RSA IGL Version: V 7.1.0 P04 +, V 7.1.1 +, V 7.2.0 +

Modules: Governance

Product Area: Dashboards, JSP, Reports

Video: RSA IGL Risk Analytics Dashboard - Video Demo 

Time to apply: ~1 hour

Summary:

The Risk Analytics dashboard was created to provide a swift & high level view of risk related data points. These are shown as statistics/alarms/indicators, divided into dashboard items and displayed in a simple and compact view that is easy to understand using a traffic light system. 

The goal of this dashboard is to help you focus attention on where you have risks that should be addressed. 

Key Notes:

• This dashboard is supplied "as is" - any modification of this dashboard is done at your own risk. 
• If you would like to enhance this dashboard to add more metrics, then RSA PS is available to help. Please contact your local sales rep or reply below and we can discuss this with you. 

Details:

The dashboard consists of a JSP which contains 6 dashboard items.

1. Orphan Account %
2. Violations Open > 7 Days
3. Exceptional Access
4. Dormant Accounts
5. Users with No Manager
6. Terminated Users with Active Accounts

Almost each of the dashboard items contain traffic lights  where each of the traffic lights acts as an indicator.
Green = Good, Orange = Action Required (Intermediate Severity), Red = Action Required (High Severity)

Taking a deeper dive into the dashboard item conditions and traffic light colors:

Each dashboard item is also hyperlinked to lead to a relevant report. Taking the Orphan Account dashboard item, when clicked upon (if you have orphan account counts showing up), redirects you to the OOTB Orphan Accounts report. The rest of the items have reports created for them which will be discussed more in the deployment/implementation phase.

Prior to V 7.2 :

V 7.2.X & V 7.5+ :

Implementation:

Important Pre-Requisites&Notes to follow:

1. You MUST follow standard change request process and apply this solution in your lower environments first, before moving this to Production.
2. While the Risk Analytics dashboard object itself can have a constraint not to get viewed except for a specific subset of people, the JSP is also designed to get viewed only by the users within the user constraint of the Risk Analytics dashboard; meaning that people who aren't within the constraint cannot even view the JSP standalone using the IG&L fixed JSP URL. The JSP treats AveksaAdmin as a super user thus AveksaAdmin is able the view the JSP from the URL accordingly.
3. The dashboard name has to be fixed as "Risk Analytics".
4. All the report names created have to be named according to what this post states. The reason for that is the constraint capability in point no.2 and the report mapping to the dashboard item via a click.
5. There are two dashboard items revolving around violations which automatically don't show up if there are no SoD or User Access rules in an 'Active' state.
6. The "Users without a Supervisor" dashboard item shows a message if the supervisor user attribute is not collected, and therefore gives a green light.
7. Alert pop-ups appear if users click on dashboard items that either give 0 results or do not have the correspondent report created for it.
8. The JSP comes with some System.Out lines to print out debug info within the aveksaServer.log to make sure everything is working. Kindly test this dashboard on a test environment first to make sure everything is going well.If you aren't able to remove it yourself if you don't need it or require further assistance on any of the dashboard aspect, please reply below

Intro:

While the implementation of the dashboard is valid starting V 7.1.0 P04, the UI general style changed starting V 7.2. The bellow steps are the same of all of the RSA IG&L versions that the dashboard supports, however the dashboard files will be different with V 7.2 + :

Risk Analytics Dashboard - Before V 7.2.zip -- valid starting V 7.1.0 P04 to V 7.1.1 latest patch

Risk Analytics Dashboard - V 7.2.X.zip -- valid with V 7.2.0 & V 7.2.1

Risk Analytics Dashboard - V 7.5+.zip -- valid with V 7.5+

The zip file contains a JSP file and an images folder.

Steps:

1. Log in as a user with admin privileges and upload the required files:

• Head to admin > User Interface > Files > select "Images" from the drop-down and upload the following 9 images present in the images folder inside the zip file:
  

  Exceptional_Access.png
  information.png
  orphan_accounts.png
  Terminated_User_Active_Account.png
  User_No_Manager.png
  violations.png
  Green_Traffic_Light.png
  Orange_Traffic_Light.png
  Red_Traffic_Light.png

  

• Head to admin > User Interface > Files > select "JSP Pages" from the drop-down and upload the "RiskAnalytics.jsp" file present in the zip file:

2. Create & Configure the Risk Analytics Dashboard:

• Head to Admin > Dashboards > Welcome Dashboards > Create Dashboard
• Name the dashboard Risk Analytics > Choose Layout Option as "Proportional Layout" with the first option that has only '1' in its screen > Check the Enabled Checkbox
  

• Head to the Dashboard Components tab > Add Component > choose custom user link > select "-- select URL --" from the drop-down > put the full URL string value as "custom.jsp?page=RiskAnalytics.jsp" > Style = Inline display and un-check the border checkbox

• Add a user constraint according to whom you wish to see the dashboard (default will be all users seeing it).

