Identity Governance reports

Advanced Identity Cloud provides new, pre-built reports for the Identity Governance service. You can’t directly edit these reports.

Advanced Identity Cloud add-on capability

Contact your Ping Identity representative to add PingOne® Identity Governance to your Advanced Identity Cloud subscription.

Available reports

If you use Identity Governance, you have access to the following reports. These reports help you understand and manage your identity governance data:

Account certification: Details account certification decisions during a campaign.
All campaign summary: Summarizes all certification campaigns, providing an overview of their status and results.
All requests: Lists all access requests, showing their current status and details.
Application accounts: Details accounts associated with each application, helping you track user access.
Application entitlements: Shows entitlements granted within a specific application.
Entitlement assignment certification: Provides certification data for assigned entitlements.
Entitlement grants: Displays all grants for specific entitlements.
Entitlements with inactive owners: Identifies entitlements where the assigned owner is inactive.
Entitlements with no owners: Highlights entitlements that currently lack an assigned owner.
Identity certification accounts: Presents certification details for user accounts.
Identity certification entitlements: Presents certification details for identity entitlements.
Identity certification role memberships: Shows certification information for user role memberships.
Orphan accounts: Lists accounts that don’t have an associated identity.
Request tasks: Details individual tasks related to access requests.
Role entitlement details: Provides comprehensive information about each role.
Role membership certification: Offers certification data for role memberships.
Role membership with decision details: Generates a report on all role memberships.
Roles with no or inactive managers: Identifies roles that currently lack an assigned owner.
Users with no or inactive managers: Lists users who don’t have an active manager.

Account certification

The "Account certification" report provides a detailed list of decisions made for user accounts during a specific certification campaign. This report helps administrators and compliance managers verify that account access is regularly reviewed and that all decisions are documented for compliance.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Account certification.
In the Run Report tab, enter the Campaign ID.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign ID`	Unique identifier for the certification campaign.
`Application Name`	Name of the application where the account exists.
`Account Display Name`	Display name of the account being reviewed.
`Account Type`	Type of account (for example, `user` or `service`).
`First Name`	First name of the user associated with the account.
`Last Name`	Last name of the user associated with the account.
`Email Address`	Email address of the user.
`Username`	Login name of the user associated with the account.
`Provisioning Method`	Method by which the account was granted.
`Last Certified By`	User who made the decision in the previous certification cycle.
`Last Certified Decision`	Decision from the previous certification cycle.
`Last Certified On`	Date and time of the last certification decision.
`Primary Reviewer`	User responsible for reviewing and making a decision on the account access.
`Decision`	Action taken during the review (for example, `Certify`, `Revoke`).
`Decision By`	User who made the final decision.
`Remediation Status`	Current status of the remediation action (for example, `complete`, `pending`).
`Remediation Date`	Date and time any remediation action was completed.

Campaign ID

Unique identifier for the certification campaign.

Application Name

Name of the application where the account exists.

Account Display Name

Display name of the account being reviewed.

Account Type

Type of account (for example, user or service).

First Name

First name of the user associated with the account.

Last Name

Last name of the user associated with the account.

Email Address

Email address of the user.

Username

Provisioning Method

Method by which the account was granted.

Last Certified By

User who made the decision in the previous certification cycle.

Last Certified Decision

Decision from the previous certification cycle.

Last Certified On

Date and time of the last certification decision.

Primary Reviewer

User responsible for reviewing and making a decision on the account access.

Decision

Action taken during the review (for example, Certify, Revoke).

Decision By

User who made the final decision.

Remediation Status

Current status of the remediation action (for example, complete, pending).

Remediation Date

Date and time any remediation action was completed.

All campaign summary

The "All campaign summary" report provides an overview of all certification campaigns. This report helps you assess the status, progress, and key details of each campaign to track compliance and governance efforts.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select All campaign summary.
In the Run Report tab, enter the campaign type. Options are:
- identity
- entitlement
- roleMembership
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign Type`	Type of certification campaign.
`Campaign Name`	Name of the certification campaign.
`Type`	Type of certification being performed (for example, `Identity`, `Role Membership`).
`Owner`	User responsible for overseeing the campaign.
`Launched On`	Date and time campaign was initiated.
`Start Date`	Date and time campaign officially began.
`Deadline`	Date and time by which campaign must be completed.
`Status`	Current state of the campaign (for example, `Staging`, `In Progress`, `Complete`).
`Completion Date`	Date and time campaign was officially closed.
`Remediation Enabled`	Indicates if remediation actions are enabled for campaign.
`Reviews`	Number of reviews completed or total reviews.
`In Progress`	Number of items currently under review.
`Signed Off`	Number of items that have been signed off.

Campaign Type

Type of certification campaign.

Campaign Name

Name of the certification campaign.

Type

Type of certification being performed (for example, Identity, Role Membership).

Owner

User responsible for overseeing the campaign.

Launched On

Date and time campaign was initiated.

Start Date

Date and time campaign officially began.

Deadline

Date and time by which campaign must be completed.

Status

Current state of the campaign (for example, Staging, In Progress, Complete).

Completion Date

Date and time campaign was officially closed.

Remediation Enabled

Indicates if remediation actions are enabled for campaign.

Reviews

Number of reviews completed or total reviews.

In Progress

Number of items currently under review.

Signed Off

Number of items that have been signed off.

All requests

The "All requests" report provides a detailed log of every access request submitted across the organization. This report helps with auditing, troubleshooting, and understanding access patterns. It captures who requested what, for whom, and the final outcome of each request.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select All requests.
In the Run Report tab, enter the following:
- Request Status: Select a status. Options are:
  - In Progress: The request is currently active and awaiting action or approval.
  - Complete: The request has been fully processed, and a final outcome has been reached.
  - Canceled: The request was withdrawn or canceled before a final decision was made.
  - Suspended: The request is temporarily paused, often pending further information or action.
- Request Type: Select a request type. Options are:
  - GrantRoleMembership: Grants a user membership to a role.
  - ModifyEntitlement: Modifies an existing entitlement for a user.
  - GrantEntitlement: Grants a user a new entitlement.
  - RevokeAccount: Revokes a user’s account.
  - CreateAccount: Creates a new user account.
  - CreateEntitlement: Creates a new entitlement.
  - CreateUser: Creates a new user.
  - DeleteUser: Deletes an existing user.
  - RevokeRoleMembership: Revokes a user’s membership to a role.
  - RevokeEntitlement: Revokes an existing entitlement from a user.
- Timeframe: Select a time frame for the report. Options are:
  - Today
  - Yesterday
  - Last 7 days
  - Last 30 days
  - Custom: Enter the Start Date and End Date of the date range.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Request Status`	Current state of the request within its lifecycle (for example, `In Progress` or `Complete`).
`Request Type`	Type of access being requested (for example, `CreateEntitlement` or `GrantRoleMembership`).
`Start Date`	Requested date and time for the access to become active.
`End Date`	Requested date and time for the access to expire.
`Requester`	User who initiated the request.
`Requested For`	User for whom the access was requested.
`Requested Item`	Specific entitlement or role being requested.
`Submitted On`	Date and time when the access request was created.
`Completion Date`	Date and time when the request was fully approved, rejected, or cancelled.
`Start Date`	Date and time the request officially began.
`End Date`	Date and time the request officially ended.
`Status`	Current lifecycle state of the request, such as: `In Progress`, `Complete`, `Canceled`, or `Suspended`.
`Outcome`	Final result of the request, such as `Provisioned` or `Denied`.
`Decision`	Final decision made on the request: `approved` or `rejected`.
`External Request ID`	Unique identifier for the request from an external system, if applicable.

Request Status

Current state of the request within its lifecycle (for example, In Progress or Complete).

Request Type

Type of access being requested (for example, CreateEntitlement or GrantRoleMembership).

Start Date

Requested date and time for the access to become active.

End Date

Requested date and time for the access to expire.

Requester

User who initiated the request.

Requested For

User for whom the access was requested.

Requested Item

Specific entitlement or role being requested.

Submitted On

Date and time when the access request was created.

Completion Date

Date and time when the request was fully approved, rejected, or cancelled.

Start Date

Date and time the request officially began.

End Date

Date and time the request officially ended.

Status

Current lifecycle state of the request, such as: In Progress, Complete, Canceled, or Suspended.

Outcome

Final result of the request, such as Provisioned or Denied.

Decision

Final decision made on the request: approved or rejected.

External Request ID

Unique identifier for the request from an external system, if applicable.

