Omada Risk Check
The Omada Risk Check report provides insight into system data quality and system compliance in the form of an interactive document.
For the ongoing compliance process, the Risk Check report serves as a tool that enables recurrent reporting and auditing on the actual state of access rights across the enterprise. It shows who has access to the critical data that should be protected.
The Omada Risk Check report reveals vulnerabilities across a considerable amount of data and provides a fast overview of how the company assets are protected. The report gives you quick and easy access to more Omada standard reports, which can provide additional details. The report provides an overview on all your systems integrated to , as well as individual system views.
The report highlights risk numbers in identities, contexts and accounts as well as resources and resource assignments. It also provides details about orphan and stale objects, account usage and general data quality subjects and system activities.
Use the report to prepare for audits or to get an overview of the current compliance state in your organization. Specifically, the report enables prioritization of security efforts to show compliance with industry standards, local legislation, or other regulations in force. The report also enables you to monitor security improvements over time.
The Omada Risk Check report contains different sections that provide information about the following objects:
Term | Description | Example |
---|---|---|
System | A unique IT system such as a (specific) corporate Active Directory. | An instance of Active Directory of the company. |
Identity | An identity represents a uniquely definable object. | A person, or a piece of equipment, for example a computer or mobile phone. |
Context | A context which an identity is in. A context represents the relationship an identity has with the organization. | A department, project, cost center or building. |
Account | A specific user account in a specific system. | An Active Directory user. |
Resource | A representation of an asset. It is often a role or permission. | An Active Directory group, IT role, file share, SharePoint document, physical key or other objects that can be assigned to one or more identities. |
Resource assignments | A resource assignment represents the relationship between an identity and a resource. | A person has an account (user) in Active Directory (AD). If the user is a member of an AD group, the person who is the owner of the AD user has a resource assignment to the group, via the account. |
Orphan objects | The ownership has not been determined. | Identities, contexts, accounts, resources, or resource categories can be orphaned. |
Fields
The following tables show the fields available in this report, divided into report sections:
Systems
Field | Description |
---|---|
Total number of systems | The total number of systems. |
Systems in system categories | A list of systems, divided by category. |
Identities, contexts, and accounts
Field | Description |
---|---|
Identities | The total number of identities. |
Identities per Category and their Status | The number of identities, divided into categories (for example: Employee, Contractor), and then statuses (for example: Active, Disabled). |
Identities per Category and their Validity State | The number of identities, divided into categories (for example: Employee, Contractor), and then validity states for the valid period (for example: Not valid, Valid). |
Identities per Status | The number of identities for each status. |
Identities per Validity State | The number of identities for each validity state. |
Contexts | The total number of contexts. |
Identities per Context Type including Context Subtypes | The number of identities within each context type (for example, Organization) and subtype (for example, Technical identities and Customer identities). |
Accounts | The total number of accounts. |
Accounts per Type and their Matching status | The number of accounts per type (for example, Personal), divided into matched and unmatched. |
Accounts per Type and their Usage Pattern | The number of accounts per type (for example, Personal), divided according to the usage pattern (for example, Never logged in, Logged in for last 7 days). |
Accounts per Matching status | The number of accounts divided into matched and unmatched. |
Accounts per Usage Pattern | The number of accounts divided by usage pattern (for example: Never logged in, Logged in for last 7 days, Not logged in for last 7 days). |
Summary | This section provides numerical data for the following categories: Identities with no accounts; Identities with no contexts; Average number of Accounts per Identity; Identities with more than the average number of Accounts; Identities with Identity Status in Context Type; Identities with Identity Validity State in Context Type; Identity Category with Account Type; Identity Status with Account Status; Identity Validity State with Account Status; Identity Status with Account Usage Pattern; Identity Validity State with Account Usage Pattern; Identities with more (of the same) Account Types; Managers with Identity Status; Managers with Identity Validity State |
Resources and resource assignments
Field | Description |
---|---|
Resources | The total number of resources. |
Resources per Category and their Classification Type | The number of resources divided into categories (for example: Group) and the classification type (for example: business critical, privileged access, system administration, unknown). |
Resources per Classification Type | The number of resources divided into the classification type (for example: business critical, privileged access, system administration, unknown). |
Resource assignments | The total number of resource assignments. |
Resource Assignments per Resource Category and their Resource Classification Type | The number of resource assignments divided into categories (for example: Group) and the resource classification type (for example: business critical, privileged access, system administration, unknown). |
