cancel
Showing results for 
Search instead for 
Did you mean: 

Generate structured user/role/permission reports

Walter.Koller
Level 11
Hi,

I need to generate reports to easily provide the information what user have what roles and which permissions.

The easiest to read would be probably a table with rows as roles and users as columns and a X to mark the spot who has what.
Then a similar report with rows showing permissions and columns show the roles.
Or rows as columns and columns as rows, this will not make a big difference.

I generated one of the built in reports (v6.4) but this is just (at best semi-structured) list and has to prepared first to do anything with the data. (btw is there a way to defined my own reports to be generated?).

I tried to query the DB but for some reasons the joins between BPAUsers, BPAUserRoles, ... don't return any results.

Any hints are much apprecieated,
Thanks

------------------------------
Walter Koller
Solution Manager
Erste Group IT International GmbH
Europe/Vienna
------------------------------
20 REPLIES 20

EmersonF
MVP
@ewilson, Can you help us in question?!

------------------------------
Emerson Ferreira
Sr Business Analyst
Avanade Brasil
+55 (081) 98886-9544
If my answer helped you? Mark as useful!
------------------------------
Sr Cons at Avanade Brazil

It sounds like this is a Blue Prism environment integrated with Active Directory for authentication. If so, the majority of the users are probably mapped to AD security groups.

The easiest way to see what's available directly in the Blue Prism database is to just open to DB in SQL Management Studio and look at the contents of the following tables:
  • dbo.BPAUser
  • dbo.BPAUserRoleAssignment
  • dbo.BPAMappedActiveDirectoryUser 
Cheers,

------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

Thanks for you awnser, @Walter Koller, unfortunately I don't use AD so I can't test for you, could you check if this helps you?​

------------------------------
Emerson Ferreira
Sr Business Analyst
Avanade Brasil
+55 (081) 98886-9544
If my answer helped you? Mark as useful!
------------------------------
Sr Cons at Avanade Brazil

Yes, we use SSO with Active Directory authentication. User roles are mapped to AD groups.

In our 6.4 environment:
BPAUser: 137
BPAUserRoleAssignment: 5
BPAMappedActiveDirectoryUser: n/a this table does not exist in 6.4

In our 6.9 environment:
BPAUser: 42
BPAUserRoleAssignment: 1
BPAMappedActiveDirectoryUser: 0

The result was the same after: 
- Pressing 'apply' in User Roles screen to verify the AD mappings
In User screen, in the Hamburger menu right upper corner:
- Refreshing User List in User screen
- Refreshing Users in User screen
The results were always 42, 1, 0

Cheers

------------------------------
Walter Koller
Solution Manager
Erste Group IT International GmbH
Europe/Vienna
------------------------------

"BPAUserRoleAssignment: 1" explains why you're only seeing one record returned. There's only one assignment in your 6.9 database.

All other user assignments are handled via your AD, so if you want to see all users you'd need to query AD in addition to the database.

Cheers,



------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

Somehow I already expected this answer 🙂

What is the purpose of the table BPAMappedActiveDirectoryUser ?

Thanks

------------------------------
Walter Koller
Solution Manager
Erste Group IT International GmbH
Europe/Vienna
------------------------------

I could be wrong, but I believe that table is used in BP environments with AD integration and multi-authentication.

https://bpdocs.blueprism.com/bp-6-9/en-us/frmUserCreate.htm

Cheers,

------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

FWIW - I think you can see a users AD groups from within the BP User management screen. Just double-click on a specific user, and the info should be in the display.

The reason I mention this is that you could create a report from this by automating the actual Blue Prism UI. It would be a bit slow as you'd have to pull information one user at a time, but I think it would work. 🤷‍♂️

------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------

Thanks for the tipp and your support.

I tried double click in 6.4 and 6.9 but it did nothing. I tried in Security/User screen.
I already tried to automate BP UI but reading all permissions for all user roles already took some hours and turned out to be not the optimal way for regular user audits. That is when I added the idea (submitted in Community/Innnovation portal) of having an API to easily retrieve this and a lot of other information directly from BP.

------------------------------
Walter Koller
Solution Manager
Erste Group IT International GmbH
Europe/Vienna
------------------------------

Check this link in the BP Help. You're not able to perform this step? (This is from the v6.9 help)

https://bpdocs.blueprism.com/bp-6-9/en-us/helpSingleSignonGroupsList.htm?tocpath=Interface%7CSystem%7CSecurity%7CManage%20users%7C_____6 

Cheers,

------------------------------
Eric Wilson
Director, Partner Integrations for Digital Exchange
Blue Prism
------------------------------