Application accounts

The "Application accounts" report provides a comprehensive inventory of all accounts (correlated, orphan, or machine) within specific applications. This report helps with auditing access, identifying account statuses, and ensuring that account privileges align with security policies.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Application accounts.
In the Run Report tab, select the Application Name from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Application Name`	Name of the application where the account exists.
`Application Owner`	User responsible for managing the application.
`Requestable`	Indicates if access to the application can be requested. Values are: `true` or `false`.
`Display Name`	Full name of the account holder.
`Username`	Login name for the account within the application.
`Account Type`	Type of account (for example, `user` or `service`).
`Account Sub Type`	More specific classification of the account type.
`Creation Date`	Date and time the account was created.
`Update Date`	Date and time the account was last modified.
`Last Certification Decision`	Most recent decision made during an access certification campaign for this account. Values are: `certify` or `revoke`.
`Decision By`	User who made the last certification decision.
`Decision Date`	Date and time of the last certification decision.
`Active`	Indicates if the account is currently active or disabled.
`Is Privileged`	Indicates if the account has elevated or administrative privileges.
`Last Successful Login`	Date and time of the last successful login to the account.
`Last Password Change`	Date and time the account’s password was last changed.

Application Name

Name of the application where the account exists.

Application Owner

User responsible for managing the application.

Requestable

Indicates if access to the application can be requested. Values are: true or false.

Display Name

Full name of the account holder.

Username

Account Type

Type of account (for example, user or service).

Account Sub Type

More specific classification of the account type.

Creation Date

Date and time the account was created.

Update Date

Date and time the account was last modified.

Last Certification Decision

Most recent decision made during an access certification campaign for this account. Values are: certify or revoke.

Decision By

User who made the last certification decision.

Decision Date

Date and time of the last certification decision.

Active

Indicates if the account is currently active or disabled.

Is Privileged

Indicates if the account has elevated or administrative privileges.

Last Successful Login

Date and time of the last successful login to the account.

Last Password Change

Date and time the account’s password was last changed.

Application entitlements

The "Application entitlements" report provides a detailed list of all entitlements available within a specific application. This report helps administrators review and manage the permissions and access rights that can be granted to users, ensuring that access policies are correctly implemented.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Application entitlements.
In the Run Report tab, select the Application Name from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Application Name`	Name of the application where the entitlement is defined.
`Display Name`	User-friendly name of the entitlement.
`Entitlement Owner`	User or group responsible for managing the entitlement.
`Description`	Brief explanation of what access the entitlement provides.
`Entitlement Type`	Classification or category of the entitlement.
`Parent Entitlement`	Name of the parent entitlement if this is a nested entitlement.
`Requestable`	Indicates if users can request this entitlement. Values are: `true` or `false`.

Application Name

Name of the application where the entitlement is defined.

Display Name

User-friendly name of the entitlement.

Entitlement Owner

User or group responsible for managing the entitlement.

Description

Brief explanation of what access the entitlement provides.

Entitlement Type

Classification or category of the entitlement.

Parent Entitlement

Name of the parent entitlement if this is a nested entitlement.

Requestable

Indicates if users can request this entitlement. Values are: true or false.

Entitlement assignment certification

The "Entitlement assignment certification" report provides a detailed record of the access review decisions made during access certification campaigns for entitlements. This report helps auditors and administrators verify that user access rights are reviewed periodically and that all decisions are tracked for compliance with security policies.

Steps

To locate a campaign ID:
1. In the Advanced Identity Cloud admin console, go to Governance > Certification.
2. Click the Campaigns tab.
3. Select an entitlement certification from the list.
4. In the URL, copy the campaign ID.
In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Entitlement assignment certification.
In the Run Report tab, enter the Campaign ID.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign ID`	Unique identifier for the certification campaign.
`Application Name`	Name of the application associated with the entitlement.
`Account Display Name`	Display name of the account being reviewed.
`Entitlement Display Name`	User-friendly name of the entitlement under review.
`Description`	Brief explanation of the entitlement’s purpose.
`Username`	Login name of the user whose access is being certified.
`First Name`	First name of the user.
`Last Name`	Last name of the user.
`Confidence Score`	Score indicating the confidence level that the access is appropriate.
`Primary Reviewer`	User responsible for reviewing and making a decision on the access.
`Provisioning Method`	Method by which the entitlement was granted (for example, `recon` for reconciliation).
`Decision`	Action taken during the review (for example, `Certify`, `Revoke`).
`Decision By`	User who made the final decision.
`Decision Date`	Date and time the decision was recorded.
`Remediation Status`	Current status of any remediation actions taken (for example, `complete`, `pending`).
`Remediation Date`	Date and time the remediation was completed.

Campaign ID

Unique identifier for the certification campaign.

Application Name

Name of the application associated with the entitlement.

Account Display Name

Display name of the account being reviewed.

Entitlement Display Name

User-friendly name of the entitlement under review.

Description

Brief explanation of the entitlement’s purpose.

