ReportsReports

Reports provide access to logged information, and current information about the users, administrators, and system activity in a deployment. This information is useful for troubleshooting, auditing security issues, and demonstrating compliance with various policies.

You create a report using one of the supplied templates. Each template allows you to choose the types of information being reported and the parameters to apply in order to refine that information. For example, you can use the All Users template to create a report that generates a list of all the users in your deployment by first and last name who are enabled for risk-based authentication.

After you have created and saved a report, an administrator can run the report manually at any time. For instructions, see Run a Report Job. You can also schedule the report to run automatically on a given day and time. For instructions, see Schedule a Recurring Report Job.

You can view the report output in the Security Console, or download the report as a CSV, XML, or HTML file.

RSA Authentication Manager inserts a blank (space) character before any CSV file report field that starts with an equals to (=), plus (+), minus (-), or at (@) character. This prevents spreadsheet programs, such as Microsoft Excel, from interpreting the data as a formula.

Reports Permitted for Each Administrative Reports Permitted for Each Administrative RoleRole

Administrative permissions determine which reports each administrator can run. Each predefined administrative role has default reporting permissions.The following table lists the default permissions for the predefined administrative roles, and the reports that each role has permission to run. You can modify a predefined role if you want it to have broader scope.

Note: Administrators who do not have view permissions for security domains have limited reporting capabilities. RSA recommends that you allow administrators to view security domains.

Administrator Role
Report Name	Help Desk Admin	User Admin	Agent Admin	Security Domain Admin	Super Admin
Administrator Activity					X
Administrators of a Security Domain		X	X	X	X
Administrators with a Specified Role				X	X
Administrators with Fixed Passcode		X	X	X	X
Agents not updated by auto-registration more than a given number of days		X	X	X	X
Agents with Unassigned IP Address		X	X	X	X
All User Groups		X	X	X	X
All Users		X	X	X	X
Authentication Activity					X
Distributed Token Requests					X
Expired User Accounts		X	X	X	X
Imported Users and Tokens Reports		X	X	X	X
List all RADIUS clients				X	X
List All Authentication Agent Records		X	X	X	X
List All Installed Agents		X	X	X	X
List all RSA Agent with assigned RADIUS client/RADIUS server		X	X	X	X
List all RSA Agents with assigned RADIUS profile		X	X	X	X
List all User Alias		X	X	X	X
List all Users with assigned RADIUS profile		X	X	X	X
Object Lifecycle Activity (Non User/User Group)					X
Risk-Based Authentication (RBA) Activity					X
Risk-Based Authentication (RBA) Users		X	X	X	X
Software Token		X	X	X	X
System Log Report					X
Token Expiration Report		X	X	X	X
User and User Group Lifecycle Activity					X
User and User Groups Missing from Identity Source		X	X	X	X
Users Enabled for On-Demand Authentication		X	X	X	X
Users Enabled for On-Demand Authentication Who Have Never Logged In		X	X	X	X
Users never logged in with token		X	X	X	X
Users with days since last login using specific token		X	X	X	X
Users with Disabled Accounts		X	X	X	X
Users with Tokens		X	X	X	X
Users with tokens set to online emergency access tokencode		X	X	X	X

Custom ReportsCustom Reports

You can create and run customized reports describing system events and objects.

For example, you might create a report that shows all user accounts that are disabled. You can design the report to include relevant information such as User ID, name, identity source, and security domain.

You can create a report that shows administrator activities. For example, you can report on activities for all administrators, or you can display detailed information on one administrator.

You can create custom reports using the predefined report templates provided with Authentication Manager. Each template includes predefined variables, column headings, and other report information.

The template is the foundation for your custom report. The template offers a starting point for sets of data, including input parameters and output columns. You can decide which columns to show, apply data filters, and modify run options.

Note: 1. "Last Authentication Date” will not be available for cloud-managed tokens in the "Users with Token" report.

Note: 2. "Users never logged in with token", "Token Expiration Date", and "Users with days since last login using specific token" reports will exclude cloud-managed tokens.

