Viewing Default Reports

This section covers how to open a report, and provides some basic information on each of the default reports.

Opening a Report

You open a report by going to the report folder URL in Internet Explorer. Click a report to open it.

In general, you and your users access the reports from a URL. The URL has a format like this:

"http://hostname/Reports_reportDBname"

Filtering Report Data by Zone

When you view a report, you can filter the report data by zone. In the zone drop-down filter, report services lists each zone by its full zone hierarchy, so that you can choose based on parent or child zones. For example, if you have a child zone named California as part of a parent zone West which is part of the parent zone United States, the zone appears in the list as "United States/West/California.

Zones are listed in the zone drop-down filter in alphabetical order, and the first zone in the list is the default zone. When you first open a report, report services initially generates the report data based on the default zone.

Default Access Manager Reports

Report Services Reports: Not Specific to Classic or Hierarchical Zones

Report Name Report description Filter the results with these fields
Authorization report This report lists each computer or user account, and which users are allowed to access each computer. Access Level Computer domain Computer Name User domain User name User Type Zone Zone domain
Computers Summary report Lists computer account information for each computer in each zone. Computer domain Computer name Platform Zone Zone domain Zone type
Delegation report Lists which users, groups, computers, group managed service accounts (gMSA), managed service accounts (MSA), and which well-known SIDs have which delegation tasks. Delegation Task Target Target Domain Target Name Trustee Trustee Domain Trustee Type Zone
Effective delegation report Lists which Active Directory users, Active Directory groups, group managed service accounts (gMSA), and managed service accounts (MSA) have which delegation tasks. Active Directory User Domain Active Directory User Name Delegation Task Target Target Domain Target Name Zone
Groups report Lists group information for each group in each zone, including the Active Directory group name, the UNIX group name, the UNIX group identifier (GID), and whether the group is an orphan. If the group is for local users, the local group status indicates whether the group is enabled or disabled for local access. Active Directory Group name Active Directory Group domain Group Type Is Orphan Local Group Status UNIX Group Name Zone Zone Domain Zone Type
Stale Computers report Lists the stale computers. Stale computers are those where the password hasn’t changed for 90 or more days. Computer Domain Computer Name Zone Zone domain
User Accounts Report Lists account details for Active Directory users who are related to each zone. The report includes the Active Directory display name, the Active Directory login name, the Active Directory domain for the account, and details about the account status, such as whether the account is configured to expire, locked out, or disabled and the date and time of the account’s last login. Active Directory user name Domain Enabled
Users Report Lists user information for each user in each zone. If the user is a local user, the local user status indicates whether the user is enabled or disabled for local access. Active Directory user Active Directory user domain UNIX name Enabled Is Orphan Local User Status User Type Zone Zone domain Zone type
Zone Role Privileges Report Lists the roles that are defined for each hierarchical zone and the rights granted by each of these roles. Right name Right type Role name Zone Zone domain Zone type
Zones Report Lists the administrative tasks and properties for each zone and the users or groups have been delegated to perform each task. This report indicates which users or groups have permission to perform specific tasks, such as add groups, join computers to a zone, or change zone properties. Zone Zone domain

Delinea Report Services Reports: Classic Zone Reports

New default report New report description Filter the results with these fields
Classic Zone - User Privileged Command Rights Report Lists the privileged commands that each user has permission to run and the scope to which the user’s rights apply. Classic zone Privileged command name User name Zone domain
Classic Zone - User Role Assignment Report Lists information from the UNIX profile for each user in each classic zone. Lists the role assignments for each user in each zone. The report includes the domain name, user profile name, the list of roles the user is assigned to in each zone, and the scope to which the user’s role assignment applies. Classic zone Role User domain User name Zone domain