Username

First Name

First name of the user.

Last Name

Last name of the user.

Confidence Score

Score indicating the confidence level that the access is appropriate.

Primary Reviewer

User responsible for reviewing and making a decision on the access.

Provisioning Method

Method by which the entitlement was granted (for example, recon for reconciliation).

Decision

Action taken during the review (for example, Certify, Revoke).

Decision By

User who made the final decision.

Decision Date

Date and time the decision was recorded.

Remediation Status

Current status of any remediation actions taken (for example, complete, pending).

Remediation Date

Date and time the remediation was completed.

Entitlement grants

The "Entitlement grants" report provides a detailed list of all users who’ve been granted a specific entitlement. This report helps administrators and auditors verify who has access to what, track provisioning methods, and review any decisions made about that access.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Entitlement grants.
In the Run Report tab, enter:
- Application Name: Select the application from the list.
- Entitlement Display Name: Enter the entitlement.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Application Name`	Name of the application where the entitlement exists.
`Entitlement Name`	Name of the entitlement.
`Display Name`	User-friendly name of the entitlement.
`Entitlement Description`	Brief explanation of the entitlement’s purpose.
`First Name`	First name of the user who was granted the entitlement.
`Last Name`	Last name of the user who was granted the entitlement.
`Confidence Score`	Score indicating the confidence level that the access is appropriate.
`Provisioning Method`	Method by which the entitlement was granted (for example, `role`).
`Username`	Username of the user who was granted the entitlement.

Application Name

Name of the application where the entitlement exists.

Entitlement Name

Name of the entitlement.

Display Name

User-friendly name of the entitlement.

Entitlement Description

Brief explanation of the entitlement’s purpose.

First Name

First name of the user who was granted the entitlement.

Last Name

Last name of the user who was granted the entitlement.

Confidence Score

Score indicating the confidence level that the access is appropriate.

Provisioning Method

Method by which the entitlement was granted (for example, role).

Username

Username of the user who was granted the entitlement.

Entitlements with inactive owners

The "Entitlements with inactive owners" report identifies a key governance risk: entitlements managed by users whose accounts are inactive. This report helps ensure that all access rights have active oversight and helps reassign ownership to maintain security and accountability.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Entitlements with inactive owners.
In the Run Report tab, select the Application Name from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Application Name`	Name of the application where the entitlement is defined.
`Display Name`	User-friendly name of the entitlement.
`Entitlement Owner`	Inactive user or group assigned as the owner.
`Description`	Brief explanation of what access the entitlement provides.
`Entitlement Type`	Classification or category of the entitlement.
`Parent Entitlement`	Name of the parent entitlement if this is a nested entitlement.
`Requestable`	Indicates if users can request this entitlement.

Application Name

Name of the application where the entitlement is defined.

Display Name

User-friendly name of the entitlement.

Entitlement Owner

Inactive user or group assigned as the owner.

Description

Brief explanation of what access the entitlement provides.

Entitlement Type

Classification or category of the entitlement.

Parent Entitlement

Name of the parent entitlement if this is a nested entitlement.

Requestable

Indicates if users can request this entitlement.

Entitlements with no owners

The "Entitlements with no owners" report identifies a governance gap where entitlements lack an assigned owner. This report helps ensure that all access rights are properly managed and that there is clear accountability for each entitlement.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Entitlements with no owners.
In the Run Report tab, select the Application Name from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Application Name`	Name of the application where the entitlement is defined.
`Display Name`	User-friendly name of the entitlement.
`Entitlement Owner`	User or group responsible for managing the entitlement. This is blank for items in this report.
`Description`	Brief explanation of what access the entitlement provides.
`Entitlement Type`	Classification or category of the entitlement.
`Parent Entitlement`	Name of the parent entitlement if this is a nested entitlement.
`Requestable`	Indicates if users can request this entitlement.

Application Name

Name of the application where the entitlement is defined.

Display Name

User-friendly name of the entitlement.

Entitlement Owner

User or group responsible for managing the entitlement. This is blank for items in this report.

Description

Brief explanation of what access the entitlement provides.

Entitlement Type

Classification or category of the entitlement.

Parent Entitlement

Name of the parent entitlement if this is a nested entitlement.

Requestable

Indicates if users can request this entitlement.

Identity certification accounts

The "Identity certification accounts" report provides a detailed audit trail of certification decisions made for user accounts during a campaign. This report helps administrators and compliance managers verify that account access is regularly reviewed and that all decisions are documented.

