL Recipes: Risk Analytics Dashboard

Document created by Ahmed Nofal (Employee) on Jul 23, 2020. Last modified by RSA Link Admin on Sep 18, 2020.
Version 8

RSA IGL Version: V 7.1.0 P04 +, V 7.1.1 +, V 7.2.0 +

Modules: Governance

Product Area: Dashboards, JSP, Reports

Video: RSA IGL Risk Analytics Dashboard - Video Demo

Time to apply: ~1 hour

 

Summary:

The Risk Analytics dashboard was created to provide a quick, high-level view of risk-related data points. These are shown as statistics, alarms and indicators, divided into dashboard items and displayed in a simple, compact view that is easy to understand thanks to a traffic light system.

The goal of this dashboard is to help you focus attention on where you have risks that should be addressed. 

 

Key Notes:

  • This dashboard is supplied "as is" - any modification of this dashboard is done at your own risk. 
  • If you would like to enhance this dashboard to add more metrics, then RSA PS is available to help. Please contact your local sales rep or reply below and we can discuss this with you. 

 

Details:

The dashboard consists of a JSP which contains 6 dashboard items.

  1. Orphan Account %
  2. Violations Open > 7 Days
  3. Exceptional Access
  4. Dormant Accounts
  5. Users with No Manager
  6. Terminated Users with Active Accounts

 

Almost every dashboard item contains traffic lights, each of which acts as an indicator.
Green = Good, Orange = Action Required (Intermediate Severity), Red = Action Required (High Severity)

 

Taking a deeper dive into the dashboard item conditions and traffic light colors:

 

 

Each dashboard item is also hyperlinked to a relevant report. For example, clicking the Orphan Account dashboard item (if it shows orphan account counts) redirects you to the OOTB Orphan Accounts report. The rest of the items have reports created for them, which are discussed in the deployment/implementation phase.

 

Prior to V 7.2 :

 

V 7.2 + :

 

Implementation:

Important Pre-Requisites & Notes to follow:

  1. You MUST follow standard change request process and apply this solution in your lower environments first, before moving this to Production.
  2. The Risk Analytics dashboard object itself can carry a user constraint so that only a specific subset of people can view it. The JSP is also designed to be viewable only by users within that user constraint, meaning that people outside the constraint cannot view the JSP standalone using the IG&L fixed JSP URL. The JSP treats AveksaAdmin as a super user, so AveksaAdmin is able to view the JSP from the URL.
  3. The dashboard name has to be fixed as "Risk Analytics".
  4. All the reports created have to be named exactly as this post states. The reason is the constraint capability in point no. 2 and the mapping from each dashboard item to its report via a click.
  5. There are two dashboard items revolving around violations; they are automatically hidden if there are no SoD or User Access rules in an 'Active' state.
  6. The "Users without a Supervisor" dashboard item shows a message if the supervisor user attribute is not collected, and therefore gives a green light.
  7. Alert pop-ups appear if users click on dashboard items that either give 0 results or do not have the corresponding report created.
  8. The JSP includes some System.out lines that print debug information to aveksaServer.log so you can confirm everything is working. Kindly test this dashboard in a test environment first to make sure everything is going well. If you do not need these lines and cannot remove them yourself, or you require further assistance with any aspect of the dashboard, please reply below.

 

Intro:

While the implementation of the dashboard is valid starting V 7.1.0 P04, the general UI style changed starting V 7.2. The steps below are the same for all of the RSA IG&L versions that the dashboard supports; however, the dashboard files are different for V 7.2 +:

Risk Analytics Dashboard - Before V 7.2.zip -- valid starting V 7.1.0 P04 to V 7.1.1 latest patch

Risk Analytics Dashboard - V 7.2 +.zip -- valid with V 7.2 +

 

The zip file contains a JSP file and an images folder.

 

Steps:

1. Log in as a user with admin privileges and upload the required files:

  • Head to admin > User Interface > Files > select "Images" from the drop-down and upload the following 9 images present in the images folder inside the zip file:

    Exceptional_Access.png
    information.png
    orphan_accounts.png
    Terminated_User_Active_Account.png
    User_No_Manager.png
    violations.png
    Green_Traffic_Light.png
    Orange_Traffic_Light.png
    Red_Traffic_Light.png

 

  • Head to admin > User Interface > Files > select "JSP Pages" from the drop-down and upload the "RiskAnalytics.jsp" file present in the zip file:

 

 

 

2. Create & Configure the Risk Analytics Dashboard:

  • Head to Admin > Dashboards > Welcome Dashboards > Create Dashboard
  • Name the dashboard Risk Analytics > Choose Layout Option as "Proportional Layout" with the first option that has only '1' in its screen > Check the Enabled Checkbox

 

  • Head to the Dashboard Components tab > Add Component > choose custom user link > select "-- select URL --" from the drop-down > put the full URL string value as "custom.jsp?page=RiskAnalytics.jsp" > Style = Inline display and un-check the border checkbox

 

  • Add a user constraint according to whom you wish to see the dashboard (default will be all users seeing it).

 

 

3. Create the reports that will be linked to the dashboard items upon clicking:

 

The following reports need to be created so that each dashboard item redirects, upon click, to the corresponding report based on the results. Head to Reports > Tabular > Create Report > Input Name as stated with each report below > Head to the "Query" tab > Paste the query specified for each report below > Press Ok
Note: Make sure that the names of the reports are exactly as specified below. You can modify the queries based on your requirements if needed.

 

7 reports are to be created:

       

1. Report Name: Violations Open > 7 Days
Report Query:

( SELECT
v.user_display_name,
v.entitlement_name,
v.application_name,
v.detection_date,
v.rule_name
FROM
avuser.v_av_violations v
WHERE
v.state = 'OP'
AND v.id IS NOT NULL
AND trunc(sysdate) - trunc(v.detection_date) >= 7
)

 

2. Report Name: Violations Open < 7 Days
Report Query:

( SELECT
v.user_display_name,
v.entitlement_name,
v.application_name,
v.detection_date,
v.rule_name
FROM
avuser.v_av_violations v
WHERE
v.state = 'OP'
AND v.id IS NOT NULL
AND trunc(sysdate) - trunc(v.detection_date) < 7
)

 

3. Report Name: Exceptional Access
Report Query:

( SELECT
entitlement_name AS "ENTITLEMENT NAME",
app_name AS "Application",
user_disp_name AS "User",
granted_by_disp_name AS "Granted By",
expires_on AS "Expiry Date",
notes
FROM
avuser.v_exceptional_access
WHERE
trunc(expires_on - sysdate) >= 0
)


4. Report Name: Terminated Users with Active Accounts
Report Query:

( SELECT DISTINCT
( ux.user_id ) AS "User Id",
vu.last_name
|| ', '
|| vu.first_name AS "Name",
vu.department,
vu.email_address AS "Email Address",
vu.is_terminated AS "Is Terminated?",
(
CASE
WHEN vu.deletion_date IS NULL THEN
'False'
ELSE
'TRUE'
END
) AS "Is Deleted?",
vu.violation_count AS "Violation Count"
FROM
avuser.pv_user_account_mapping ux
LEFT JOIN avuser.pv_users vu ON vu.id = ux.user_id
WHERE
ux.user_id IN (
SELECT
id
FROM
avuser.pv_users
WHERE
trunc(sysdate) - trunc(termination_date) >= 1
)
AND ux.account_id IN (
SELECT
id
FROM
avuser.pv_account
WHERE
deletion_date IS NULL
AND ( is_locked = 0
OR is_disabled = 0 )
)
AND ux.deletion_date IS NULL
)

 

5. Report Name: Users without a Supervisor
Report Query:

( SELECT
user_id AS "User Id",
last_name
|| ', '
|| first_name AS "Name",
department,
email_address AS "Email Address",
(
CASE is_terminated
WHEN 1 THEN
'Yes'
WHEN 0 THEN
'No'
ELSE
'UNDEFINED_VALUE'
END
) AS "Is Terminated?",
(
CASE is_deleted
WHEN 1 THEN
'Yes'
WHEN 0 THEN
'No'
ELSE
'UNDEFINED_VALUE'
END
) AS "Is Deleted?",
violation_count AS "Violation Count",
data_collector_name AS "IDC Name"
FROM
avuser.v_users
WHERE
supervisor_id IS NULL
)

 

6. Report Name: Dormant Accounts > 30 Days & < 90 Days
Report Query:

( SELECT
acc.name,
acc.id,
acc.last_login_date AS "Last Login Date",
app.name AS "Application/Directory Name"
FROM
avuser.pv_account acc
JOIN (
SELECT
id,
name
FROM
avuser.pv_application
UNION
SELECT
id,
name
FROM
avuser.pv_directory
) app ON app.id = acc.application_id
WHERE
acc.orphaned_date IS NULL
AND trunc(sysdate) - trunc(last_login_date) BETWEEN 30 AND 89
AND acc.is_shared = 'n'
AND acc.is_disabled = 0
AND acc.is_locked = 0
)

 

7. Report Name: Dormant Accounts > 90 Days
Report Query:

( SELECT
acc.name,
acc.id AS "Account ID",
acc.last_login_date AS "Last Login Date",
app.name AS "Application/Directory Name"
FROM
avuser.pv_account acc
JOIN (
SELECT
id,
name
FROM
avuser.pv_application
UNION
SELECT
id,
name
FROM
avuser.pv_directory
) app ON app.id = acc.application_id
WHERE
acc.orphaned_date IS NULL
AND trunc(sysdate) - trunc(acc.last_login_date) >= 90
AND acc.is_shared = 'n'
AND acc.is_disabled = 0
AND acc.is_locked = 0
)


After configuring the reports, the implementation steps for the dashboard are now complete.
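
To triage the dormant-account findings, the following added example (not part of the original recipe or of RSA's code) goes beyond reports 6 and 7 by counting both dormancy buckets per application/directory with the same filters. It also counts accounts whose last_login_date is NULL, because a NULL date fails both date comparisons and so never appears in either report. It assumes it is run from a SQL client with read access to the avuser views named in this post; the column aliases are illustrative.

```sql
-- Added example: dormant accounts per application/directory.
-- Uses only the views, columns and filters already used by reports 6 and 7.
SELECT
    app.name AS "Application/Directory Name",
    -- Same window as the "Dormant Accounts > 30 Days & < 90 Days" report
    SUM(CASE
            WHEN trunc(sysdate) - trunc(acc.last_login_date) BETWEEN 30 AND 89 THEN 1
            ELSE 0
        END) AS "Dormant 30-89 Days",
    -- Same window as the "Dormant Accounts > 90 Days" report
    SUM(CASE
            WHEN trunc(sysdate) - trunc(acc.last_login_date) >= 90 THEN 1
            ELSE 0
        END) AS "Dormant 90+ Days",
    -- Accounts with no login date: excluded by both reports above,
    -- since any comparison against NULL is never true
    SUM(CASE
            WHEN acc.last_login_date IS NULL THEN 1
            ELSE 0
        END) AS "No Login Date"
FROM
    avuser.pv_account acc
    JOIN (
        SELECT id, name FROM avuser.pv_application
        UNION
        SELECT id, name FROM avuser.pv_directory
    ) app ON app.id = acc.application_id
WHERE
    acc.orphaned_date IS NULL
    AND acc.is_shared = 'n'
    AND acc.is_disabled = 0
    AND acc.is_locked = 0
GROUP BY
    app.name
-- Keep only applications that have something to review
HAVING
    SUM(CASE
            WHEN acc.last_login_date IS NULL
                 OR trunc(sysdate) - trunc(acc.last_login_date) >= 30 THEN 1
            ELSE 0
        END) > 0
ORDER BY
    "Dormant 90+ Days" DESC,
    "Dormant 30-89 Days" DESC
```

A large "No Login Date" count for an application usually means the last-login attribute is not being collected for it, so its dormant counts understate the exposure.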

 

Thank you!

 

Please "hit reply" and share your feedback - we would love to see an image of this working in your environments.

 

We also want to know your ideas around similar kinds of dashboards/dashboard items that you want to see created
