RSA IGL Version: V 7.1.0 P04 +, V 7.1.1 +, V 7.2.0 +
Product Area: Dashboards, JSP, Reports
Video: RSA IGL Risk Analytics Dashboard - Video Demo
Time to apply: ~1 hour
The Risk Analytics dashboard was created to provide a quick, high-level view of risk-related data points. These are shown as statistics, alarms and indicators, divided into dashboard items and displayed in a simple, compact view that is easy to read using a traffic light system.
The goal of this dashboard is to help you focus attention on where you have risks that should be addressed.
The dashboard consists of a JSP which contains 6 dashboard items.
Almost every dashboard item contains traffic lights, each of which acts as an indicator.
Green = Good, Orange = Action Required (Intermediate Severity), Red = Action Required (High Severity)
Taking a deeper dive into the dashboard item conditions and traffic light colors:
Each dashboard item is also hyperlinked to a relevant report. For example, clicking the Orphan Account dashboard item (if orphan account counts are showing) redirects you to the OOTB Orphan Accounts report. The remaining items have reports created for them, which are covered in the deployment/implementation phase.
Prior to V 7.2 :
V 7.2.X & V 7.5+ :
Important Pre-Requisites & Notes to follow:
While the dashboard can be implemented starting with V 7.1.0 P04, the general UI style changed starting with V 7.2. The steps below are the same for all of the RSA IG&L versions that the dashboard supports; however, the dashboard files are different for V 7.2 +:
Risk Analytics Dashboard - Before V 7.2.zip -- valid starting V 7.1.0 P04 to V 7.1.1 latest patch
Risk Analytics Dashboard - V 7.2.X.zip -- valid with V 7.2.0 & V 7.2.1
Risk Analytics Dashboard - V 7.5+.zip -- valid with V 7.5+
The zip file contains a JSP file and an images folder.
1. Log in as a user with admin privileges and upload the required files:
2. Create & Configure the Risk Analytics Dashboard:
3. Create the reports that will be linked to the dashboard items upon clicking:
The following reports need to be created so that each dashboard item redirects, when clicked, to its corresponding report based on the results. Head to Reports > Tabular > Create Report > enter the Name as stated for each report below > go to the "Query" tab > paste the query specified for each report below > press Ok.
Note: Make sure that the names of the reports are exactly as specified below. You can modify the queries based on your requirements if needed.
1. Report Name: Violations Open > 7 Days
(
  SELECT v.user_display_name,
         v.entitlement_name,
         v.application_name,
         v.detection_date,
         v.rule_name
  FROM avuser.v_av_violations v
  WHERE v.state = 'OP'
    AND v.id IS NOT NULL
    AND trunc(sysdate) - trunc(v.detection_date) >= 7
)
2. Report Name: Violations Open < 7 Days
(
  SELECT v.user_display_name,
         v.entitlement_name,
         v.application_name,
         v.detection_date,
         v.rule_name
  FROM avuser.v_av_violations v
  WHERE v.state = 'OP'
    AND v.id IS NOT NULL
    AND trunc(sysdate) - trunc(v.detection_date) < 7
)
3. Report Name: Exceptional Access
(
  SELECT entitlement_name AS "ENTITLEMENT NAME",
         app_name AS "Application",
         user_disp_name AS "User",
         granted_by_disp_name AS "Granted By",
         expires_on AS "Expiry Date",
         notes
  FROM avuser.v_exceptional_access
  WHERE trunc(expires_on - sysdate) >= 0
)
4. Report Name: Terminated Users with Active Accounts
(
  SELECT DISTINCT ( ux.user_id ) AS "User Id",
         vu.last_name || ', ' || vu.first_name AS "Name",
         vu.department,
         vu.email_address AS "Email Address",
         vu.is_terminated AS "Is Terminated?",
         ( CASE WHEN vu.deletion_date IS NULL THEN 'False' ELSE 'TRUE' END ) AS "Is Deleted?",
         vu.violation_count AS "Violation Count"
  FROM avuser.pv_user_account_mapping ux
  LEFT JOIN avuser.pv_users vu ON vu.id = ux.user_id
  WHERE ux.user_id IN (
          SELECT id
          FROM avuser.pv_users
          WHERE trunc(sysdate) - trunc(termination_date) >= 1
        )
    AND ux.account_id IN (
          SELECT id
          FROM avuser.pv_account
          WHERE deletion_date IS NULL
            AND ( is_locked = 0 OR is_disabled = 0 )
        )
    AND ux.deletion_date IS NULL
)
5. Report Name: Users without a Supervisor
(
  SELECT user_id AS "User Id",
         last_name || ', ' || first_name AS "Name",
         department,
         email_address AS "Email Address",
         ( CASE is_terminated WHEN 1 THEN 'Yes' WHEN 0 THEN 'No' ELSE 'UNDEFINED_VALUE' END ) AS "Is Terminated?",
         ( CASE is_deleted WHEN 1 THEN 'Yes' WHEN 0 THEN 'No' ELSE 'UNDEFINED_VALUE' END ) AS "Is Deleted?",
         violation_count AS "Violation Count",
         data_collector_name AS "IDC Name"
  FROM avuser.v_users
  WHERE supervisor_id IS NULL
)
6. Report Name: Dormant Accounts > 30 Days & < 90 Days
(
  SELECT acc.name,
         acc.id,
         acc.last_login_date AS "Last Login Date",
         app.name AS "Application/Directory Name"
  FROM avuser.pv_account acc
  JOIN (
         SELECT id, name FROM avuser.pv_application
         UNION
         SELECT id, name FROM avuser.pv_directory
       ) app ON app.id = acc.application_id
  WHERE acc.orphaned_date IS NULL
    AND trunc(sysdate) - trunc(last_login_date) BETWEEN 30 AND 89
    AND acc.is_shared = 'n'
    AND acc.is_disabled = 0
    AND acc.is_locked = 0
)
7. Report Name: Dormant Accounts > 90 Days
(
  SELECT acc.name,
         acc.id AS "Account ID",
         acc.last_login_date AS "Last Login Date",
         app.name AS "Application/Directory Name"
  FROM avuser.pv_account acc
  JOIN (
         SELECT id, name FROM avuser.pv_application
         UNION
         SELECT id, name FROM avuser.pv_directory
       ) app ON app.id = acc.application_id
  WHERE acc.orphaned_date IS NULL
    AND trunc(sysdate) - trunc(acc.last_login_date) >= 90
    AND acc.is_shared = 'n'
    AND acc.is_disabled = 0
    AND acc.is_locked = 0
)
After configuring the reports, the implementation steps for the dashboard are now complete.
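To cross-check the seven reports once they exist, the query below returns one row per report with the number of rows that report's query currently returns, so each figure can be compared with what the linked report lists. It is an added example, not part of the dashboard package; it uses only the views and conditions from the report queries on this page and assumes avuser.pv_users holds one row per id, so that counting distinct user ids matches the Terminated Users report.

```sql
-- Added example (not part of the dashboard package): one row per report,
-- counting the rows its query on this page returns today.
WITH app AS (
    SELECT id, name FROM avuser.pv_application
    UNION
    SELECT id, name FROM avuser.pv_directory
),
dormant AS (  -- shared base of the two Dormant Accounts reports
    SELECT trunc(sysdate) - trunc(acc.last_login_date) AS idle_days
    FROM avuser.pv_account acc
    JOIN app ON app.id = acc.application_id
    WHERE acc.orphaned_date IS NULL
      AND acc.is_shared = 'n'
      AND acc.is_disabled = 0
      AND acc.is_locked = 0
)
SELECT 'Violations Open > 7 Days' AS report_name, COUNT(*) AS row_count
FROM avuser.v_av_violations
WHERE state = 'OP' AND id IS NOT NULL
  AND trunc(sysdate) - trunc(detection_date) >= 7
UNION ALL
SELECT 'Violations Open < 7 Days', COUNT(*)
FROM avuser.v_av_violations
WHERE state = 'OP' AND id IS NOT NULL
  AND trunc(sysdate) - trunc(detection_date) < 7
UNION ALL
SELECT 'Exceptional Access', COUNT(*)
FROM avuser.v_exceptional_access
WHERE trunc(expires_on - sysdate) >= 0
UNION ALL
SELECT 'Terminated Users with Active Accounts', COUNT(DISTINCT ux.user_id)
FROM avuser.pv_user_account_mapping ux
WHERE ux.deletion_date IS NULL
  AND ux.user_id IN (SELECT id FROM avuser.pv_users
                     WHERE trunc(sysdate) - trunc(termination_date) >= 1)
  AND ux.account_id IN (SELECT id FROM avuser.pv_account
                        WHERE deletion_date IS NULL
                          AND (is_locked = 0 OR is_disabled = 0))
UNION ALL
SELECT 'Users without a Supervisor', COUNT(*)
FROM avuser.v_users
WHERE supervisor_id IS NULL
UNION ALL
SELECT 'Dormant Accounts > 30 Days & < 90 Days', COUNT(*)
FROM dormant WHERE idle_days BETWEEN 30 AND 89
UNION ALL
SELECT 'Dormant Accounts > 90 Days', COUNT(*)
FROM dormant WHERE idle_days >= 90;
```

Accounts with no recorded last login date fall into neither dormant bucket, exactly as in the two report queries, so they will not appear in these counts.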
Please "hit reply" and share your feedback - we would love to see an image of this working in your environments.
We also want to know your ideas around similar kinds of dashboards/dashboard items that you want to see created.