Steps

To locate a campaign ID:
1. In the Advanced Identity Cloud admin console, go to Governance > Certification.
2. Click the Campaigns tab.
3. Select an entitlement certification from the list.
4. In the URL, copy the campaign ID.
In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Identity certification accounts.
In the Run Report tab, enter the Campaign ID.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign ID`	Unique identifier for the certification campaign.
`Account Name`	Name of the account being reviewed.
`Type`	Type of certification being performed.
`Application Name`	Name of the application where the account exists.
`Username`	Login name of the user associated with the account.
`Completed By`	User who completed the review item.
`Completion Date`	Date and time the review item was completed.
`Decision`	Action taken during the review (for example, `Certify`, `Revoke`).
`Decision By`	User who made the final decision.
`Last Certified By`	User who made the decision in the previous certification cycle.
`Last Certified Decision`	Decision from the previous certification cycle.
`Last Certified On`	Date and time of the last certification decision.
`Primary Reviewer`	User responsible for reviewing and making a decision on the account access.
`Reviewer Type`	Type of reviewer assigned (for example, `User`, `Manager`, `Owner`).
`Remediation Date`	Date and time any remediation action was completed.
`Remediation Status`	Current status of the remediation action (for example, `complete`, `pending`).

Campaign ID

Unique identifier for the certification campaign.

Account Name

Name of the account being reviewed.

Type

Type of certification being performed.

Application Name

Name of the application where the account exists.

Username

Completed By

User who completed the review item.

Completion Date

Date and time the review item was completed.

Decision

Action taken during the review (for example, Certify, Revoke).

Decision By

User who made the final decision.

Last Certified By

User who made the decision in the previous certification cycle.

Last Certified Decision

Decision from the previous certification cycle.

Last Certified On

Date and time of the last certification decision.

Primary Reviewer

User responsible for reviewing and making a decision on the account access.

Reviewer Type

Type of reviewer assigned (for example, User, Manager, Owner).

Remediation Date

Date and time any remediation action was completed.

Remediation Status

Current status of the remediation action (for example, complete, pending).

Identity certification entitlements

The "Identity certification entitlements" report provides a detailed list of decisions made for user entitlements during a specific certification campaign. This report helps administrators and compliance managers verify that entitlement assignments are regularly reviewed and that all decisions are documented for compliance.

Steps

To locate a campaign ID:
1. In the Advanced Identity Cloud admin console, go to Governance > Certification.
2. Click the Campaigns tab.
3. Select an entitlement certification from the list.
4. In the URL, copy the campaign ID.
In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Identity certification entitlements.
In the Run Report tab, enter the Campaign ID.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign ID`	Unique identifier for the certification campaign.
`Campaign Name`	Name of the certification campaign.
`Application Name`	Name of the application associated with the entitlement.
`Account Display Name`	Display name of the account being reviewed.
`Entitlement Display Name`	User-friendly name of the entitlement under review.
`Entitlement Description`	Brief explanation of the entitlement’s purpose.
`Username`	Login name of the user whose access is being certified.
`First Name`	First name of the user.
`Last Name`	Last name of the user.
`Primary Reviewer`	User responsible for reviewing and making a decision on the access.
`Confidence Score`	Score indicating the confidence level that the access is appropriate.
`Provisioning Method`	Method by which the entitlement was granted (for example, `recon`).
`Remediation Status`	Current status of any remediation actions taken (for example, `complete`, `pending`).
`Decision`	Action taken during the review (for example, `certify`, `revoke`).
`Decision By`	User who made the final decision.
`Comments`	Any comments or justifications provided during the review.
`Decision Date`	Date and time the decision was recorded.

Campaign ID

Unique identifier for the certification campaign.

Campaign Name

Name of the certification campaign.

Application Name

Name of the application associated with the entitlement.

Account Display Name

Display name of the account being reviewed.

Entitlement Display Name

User-friendly name of the entitlement under review.

Entitlement Description

Brief explanation of the entitlement’s purpose.

Username

First Name

First name of the user.

Last Name

Last name of the user.

Primary Reviewer

User responsible for reviewing and making a decision on the access.

Confidence Score

Score indicating the confidence level that the access is appropriate.

Provisioning Method

Method by which the entitlement was granted (for example, recon).

Remediation Status

Current status of any remediation actions taken (for example, complete, pending).

Decision

Action taken during the review (for example, certify, revoke).

Decision By

User who made the final decision.

Comments

Any comments or justifications provided during the review.

Decision Date

Date and time the decision was recorded.

