[Please include this documentation in any future board manager user manual.] Last updated: March 24, 2015 by Alan Meyer BOARD MEMBER LOGIN ATTEMPTS =========================== The "Board Member Login Attempts" report is available from the "Board Management" section of the "Reports" page in EBMS: Reports > Board Management Reports > Board Member Login Attempts It provides information about NCI EDIR logins for board members and can be used for tracking logins and for identifying users that are having problems logging in. To run the report, make any changes to the default input parameters and click "Submit". INPUTS ====== The input parameters are: LOGIN ATTEMPT DATES (INCLUSIVE) A user enters two dates. For example, to see just the month of February, 2015, enter: 2015-02-01 - 2015-02-28 The defaults are the first and last days for which data is available in the table containing login records. Data Availability Note: The system was originally configured to keep only the most recent 1,000 entries in the "watchdog" log table that includes login information. In production that amounted to about 2 weeks of data. We have changed it to keep 100,000 entries, which, at the current rate of usage, works out to about two years worth of data. If the report is useful, we might want to increase that. Login information is available from the following dates: DEV: 2014-12-17 PROD: 2015-02-12 The DEV database was created from PROD and some of the earlier data there actually provides accurate information for PROD logins. INCLUDE MEMBER DETAILS This controls whether a detailed report by board member name is included. A user selects one of three radio buttons to choose: No output details. Details for just those NCI EDIR authenticated board members who had at least one failed login attempt during the period. Details for all board members, whether or not they use NCI EDIR authentication and whether or not they had a login failure. See below for a fuller explanation of these different outputs. The default is "None", no output details. If a user clicks "Submit" the screen re-displays showing the selected input parameters at the top and the report output beneath that is generated from that input. If a user clicks "Reset", the default parameters are restored and any output present is deleted from the screen. OUTPUTS ======= The report output has two sections that always appear and one that optionally appears when requested. CURRENT BOARD MEMBER AND LOGIN INFO ----------------------------------- This is a one row table showing: The number of currently active board members. The total number of current NCI EDIR authentication users, including those who are not board members. The number of NCI EDIR authentication users who are board members. MONTHLY LOGIN ATTEMPT BREAKDOWN ------------------------------- This table contains one row for each month. Here is the interpretation of the columns: MONTH: The year and month for the table row. The starting and ending month in the report will be incomplete if the starting date is not the first day of a month or the ending date is not the last day of a month. For example, for a report with the following parameters: 2014-12-17 - 20-15-03-24 The actual rows of the report will show results for: 2014 Dec = 2014-12-17 through 2014-12-31 2015 Jan = 2015-01-01 through 2015-01-31 2015 Feb = 2015-02-01 through 2015-02-28 2015 Mar = 2015-03-01 through 2015-03-24 SUCCESSES: This is the total number of successful login attempts by board members using NCI EDIR for authorization control for the covered month. No other logins are counted. SSO and local user logins are not counted We do NOT check the user's active status. If a login is successful then, ipso facto, the user was active at the time of the login, even if he or she is currently inactive. FAILED MEMBERS: These are failed login attempts by board members who use NCI EDIR. Discovery of this number was complicated. If a login attempt fails, there is no unique user ID available to record in the log files because the user ID is only available if the login is successful. But we have recorded the name that a user entered and we compare this name, case insensitively, against the names of known users. If there is a match with the name of a user who is a known board member, we count this as a "failed member" login attempt. Again, we do not check the user's status. FAILED UNKNOWN: These are failed login attempts by someone whose name was not resolved by checking the names we have recorded for users. A human might easily figure out who these people were (see the "Detailed" report description below), but the program did not. A hypothetical example of such a failed board member login that a human could resolve could be: "jdoe", probably, but not necessarily entered by board member "John Doe". Some of these failed logins have names that probably don't belong to a board member. Examples are: "Alan Meyer" "alan@mail.nih.gov" "nih/alan" "nih\alan" There was no match on any of those in the users table. The real user name for that person is "alan", who is not a board member. The "failed unknown" category does not include users who failed a login but were recognized users - just not board members. As a hypothetical example: "Harry Smith" is a medical librarian user. He enters his user name but mistypes his password. In that case, the failed login attempt is ignored and does not appear anywhere in the report. DETAILED LOGIN ATTEMPT BREAKDOWN -------------------------------- This report only appears if the board manager checks something other than the default "None" in the "Include member details" radio buttons. The report has two flavors: "Only for login failures": This flavor has a row for every board member name in the "failed member" category of the report, and a row for every name in the "failed unknown" category of the monthly breakdown. If John Doe failed twice and succeeded once, his row shows one success and 2 failures. "Failed unknown" names will only show failure counts. We don't know their user IDs and so can't count their successes. However a human might figure out who they are and see if they were able to login successfully. "All login details": This flavor shows: All successful logins for all board members, whether they use NCI EDIR or not. Some may be using SSO or Drupal authentication. All failed logins for board members using NCI EDIR, as for the "Only for login failures" report. All failed logins by unknown names as for the "Only for login failures" report. One possible use of this report is just to see which board members are logging in to the system, and how often. Both flavors of the detailed breakdown have the following columns: MEMBER NAME* This is the name of the board member, or the unknown name if the name couldn't be resolved. An asterisk beside the name means that this user is a known board member. The only board member names included are names of known board members who are known to have tried to login. If a board member never logged in during the report period, he does not appear in this report. SUCCESSES: The number of successful logins during the period of the report. It will be 0 if the member did not login successfully but did fail at least once (otherwise he won't show on the report at all.) For the "All login details" flavor, the total count of successful logins (see the "TOTALS" row at the bottom of the table) may be higher than the total shown in the monthly report. That's because the detailed report is showing logins from all board members whereas the monthly report is only showing logins from NCI EDIR authentication users. LAST SUCCESS: The date of the last successful login during the report period. FAILURES: The number of failed login attempts. Remember that failed login attempts may appear in multiple rows if the user tried different user names ("Alan Meyer", "alan", "ameyer".) These are only NCI EDIR authentication users. LAST FAILURE: The date of the last failed login attempt. If this date is before the last successful login attempt, the user has probably solved his login problem. If it is after, or if there are no successful login attempts, he's probably still unable to login.