Identifying the Functionalities of the Reporting Service

Objective

After completing this lesson, you will be able to analyse with the Reporting Service.

Reporting Service

The provisioning report screenshot shows open report, select entry, check status, trigger re-processing of failed items.

The Provisioning Report is designed to help facilitate the provisioning of line items that were not successful in the initial trial. Line items include attributes such as user, access, application, action and status. The report also gives an overview of all provisioning requests that have been triggered in the system along with their status.

Whenever the provisioning (actual assignment of access / application to a user) fails, this report can be used to trigger a retry process for that line item. The provisioning job will then pick up this item again the next time.

You can use the report in the SAP Cloud Identity Access Governance Fiori Launchpad ReportProvisioning.

In general, this report consists of two main views:

  1. Master view (overview list)
  2. Detail view

The Master view is the entry point after opening the app. It provides an overview of all provisioning requests, which are sorted based on the last updated timestamp. In case you want to narrow down the result list, you can use the various filter and search options.

The Process column in the result list represents the categories to which the request belongs. There are 5 different categories:

  • Role Designer
  • Access Request
  • Access Certification
  • Access Control (AC) Bridge
  • Access Analysis

The Status column in the result list represents the overall aggregated status of the request. There are 5 different statuses:

  • Not started = Means that the provisioning job has not been scheduled for any new items which are ready to be provisioned.
  • In Process = Means that at least one of the to be provisioned line items has either Not started, Retry or In Process status. That means not all of the provisioning actions are successfully completed and there are still some open activities.
  • Failed = Means that the provisioning of all of the items of the request has failed.
  • Completed with Errors = Means that at least one item has failed and the remaining items are either successfully provisioned or deprovisioned.
  • Completed = Means that all the intended actions of the line items of the request are executed successfully (like provisioned or deprovisioned).

The Details view can be opened by selecting a specific entry of the result list. You will be forwarded to the so called Provisioning Log Details.

The header section of the details view contains the key figures of the request (the same as the result list). In case you want to narrow down the included items list of the request, you can use the various filter and search options.

The Items section below the header displays the details of the provisioning status per line item in this request. Here you have also the possibility to re-trigger the processing of either all or only specific failed items. You can use the Retry All button to start a re-provisioning for all failed items, or you can use the Retry button dedicated to a specific line item to start the re-provisioning. If there are not any failed items, the buttons are disabled by default. As soon as any Retry button is chosen, the status of the same line item is shown as In Process. Similarly, the aggregated status of the request is also updated to In Process.

The Refresh button is disabled for the request that has the status, In Process or Completed.

Note

The following request categories do not have any Retry button: Access Control (AC) Bridge, which includes SAP Access Control Access Request and SAP Access Control User Access Review Request.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/83f383d3123c4f57b036d2707ec2e730/479b80c756924092b2f7a1513b8a5d29.html?locale=en-US

The Mitigation Control Monitoring Report to keep track of the testing status of each mitigation.

The Mitigation Control Monitoring Report is used to keep track of the testing status of each mitigation control. The report lists the latest test results for each mitigation control including the user ID of the monitor who performed the test and the date of the testing.

You can access the report by opening the Mitigation Control Monitoring app in the SAP Cloud Identity Access Governance Fiori Launchpad.

In general, this report consists of one main view. The view is the entry point after opening the app and provides an overview, which is sorted based on the last updated timestamp. In case you want to search for a specific entry, you can use the search field option.

The Status column in the overview list represents the testing status of the mitigation control. There are 2 different status:

  • Pass = Means that the executed tests of the mitigation control based on the test plans were successful.
  • Fail = Means that the executed tests of the mitigation control based on the test plans have failed.

If you are interested in the test results, you can download them by clicking on the respective attached document in column Control Test Result.

Note

You have the option of downloading a complete set of test results by using the proper button, Download All Test Results.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/e30d5ce6336d4818ba1dfa370204f29a.html?locale=en-US

The User Mitigation Control Assignment Report to keep track of each mitigation control.

The User Mitigation Control Assignment Report is used to keep track of each mitigation control assignment. Specifically you can see details, like user and risk assignment and its validity dates itself, validity dates of the control, who assigned it and when it was assigned.

You can access the report by opening the User Mitigation Control Assignment app in the SAP Cloud Identity Access Governance Fiori Launchpad.

When you open the app, you will get an overview of assignments, which are sorted in ascending order based on the last updated timestamp. In case you want to narrow down the overview list, you can use the various filter and search options.