3. Create the reports that will be linked to the dashboard items upon clicking:

The following reports need to be created for the dashboard items to redirect upon click to the corresponding report based on the results. Head to Reports > Tabular > Create Report > Input Name as stated with each report bellow > Head to the "Query" tab > Paste the specified query with each report as stated bellow > Press Ok
**Note: Make sure that the names of the reports are exactly as specified bellow. You can modify the queries based on your requirements if needed.

7 reports are to be created:

 1. Report Name: Violations Open > 7 Days
     Report Query:

( SELECT
 v.user_display_name,
 v.entitlement_name,
 v.application_name,
 v.detection_date,
 v.rule_name
FROM
 avuser.v_av_violations v
WHERE
 v.state = 'OP'
 AND v.id IS NOT NULL
 AND trunc(sysdate) - trunc(v.detection_date) >= 7
)

2. Report Name: Violations Open < 7 Days
Report Query:

( SELECT
 v.user_display_name,
 v.entitlement_name,
 v.application_name,
 v.detection_date,
 v.rule_name
FROM
 avuser.v_av_violations v
WHERE
 v.state = 'OP'
 AND v.id IS NOT NULL
 AND trunc(sysdate) - trunc(v.detection_date) < 7
)

3. Report Name: Exceptional Access
Report Query:

( SELECT
 entitlement_name AS "ENTITLEMENT NAME",
 app_name AS "Application",
 user_disp_name AS "User",
 granted_by_disp_name AS "Granted By",
 expires_on AS "Expiry Date",
 notes
FROM
 avuser.v_exceptional_access
WHERE
 trunc(expires_on - sysdate) >= 0
)

 4. Report Name: Terminated Users with Active Accounts
Report Query:

( SELECT DISTINCT
 ( ux.user_id ) AS "User Id",
 vu.last_name
 || ', '
 || vu.first_name AS "Name",
 vu.department,
 vu.email_address AS "Email Address",
 vu.is_terminated AS "Is Terminated?",
 (
 CASE vu.deletion_date
 WHEN NULL THEN
 'False'
 ELSE
 'TRUE'
 END
 ) AS "Is Deleted?",
 vu.violation_count AS "Violation Count"
FROM
 avuser.pv_user_account_mapping ux
 LEFT JOIN avuser.pv_users vu ON vu.id = ux.user_id
WHERE
 ux.user_id IN (
 SELECT
 id
 FROM
 avuser.pv_users
 WHERE
 trunc(sysdate) - trunc(termination_date) >= 1
 )
 AND ux.account_id IN (
 SELECT
 id
 FROM
 avuser.pv_account
 WHERE
 deletion_date IS NULL
 AND ( is_locked = 0
 OR is_disabled = 0 )
 )
 AND ux.deletion_date IS NULL
)

 5. Report Name: Users without a Supervisor
Report Query:

( SELECT
 user_id AS "User Id",
 last_name
 || ', '
 || first_name AS "Name",
 department,
 email_address AS "Email Address",
 (
 CASE is_terminated
 WHEN 1 THEN
 'Yes'
 WHEN 0 THEN
 'No'
 ELSE
 'UNDEFINED_VALUE'
 END
 ) AS "Is Terminated?",
 (
 CASE is_deleted
 WHEN 1 THEN
 'Yes'
 WHEN 0 THEN
 'No'
 ELSE
 'UNDEFINED_VALUE'
 END
 ) AS "Is Deleted?",
 violation_count AS "Violation Count",
 data_collector_name AS "IDC Name"
FROM
 avuser.v_users
WHERE
 supervisor_id IS NULL
)

6. Report Name: Dormant Accounts > 30 Days & < 90 Days
Report Query:

( SELECT
 acc.name,
 acc.id,
 acc.last_login_date AS "Last Login Date",
 app.name AS "Application/Directory Name"
FROM
 avuser.pv_account acc
 JOIN (
 SELECT
 id,
 name
 FROM
 avuser.pv_application
 UNION
 SELECT
 id,
 name
 FROM
 avuser.pv_directory
 ) app ON app.id = acc.application_id
WHERE
 acc.orphaned_date IS NULL
 AND trunc(sysdate) - trunc(last_login_date) BETWEEN 30 AND 89
 AND acc.is_shared = 'n'
 AND acc.is_disabled = 0
 AND acc.is_locked = 0
)

7. Report Name: Dormant Accounts > 90 Days
Report Query:

( SELECT
 acc.name,
 acc.id AS "Account ID",
 acc.last_login_date AS "Last Login Date",
 app.name AS "Application/Directory Name"
FROM
 avuser.pv_account acc
 JOIN (
 SELECT
 id,
 name
 FROM
 avuser.pv_application
 UNION
 SELECT
 id,
 name
 FROM
 avuser.pv_directory
 ) app ON app.id = acc.application_id
WHERE
 acc.orphaned_date IS NULL
 AND trunc(sysdate) - trunc(acc.last_login_date) >= 90
 AND acc.is_shared = 'n'
 AND acc.is_disabled = 0
 AND acc.is_locked = 0
)

After configuring the reports, the implementation steps for the dashboard are now complete.

Thank you!

Please "hit reply" and share your feedback - we would love to see an image of this working in your environments.

We also want to know your ideas around similar kinds of dashboards/dashboard items that you want to see created