What Report Services Provides

Report services provides reports on your Active Directory environment and the data is stored in a database that’s optimized for reporting. You can synchronize your Active Directory information to your reporting database, and then allow your users access to the reporting data.

You can choose to use SQL Server or PostgreSQL for your report database. If you use PostgreSQL, you must provide your own report software to create and view reports.

If you're using SQL Server, the following diagram illustrates the main report services architecture components:

[Diagram: main report services architecture components with SQL Server]

If you're using PostgreSQL, the following diagram illustrates the main report services architecture components:

[Diagram: main report services architecture components with PostgreSQL]

Report services takes data from Active Directory at a particular point in time. The data collected at that point is sometimes referred to as a snapshot. The Active Directory data synchronization service puts the Active Directory data into tables in the reporting database, and then runs some algorithms on those tables. Some data is pulled over directly from Active Directory as it is, and some data is calculated.

For example, the effective role assignment for each computer and user is calculated rather than stored. IBM Security does store the effective role assignment information at the levels of role, computer, and zone. This information is then stored in the database views, and those database views provide the information that you see in the reports.

The reporting service populates database views based on the data in those tables, and those views are what are used to populate reports.

Database views provide an easier and more secure way to share the reporting data without having to expose the database tables directly. Each view is essentially a database query. Some columns refer to columns in other views, and these relationships are noted.

Each default report is based on one or more of those database views, and you can build custom reports based on the information stored in one or more of those views.
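
The following PostgreSQL script is an added example, not part of the product documentation, showing how a view can expose calculated reporting data while the underlying snapshot tables stay closed to report readers. Every schema, table, view and role name in it is hypothetical and does not reflect the product's actual reporting schema; it assumes a scratch database and a superuser session.

```sql
-- Added example for PostgreSQL. Every schema, table, view and role name is hypothetical.
BEGIN;
CREATE SCHEMA rpt_demo;

-- Snapshot tables as a synchronization service would fill them (constructed rows).
CREATE TABLE rpt_demo.zone_computer (
    zone_name     text NOT NULL,
    computer_name text NOT NULL,
    PRIMARY KEY (zone_name, computer_name)
);
CREATE TABLE rpt_demo.role_assignment (
    user_name     text NOT NULL,
    role_name     text NOT NULL,
    zone_name     text NOT NULL,
    computer_name text            -- NULL: assigned at zone level
);
INSERT INTO rpt_demo.zone_computer VALUES
    ('finance', 'fin-db01'), ('finance', 'fin-web01');
INSERT INTO rpt_demo.role_assignment VALUES
    ('alice', 'UNIX Login', 'finance', NULL),
    ('bob',   'DB Admin',   'finance', 'fin-db01');

-- Calculated data: one row per computer, user and role that applies there.
CREATE VIEW rpt_demo.effective_role_assignment AS
SELECT zc.zone_name, zc.computer_name, ra.user_name, ra.role_name,
       CASE WHEN ra.computer_name IS NULL THEN 'zone' ELSE 'computer' END
           AS assigned_at
FROM rpt_demo.zone_computer AS zc
JOIN rpt_demo.role_assignment AS ra
  ON ra.zone_name = zc.zone_name
 AND (ra.computer_name IS NULL OR ra.computer_name = zc.computer_name);

-- Report readers get the view only. A view reads its base tables with the
-- view owner's privileges (unless created WITH (security_invoker = true)),
-- so no grant on the tables is needed.
CREATE ROLE rpt_demo_reader NOLOGIN;
GRANT USAGE ON SCHEMA rpt_demo TO rpt_demo_reader;
GRANT SELECT ON rpt_demo.effective_role_assignment TO rpt_demo_reader;

-- Compare the reader's SELECT privilege on the view and on a base table.
SELECT has_table_privilege('rpt_demo_reader', 'rpt_demo.effective_role_assignment', 'SELECT') AS can_read_view,
       has_table_privilege('rpt_demo_reader', 'rpt_demo.role_assignment', 'SELECT') AS can_read_table;

-- Query the view the way a report reader would.
SET LOCAL ROLE rpt_demo_reader;
SELECT * FROM rpt_demo.effective_role_assignment ORDER BY computer_name, user_name;
RESET ROLE;
ROLLBACK;  -- leave nothing behind in the scratch database
```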

For SQL Server databases, IBM Security report services uses Microsoft SQL Server Reporting Services as the reporting engine for deploying and customizing reports. You can use any reporting service to generate reports by connecting to the reporting database.

Reporting Data Based on Domains or Zones

Here are some key points to be aware of if you’re thinking of using report data based on zones:

  • For zone-based reporting, each synchronization includes all Active Directory data from the specified zones. In comparison, for domain-based reporting, synchronizations after the first one include just the changes to Active Directory data.
  • For zone-based reporting, the service account needs just read permission to Active Directory. In comparison, for domain-based reporting, the service account needs permission to replicate directory changes.
  • For zone-based reporting, report services does not synchronize license information nor auto-zone computer information.
  • For zone-based reporting, you can include zones from other trusted forests. For domain-based reporting, you can add trusted forest domains.

gMSA Accounts

Report services treats gMSA accounts (group Managed Service Accounts) as Active Directory users.

Information not included in the reporting database

There are a few limitations on the kinds of data that can be stored in the reporting database. The following is not included:

  • NIS maps
  • UNIX import information

Report Services and Report Center

Report services provides more reports and features than the previous Report Center in Verify Privilege Server Suite. Report Center has been deprecated and removed.

Report Services Tools Overview

Here’s an overview of the tools specific to IBM Security report services. You’ll use some to all of these tools, depending on whether you’re completing your initial installation or changing some configuration settings later on.

| Tool or component name | What you use this tool for |
| --- | --- |
| Report Services shortcut | Use this shortcut to open IBM Security report services in Internet Explorer. |
| Configuration wizard | Use the configuration wizard to do the initial setup of your database and reports. Re-run the configuration wizard only if you need to change some report services configuration settings or change whether you gather report data from Active Directory based on zones or domains. For instructions, see Configuring Report Services and Deploying Your Reports. |
| Upgrade & Deployment wizard | Use the Upgrade & Deployment wizard to upgrade your report database and deploy updated reports. For instructions, see Upgrading your report services. |
| Report Services Control Panel | Use the control panel to view the synchronization status of domains or zones, refresh report data, configure the synchronization schedule, add or remove domains or zones, change the user account that runs the report service, and view error logs. For more details, see Administering IBM Security Report Services with the Report Control Panel. |
| Verify Privilege Server Suite installer | Use the installer to either install or upgrade the report services and other Verify Privilege Server Suite components. For instructions, see Installing IBM Security Report Services. |

Overview of How to Set Up Reporting

If you’re installing an evaluation version of IBM Security report services, you can take a few shortcuts, such as using virtual machines. This section includes recommendations for both evaluation and production deployments.

The diagram below outlines the overall process for installation or upgrade.

[Diagram: overall process for installation or upgrade]

Evaluation Deployment Overview

For evaluation purposes, you can just install the SQL Server Express version that’s packaged with the Verify Privilege Server Suite software.

How to set up an evaluation version of IBM Security report services:

  1. Prepare your environment:

    • Users and groups with required permissions
      1. Service account - the user account that runs the reporting service (in the background).
      2. Installer/administrator - the user account that installs and configures the IBM Security reporting service.
      3. Report administrator - user(s) who can run reports, edit reports, build new reports.
      4. Report reader - user(s) who can view reports but not edit them nor create new ones.
    • An existing database instance, if you’re planning to use an existing instance.
    • The correct operating system that supports what you need. For evaluation purposes only, you can install all the software on one computer. Be sure to check that your operating system is supported for IBM Security software, SQL Server, and Microsoft SQL Server Reporting Services (SSRS).
    • You’ve configured Internet Explorer to allow access to the reporting web site. For details, see Adding Your Report Services Web Site to your Internet Explorer Trusted Sites.
  2. Run the IBM Security installer. Install the report services on ONE computer in your domain.

    • Do not install IBM Security report services on a domain controller.
    • If you’re upgrading from a prior version of Verify Privilege Server Suite, the Access Manager reports are still there and they are installed anywhere you install Access Manager. In contrast, the new reporting service installs into one place in your forest. Plus, the database is optimized for reporting and retrieval.
  3. Do the reporting configurations:

    • Run the Report Services Configuration wizard to configure the reporting service as needed, including starting the service.
    • Set up the report security for report administrators by assigning users and groups to SSRS roles. By default, all authenticated users have access to view reports.
    • Configure Internet Explorer.
  4. View and share the reports.
  5. For custom report building, make sure that you’ve installed Report Builder for your version of SQL Server, if you don’t have it installed already. You may need to download this separately.

Production Deployment Overview

For production deployments:

  • IBM Security recommends that you use a production-capable version of SQL Server and not SQL Server Express.

    SQL Server Express has a limit of 10 GB of data and does not provide the ability to schedule tasks.

  • IBM Security recommends that you do not use virtual machines.

  • Use at least 4 GB of memory and 2 cores. Leave enough memory for the operating system and allocate the rest to SQL Server. For more details, see Memory Requirements.

  • IBM Security recommends that you use a new database instance; do not use an existing instance of SQL Server. This is because uninstalling SSRS leaves some files behind, which can cause problems with re-installation if you’re reusing the database instance. For more information, see Impact of Using a New or Existing SQL Server instance.

  • If you're using a PostgreSQL database, IBM Security recommends using a new PostgreSQL installation.

  • Do not install IBM Security report services on a domain controller.

How to Set up a Production Version of IBM Security Report Services

  1. Prepare your environment:

    • Users and groups with required permissions. For details, see Before Installing - Prerequisites.

      1. Service account - the user account that runs the reporting service (in the background).
      2. Installer/administrator - the user account that installs and configures the IBM Security reporting service.
      3. Report administrator - user(s) who can run reports, edit reports, build new reports.
      4. Report reader - user(s) who can view reports but not edit them nor create new ones.
    • The correct operating system that supports what you need. The operating system needs to be supported for IBM Security software, SQL Server, and SQL Server Reporting Services (SSRS).

      Don’t install SSRS on the domain controller.

      Use an existing database instance with a real version of SQL Server, not the Express version. Express isn’t designed to handle the performance needs of a production environment.
  2. Run the Verify Privilege Server Suite installer. Install the report services in ONE place in your forest.

    • If you’re upgrading from a prior version of Verify Privilege Server Suite, the Access Manager reports are still there and they are installed anywhere you install Access Manager. In contrast, the new reporting service installs into one place in your forest. Plus, the database is optimized for reporting and retrieval.
  3. Do the reporting configurations:

    • Configure the reporting service as needed, including starting the service.
    • Set up the report security: assign users and groups to SSRS roles and configure Internet Explorer.
  4. View and share the reports.

  5. For custom report building, make sure that you’ve installed Report Builder for your version of SQL Server, if you don’t have it installed already. You may need to download this separately.

Upgrade Overview

How to upgrade IBM Security Report Services:

  1. If you’re upgrading from a version of Verify Privilege Server Suite before version 2016, you need to install the report services components after you upgrade the other components.

    For details, see Upgrading from a Prior Version.

  2. Run the installer program to upgrade your report services components.

    For details, see Upgrading from a Prior Version and the Upgrade and Compatibility Guide.

  3. Upgrade the report database and, if you’re ready to do so, redeploy your reports.

    For details, see Upgrading your Report Services Database.

  4. (Optional) If you want to switch from domain-based reporting to zone-based reporting, or the other way around, run the Configuration wizard to switch modes.

    This step is optional and you can switch modes at any time, not just during upgrade.

    For details, see Configuring Report Services and Deploying Your Reports.

Using this Guide

The guide provides the following information: