Many organizations use Oracle Access Governance to strengthen access controls and streamline identity governance processes. As these programs mature, teams often need custom reporting—to support audits, create executive dashboards, retain historical records for longer periods, and analyze identity and account trends over time.

To address these needs, this blog introduces a reference architecture for Oracle Access Governance custom reporting using AG’s Event Data Publisher to export data and feed a downstream reporting pipeline.

Architecture:  Oracle Access Governance Custom Reports

In AG, there are a variety of data components, including Identity, Identity Collection, Policies, and Resources, among others.  The Data Feed Event Publishing functionality of AG receives inputs from these data components and publishes them to OCI Buckets and OCI Streams.

Day 0 (initial export): Day 0 is the initial event export. On Day 0, theData Feed event publisher exports a complete snapshot of the data components available for publishing in Oracle Access Governance to the OCI Bucket as JSONL files.

After Day 0 (incremental updates): Subsequent updates are published in real time either to OCI Streams or to OCI Buckets, depending on the file size (OCI Streams for < 1 MB, OCI Buckets for > 1 MB).

The architecture described below supports two delivery paths:

  • Object Storage–based delivery: In Oracle Cloud Infrastructure, configure an Object Created event filter for the Object Storage Service so that whenever a new file is created, the event is published to an OCI Stream. A consumer application reads an event from the stream and triggers a parser. The parser then reads and parses JSONL files from the OCI Bucket and sends the updates to the database.
  • Streaming-based delivery: Build a consumer using Kafka APIs to read and parse Base64-encoded JSON data from OCI Streaming and write the corresponding updates to the database.

Kafka Consumers can be deployed as a service on pods running on OCI Kubernetes Engine (OKE).  An analytics platform such as Oracle Analytics Cloud (OAC) can then be used to create reports and dashboards using data from the database.

A reference architecture for AG custom reporting is shown in the diagram below:

Event Data Publisher configuration in Oracle Access Governance

The steps to configure the event data publisher in AG can be referred from here:  Configure Event Data Publisher in Oracle Access Governance

Key benefits of the proposed approach

  • Data filtering: The parser triggered by the consumer application can also invoke a stored procedure to filter the data published on OCI Bucket.  For instance, if we use AG’s Data feed functionality to republish a complete snapshot of the data components, the stored procedure can be designed to identify and ignore any duplicate data before sending any updates to the database.
  • Scalability and Performance:  OKE’s autoscaling features enable seamless adjustment of pod capacity hosting consumer applications, dynamically scaling them up or down in response to varying demand.
  • Efficiency and Data Resilience: Kafka consumers can commit offsets only after successful database writes to support reliable processing. Stream retention enables replay for fast recovery.
  • Audit Reports:  To meet audit requirements, audit reports can be generated using data published on a database that includes a variety of AG data components.

Oracle Access Governance Reports

The following reports can be created using the Identity-related tables populated in the database:

  • Identity Creation: The report to display the identities created within a specific date range along with their complete details.
  • Identity Profile History: The audit tables can be utilized to generate this report, which displays the history of the identity profile.
  • Identity Summary: The report to display all the identities and their details.
  • Identity based on Status: The report to display all the identities based on their AG status.
  • Identity Account Summary: The report to display the orchestrated identity objects associated with the identities.

The same approach can be applied to other AG data components (for example, policies and resources) to build additional reports.

Summary

Oracle Access Governance’s Event Data Publisher can be used as a building block for custom reporting by exporting governance data to OCI Object Storage and OCI Streaming. Using the reference architecture described in this blog—Day 0 snapshot export followed by incremental updates—teams can populate a downstream database and create dashboards and reports.