Delinea Report Services Reports: Hierarchical Zone Reports

New default report New report description Filter the results with these fields
Hierarchical zone - Computer Role Assignments Report Lists the computer roles that are defined for each zone. The report includes the users and groups and their associated roles. Role name Computer Role name Zone Zone domain
Hierarchical zone - Computer Role Effective Assignments Report Lists the roles assigned on each computer. There are separate reports for UNIX and Windows computers. Computer role Right Right type Role User Domain User Name Zone Zone Domain
Hierarchical Zone - Computer Role Membership Report Lists the computer roles that are defined for each computer and the zone to which they belong. Computer Domain Computer Name Computer Role in Zone Computer Role Name Join To Zone Domain
Hierarchical Zone - Effective Audit Level Report Lists the audit level in effect for computers in each zone. computer domain computer name User domain user name zone zone domain
Hierarchical Zone - Effective Rights Report Lists the privileges granted on each computer and the effective rights for each Windows and UNIX user on each computer. computer domain computer name Right Right type Role User domain user name zone zone domain
Hierarchical Zone - Effective Role Report Lists the role assignment on each computer in the zone. computer domain computer name Role User domain user name zone zone domain
Hierarchical Zone - Users Report Lists the users and the computers to which they have access in the zone. If the user is a local user, the local user status indicates whether the user is enabled or disabled for local access. Active Directory user Active Directory user domain Computer Computer domain Is orphan Is secondary Local User Status UNIX name User type Zone Zone domain
Hierarchical Zone - Zone Effective Assignments Report Lists the roles that are defined for each hierarchical zone and the rights granted by each of these roles, including where each right is defined. There are separate reports for UNIX and Windows users. Right Right type Role User domain user name zone zone domain

Default SOX Attestation Reports

To help your department comply with Sarbanes-Oxley audit requirements, Delinea provides some default SOX reports. These reports show you who has access to computers, what roles and rights users have, and similar data that’s needed to show SOX compliance.

SOX reports provide the following kinds of information:

  • Computers: Who has access to these computers, what are the roles, rights, and groups that they belong to
  • Groups: Which users are in which groups, what are the roles, rights, and what computers can these users access
  • Users: What their role assignments are, what rights the users have, which groups they belong to, and which computers they have access to
  • Roles: Which computers the rules have access to, what rights are assigned to the group, and which groups are assigned to which roles

You can find the SOX reports in SSRS by going to the Centrify Report Services > Attestation > SOX reports folder.

In larger environments, you can save processing time when running an attestation report (PCI or SOX report) by choosing to exclude the chart from the report. When you open the report, select True for the Exclude chart for faster report generation option.

For a description of how report services calculates the data for the charts in the SOX reports, see How objects are counted for the PCI and SOX report charts.

Here is a list of the SOX reports, along with a brief description and how you can filter the results.

Report name Report description Filter the results with these fields
SOX - Login Report - By Computer For each computer, this report displays the users who can log in. For each user who can log in, the report shows the role, assignment location, and assignee. Computer Computer group Computer role Zone Zone Domain Zone Type
SOX - Login Report - By Group For each Active Directory group, this report lists the computers and role assignment information. Active Directory group Zone Zone Domain Zone Type
SOX - Login Report - By Role For each role, this report lists the computers assigned to that role. Role Zone Zone Domain Zone Type
SOX - Login Report - By User For each user, this report lists the computers that the user can access as well as the role assignment information. User Zone Zone Domain Zone Type
SOX - Login Summary Report This report provides a summary of who can log in to which computer. Computer Computer group Computer role Local User Status User User group User type Zone domain Zone type Zone
SOX - Rights Report - By Computer For each computer, this report lists the users who have which login and other privileges and what the role assignments are. Computer Computer Group Computer role Right type Zone Zone Domain Zone Type
SOX - Rights Report - By Group For each Active Directory group, this report lists the computers have which login and other privileges and what the role assignments are. Active Directory group Right type Zone Zone Domain Zone Type
SOX - Rights Report - By Role For each role, this report lists the computer and rights available on that computer. Role Zone Zone Domain Zone Type
SOX - Rights Report - By User For each user, this report lists the Active Directory group, computers, and role assignment. Right type User Zone Zone Domain Zone Type
SOX - Rights Summary Report This report provides a summary of which rights are granted to which users on which computers. Computer Computer group Computer role Local User Status Right type User group User User type Zone Zone Domain Zone type
When you view the collection of reports in Internet Explorer, you may also see some sub-reports listed. These are not actual reports but views that support the actual reports; due to a limitation with Microsoft SSRS, these sub-reports may display even though they’re not meant to be used. Please do not click any reports that have names that begin with SubReport.
In these reports, Computer Role and Computer Group filters return records assigned to those roles or groups but not where the role assignment is defined. For example, if you filter records for Zone1_CompRoleA, the report lists all computers that are in the computer role named Zone1_CompRoleA.
The charts in the PCI & SOX reports do not consider role assignments that are granted to “All Active Directory Users,” and the reports only consider role assignments that are granted to specific users and groups when counting computer access and privileges. On the other hand, the detailed report shows all the login and privilege information from all role assignments (including those that are granted to “All Active Directory Users”).