Sample ReportsSample Reports

This section provides sample reports using the following report templates:

• All Users
• Users with Tokens
• Administrators with Fixed Passcode
• Authentication Activity
• List All Authentication Agent Records
• List All Installed Agents
• System Log

Sample All Users ReportSample All Users Report

The All Users report provides information about users in your deployment. You can filter results based on input values such as custom user attributes, security domain, or group.

For example, you can generate a report to list all users in a specific department, if the department is defined as a custom user attribute.

In this example, Departments is a custom user attribute with Human Resources, Finance and IT as predefined values.

Suppose you want to generate a report that lists all users in the Human Resources department along with their User ID, Last Name, Email, and Locked Out status. On the Add a New Report page, select Departments and Human Resources in the Custom User Attribute field. Enter the search string as Human Resources. Include the following columns under Show in Report:

The following figure shows the report output. The column headers highlighted in red are the same as those defined in the Add Report page.

As another example of the All Users report, suppose you want to list all users who have been assigned a fixed passcode. On the Add a New Report page, the Has Fixed Passcode column has been selected to indicate which users in the report have been assigned a fixed passcode, and the Has Fixed Passcode input parameter field is set to Yes.

The following figure shows the report output. Because the Has Fixed Passcode field was set to Yes, only users with fixed passcodes are listed in the report.

Sample Users with Tokens ReportSample Users with Tokens Report

The Users with Tokens report provides a list of users who are assigned tokens. You can narrow the search using input parameter values such as customer user attributes.

For example, suppose you want to generate a report that lists the User ID, First Name, Last Name of users in the Human Resources department, and the lockout status of each account. Specify the output columns and input parameters as shown in the following figure.

The following figure shows the report output. The column headers highlighted in red are the same as those defined in the Add New Report page.

As another example of the Users with Tokens report, suppose you want to generate a list all users who have software tokens. On the Add New Report page, select the Token Type column, and set the Token Type input parameter field to SecurID Software Token.

The following figure shows the report output. Users with two software tokens are listed twice.

Sample Administrators with Fixed Passcode ReportSample Administrators with Fixed Passcode Report

The Administrators with Fixed Passcode report lists all administrators who have been assigned a fixed passcode.

In this example, the report is running for All security domains, including subdomains, and the output will not display email addresses, although this could be useful information, or the Yes column, which always displays Yes to indicate that each administrator in the report has been assigned a fixed passcode.

The following figure shows the report output. The User's Timestamp column indicates when the fixed passcode was assigned to each administrator or when the administrator last authenticated with the fixed passcode.

Sample Authentication Activity ReportSample Authentication Activity Report

The Authentication Activity report helps you track the following types of authentication activities:

• Security and Operations Console login
• Users with tokens
• Agents on the server

For example, suppose you want to generate an authentication activity report that lists the User ID, Date and Time of authentication, Result of the attempt, and type of activity that took place across multiple identity sources. Specify the output columns and input parameter values as shown in the following figure.

The following figure shows the report output. The column headers highlighted in red are same as those defined in the Add New Report page.

Sample List All Authentication Agent Records ReportSample List All Authentication Agent Records Report

The List All Authentication Agent Records report provides information on the authentication agents that have been added to RSA Authentication Manager. For example, you can view the user groups and security domains assigned to each agent, how many times each authentication agent is installed in your deployment, and whether each agent is enabled or disabled.

The Installed Agent Count lists how many authentication agents that use the REST protocol are installed for each Authentication Manager agent record. One REST protocol authentication agent record in Authentication Manager can represent more than one installed agent. For example, you can install and configure the RSA Authentication Agent 8.0 or later for PAM on hundreds of servers, and then add the PAM agent one time in Authentication Manager. In this example, you can edit one authentication agent record to configure multiple installed agents. The Installed Agent Count does not apply to authentication agents that use the UDP protocol, and some REST protocol agents, such as the PAM Agent 8.0 or later, require additional configuration steps to send agent details to Authentication Manager.

The following figure shows the report output. All of the agents are enabled.

Each authentication agent in the report has one agent record in Authentication Manager. However, the Installed Agent Count column displays 0 for the RADIUS Server agent that is not installed in the Authentication Manager deployment, and 2 for a Standard Agent in the Application_Admin user group because that agent is deployed in two locations. Only REST Protocol authentication agents can provide the additional parameter that Authentication Manager uses for the Installed Agent Count. Authentication agents that use the UDP protocol does not provide the additional parameter, and so the Installed Agent Count would be 0 for such agents.