The following listing describes the several columns and its purpose:

  • Remediation Tag = When you are performing User Access Analysis, all remediation actions (refinement of access or assigning a mitigation control) are tagged. This column represents the specific remediation tag, which has already been entered.

    Note

    Only tagged Mitigation Controls appear in this report. When remediation actions - for example, assignment of Mitigation Controls, are performed in Access Request Approval, there is no need to provide a remediation tag. Therefore, those Mitigation Control assignments will not appear in this report.
  • User = This is the person who is being monitored by the mitigation control.
  • Mitigation Control = This is the name of the mitigation control.
  • Risk = Risk that has been mitigated using the mitigation control.
  • Valid From = This is the first effective date of the mitigation control.
  • Valid To = This is the last effective date of the mitigation control.
  • Updated By = This is the person who made the last change to the mitigation control.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/805261f35fd84c61943c025665707934.html?locale=en-US

The Access Refinement Report overview of all user access proposals.

The Access Refinement Report provides a holistic overview of all user access proposals (access removals), which have been accepted during user access analysis using the User Access Analysis page.

You can access the report by opening the Access Refinement app in the SAP Cloud Identity Access Governance Fiori Launchpad.

Make a note to find a short explanation about the access refinement actions on the User Access Analysis page to get a better understanding what information is shown.

On the User Access Analysis page, you performed access refinement to reduce the number of risks and eliminate unused access. You chose to either accept or reject these proposals and as a conclusion, all of those decisions are listed in this report.

The master view of the Access Refinement Report report is the entry point after opening the app and provides an overview, which is sorted based on the last updated timestamp. In case you want to search for a specific entry, you can use the search field options.

View the accepted proposals of the access refinement process and initiate further follow-up actions based on the information.

The Action column in the overview list represents the accepted actions of the access refinement process, such as removing access for a particular user.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/d02c3ed460674ad0ba883a8e0e012562.html?locale=en-US

Open Remediation Audit Log Report, view all remediation actions and details for audit compliance tracking.

The Remediation Audit Log Report is used to research actions taken during Access Analysis, which can be all refinements and remediations that have been taken on identified risks by yourself or others.

You can access the report by opening the Remediation Audit Log app in the SAP Cloud Identity Access Governance Fiori Launchpad.

The master view is the entry point after opening the app and provides an overview, which is sorted in descending order based on the last updated timestamp. In case you want to search for a specific entry, you can use the search field option.

The following listing describes the several columns and its purpose:

  • Remediation Tag ID = The tag assigned to a set of actions. When you are performing User Access Analysis, all remediation actions (refinement of access or assigning a mitigation control) are tagged. This column represents the specific remediation tag, which was entered.
  • User ID = The identifier of the person, which was affected by the actions.
  • Activity = Description of the actions taken during this session.
  • Updated By = This is the person who made the last change in this session.
  • Updated On = The date and time that this session was last worked on.

In the app, you can check the remediation actions that have been performed on the various users.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/11f922b28a8545d6bcfc1e91d8bb04a9.html?locale=en-US

Open Unused Access Report, filter for specific data, view and check the unused accesses listed.

The Unused Access Report report is used to list all unused accesses of various users.

You can access the report by opening the Unused Access app in the SAP Cloud Identity Access Governance Fiori Launchpad.

The master view is the entry point after opening the app and provides an holistic overview. In case you want to narrow down the result list, you can use the various filter and search options.

This report provides the following information:

  • (Unused) Access, which is assigned to the user
  • Description of the (unused) access
  • Application where the access is available (= access source)
  • User ID specifies the person, who has assigned this (unused) access
  • User name specifies the full name of the person, who has assigned this (unused) access
  • Valid to represents the assignment validity end date of the (unused) access
  • Risk count represents the amount of risks associated with this access

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/96f4b1ec2df9455492adaec07e6029f4/139860b4724c422898f564b0e915e195.html?locale=en-US

Open Unassociated Access Report, filter data, view and check unassociated accesses, select entry for access details.

The Unassociated Access Report is used to review all accesses (roles and groups), which are not part of any SAP Cloud Identity Access Governance business role. This report is primarily designated to support access administrators.

You can access the report by opening the Unassociated Access app in the SAP Cloud Identity Access Governance Fiori Launchpad.

The master view is the entry point after opening the app and provides an holistic overview. In case you want to narrow down the result list, you can use the various filter and search options.

If you want to get more details of a specific access, you can select the entry to navigate further to the Access Maintenance details page.