Default PCI Attestation Reports

To help your department comply with PCI audit requirements, Delinea provides some default PCI attestation reports. These reports show you who has access to computers, what roles and rights users have, and similar data that’s needed to show PCI compliance.

PCI reports provide the following kinds of information:

  • Computers: Which users have access to these computers, what are their roles and rights
  • Groups: Which users are in which groups, what are their roles and rights, and which computers do they have access to
  • Users: What role is the user assigned to, what rights does the user have, and which computers does the user have access to
  • Roles: What computers do these roles have access to and what rights do they have

You can find the PCI reports in SSRS by going to the Centrify Report Services > Attestation > PCI reports folder.

In larger environments, you can save processing time when running an attestation report (PCI or SOX report) by choosing to exclude the chart from the report. When you open the report, select True for the Exclude chart for faster report generation option.

For a description of how report services calculates the data for the charts in the PCI reports, see How objects are counted for the PCI and SOX report charts.

Here is a list of the PCI reports, along with a brief description and how you can filter the results.

Report name Report description Filter the results with these fields
PCI - Login Report - By Computer For each computer, this report displays the users who can log in. For each user who can log in, the report shows the role, assignment location, and assignee. Computer Computer group Computer role Zone Zone Domain Zone Type
PCI - Login Report - By Group For each Active Directory group, this report lists the computers and role assignment information. Active Directory group Zone Zone Domain Zone Type
PCI - Login Report - By Role For each role, this report lists the computers assigned to that role. Role Zone Zone Domain Zone Type
PCI - Login Report - By User For each user, this report lists the computers that the user can access as well as the role assignment information. User Zone Zone Domain Zone Type
PCI - Login Summary Report This report provides a summary of who can log in to which computer. Computer Computer group Computer role Local User Status User User group User type Zone domain Zone type Zone
PCI- Rights Report - By Computer For each computer, this report lists the users who have which login and other privileges and what the role assignments are. Computer Computer Group Computer role Right type Zone Zone Domain Zone Type
PCI- Rights Report - By Group For each Active Directory group, this report lists the computers have which login and other privileges and what the role assignments are. Active Directory group Right type Zone Zone Domain Zone Type
PCI- Rights Report - By Role For each role, this report lists the computer and rights available on that computer. Role Zone Zone Domain Zone Type
PCI- Rights Report - By User For each user, this report lists the Active Directory group, computers, and role assignment. Right type User Zone Zone Domain Zone Type
PCI - Rights Summary Report This report provides a summary of which rights are granted to which users on which computers. Computer Computer group Computer role Local User Status Right type User group User User type Zone Zone Domain Zone type
When you view the collection of reports in Internet Explorer, you may also see some sub-reports listed. These are not actual reports but views that support the actual reports; due to a limitation with Microsoft SSRS, these sub-reports may display even though they’re not meant to be used. Please do not click any reports that have names that begin with SubReport.
In these reports, Computer Role and Computer Group filters return records assigned to those roles or groups but not where the role assignment is defined. For example, if you filter records for Zone1_CompRoleA, the report lists all computers that are in the computer role named Zone1_CompRoleA.
The charts in the PCI & SOX reports do not consider role assignments that are granted to “All Active Directory Users,” and the reports only consider role assignments that are granted to specific users and groups when counting computer access and privileges. On the other hand, the detailed report shows all the login and privilege information from all role assignments (including those that are granted to “All Active Directory Users”).

How Objects are Counted for the PCI and SOX Report Charts

This section describes how objects are counted for the charts that you see in the PCI & SOX reports.

Login Report Charts

In login reports, we count how many computers each user can log in to, how many users can log in to each computer, and how many roles are granted with login rights.

In hierarchical zones, a role is considered to be granted with a login right if one or more of the following rights are granted to the role:

  • Console login is allowed
  • Remote login is allowed
  • Password login and non-password login are allowed
  • Non password login is allowed

In classic zones, a role is considered to be granted with a login right if at least one PAM right is granted to the role.

In the graphs that report the number of users who can log in to a computer, or the number of computers that a user is logged in to; the graphs only consider effective users. An effective user is one who has a complete user profile in a classic zone. In hierarchical zones, an effective user must also have been granted the login right through any role that is assigned to users/groups. Note that a “login right” obtained from a role that is assigned to “All AD users” is not considered in the graphs.