Sample List All Installed Agents ReportSample List All Installed Agents Report

The List All Installed Agents report provides the following details for each installed authentication agent in your deployment that has corresponding record in Authentication Manager:

• Version number
• Platform
• Hostname and IP address that was last used. The IP address is obtained from the machine on which the agent is installed or from proxy-related HTTP headers, such as X-Forwarded-For (XFF), if your deployment uses an HTTP proxy or a load balancer.
• Time and date of the last authentication
• Security domain
• Name of the corresponding authentication agent record in Authentication Manager.

In the following example, the Software Identifier column is selected for the report. Some newer authentication agents that use the REST protocol provide a unique identifier for each installed agent. An agent might have one record in Authentication Manager, but the agent can be installed on multiple machines with a unique identifier for each installation. Authentication agents that use the UDP protocol do not provide this information. Some REST protocol agents require additional configuration steps to send agent details to Authentication Manager.

Only some agents provide the information in the Version, Component, and Platform columns. All agents can provide information about their security domain and the last authentication.

In the following output, the first row displays dashes for information that an older authentication agent cannot provide. RSA Authentication Agent 8.0 for PAM provides the information. If the PAM agent does not send the requested information, then the field displays "Unknown" for that installed agent.

Sample System Log ReportSample System Log Report

The System Log report lists log entries from the system log. You can narrow the search to a specific time period using input parameter values.

For example, suppose you want to generate a report that lists the Result, Activity Result Key, Date and Time, and Description of events in the system log for the last one week. Specify the output columns and input parameters as shown in the following figure.

The following figure shows the report output. The column headers highlighted in red are same as those defined in the Add New Report page.

Add a Add a ReportReport

Add a report to generate information about your deployment. You select a report template for the type of report you want to add, and customize the template for the specific information you want the report to provide.

Procedure

1. In the Security Console, click Reporting > Reports > Add New.

2. On the Select Template page, select a template for the report.

   Each template contains different input parameters and output columns. The Description column provides a summary of each template.

3. Click Next.

4. From the Security Domain menu, select the security domain where you want the report to be managed.

   The security domain designates which administrators can manage the report.

5. In the Report Name field, enter a unique name for the report.

   Do not exceed 64 characters.

6. Select one of the following options for Run As:

   • The administrator running the report job. The report data is limited to the scope of the administrator who runs the report.

   • The report creator. The report data is limited to the scope of the administrator who created the report. If the administrator running the report has a narrower scope than the report creator, the report will include data from the broader scope of the report creator.

   Only the administrator who created the report can change the Run As option.

7. Under Output Columns, move the items that you want to display in the report from the Available column to the Show in Report column.

8. Under Input Parameter Values, either enter values or leave the fields blank.

   If you leave the fields blank, administrators can set values when they run the report. If you enter values, the administrator must use these values when running the report. To include administrators with a specific role in a report, you must specify the role name. This name is case sensitive.

9. Under Email Recipients, either select the checkboxes or leave them blank:

   • Configured Email Recipients is a standard group of administrator email addresses that you configure. For instructions, see Configure Report Notification.

   • Individual Email Addresses allows you to enter additional email addresses. Separate each email address with a semicolon.

   When you run the report and the report is complete, an email notification is sent to the selected email addresses. The email notification includes the report name and a link to the report.

10. Click Save.

After you finish

You can run the report manually, or schedule the report to run at specified times.

Run a Report JobRun a Report Job

To generate output from a report that you have created, you must run the report. After you run the report, you can view the report output in a browser, or save the report as a CSV, XML, or HTML file.

When you run the report, make sure that you download it to your local machine, and view it using the associated applications.

You may only run reports that fall within the scope of your administrative role. If an error indicates that you have insufficient privileges, review your permissions carefully. The report fails if it needs to access data that you are not permitted to view. For example, the All Users report requires permission to view all of the security domains in the deployment because it accesses the security domains to which the reported users belong. For a complete list of reports permitted for each administrative role, see Reports Permitted for Each Administrative Role.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Click the report that you want to run, and click Run Report Job Now.

