1.2 Identity Manager Reporting Architecture

The following diagram shows the components of the Identity Manager reporting architecture:

Figure 1-1 Reporting Architecture

Each of the major components is described below:

Table 1-1 Major Components of the IDM Reporting Architecture

Component

Description

Identity Reporting Module

Browser-based application that generates reports by making calls to the Reporting Service.

Predefined Reports

The reporting module provides a set of predefined report definitions you can use to generate reports. In addition, it gives you the option to import custom reports defined in a third-party tool.

For details on the predefined reports, see Using Identity Manager Reports.

Report Packaging Tool

To facilitate the process of creating new reports, Novell provides the Novell Identity Manager Report Packaging Tool. You can customize reports in iReport and use the Report Packaging Tool to package them for use within the reporting module.

Reporting Service

Service that retrieves the data needed for report generation from the Identity Information Warehouse, which contains all report management information (such as report definitions and schedules), database views, and configuration information required for reporting.

To produce reports, the Reporting Service invokes the JasperReports engine, which compiles and executes report definitions according to schedules defined by the Report Administrator.

Identity Information Warehouse

Repository for the following kinds of information:

  • Report management information (such as report definitions, report schedules, and completed reports), database views used for reporting, and configuration information. This information is stored in tables within the idm_rpt_cfg schema.

  • Identity data collected by the Managed System Data Collector, IDM Event-Driven Data Collector, and Application Collector. This data is stored in tables within the idm_rpt_data schema.

  • Auditing data, which includes events collected by the Event Auditing Service (EAS). This data is stored in tables within the public schema.

The Identity Information Warehouse stores its data in the Security Information and Event Management (SIEM) database.

Data Collection Service

Service that collects information from various sources within an organization. The Data Collection Service includes three subservices:

  • The Managed System Data Collector uses a pull design model to retrieve data from one or more Identity Vault data sources. The collection runs on a periodic basis, as determined by a set of configuration parameters. To retrieve the data, the collector calls the Managed System Gateway Driver.

  • The IDM Event-Driven Data Collector uses a push design model to gather event data captured by the Data Collection Service Driver.

  • The Application Data Collector retrieves data from one or more non-managed applications by calling a REST endpoint written specifically for each application. Non-managed applications are applications within your enterprise that are not connected to the Identity Vault.

Data Collection Service Driver

Driver that captures changes to objects stored in an Identity Vault, such as accounts, roles, resources, groups, and team memberships. The Data Collection Service Driver registers itself with the Data Collection Service and pushes change events (such as data synchronization, add, modify, and delete events) to the Data Collection Service.

The information captured records changes to these objects:

  • User accounts and identities

  • Roles and role levels (hierarchical relationships between roles)

  • Groups

    NOTE: The reporting module does not support dynamic groups and only generates reports on static group data.

  • Group memberships

  • Provisioning Request Definitions (PRDs)

  • Separation of Duties (SoDs) definitions and violations

  • User entitlement associations

  • Resource definitions and resource parameters

  • Role and resource assignments

  • Identity Vault entitlements, entitlement types, and drivers
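A push-style collector that applies the change events listed above and keeps both the current state of each object and its earlier versions, as an added illustration that is not Novell's code: the event layout (seq, ts, kind, obj_type, obj_id, attrs), the object types, the WarehouseCollector class and the sample event stream are constructed assumptions. It keeps history because, as the Identity Vault Data Sources entry notes, reports cover past as well as current data, so the collector must be able to answer "who held role X at time T". It also handles two failure modes a push design has to cope with: a replayed event and a modify for an object the collector has never received.

```python
"""Added illustration (not Novell's code): a push-style collector that applies
the change events a driver sends (sync, add, modify, delete) and keeps both
current state and per-object history. Event layout, object types and sample
data are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]          # (object type, object id)


@dataclass(frozen=True)
class ChangeEvent:
    seq: int        # driver sequence number, strictly increasing
    ts: int         # time of the change (epoch seconds)
    kind: str       # "sync" | "add" | "modify" | "delete"
    obj_type: str   # "user", "role", "group", ...
    obj_id: str
    attrs: dict     # attributes carried by the event


class WarehouseCollector:
    """Keeps current objects plus [valid_from, valid_to) versions of each."""

    def __init__(self) -> None:
        self.current: Dict[Key, dict] = {}
        self.history: Dict[Key, List[list]] = {}   # key -> [[from, to|None, attrs], ...]
        self.last_seq = 0
        self.rejected: List[ChangeEvent] = []      # kept for later reconciliation

    def apply(self, ev: ChangeEvent) -> bool:
        if ev.seq <= self.last_seq:                # duplicate or replayed push
            self.rejected.append(ev)
            return False
        self.last_seq = ev.seq
        key = (ev.obj_type, ev.obj_id)
        if ev.kind in ("sync", "add"):             # full state of the object
            self._close(key, ev.ts)
            self._open(key, ev.ts, dict(ev.attrs))
        elif ev.kind == "modify":                  # partial update over known state
            if key not in self.current:
                self.rejected.append(ev)           # never seen: needs a sync first
                return False
            self._close(key, ev.ts)
            self._open(key, ev.ts, {**self.current[key], **ev.attrs})
        elif ev.kind == "delete":
            self._close(key, ev.ts)
            self.current.pop(key, None)
        else:
            self.rejected.append(ev)
            return False
        return True

    def _open(self, key: Key, ts: int, attrs: dict) -> None:
        self.current[key] = attrs
        self.history.setdefault(key, []).append([ts, None, attrs])

    def _close(self, key: Key, ts: int) -> None:
        versions = self.history.get(key)
        if versions and versions[-1][1] is None:
            versions[-1][1] = ts

    def as_of(self, obj_type: str, obj_id: str, ts: int) -> Optional[dict]:
        """State of one object at time ts, or None if it did not exist then."""
        for start, end, attrs in self.history.get((obj_type, obj_id), []):
            if start <= ts and (end is None or ts < end):
                return attrs
        return None

    def holders_of_role(self, role_id: str, ts: int) -> List[str]:
        """Users holding role_id at time ts: the 'past data' question a report asks."""
        holders = []
        for (obj_type, obj_id) in self.history:
            if obj_type != "user":
                continue
            attrs = self.as_of(obj_type, obj_id, ts)
            if attrs is not None and role_id in attrs.get("roles", []):
                holders.append(obj_id)
        return sorted(holders)


# Constructed sample stream, including a replayed event (seq 3 twice) and a
# modify for an object the collector has never received (carol).
SAMPLE_EVENTS = [
    ChangeEvent(1, 100, "sync", "user", "alice", {"cn": "alice", "roles": ["auditor"]}),
    ChangeEvent(2, 100, "sync", "user", "bob", {"cn": "bob", "roles": []}),
    ChangeEvent(3, 200, "modify", "user", "bob", {"roles": ["auditor", "approver"]}),
    ChangeEvent(4, 300, "modify", "user", "alice", {"roles": []}),
    ChangeEvent(3, 200, "modify", "user", "bob", {"roles": ["auditor", "approver"]}),
    ChangeEvent(5, 400, "delete", "user", "bob", {}),
    ChangeEvent(6, 450, "modify", "user", "carol", {"roles": ["approver"]}),
]


def load_sample() -> WarehouseCollector:
    collector = WarehouseCollector()
    for ev in SAMPLE_EVENTS:
        collector.apply(ev)
    return collector


if __name__ == "__main__":
    c = load_sample()
    for t in (150, 250, 350, 500):
        print(t, c.holders_of_role("auditor", t))
    print("rejected:", [(e.seq, e.obj_id) for e in c.rejected])
```

The rejected list matters for auditing: a replayed event is harmless to ignore, but a modify for an unknown object means the collector's picture of the vault is incomplete until a sync for that object arrives, and a report built in the meantime would silently omit it.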

Managed System Gateway Driver

Driver that collects information from managed systems. To retrieve the managed system data, the driver queries the Identity Vault. The data retrieved includes the following:

  • List of all managed systems

  • List of all accounts for the managed systems

  • Entitlement types, values, and assignments (groupings), as well as user account profiles for the managed systems

Security Service

Service that controls access to all other services within the reporting module. The Security Service includes these key components:

  • A stand-alone authentication service that provides several functions through REST, including programmable authentication, token validation, token expiration notification, and attribute retrieval for an identity.

  • An authentication module within the core service that handles authentication within the scope of the core service and retrieves additional identity attributes.

  • An authorization module within the core service that controls what an authenticated user can do with reporting resources. This module defines access control policies for resources and determines the permissions based on attributes of the authenticated user, access control policy, and the resource being accessed.
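The token validation, expiration check and attribute-based authorization that the three components above describe, as an added illustration that is not Novell's code and not the Security Service's actual API: a token carries the identity, its attributes and an expiry under an HMAC; the validator rejects tampered or expired tokens in constant time; and a default-deny policy decides from the subject's role attribute, the policy entry and the resource being accessed. SECRET, POLICY, the role and resource names and the functions issue_token, validate_token, seconds_until_expiry, authorize and check_request are all constructed assumptions.

```python
"""Added illustration (not Novell's code, not the Security Service API): token
validation with expiry plus attribute-based authorization. Every name, attribute,
policy entry and key below is a constructed assumption."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-key"  # assumption: a real service manages its own key material


def issue_token(identity: str, attributes: dict, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Mint a signed token carrying the identity, its attributes and an expiry."""
    now = time.time() if now is None else now
    payload = {"sub": identity, "attrs": attributes, "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload only if the signature checks and the token is unexpired."""
    now = time.time() if now is None else now
    body, sep, sig = token.rpartition(".")
    if not sep:
        return None                               # malformed
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return None
    payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    if payload["exp"] <= now:                     # expired
        return None
    return payload


def seconds_until_expiry(token: str, now: Optional[float] = None) -> Optional[float]:
    """Expiration-notification helper: time left on a valid token, else None."""
    now = time.time() if now is None else now
    payload = validate_token(token, now)
    return None if payload is None else payload["exp"] - now


# Access control policy: (resource type, action) -> who may do it. Anything not
# listed is denied. "owner_scoped" restricts non-admins to resources they own.
POLICY = {
    ("report_definition", "read"):  {"roles": {"report_admin", "report_viewer"}},
    ("report_definition", "write"): {"roles": {"report_admin"}},
    ("schedule", "write"):          {"roles": {"report_admin"}},
    ("completed_report", "read"):   {"roles": {"report_admin", "report_viewer"},
                                     "owner_scoped": True},
}


def authorize(payload: dict, resource: dict, action: str) -> bool:
    """Decide from subject attributes, the policy entry and the resource."""
    rule = POLICY.get((resource["type"], action))
    if rule is None:
        return False                              # default deny
    role = payload["attrs"].get("role")
    if role not in rule["roles"]:
        return False
    if rule.get("owner_scoped") and role != "report_admin":
        return resource.get("owner") == payload["sub"]
    return True


def check_request(token: str, resource: dict, action: str,
                  now: Optional[float] = None) -> str:
    """Full gate: authenticate the token first, then authorize the action."""
    payload = validate_token(token, now)
    if payload is None:
        return "unauthenticated"
    return "allowed" if authorize(payload, resource, action) else "forbidden"


if __name__ == "__main__":
    tok = issue_token("alice", {"role": "report_viewer"}, ttl_seconds=3600)
    print(check_request(tok, {"type": "report_definition", "id": "r1"}, "read"))
    print(check_request(tok, {"type": "schedule", "id": "s1"}, "write"))
    print(seconds_until_expiry(tok))
```

The order in check_request is deliberate: authorization never runs on an unvalidated token, and the policy lookup returns deny for any (resource type, action) pair it does not know, so adding a new resource type to the module requires an explicit policy entry before anyone can touch it.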

Event Auditing Service (EAS)

Captures log events associated with actions performed in several Novell products, including the reporting module, the Roles Based Provisioning Module (RBPM), the Role Mapping Administrator (RMA), and eDirectory. These events are stored in the public schema within the warehouse.

You have the option to forward these events to Sentinel. If you choose to forward events, you can then use Sentinel to create a more holistic view of all of the activity within your enterprise. Sentinel lets you assimilate logs and other security information from various heterogeneous input sources, giving you visibility and accountability into the various activities within the enterprise.

Identity Vault Data Sources

Repositories for identity information. The Identity Reporting Module allows you to report on state information in the Identity Vault, such as which users have been provisioned with particular resources, or which users have been assigned to particular roles. You can report on current and past data from the Identity Vault.

The Identity Vault Data Sources page allows you to specify which Identity Vaults you want to report on, and provide information about where the reporting module can find these vaults. You can include data sources for one or more Identity Vaults on the Identity Vault Data Sources page.

Managed Systems

A system in an enterprise that is connected to the Identity Vault with an Identity Manager driver. The Identity Reporting Module allows you to report on state information about the managed systems. For example, the reports allow you to determine whether a particular user known to the Identity Vault exists in Active Directory. The Identity Reporting Module allows you to report on current and past data from managed systems.

Applications

Any non-managed application running in an enterprise. A non-managed application is an application that is not connected to the Identity Vault.

To include information from a non-managed application, you need to implement a REST endpoint, as outlined in Section 13.2, Non-Managed Application REST API. You also need to configure a custom data source for the application on the Non-Managed Application Data Sources page within the reporting module, as described in Section 9.3, Defining the Settings for Non-Managed Applications.

The following diagram shows the components of the EAS architecture:

Figure 1-2 EAS Architecture

EAS provides these connectors for capturing events from various Novell data sources:

Different Novell applications use different connectors:

When you configure EAS to work with the reporting module, you need to provide ports for these connectors on the Auditing page within the user interface for the reporting module.