Identity certification role memberships

The "Identity certification role memberships" report provides a detailed audit log of decisions made for user role memberships during a specific certification campaign. This report helps administrators and compliance managers verify that role assignments are regularly reviewed and that all decisions are documented for compliance.

Steps

To locate a campaign ID:
1. In the Advanced Identity Cloud admin console, go to Governance > Certification.
2. Click the Campaigns tab.
3. Select an entitlement certification from the list.
4. In the URL, copy the campaign ID.
In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Identity certification role memberships.
In the Run Report tab, enter the Campaign ID.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign ID`	Unique identifier for the certification campaign.
`Campaign Name`	Name of the certification campaign.
`Role Name`	Name of the role being reviewed.
`Description`	Brief explanation of the role’s purpose.
`Username`	Login name of the user whose role membership is being certified.
`First Name`	First name of the user.
`Last Name`	Last name of the user.
`Membership type`	How the user was assigned to the role (for example, `direct` or `indirect`).
`Primary Reviewer Name`	User responsible for reviewing and making a decision on the role membership.
`Decision`	Action taken during the review (for example, `Certify`, `Revoke`).
`Decision By`	User who made the final decision.
`Decision Comments`	Any comments or justifications provided during the review.
`Decision Date`	Date and time the decision was recorded.
`Last Certified By`	User who made the decision in the previous certification cycle.
`Last Certified Decision`	Decision from the previous certification cycle.
`Last Certified On`	Date and time of the last certification decision.

Campaign ID

Unique identifier for the certification campaign.

Campaign Name

Name of the certification campaign.

Role Name

Name of the role being reviewed.

Description

Brief explanation of the role’s purpose.

Username

First Name

First name of the user.

Last Name

Last name of the user.

Membership type

How the user was assigned to the role (for example, direct or indirect).

Primary Reviewer Name

User responsible for reviewing and making a decision on the role membership.

Decision

Action taken during the review (for example, Certify, Revoke).

Decision By

User who made the final decision.

Decision Comments

Any comments or justifications provided during the review.

Decision Date

Date and time the decision was recorded.

Last Certified By

User who made the decision in the previous certification cycle.

Last Certified Decision

Decision from the previous certification cycle.

Last Certified On

Date and time of the last certification decision.

Orphan accounts

The "Orphan accounts" report identifies user accounts within applications that are no longer linked to a known identity in the system. This report helps administrators find and remediate these unmanaged accounts, which can pose a security risk.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Orphan accounts.
In the Run Report tab, select the Application Name from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Application Name`	Name of the application where the orphan account exists.
`Application Owner`	User responsible for managing the application.
`Requestable`	Indicates if access to the application can be requested.
`Display Name`	Full name associated with the orphan account.
`Username`	Login name for the orphan account within the application.
`Account Type`	Type of account (for example, `user` or `service`).
`Account Sub Type`	More specific classification of the account type.
`Creation Date`	Date and time the account was created.
`Update Date`	Date and time the account was last modified.
`Last Certification Decision`	Most recent decision made during an access certification campaign for this account.
`Decision By`	User who made the last certification decision.
`Decision Date`	Date and time of the last certification decision.
`Active`	Indicates if the account is currently active or disabled.
`Is Privileged`	Indicates if the account has elevated or administrative privileges.
`Last Successful Login`	Date and time of the last successful login to the account.
`Last Password Change`	Date and time the account’s password was last changed.

Application Name

Name of the application where the orphan account exists.

Application Owner

User responsible for managing the application.

Requestable

Indicates if access to the application can be requested.

Display Name

Full name associated with the orphan account.

Username

Account Type

Type of account (for example, user or service).

Account Sub Type

More specific classification of the account type.

Creation Date

Date and time the account was created.

Update Date

Date and time the account was last modified.

Last Certification Decision

Most recent decision made during an access certification campaign for this account.

Decision By

User who made the last certification decision.

Decision Date

Date and time of the last certification decision.

Active

Indicates if the account is currently active or disabled.

Is Privileged

Indicates if the account has elevated or administrative privileges.

Last Successful Login

Date and time of the last successful login to the account.

Last Password Change

Date and time the account’s password was last changed.