3. Enter any input parameters required by the report.

4. Click Run Report.

5. Click the Completed tab to view the report output.

Scheduled Report Scheduled Report JobsJobs

A scheduled report job creates a report according to a specified schedule. When creating a scheduled report job, you can configure these parameters.

Job Starts. The date to run the first instance of the recurring report job.

Frequency. The frequency of the recurring report:

• Daily or Weekly - You can run the report each day, or on a specific day or multiple days.

• Monthly - You can run the report every month, or on certain months. You can also specify the day on which the report is run.

Run Time. The time of day that the report is run.

Job Expires. The date when the recurring report job expires. You can choose a job that does not expire, or you can enter a specific date.

Input Parameters. Filter the report results. The available values vary depending on the report. For example, for a report on disabled user accounts, the report can show only disabled accounts belonging to users with a certain first name.

Schedule a Recurring Report JobSchedule a Recurring Report Job

You can schedule report jobs to automatically run at preset days, times, and intervals.

Procedure

1. In the Security Console, click Reporting > Scheduled Report Jobs > Add New.

2. Select the report that you want to schedule, and click Next.

3. In the Scheduled Report Job Name field, enter a name for the scheduled report.

4. In the Job Starts field, enter the date when you want the report to begin running. If the start date is set earlier than the current date, the job will run on the current date.

5. In the Frequency fields, enter the days or months when the report runs.

6. In the Run Time field, enter the time when the report runs. If the run time is set earlier than the current time, the job will run at the current time.

7. In the Job Expires field, enter the date when the report stops running. If the expiration date is set earlier than the start date, the job does not run.

8. Enter any necessary input parameter values.

9. Click Save.

View a Report TemplateView a Report Template

You can view a list of all saved report templates. After the list displays, you may edit or run the reports in the list.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Use the search fields to find the report that you want to view.

3. Click the report, and click View.

Edit a ReportEdit a Report

You can edit a report to change information that is included in the report or to change the information that must be entered when a report is run.

Only the administrator who created the report can change the Run As option.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Select the report that you want to edit, and click Edit.

3. Make any necessary changes to the report.

4. Click Save.

5. If you have not saved your edits, you can click Reset to reset the report to be as it was before you began editing.

Edit a Scheduled Report JobEdit a Scheduled Report Job

You can edit scheduled report jobs to update the frequency and times that the report job runs.

Procedure

1. In the Security Console, click Reporting > Scheduled Report Jobs > Manage Existing.

2. Select the report that you want to edit, and click Edit.

3. Make the necessary changes to the report.

4. Click Save.

   If you have not saved your edits, you can click Reset to reset the report to be as it was before you began editing.

Delete a ReportDelete a Report

Deleting a report is a batch job. If the delete operation fails, the report reappears in the list of reports and the View Batch Job page indicates that the job failed.

Before you begin

If the report job is scheduled to run at preset times, you must delete the scheduled report jobs and any output from the report job. For more information, see Delete a Scheduled Report Job and View An In Progress Report Job.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. Use the search fields to find the report that you want to delete.

3. Click the report that you want to delete, and click Delete.

4. Click OK.

Duplicate a ReportDuplicate a Report

If you do not need to add a completely new report, you can duplicate and customize an existing one.

Procedure

1. In the Security Console, click Reporting > Reports > Manage Existing.

2. On the Reports page, use the search fields to find the report that you want to duplicate.

3. From the list of reports, select the report that you want to duplicate, and click the report's name.

4. From the drop-down menu, click Duplicate.

   The system displays the Add New Report page.

5. In the Administrative Control section, from the Security Domain menu, select the security domain in which you want the report to be managed.

6. In the Report Basics section, in the Report Name field, enter a unique name for the report. Do not exceed 64 characters.

7. In the Report Basics section, select a Run As option. The data generated by the report is limited to the scope of the administrator who runs the report.

   For example, if an administrator runs a report as the report owner, and if the report owner has a broader scope than the administrator who runs the report, the report will include data from the broader scope, rather than from the more narrow scope of the administrator.

