1.2 Identity Manager Reporting Architecture

The following diagram shows the components of the Identity Manager reporting architecture:

Figure 1-1 Reporting Architecture

Each of the major components is described below:

Table 1-1 Major Components of the IDM Reporting Architecture

Component	Description
Identity Reporting Module	Browser-based application that generates reports by making calls to the Reporting Service.
Predefined Reports	Set of predefined report definitions you can use to generate reports. You can also import custom reports you define in a third-party tool. For details about the predefined reports, see Using Identity Manager Reports.
Report Packaging Tool	Facilitates the process of creating new reports. You can customize reports in iReport and use the Report Packaging Tool to package them for use within the Reporting Module.
Reporting Service	Service that retrieves the data needed to generate reports from the Identity Information Warehouse, which contains all report management information (such as report definitions and schedules), database views, and configuration information required for reporting To produce reports, the Reporting Service invokes the JasperReports engine, which compiles and executes report definitions according to schedules that the Report Administrator defines.
Identity Information Warehouse	Repository for the following kinds of information: Report management information (such as report definitions, report schedules, and completed reports), database views used for reporting, and configuration information. This information is stored in tables within the idm_rpt_cfg schema. Identity data collected by the Managed System Data Collector, IDM Event-Driven Data Collector, and Application Collector. This data is stored in tables within the idm_rpt_data schema. Auditing data, which includes events that the EAS collects. This data is stored in tables within the public schema. The Identity Information Warehouse stores its data in the Security Information and Event Management (SIEM) database.
Data Collection Service	Service that collects information from various sources within an organization. The Data Collection Service includes three subservices: The Managed System Data Collector uses a pull design model to retrieve data from one or more Identity Vault data sources. The collection runs on a periodic basis, as determined by a set of configuration parameters. To retrieve the data, the collector calls the Managed System Gateway Driver. The IDM Event-Driven Data Collector uses a push design model to gather event data that the Data Collection Service Driver captures. The Application Data Collector retrieves data from one or more non-managed applications by calling a REST endpoint written specifically for each application. Non-managed applications are applications within your enterprise that are not connected to the Identity Vault.
Data Collection Service Driver	Driver that captures changes to objects stored in an Identity Vault, such as accounts, roles, resources, groups, and team memberships. The Data Collection Service Driver registers itself with the Data Collection Service and pushes change events (such as data synchronization, add, modify, and delete events) to the Data Collection Service. The information that the driver captures records changes to these objects: User accounts and identities Roles and role levels (hierarchical relationships between roles) Groups NOTE:The Reporting Module does not support dynamic groups and only generates reports on static group data. Group memberships Provisioning Request Definitions (PRDs) Separation of Duties (SoDs) definitions and violations User entitlement associations Resource definitions and resource parameters Role and resource assignments Identity Vault entitlements, entitlement types, and drivers
Managed System Gateway Driver	Driver that collects information from managed systems. To retrieve the managed system data, the driver queries the Identity Vault. The driver retrieves the following information: List of all managed systems List of all accounts for the managed systems Entitlement types, values, and assignments (groupings), and user account profiles for the managed systems
Security Service	Service that controls access to all other services within the Reporting Module. The Security Service includes these key components: A stand-alone authentication service that provides several functions through REST, including programmable authentication, token validation, token expiration notification, and attribute retrieval for an identity. An authentication module within the core service that performs internal functions such as performing authentication within the scope of the core service and retrieving additional identity attributes. An authorization module within the core service that controls what an authenticated user can do with reporting resources. This module defines access control policies for resources and determines the permissions based on attributes of the authenticated user, access control policy, and the resource being accessed.
Event Auditing Service (EAS)	Captures log events associated with actions performed in several NetIQ products, including the Reporting Module, the Roles Based Provisioning Module (RBPM), Catalog Administrator, and eDirectory. These events are stored in the public schema within the warehouse. You have the option to forward these events to Sentinel. If you choose to forward events, you can then use Sentinel to create a more holistic view of all the activity within your enterprise. Sentinel lets you assimilate logs and other security information from various heterogeneous input sources, giving you visibility and accountability into the various activities within the enterprise.
Identity Vault Data Sources	Repositories for identity information. The Reporting Module allows you to report on state information in the Identity Vault, such as which users have been provisioned with particular resources, or which users have been assigned to particular roles. You can report on current and past data from the Identity Vault. The Identity Vault Data Sources page allows you to specify which Identity Vaults you want to report on, and provide information about where the Reporting Module can find these vaults. You can include data sources for one or more Identity Vaults on the Identity Vault Data Sources page.
Managed Systems	A system in an enterprise that is connected to the Identity Vault with an Identity Manager driver. The Reporting Module allows you to report on state information about the managed systems. For example, the reports allow you to determine that a particular user known to the Identity Vault exists in Active Directory. The Reporting Module allows you to report on current and past data from managed systems.
Applications	Any non-managed application running in an enterprise. A non-managed application is an application that is not connected to the Identity Vault. To include information from a non-managed application, implement a REST endpoint as outlined in the REST API documentation. Also configure a custom data source for the application on the Non-Managed Application Data Sources page within the Reporting Module, as described in the REST API documentation. The Reporting installation program deploys a special API WAR file, rptdoc.war, which contains the documentation of REST services needed for reporting. For more information accessing the REST API documentation, see Section 12.0, REST Services for Reporting.

The following diagram shows the components of the EAS architecture:

Figure 1-2 EAS Architecture

EAS provides these connectors for capturing events from various NetIQ data sources:

Syslog SSL Connector
Syslog UDP Connector
Audit Connector

Different NetIQ applications use different connectors:

You can configure the Catalog Administrator to use the Audit Connector or the Syslog SSL Connector.
You can configure Identity Manager and eDirectory to use the Audit Connector or the Syslog SSL Connector.
The RBPM uses the Audit Connector.

When you configure EAS to work with the Reporting Module, provide ports for these connectors on the Auditing page within the user interface for the Reporting Module.