A local user is counted as an effective user in hierarchical zones if the user is granted the “User is visible” right from any effective role assignment.

Login Report – By Computer charts

Computers with Most Access chart

This chart ranks the computers by the number of effective users and shows the top 10 computers.

User Roles Count for Computers with Most Access chart

This chart ranks the computers by the number of roles that assign login rights to users or groups on the computer.

Users with Most Access chart

This chart ranks the users by the number of computers that each one can log in to, and shows the top 10 users.

Login Report – By Group charts

Roles with Most Access chart (by Group)

This chart ranks all the roles that are assigned to any group by the number of computers that the role grants login access to (regardless of how many groups are assigned to each role), and shows the top 10 roles.

Groups with Most Members chart

This chart shows the top 10 groups that have most members, including those from nested groups.

Login Report – By Role charts

Roles with Most Access chart (by Role)

This chart ranks all the roles that are assigned by the number of computers that the role grants login access to, and shows the top 10 roles.

Roles with Most Users chart

This chart ranks the number of users for which each role is effective (regardless of the role assignment scope), and shows the top 10 roles.

Roles with Most Rights chart

This chart ranks the assigned roles (regardless of the role assignment scope) with login rights by the number of granted privilege access rights.

Login Report – By User charts

Users with Most Access On Computers chart

This chart ranks the users by the number of computers that each one can log into, and shows the top 10 users.

Login Roles Count for Users with Most Access On Computers chart

This chart ranks the users by the number of effective roles that grant login access to any computer, and shows the top 10 users.

Login Summary Report charts

Computers With Most Access chart

This chart ranks the computers by the number of effective users and shows the top 10 computers. Both Active Directory and local effective users are considered.

Users With Most Access chart

This chart ranks all effective users by the number of computers that each user can log into, and shows the top 10 users.

Rights Report Charts

In each rights report, the privileged access right enables the user to create additional working environments or to run specified applications with different privileges. The following five privileged access rights are included in rights reports.

  • Network Access right
  • Desktop right
  • Application right
  • Commands
  • Use restricted environment

Each privileged access right is counted in the reports only when the role with one of these rights is assigned to users and/or groups. However, the privileged right granted using ‘All AD user’ is not counted.

Rights Report – By Computer Charts

Computers with Most Privileged Access chart

This chart ranks the computer by the number of distinct privileged access rights that are effective on each computer, and shows the top 10 computers. A privileged access right is counted as one regardless of the number of users or roles that is granted or assigned the right in the computer.

Computer Roles with Most Privileged Access Chart

This chart ranks all the computer roles by the number of distinct privileged access rights assigned to each computer role, and shows the top 10 computer roles.

Privileged Access with Most Computers Chart

This chart ranks all privileged access rights by the number of computers that each right is effective on, and shows the top 10 rights.

Rights Report – By Group Charts

Groups with Most Privileged Access Chart

This chart ranks the group by the number of distinct privilege access rights granted to each group, and shows the top 10 groups. The privilege access rights are evaluated based on all roles that are assigned to groups, regardless of the scope of the assignments.

Rights Report – By Role Charts

Computer Roles with Most Privileged Access Chart

This chart ranks all the computer roles by the number of distinct privileged access rights assigned to each computer role, and shows the top 10 computer roles.

User Roles with Most Privileged Access Chart

This chart ranks the assigned roles (regardless of the role assignment scope) with login rights by the number of granted privileged access rights.

Rights Report – By User Charts

Users with Most Privileged Access Chart

This chart ranks all users by the number of distinct privileged access rights granted (regardless of the number of computers) and shows the top 10 users.

Computer Role Count for Users with Most Privileged Access Chart

This chart ranks all users by the number of distinct privilege access rights granted. For the top 10 users, it shows the number of computer roles where the user is assigned to any role in that computer role.

Rights Summary Report Charts

Computers with Most Privileged Access Chart

This chart ranks the computer by the number of distinct privileged access rights that are effective on each computer, and shows the top 10 computers. A privileged access right is counted as one regardless of the number of users or roles that is granted or assigned the right in the computer.

Users with Most Privileged Access Chart

This chart ranks all effective users by the number of distinct privileged access rights granted (regardless of the number of computers) and shows the top 10 users.

Most Dominant Privileges on Computers chart

This chart ranks all privileged access rights by the number of computers that each right is effective on and shows the top 10 rights. The number of users where the right is effective in each computer is not considered in the ranking.