...

  1. What current and historical data is maintained for reporting? A detailed description of the historical auditing data: https://wiki.evolveum.com/display/midPoint/Auditing. Also, for an example log, see midPoint Logging.

  2. Is the reason (automatic and manually approved) for all provisioning decisions and actions stored? If the reason is internal to midPoint, then yes, but there is not a way to record a reason for a manual action in the audit log. Can it be sent to an external system (Splunk, logstash, etc) data warehouse? Yes, the logger can be configured to write the audit to a file where an external system could pick it up; database queries are also possible.

  3. How is the data stored? The data is stored in database tables, and the schema is published. Can it be read by external systems? Yes, either directly from the database or by configuring a logger.

  4. Can we export the data in its entirety? Yes, via database export, or by building a report.

  5. Can we control how long the data is maintained? I do not see a way to limit data retention, though direct database actions could be taken.

  6. Does this product provide what our auditors and compliance officers need? Much of what I've heard requested, though not the ability to add notes to manual actions (actions themselves are recorded).

  7. Does this product provide what our application (target system) owners need? (Not sure how to answer this one)

  8. Reporting (should we just combine audit and report?)

    1. What pre-built reports are available? Can they be customized? There are a few canned reports, including a general audit report, and you can customize reports. https://wiki.evolveum.com/display/midPoint/Report+Configuration

    2. Can we build our own reports? Using a GUI? Non-GUI? There is a GUI for building reports, and you could of course use SQL. You can also import Jasper reports.

    3. Does the product support reports on

      1. Access for an application (target system). Granting access would be recorded, but not user access of a target system

      2. All access for a user, all users in a unit, all users for a supervisor. Session creation (login) as well as actions taken are recorded.

      3. Elevated or high-risk access. All actions are recorded, but there is not a provided canned report to identify these.

      4. Separation of Duties. All actions are recorded, but there is not a provided canned report to identify these.

    4. What output formats are available for reports (eg, PDF, CSV, HTML)? All of these plus additional XML and Jasper options.

    5. Is the data used for reports available for use by third-party reporting tools? Yes.

    6. Can reports be run on a schedule and sent by email or to a (possibly external) report repository, and/or made available via GUI? I do not see a way to schedule reports, but they are available in the GUI, and post-report actions can be scripted, including shell actions. If available via GUI, what are the access controls? Reporting appears to be available to administrators, but I don't see a built-in role to delegate.

  9. Auditing

    1. Can we compare intended provisioning to the actual state of an application on demand? This is connector specific, but reconciliation is usually supported.

    2. Does the product audit changes made within it (eg, who made a change to group membership logic when, and what the change was). Yes

    3. Does the product support Separation of Duties audits? This would require a custom report.

    4. (If you do access reviews / attestations) does the product provide adequate support?

      1. review by person, unit, application Attestation is done via "campaigns" https://evolveum.com/blog/access-certification-in-midpoint/

      2. review of only manually-decided access, exceptions only, etc. It should be possible to build a custom campaign that excludes role-initiated, auto-approved actions, but nothing built in.

      3. Can audit results include “comments” (eg, “access being removed because …”) that become part of the record? No

      4. Can the auditing work with an external ticketing system (eg, ServiceNow, Remedy)? Not that I have found, possibly via custom report. Documentation notes support for ITSM integration via plugins, but requires custom development.

      5. How does the product define and schedule reviews, notify and remind reviewers, etc? See the link in "i" Can the product send emails and/or use an external ticketing system? Nothing built in. Are reviews done within the product, or in a document sent to the reviewer? Within the product.

      6. How does the reviewer report results? Results are recorded within the product, and custom reports can be created. Is the effort required proportional to the number of changes? Yes, attestation is per approval.

      7. Does the product support workflows, logic, etc. needed to implement access changes determined by a review? There is some workflow capability such as delegating an attestation approval.

...