8. In the Output Columns section, select the Columns that you want to display in the report.

9. In the Input Parameter Values section, either enter values or leave the fields blank. If you leave the fields blank when adding the report, administrators must enter values when they run the report.

10. Click Save.

Duplicate a Scheduled Report JobDuplicate a Scheduled Report Job

If you do not need to add a completely new scheduled report job, you can duplicate and customize an existing one.

Procedure

1. In the Security Console, click Reporting > Scheduled Report Jobs > Manage Existing.

2. Use the search fields to find the scheduled report job that you want to duplicate.

3. Click the scheduled report job that you want to duplicate, and click Duplicate.

4. Enter a name for the new scheduled report job.

5. Click Save.

Delete a Scheduled Report JobDelete a Scheduled Report Job

You can delete a scheduled report job to remove it from the list of scheduled report jobs.

Procedure

1. In the Security Console, click Reporting > Scheduled Report Jobs > Manage Existing.

2. Use the search fields to find the scheduled report job that you want to delete.

3. Click the report that you want to delete, and click Delete.

4. Click OK.

View a Completed ReportView a Completed Report

Perform this procedure to view the output of a completed report saved in the system.

Procedure

1. In the Security Console, click Reporting > Report Output > Completed Reports.

2. Under the Completed tab, click the report job that you want to view, and select how to display it. You can save the report output as a CSV, XML, or HTML file. You can also choose to send the output directly to a web browser for display.

   RSA Authentication Manager inserts a blank (space) character before any CSV file report field that starts with an equals to (=), plus (+), minus (-), or at (@) character. This prevents spreadsheet programs, such as Microsoft Excel, from interpreting the data as a formula.

Be sure to delete reports when they are no longer needed.

View an In Progress Report JobView an In Progress Report Job

You can only view reports that are included in your administrative scope.

Procedure

In the Security Console, click Reporting > Report Output > In Progress.

You can cancel the report job from this tab.

View a Scheduled Report JobView a Scheduled Report Job

You can view a scheduled report job to confirm the details of the job are correct.

Procedure

In the Security Console, click Reporting > Scheduled Report Jobs > Manage Existing.

After the list displays, you can edit the frequency at which a report runs.

Configure Report NotificationConfigure Report Notification

RSA Authentication Manager can notify administrators by email when you run a report. The email notification includes the report name and a link to the report. You configure a standard group of administrator email addresses. When you create a report, you can select this group, and you can enter additional email addresses as needed.

Before you begin

• You must be a Super Admin.

• You must have SMTP mail service configured on the Security Console. For instructions, see Configure the SMTP Mail Service.

Procedure

1. In the Security Console, click Setup > System Settings.

2. Under Basic Settings, click Report Notification.

3. For Send Notifications to, enter the email address for each recipient. Separate each email address with a semicolon.

4. Click Save.

List User Group Membership in ReportsList User Group Membership in Reports

By default, the report results for the Token Expiration Report and the All User report do no list group membership. However, the following procedure allows you to list all the user’s groups or only groups managed by RSA Authentication Manager.

Procedure

1. Log on to the appliance using an SSH client.

2. Change directories:

   cd /opt/rsa/am/utils

3. Run one of the following commands:

   • To list all the user’s groups or only groups managed by Authentication Manager, type the following, and then press ENTER:

     ./rsautil store -a update_config auth_manager.reports.principal.all_group true GLOBAL 500

   • To list the groups managed by Authentication Manager, type the following, and then press ENTER:

     ./rsautil store -a update_config auth_manager.reports.principal.registered_group_only true GLOBAL 500

   • To disable listing all the user’s groups, type the following, and then press ENTER:

     ./rsautil store -a update_config auth_manager.reports.principal.all_group false GLOBAL 500

   • To disable listing the groups managed by Authentication Manager, type the following, and then press ENTER:

     ./rsautil store -a update_config auth_manager.reports.principal.registered_group_only false GLOBAL 500

4. When prompted, enter your Operations Console administrator User ID, and press ENTER.

5. When prompted, enter your Operations Console administrator password, and press ENTER.

6. Restart all Authentication Manager services on the primary instance and each replica instance:

   cd /opt/rsa/am/server

   ./rsaserv restart all

Configure RSA Authentication Manager Monitoring Intervals for Installed AgentsConfigure RSA Authentication Manager Monitoring Intervals for Installed Agents

You can configure how often the RSA Authentication Manager primary instance checks log records for authentication records and information on the authentication agents that are installed in your deployment. By default, Authentication Manager collects this information every 12 hours. You change the interval as needed.