Request tasks

The "Request tasks" report provides a detailed breakdown of individual tasks associated with access requests, such as approvals. This report helps administrators track the progress of a request, identify bottlenecks, and audit the decision-making process for each step.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Request tasks.
In the Run Report tab, select a request type from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Request ID`	Unique identifier for the parent access request.
`Requester`	User who initiated the original request.
`Request Type`	Type of access being requested.
`Requested For`	User for whom the access was requested.
`Requested Item`	Specific entitlement or role being requested.
`Approver`	User assigned to approve or deny this specific task.
`Decision`	Action taken on the task (for example, `Approved`, `Denied`).
`Decision Date`	Date and time the decision was made for this task.
`Completed By`	User who completed this task.
`Request Outcome`	Final result of the overall access request (for example, `Provisioned`, `Denied`).
`Request Decision`	Overall decision made on the entire access request.
`Task Type`	Type of task being performed (for example, `Approval`).
`Task Status`	Current state of the individual task (for example, `In Progress`, `Complete`).
`Comments`	Any comments or justifications provided for the task.
`Comment By`	User who added the comment.
`Commented On`	Date and time the comment was added.

Request ID

Unique identifier for the parent access request.

Requester

User who initiated the original request.

Request Type

Type of access being requested.

Requested For

User for whom the access was requested.

Requested Item

Specific entitlement or role being requested.

Approver

User assigned to approve or deny this specific task.

Decision

Action taken on the task (for example, Approved, Denied).

Decision Date

Date and time the decision was made for this task.

Completed By

User who completed this task.

Request Outcome

Final result of the overall access request (for example, Provisioned, Denied).

Request Decision

Overall decision made on the entire access request.

Task Type

Type of task being performed (for example, Approval).

Task Status

Current state of the individual task (for example, In Progress, Complete).

Comments

Any comments or justifications provided for the task.

Comment By

User who added the comment.

Commented On

Date and time the comment was added.

Role entitlement details

The "Role entitlement details" report provides a granular breakdown of the entitlements that constitute a specific role. This report helps administrators and role owners understand the exact permissions granted by a role, verify its composition, and ensure it aligns with the principle of least privilege.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Role entitlement details.
In the Run Report tab, enter a Role Name.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Role Name`	Name of the role being examined.
`Description`	Brief explanation of the role’s purpose.
`Temporal Constraints`	Any time-based restrictions applied to the role’s activation.
`Condition`	Specific conditions or rules that must be met for the role to be active.
`Requestable`	Indicates if users can request this role.
`Role Owner`	User or group responsible for managing the role.
`Entitlement Display Name`	User-friendly name of an entitlement included in the role.
`Entitlement Description`	Brief explanation of what access the entitlement provides.
`Application Name`	Name of the application where the entitlement is defined.

Role Name

Name of the role being examined.

Description

Brief explanation of the role’s purpose.

Temporal Constraints

Any time-based restrictions applied to the role’s activation.

Condition

Specific conditions or rules that must be met for the role to be active.

Requestable

Indicates if users can request this role.

Role Owner

User or group responsible for managing the role.

Entitlement Display Name

User-friendly name of an entitlement included in the role.

Entitlement Description

Brief explanation of what access the entitlement provides.

Application Name

Name of the application where the entitlement is defined.

Role membership certification

The "Role membership certification" report provides a detailed list of decisions made for user role memberships during a specific certification campaign. This report helps administrators and compliance managers verify that role assignments are regularly reviewed and that all decisions are documented for compliance.

Steps

To locate a campaign ID:
1. In the Advanced Identity Cloud admin console, go to Governance > Certification.
2. Click the Campaigns tab.
3. Select an entitlement certification from the list.
4. In the URL, copy the campaign ID.
In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Role membership certification.
In the Run Report tab, enter the Campaign ID.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Campaign ID`	Unique identifier for the certification campaign.
`Role Name`	Name of the role being reviewed.
`Role Owner`	User or group responsible for managing the role.
`Requestable`	Indicates if users can request this role.
`Description`	Brief explanation of the role’s purpose.
`Username`	Login name of the user whose role membership is being certified.
`Membership Type`	How the user was assigned to the role (for example, `direct` or `indirect`).
`Confidence Score`	Score indicating the confidence level that the access is appropriate.
`Primary Reviewer`	User responsible for reviewing and making a decision on the role membership.
`Decision`	Action taken during the review (for example, `Certify`, `Revoke`).
`Decision By`	User who made the final decision.
`Decision Date`	Date and time the decision was recorded.
`Last Certified By`	User who made the decision in the previous certification cycle.
`Last Certified Decision`	Decision from the previous certification cycle.
`Last Certified On`	Date and time of the last certification decision.
`Provisioning Method`	Method by which the role membership was granted.
`Remediation Date`	Date and time any remediation action was completed.
`Remediation Status`	Current status of the remediation action (for example, `complete`, `pending`).

Campaign ID

Unique identifier for the certification campaign.