Resource Assignments per Resource Classification Type | The number of resource assignments divided into the resource classification type (for example: business critical, privileged access, system administration, unknown). |
Summary | This section provides the following numerical data: Identity Category that have access to resources with Resource Classification Type; Account Type that have access to resources with Resource Classification Type |
Orphan objects
Field | Description |
---|---|
Identities without Managers | The number of Identities without Managers. |
Identities with terminated Managers | The number of Identities with terminated Managers. |
Terminated Identity Categories with Active Accounts | The number of terminated Identity Categories with Active Accounts. |
Contexts without owners | The number of Contexts without owners. |
Accounts without owners | The number of Accounts without owners. |
Groups without owners | The number of Groups without owners. |
Account Types without owners | The number of Account Types without owners. |
Resources without owners | The number of Resources without owners. |
Resource Categories without owners | The number of Resource Categories without owners. |
Resource Classification Types without owners | The number of Resource Classification Types without owners. |
Account usage
Field | Description |
---|---|
Accounts not recently used (for the last 7 days) | The number of Accounts that have not been recently used (for the last 7 days). |
Identities not recently used (that have not logged on any of their accounts the last 7 days) | The number of Identities that have not been recently used (that have not logged on any of their accounts the last 7 days). |
Accounts never used (no last log-on date) | The number of Accounts that have never been used (no last log-on date). |
Accounts that expire soon (within 30 days) | The number of Accounts that will expire soon (within 30 days). |
Accounts that never expire (0 or ~ expiration days) | The number of Accounts that will never expire (0 or ~ expiration days). |
Accounts that have not changed their password (within the last 7 days) | The number of Accounts that have not changed their password within the last 7 days. |
Account Types that have not be changed their password the last 7 days | The number of Account types that have not changed their password within the last 7 days, divided into individual Account types. |
Data quality
Field | Description |
---|---|
Identities with empty attributes (email, country, company, EmployeeID) | The number of Identities with empty attributes. |
Groups without members | The number of Groups without members. |
Dual Resource Assignments | The number of Dual Resource Assignments. A dual assignment is when an account is assigned to a resource both explicitly and implicitly. |
Systems without Resource Assignments | The number of Systems without Resource Assignments. |
Identities without Context Assignments | The number of Identities without Context Assignments. |
Identities without Resource Assignments | The number of Identities without Resource Assignments. |
Accounts without Resource Assignments | The number of Accounts without Resource Assignments. |
Resources without Resource Assignments | The number of Resources without Resource Assignments. |
System activities within selected period
Field | Description |
---|---|
Identities | The number of created, expired and modified Identities within the selected period. |
Contexts | The number of created, expired and modified Contexts within the selected period. |
Accounts | The number of created, expired and modified Accounts within the selected period. |
Resources | The number of created, expired and modified Resources within the selected period. |
Resource assignments | The number of created, expired and modified Resource assignments within the selected period. |
System summary - identity source system
Field | Description |
---|---|
SYSTEM SUMMARY | |
Name | The name of the system. |
System category | The category of the system. |
IDENTITIES AND CONTEXTS | |
Identities | The total number of identities in the system. |
Identities per Category and their Status | The number of identities, divided into categories (for example: Employee, Contractor), and then statuses (for example: Active, Disabled). |
Identities per Category and their Validity State | The number of identities, divided into categories (for example: Employee, Contractor), and then validity states for the valid period (for example: Not valid, Valid). |
Identities per Status | The number of identities for each status. |
Identities per Validity State | The number of identities for each validity state. |
Contexts | The total number of contexts. |
Identities per Context Type including Context Subtypes | The number of identities within each context type (for example, Organization) and subtype (for example, Technical identities and Customer identities). |
Disabled Users | The number of disabled users. |
Summary | This section provides numerical data for the following categories: Identities with Identity Status in Context Type; Identities with Identity Validity State in Context Type; Managers with Identity Status; Managers with Identity Validity State; Identities with no contexts |
ORPHAN OBJECTS | |
Identities without Managers | The number of Identities without Managers. |
Identities with terminated Managers | The number of Identities with terminated Managers. |
Contexts without owners | The number of Contexts without owners. |
DATA QUALITY | |
Identities with empty attributes (email, country, company, EmployeeID) | The number of Identities with empty attributes. |
Identities without Context Assignments | The number of Identities without Context Assignments. |
SYSTEM ACTIVITIES WITHIN SELECTED PERIOD | |
Identities | The number of created, expired and modified Identities within the selected period. |
Contexts | The number of created, expired and modified Contexts within the selected period. |
System summary – source system
Field | Description |
---|---|
SYSTEM SUMMARY | |
Name | The name of the system. |