To see the information that Authentication Manager collects, you can run the List All Installed Agents report. This report provides details for each agent that has an Authentication Manager record, such as the hostname and IP address that each agent last used, and the time and date of the last authentication.

Before you begin

• You must be an Operations Console administrator.
• Obtain the rsaadmin operating system password for the primary instance.
• Secure shell (SSH) must be enabled on the primary instance. For instructions, see Enable Secure Shell on the Appliance.

Procedure

1. On the primary instance, log on to the appliance using an SSH client.

2. Change directories:

   cd /opt/rsa/am/utils

3. Type the following command, and press ENTER:

   ./rsautil store -o admin -p password -a update_config ims.agent.monitor.update_interval time GLOBAL 503

   Where:

   admin is the Operations Console administrator user name.

   password is the Operations Console administrator password. For security reasons, instead of entering your password on the command line, you can wait for the utility prompt you for it.

   time is an integer that determines the hourly interval at which Authentication Manager checks for agent records.

4. Restart the RSA Runtime Server (biztier) on the primary instance:

   cd /opt/rsa/am/server

   ./rsaserv restart biztier nodep

Collecting Replicated Agent Authentication Records on the Primary InstanceCollecting Replicated Agent Authentication Records on the Primary Instance

The RSA Authentication Manager primary instance checks log records at regular intervals for new authentication records and information on the authentication agents that are installed in your deployment. You can use these collected records to run the List All Installed Agents report. Authentication Manager looks for timestamps that are later than the last time that it checked the log files, unless you define an offset value to collect earlier records that were delayed by replication. By default, the offset value is 0 hours.

For example, suppose that a replica instance authenticates a user at 10:59 AM. The primary instance checks the log files for authentication records at 11:00 AM, and the replica instance sends data to the primary instance at 11:10 AM. When the primary instance checks the log files again, at 11:00 PM, it looks for authentication records with a timestamp that is 11:00 AM or later. If you set the offset value to 1 hour, then the primary instance looks for records with timestamps that are later than 10:00 AM, and it collects the replicated authentication record from 10:59 AM.

Before you begin

• You must be an Operations Console administrator.
• Obtain the rsaadmin operating system password for the primary instance.
• Secure shell (SSH) must be enabled on the primary instance. For instructions, see Enable Secure Shell on the Appliance.

Procedure

1. On the primary instance, log on to the appliance using an SSH client.

2. Change directories:

   cd /opt/rsa/am/utils

3. Type the following command, and press ENTER:

   ./rsautil store -o admin -p password$ -a update_config ims.agent.monitor.offset time GLOBAL 503

   Where:

   admin is the Operations Console administrator user name.

   password is the Operations Console administrator password. For security reasons, instead of entering your password on the command line, you can wait for the utility prompt you for it.

   time is the offset in hours to check for new agent authentication records that were synchronized after the last time that Authentication Manager checked log files. For example, 1 hour.

Generate a Report of the Current Configuration SettingsGenerate a Report of the Current Configuration Settings

You can generate a text-based report that lists all current RSA Authentication Manager configuration and policy settings. You can analyze the CSV or XML report with third-party tools to monitor your Authentication Manager configuration over time. To see archive table data, export the report and check the ims_schedule_job data.

Before you begin

• Obtain the rsaadmin operating system password for the primary instance.
• Secure shell (SSH) must be enabled on the primary instance. For instructions, see Enable Secure Shell on the Appliance.

Procedure

1. On the primary instance, log on to the appliance using an SSH client.

2. Change directories:

   cd /opt/rsa/am/utils

3. Type the following command, and then press ENTER:

   ./rsautil export-config -o OutputFile

   where OutputFile is a unique name for the report. This command cannot overwrite an existing output file.

   By default, the report uses CSV format. Add the -x option to generate an XML report.