This report provides the following information:

  • Access, which is not associated to any business role
  • Description of the access
  • Application where the access is available (= access source)
  • Business Process which is associated with access
  • Subprocess as part of the business process
  • User Count represents the number of users who have this access assigned
  • Risk Count represents the amount of risks associated with this access

To check all unassociated accesses, you have to perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to ReportsUnassociated Access Report.
  3. Filter for specific data (optional).
  4. View and check the unassociated accesses.
  5. You can open the Access Maintenance details page by choosing the entry.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/96f4b1ec2df9455492adaec07e6029f4/540abcfcb8e44a5ca5251832a72f6f27.html?locale=en-US

Open Business Role Coverage, filter data, view and check coverage, optionally download result list for analysis.

The Business Role Coverage Report is used to show the total access per user and the percentage of that access granted through business roles.

You can access the report by opening the Business Role Coverage app in the SAP Cloud Identity Access Governance Fiori Launchpad.

The master view is the entry point after opening the app and provides an holistic overview. In case you want to narrow down the result list, you can use the various filter and search options.

This report provides the following information:

  • User specifies the person
  • Business role represents the business role, which is assigned to the user
  • Coverage represents the percentage of total accesses, which are granted through business roles
  • Total Access represents the amount of accesses (excluding business roles), which are assigned to the user

If you are interested in downloading your result list, you can do it using the correct button on the upper right corner.

To check all unassociated accesses, you have to perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to ReportsBusiness Role Coverage Report.
  3. Filter for specific data (optional).
  4. View and check the business role coverage.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/96f4b1ec2df9455492adaec07e6029f4/0690d9da060b452f92f6628376e7f56d.html?locale=en-US

Open Actively-Used Access Report, filter or search for specific data, view all actively-used accesses listed.

The Actively-Used Access Report is used to list all actively used access.

You can access the report by opening the Actively-Used Access app in the SAP Cloud Identity Access Governance Fiori Launchpad.

The master view is the entry point after opening the app and provides an holistic overview of all used accesses. In case you want to narrow down the result list, you can use the various filter and search options.

Furthermore, you have the possibility to sent an email link to this page to any interested stakeholder.

This report provides the following information:

  • Access, which is used
  • Description of the access
  • Application where the access is available (= access source)
  • Business Process which is associated with access
  • Subprocess as part of the business process
  • Risk count represents the amount of risks associated with this access
  • User Count represents the number of users who have this access assigned
  • Number of times used represents the number of how many times this access has been used by the total user count

To check all actively-used accesses, you have to perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to ReportsActively-Used Access Report.
  3. Filter for specific data (optional).
  4. View and check actively-used accesses.
  5. If you want to, you can sent an email link to this page.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/96f4b1ec2df9455492adaec07e6029f4/a295c54ac3f54e8e982018c1cff48fca.html?locale=en-US

Open Access Request Audit Log Report, filter or search, select entry, view complete audit log details displayed.

The Access Request Audit Log Report is used to view the access requests that have been submitted from the Create Access Request or Create Access Request for Others apps.

Note

You are only able to see the access requests that you are authorized to see. For more information, refer to Authorization Policy in SAP Cloud Identity Access Governance.

You can access the report by opening the Access Request Audit Log app in the SAP Cloud Identity Access Governance Fiori Launchpad.

In general, this report consists of two views:

  1. Master view (overview list)
  2. Details view

The Master view is the entry point after opening the app and provides an overview, which is sorted based on the creation timestamp. In case you want to narrow down the result list, you can use the various filter and search options.

The Status column in the result list represents the overall aggregated status of the request. There exists 6 different status:

  • In Process = Means that at least one of the to be provisioned line items has either Not started, Retry or In Process status. That means not all of the provisioning actions are successfully completed and there are still some open activities.
  • Rejected = Means that all line items (accesses) in the access request are rejected by the approver.
  • Canceled = Means that the requestor has canceled the access request.
  • Failed = Means that the provisioning of all of the items of the request has failed.
  • Completed with Errors = Means that at least one item has failed and the remaining items are either successfully provisioned or deprovisioned.
  • Completed = Means that all the intended actions of the line items of the request are executed successfully (like provisioned or deprovisioned).

The Details view can be opened by selecting a specific entry of the result list. You will be forwarded to the details view of the selected access request. On this page, you can see a complete end-to-end chronological list of all the actions that have been performed during the processing of this access request. Here you can see information about the action, dates and times, by whom was the action performed and it also lists details about requestor and approvers.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/83f383d3123c4f57b036d2707ec2e730/abb91c7ba36f49c38ce27f30f1309321.html?locale=en-US

Open Role Design Audit Log Report, filter data, select an entry, view complete audit log details displayed.

The Role Design Audit Log Report is used to research actions taken during the candidate business role design process.

Note

You are only able to see the role requests you are authorized to see. For more information, refer to Authorization Policy in SAP Cloud Identity Access Governance.

You can access the report by opening the Role Design Audit Log app in the SAP Cloud Identity Access Governance Fiori Launchpad.

In general, this report consists of two views:

  1. Master view (overview list)
  2. Details view

The Master view is the entry point after opening the app and provides an overview, which is sorted based on updated timestamp. In case you want to narrow down the result list, you can use the various filter and search options.

The Status column in the result list represents the overall aggregated status of the business role design process. There exists 4 different status:

  • Pending = Will be used for any process, which are not started yet.
  • In Process = Will be used when the process either in refine, activate, or reconcile stage.
  • Canceled = Will be used if the roles design process has been canceled.
  • Closed = Will be used if the role design process is fully completed.

The Details view can be opened by selecting a specific entry of the result list. You will be forwarded to the details view. On this page, you can see a complete end-to-end chronological list of all the actions that have been performed, starting from creation to reconciliation.

To check the access request and its details, you have to perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to ReportsRole Design Audit Log Report.
  3. Filter for specific data (optional).
  4. View the result list and select a specific role design process for further details.
  5. Check the detailed audit log.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/96f4b1ec2df9455492adaec07e6029f4/8b163875e6d04e1988a40090d071bcf0.html?locale=en-US

Open Unassigned Access Report, filter or search for specific data, view all unassigned access entries listed.

The Unassigned Access Report is used to list all unassigned accesses.

You can access the report by opening the Unassigned Access app in the SAP Cloud Identity Access Governance Fiori Launchpad.

The master view is the entry point after opening the app and provides an holistic overview of all unassigned accesses. In case you want to narrow down the result list, you can use the various filter and search options. You can also get more details of a specific access by selecting the entry.

This report provides the following information:

  • Access, which is not assigned to any user
  • Description of the access
  • Application where the access is available (= access source)
  • Business Process which is associated with access
  • Subprocess as part of the business process
  • Last modified on represents the timestamp of last action / update
  • Risk Count represents the amount of risks associated with this access

To check the access request and its details, you have to perform the following steps:

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/96f4b1ec2df9455492adaec07e6029f4/bba9cec82a694551a4c5e85b86c0c68b.html?locale=en-US

Open Privileged Access Monitoring Report, select an entry to view details of the privileged access session.

The Privileged Access Monitoring report is used to view and check all collected log data during a privileged access session. Every reviewer or any other responsible person has the possibility to check the synchronized log data in this report.

Keeping track of these log data are important for auditing and approval processes and thus all critical actions, which have been executed by the users, can be reviewed using this report.

You can access the report by opening the Privileged Access Monitoring app in the SAP Cloud Identity Access Governance Fiori Launchpad.

In general, this report consists of two views:

  1. Master view (overview list)
  2. Details view

The Master view is the entry point after opening the app and provides an overview of all executed privileged access sessions.

If you want to know the details about a privileged access session (for example, what actions have been performed), you can select the entry to navigate further to the details page.

This report provides the following information:

  • Application where the privileged access session has been started
  • Privileged Access represents the PAM ID (the user ID with elevated privileges)
  • User represents the PAM user (the user who requires emergency access and has started the session)
  • Reason Code, which has been selected on the PAM launchpad
  • Logged On represents the logon time of the PAM ID (start date and time of the session)
  • Logged Off represents the logoff time of the PAM ID (end date and time of the session)
  • Duration represents the time period from start to end of the session

To get the list of all executed privileged access sessions and its details, you have to perform the following steps:

Review all collected log data of the privileged access session, including actions, descriptions, and timestamps.

The details view of the Privileged Access Monitoring can be opened by selecting a specific entry of the result list. You will be forwarded to the details page to get the relevant information of the privileged access session, particularly all collected log data.

The page contains 3 sections:

  • Activity Reviews = Holds information about executed transactions that haven't been part of the allowed activity list, which were defined by the associated business role of the PAM ID. The business role will be assigned during the PAM ID creation step and there you are going to define what activities (transactions and permissions) are allowed to execute. If the PAM ID will use any transaction code, which is part of the authorization set of the business role, but was not declared as an allowed activity, then it will be listed in this section with the proper message (refer to PAM ID and its creation for further information).
  • Logs = Holds information about all collected log data. Here you can see, for example, all critical actions, which have been executed by the PAM ID. You see details which table and field were involved as well as any value changes and its type. The Logs section contains information about collected data from the "OS Command Log", "Transaction Log", "Change Log", "System Log" and "Security Audit Log".
  • Comments = Holds information about any additional comments.
Open Reprocess Missed HR Events, filter data, select user, decide and trigger action for missing events.

