Access control items (ACI) for reports

Access control item (ACI) definitions govern the availability of reports for all users. The report ACIs grant or deny a group of users the ability to run reports.

An IBM Verify Identity Governance administrator can access all reports. In addition, there are default ACIs for the Manager, Service Owner, and Auditor groups. For example, service owners and managers can search for all persons that they can access. Managers can see direct reports, and service owners can see people on services controlled by ACIs. Auditors can run all reports and see all data. No report access is available for users or members of the Help Desk group, unless an administrator creates an ACI definition that grants access to a group of which the user is a member. ACI definitions must be defined for both standard and custom reports.

An administrator can create an ACI definition at any time. After an ACI definition is added, the system immediately applies the ACI. The new ACI affects users who are logged in to the system but are not currently viewing the list of available reports. Users who are currently viewing the list of reports are not affected.

Users can view only activities that are specific to their group, either as submitters of the requests or as persons for whom the requests are submitted. For example, managers can view reports for requests that they initiated or for requests that are made for them. Employees who are not in supervisory or managerial roles can view only reports for requests that are made for them because they cannot initiate requests. Auditors can see requests generated by other users.

Report ACIs are applicable in only one organization. Therefore, for non-administrative users of secondary organizations to be able to run reports, report ACIs must also be created in those secondary organizations.