Role Name

Name of the role being reviewed.

Role Owner

User or group responsible for managing the role.

Requestable

Indicates if users can request this role.

Description

Brief explanation of the role’s purpose.

Username

Membership Type

How the user was assigned to the role (for example, direct or indirect).

Confidence Score

Score indicating the confidence level that the access is appropriate.

Primary Reviewer

User responsible for reviewing and making a decision on the role membership.

Decision

Action taken during the review (for example, Certify, Revoke).

Decision By

User who made the final decision.

Decision Date

Date and time the decision was recorded.

Last Certified By

User who made the decision in the previous certification cycle.

Last Certified Decision

Decision from the previous certification cycle.

Last Certified On

Date and time of the last certification decision.

Provisioning Method

Method by which the role membership was granted.

Remediation Date

Date and time any remediation action was completed.

Remediation Status

Current status of the remediation action (for example, complete, pending).

Role membership with decision details

The "Role membership with decision details" provides a comprehensive view of who is a member of a specific role. The report includes the latest certification decision for that membership and helps administrators and auditors verify role compositions and review historical access decisions.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Role membership with decision details.
In the Run Report tab, select the Role Name from the list.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Role Name`	Name of the role being examined.
`Name`	Display name of the role.
`Description`	Brief explanation of the role’s purpose.
`Requestable`	Indicates if users can request this role.
`Role Owner`	User or group responsible for managing the role.
`Member Username`	Login name of the user who is a member of the role.
`Member Email`	Email address of the role member.
`Member First Name`	First name of the role member.
`Member Last Name`	Last name of the role member.
`Provisioning Method`	Method by which the role membership was granted.
`Decision`	Last action taken during a review (for example, `Certify`, `Revoke`).
`Decision By`	User who made the last decision.
`Last Certified`	Date and time of the last certification decision.
`Decision Date`	Date and time the last decision was recorded.

Role Name

Name of the role being examined.

Name

Display name of the role.

Description

Brief explanation of the role’s purpose.

Requestable

Indicates if users can request this role.

Role Owner

User or group responsible for managing the role.

Member Username

Member Email

Email address of the role member.

Member First Name

First name of the role member.

Member Last Name

Last name of the role member.

Provisioning Method

Method by which the role membership was granted.

Decision

Last action taken during a review (for example, Certify, Revoke).

Decision By

User who made the last decision.

Last Certified

Date and time of the last certification decision.

Decision Date

Date and time the last decision was recorded.

Roles with no owners

The "Roles with no owners" report identifies a governance gap where roles lack an assigned owner. This report helps ensure that all roles are properly managed and that there is clear accountability for each one.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Roles with no owners.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Name`	Name of the role that does not have an owner.
`Description`	Brief explanation of the role’s purpose.
`Requestable`	Indicates if users can request this role.

Name

Name of the role that does not have an owner.

Description

Brief explanation of the role’s purpose.

Requestable

Indicates if users can request this role.

Users with no or inactive managers

The "Users with no or inactive managers" report identifies users whose managers are either not assigned or are marked as inactive in the system. This report helps maintain data integrity and ensures that approval workflows and certification campaigns can be correctly routed.

Steps

In the Advanced Identity Cloud admin console, go to Reports.
In the list of reports, find and select Users with no or inactive managers.
Click Run Report to generate the report.
Click View Report to open it.

Report reference

Details

Field Description

Field	Description
`Username`	Login name of the user with no manager or an inactive manager.
`First Name`	First name of the user.
`Last Name`	Last name of the user.
`Email Address`	Email address of the user.

Username

First Name

First name of the user.

Last Name

Last name of the user.

Email Address

Email address of the user.

PingOne Advanced Identity Cloud

Identity Governance reports

Available reports

Account certification

Steps

Report reference

All campaign summary

Steps

Report reference

All requests

Steps

Report reference

Application accounts

Steps

Report reference

Application entitlements

Steps

Report reference

Entitlement assignment certification

Steps

Report reference

Entitlement grants

Steps

Report reference

Entitlements with inactive owners

Steps

Report reference

Entitlements with no owners

Steps

Report reference

Identity certification accounts

Steps

Report reference

Identity certification entitlements

Steps

Report reference

Identity certification role memberships

Steps

Report reference

Orphan accounts

Steps

Report reference

Request tasks

Steps

Report reference

Role entitlement details

Steps

Report reference

Role membership certification

Steps

Report reference

Role membership with decision details

Steps

Report reference

Roles with no owners

Steps

Report reference

Users with no or inactive managers

Steps

Report reference