System owner | The owner of the system. |
System category | The category of the system. |
ACCOUNTS | |
Accounts | The total number of accounts. |
Accounts per Type and their Matching status | The number of accounts per type (for example, Personal), divided into matched and unmatched. |
Accounts per Type and their Usage Pattern | The number of accounts per type (for example, Personal), divided according to the usage pattern (for example, Never logged in, Logged in for last 7 days). |
Accounts per Matching status | The number of accounts divided into matched and unmatched. |
Accounts per Usage Pattern | The number of accounts divided by usage pattern (for example: Never logged in, Logged in for last 7 days, Not logged in for last 7 days). |
RESOURCES AND RESOURCE ASSIGNMENTS | |
Resources | The total number of resources. |
Resources per Category and their Classification Type | The number of resources divided into categories (for example: Group) and the classification type (for example: business critical, privileged access, system administration, unknown). |
Resources per Classification Type | The number of resources divided into the classification type (for example: business critical, privileged access, system administration, unknown). |
Resource Assignments | The total number of resource assignments. |
Resource Assignments per Resource Category and their Resource Classification Type | The number of resource assignments divided into categories (for example: Group) and the resource classification type (for example: business critical, privileged access, system administration, unknown). |
Resource Assignments per Resource Classification Type | The number of resource assignments divided into the resource classification type (for example: business critical, privileged access, system administration, unknown). |
Account Type that have access to Resource Classification Type | The number of Account Types divided into the ones having access to individual Resource Classification Types. |
ORPHAN OBJECTS | |
Accounts without owners | The number of Accounts without owners. |
Groups without owners | The number of Groups without owners. |
Account Types without owners | The number of Account Types without owners. |
Resource Categories without owners | The number of Resource Categories without owners. |
Resource Classification Type without owners | The number of Resource Classification Types without owners. |
ACCOUNT USAGE | |
Accounts not recently used (for the last 7 days) | The number of Accounts that have not been recently used (for the last 7 days). |
Accounts never used (no last log-on date) | The number of Accounts that have never been used (no last log-on date). |
Accounts that expire soon (within 30 days) | The number of Accounts that will expire soon (within 30 days). |
Accounts that never expire (0 or ~ expiration days) | The number of Accounts that will never expire (0 or ~ expiration days). |
Accounts that have not changed their password (within the last 7 days) | The number of Accounts that have not changed their password within the last 7 days. |
Account Types that have not be changed their password the last 7 days | The number of Account types that have not changed their password within the last 7 days, divided into individual Account types. |
DATA QUALITY | |
Groups without members | The number of Groups without members. |
Dual Resource Assignments | The number of Dual Resource Assignments. A dual assignment is when an account is assigned to a resource both explicitly and implicitly. |
Systems without Resource Assignments | The number of Systems without Resource Assignments. |
Accounts without Resource Assignments | The number of Accounts without Resource Assignments. |
Resources without Resource Assignments | The number of Resources without Resource Assignments. |
SYSTEM ACTIVITIES WITHIN SELECTED PERIOD | |
Accounts | The number of created, expired and modified Accounts within the selected period. |
Resources | The number of created, expired and modified Resources within the selected period. |
Resource Assignments | The number of created, expired and modified Resource assignments within the selected period. |
Parameters
You can customize filtering options (see the column on the right for examples):
Filtering options | Description |
---|---|
Accounts soon-to-expire (days) | Reports accounts that will soon expire. Enter the number of days for the time span. |
Account status | The account statuses that exist in the systems, for example: Unknown, Active |
Account type | The account types that exist in the systems, for example: Personal, Unknown |
Account usage | The account usage pattern, for example: Logged in for last 7 days (the number of days is dependent on the Usage pattern parameter); Never logged in; Not logged in for last 7 days (the number of days is dependent on the Usage pattern parameter) |
Context type | The type of the context, for example: OrgUnit |
First effective time | The state (i.e., risk/compliance) in the first, discrete point in time. The time of the first upload of data. |
Identity category (Example: from an HR system) | The identity categories that exist in the systems, for example: Employee, Contractor, Other |
Identity status | The identity statuses that exist in the systems, for example: Active |
Identity validity state | An identity’s state in relation to its valid from and valid to period, for example: Not valid, Unknown, Valid (within period) |
Include cover page | Display or hide the cover page of the report. Possible values: False, True |
Resource category | The resource categories that exist in the systems, for example: Permission, Group, Resource Folder |
Resource classification status | Status of the resources according to their classification, for example: Business critical, Privileged access, System administration, Unknown (the resource doesn’t have a classification) |
Second effective time (optional) | The state in the second, discrete point in time. The time of the reloading of the data. |
Usage pattern (days) | The number of days or time span of the report. |