1. Introduction / Use cases

NetIQ Access Governance (SailPoint IIQ) provides several Out of the Box (OOTB) Report Templates that can report on inactive users, but no template is available that displays Inactive Identities with an Active Application Account (i.e. IIQDisabled is null or false).

This solution will explain the steps to build a custom report template and Java data source to generate a custom report which will show terminated identities whose application accounts are still enabled.

2. Understand the Access Governance Reports Model

If you would like to understand the SailPoint reporting module, please follow the link below:


2.1 Task Definition
In SailPoint, a report is executed as a specialized task. The root element of a report is a <TaskDefinition> element, and the report template is saved as a TaskDefinition object (XML).

This XML contains Arguments, Reporting columns, Report data source, Rights etc.

2.2 Report Data Source
The data shown in the detail section of the report is retrieved through a query that is built from a combination of the <DataSource> specification and the <Columns> element. In general, a query is specified in three parts: Select, From, and Where. The Select portion (the columns list) is specified through the <Columns> element in the report definition, specifically the <ReportColumnConfig>s listed within the <Columns> element. The From and Where clauses are specified through the <DataSource> element.

There are three available datasource types: Filter, Java, and HQL. In this example, I have used the Java datasource.

3. Create Template and Data Source

3.1 Create and Import Report Template
I have provided a sample Report Template (TaskDefinition XML) that takes two arguments: a list of applications to exclude from the report, and the Identity Status (Active / Inactive).


Download the XML file and import it using the checkin command from the console.

3.2 Create and Deploy Java Data Source
The report template refers to the datasource class “sailpoint.reporting.datasource.CustomUserDataSource”. The source code of the datasource can be downloaded from here.


You need ags.jar and jasperreports-javaflow-4.5.0.jar to compile the code and create a JAR file. Deploy the JAR file into the ags/WEB-INF/lib directory and restart the web server.

Here is the compiled JAR file (remove the .txt extension). You can simply deploy this JAR file and test the given Report template.
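
The query at the heart of such a data source can be sketched as follows. This is an added example, not the downloadable CustomUserDataSource code: the class name TerminatedIdentityAccountQuery is hypothetical, and it assumes the Link object exposes the properties identity.inactive, iiqDisabled, application.name and nativeIdentity, with ags.jar on the classpath.

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;

import sailpoint.api.SailPointContext;
import sailpoint.object.Filter;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.GeneralException;

/** Added example (hypothetical class): the core query for this report. */
public class TerminatedIdentityAccountQuery {

    /**
     * Returns rows of {identity name, application name, account name} for
     * accounts that are still enabled (iiqDisabled null or false) and are
     * owned by inactive identities.
     *
     * @param excludedApps application names to leave out (may be null or empty)
     */
    public static List<Object[]> find(SailPointContext context,
                                      List<String> excludedApps)
            throws GeneralException {
        QueryOptions qo = new QueryOptions();
        // The owning identity is flagged inactive (terminated).
        qo.addFilter(Filter.eq("identity.inactive", true));
        // The account is still enabled: the flag was never set (null)
        // or is explicitly false. Checking only "false" misses the nulls.
        qo.addFilter(Filter.or(Filter.isnull("iiqDisabled"),
                               Filter.eq("iiqDisabled", false)));
        // Optional exclusion list, matching the template's application argument.
        if (excludedApps != null && !excludedApps.isEmpty()) {
            qo.addFilter(Filter.not(Filter.in("application.name", excludedApps)));
        }
        qo.addOrdering("identity.name", true);

        List<Object[]> rows = new ArrayList<Object[]>();
        // Projection search: fetch only the reported columns, not full Links.
        Iterator<Object[]> it = context.search(Link.class, qo,
                "identity.name,application.name,nativeIdentity");
        while (it.hasNext()) {
            rows.add(it.next());
        }
        return rows;
    }
}
```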


4. Create and Execute Report

Go to Reports tab and click on “Terminated Identities With Application Access Enabled” template:

Name the Report and click on Next:

Check the “Only show terminated users?” box and click on Next:

Choose Sort By and Group By and click on Save and Execute:

The report will be executed and displayed as below:


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Koushik Halder
Feb 13, 2018
8:35 am