The Reprocess Missed HR Events Report is only relevant in a Hire-to-Retire context and is used to reprocess HR trigger events without creating an access request manually. There can be several reasons to trigger a reprocessing such as business rule or mandatory information have missed or any occurred application error.

You can access the report by opening the Reprocess Missed HR Events Report app in the SAP Cloud Identity Access Governance Fiori Launchpad.

In general, this report consists of two views:

  1. Master view (overview list)
  2. Details view

The Master view is the entry point after opening the app and provides a list of all failed HR events. In case you want to narrow down the result list, you can use the various filter and search options.

The result list shows all users for whom the missing events can be reprocessed.

This report provides the following information:

  • User Name = User's full name and the user ID in brackets
  • Last Triggered Date = Date when the event was last triggered.
  • Reason = Reason why the event was missed - for example, no proper business rule or application-related issue.
  • Status = Represents the overall status. Entries initially have the status New.

    Here you also have the possibility to select a user and trigger further actions like the reprocessing of the missed HR events. The following options (buttons) are available:

  • Retry = The record status changes from New to In Process. When the next HR triggers job is performed, a request is created.
  • Remove = The record is removed from the consideration pool and does not show up as an option to generate the request.
  • Refresh = Update the record status.

The Details view can be opened by choosing a specific entry of the result list. You will be forwarded to the details page to get relevant details relating to the missed HR event.

On this page, you have another main section, which includes all the fields that not only define the business rule configuration but are also user attributes that trigger events.

  • Field Name = The actual field name as displayed in the landscape where the user is maintained.
  • Field Description = The clear and useful description of the field.
  • Old Value = The value for this record before any changes are made.
  • New Value = The value for this record after any changes are made to one of the user attributes.

To check the access request and its details, you have to perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to ReportsReprocess Missed HR Events Report.
  3. Filter for specific data (optional).
  4. View the result list.
  5. Navigate further to the details page by choosing a specific entry.
  6. Select any user for whom you want to start the reprocess or removal.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/83f383d3123c4f57b036d2707ec2e730/7d7db8ae861341c68a8043cdd17fae96.html?locale=en-US

Open Risk Report, filter or search for specific data, select risk to view detailed information.

The Risk Report is used to list and view all available risks whether if the risk is active or inactive.

You can access the report by opening the Risk Report app in the SAP Cloud Identity Access Governance Fiori Launchpad.

In general, this report consists of two views:

  1. Master view (overview list)
  2. Details view

The Master view is the entry point after opening the app and provides a list of all available risks. In case you want to narrow down the result list, you can use the various filter and search options.

You can search for the risks itself, the functions assigned to them and their status. It also shows risk type (SOD, Critical Access or Critical Permission), business process and the defined risk level.

If you want to get more details of a specific risk, or if you want to know its content, you can choose a specific risk entry to navigate further to the details page. Here you get relevant details relating to Functions and Business Function Groups.

To check the access request and its details, you have to perform the following steps:

  1. Open SAP Cloud Identity Access Governance Fiori Launchpad (FLP).
  2. Navigate to ReportsRisk Report.
  3. Filter for specific data (optional).
  4. View the result list and navigate further to the details page by clicking on a specific risk entry.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/ad3ce41ad66d411f817a0af48e9927cd.html?locale=en-US

View risk report details: associated functions, business function group, actions, permissions, and related systems information.

The Details view can be opened by choosing a specific entry of the result list. You will be forwarded to the details page to get relevant details relating to Functions and Business Function Groups of the risk.

If you choose a specific function then its description and status is displayed. When you expand the header, you can also see the relevant Actions and the list of Permissions.

Similarly, if you choose a specific business function group then its description and type are displayed as well as the associated systems.

  1. View details of the selected risk.
  2. Select a function (select the function entry) and see the details like included actions and permissions.
  3. Select a business function group (choose the business function group entry) see the details like associated systems.

For more information, see SAP Help: https://help.sap.com/docs/SAP_CLOUD_IDENTITY_ACCESS_GOVERNANCE/9621f10c676c497a8355b7e36053e837/ad3ce41ad66d411f817a0af48e9927cd.html?locale=en-US

Learning

SAP FacebookSAP YoutubeSAP LinkedIn