Using the Access History UI
To see the Access History UI, you need to have the right AccessHistoryViewIdentityHistory. The AccessHistoryExportIdentityHistory right additionally allows export of the selected Access History data.
- Navigate to Identities > Identity Access History.
- Search for and / or select an identity from the Identity List.
  a. The Identity List shows all identities by default. Use filters or search to narrow down the options.
  b. Display name and email are both shown for each identity so that in cases where there are duplicate display names, you can more easily select the one you want.
- Select a capture date. By default, the most recent capture is shown for the selected identity.
- View details in the Access Items cards, by Accounts, Entitlements, or Roles, and on the event timeline, which lists individual events affecting the identity from the capture date backwards to the beginning of Access History data capture.
  a. Select View Profile to view the identity attributes at the time of the capture. See View Profile.
  b. Select Export to export access items and / or events. See Export Access History.
Using the Identity List Search and Filters
Search allows you to find identities in the Access History database. When the search field and filter are blank, all identities are included in the identity list in alphabetical order.
- Select the filter icon next to the search field to open the Identity Filters panel.
- Filter By Identity, By Role, and / or By Entitlement. (The Entitlement filter includes only Managed Attributes.) Combine filters to more easily find what you need. For example, you might choose to search by both Identity and Role. Note that filtering on permissions is not supported.
  a. Select the dropdown arrows to select filter criteria options.
  b. For Identity, select from attributes that have been configured for your implementation, such as Manager, Is Manager (set the value to true or false), Is Active, and Identity Type.
  Note
  An identity is included in the filter results if the filter value has been true for that identity either now or at any time in the past since the beginning of Access History.
  c. For Role and Entitlement, use the three-way toggle to view All (all roles or entitlements the identity has ever had), Current (roles or entitlements that the identity currently has), or Previous (roles or entitlements that the identity previously had but does not have now).
  d. For Entitlements, first select the application, then the attribute, then the value.
- Select the Apply button to apply your selection(s) or the Clear button to clear values from the filter fields. You may also select Cancel to close the dialog without applying changes to the filters.
  Note
  If you have already applied filters, then reopen the filter dialog and make changes to those filters, Cancel will discard those changes but the existing filters will still apply.
—OR—
- In the search field, begin entering a name or email.
  a. The search and filter capabilities are a "starts with" incremental search in which suggested values are filtered in real time as letters are entered.
  b. Search by display name, first name, last name, or email. Select X to clear values from the search field.
  c. If nothing matches the value you enter, the identity list is empty.
  Note
  Because a person's name may change over time, you may search using any of their names and it will bring up all results associated with that historical identity. For example, a person's name of origin and their married or changed name may both appear in a list, but selecting either one displays information for the same identity.
- The Identity List displays all potential matches.
  a. At the bottom of the identity list, Of Total shows the total number of identities matching your entered criteria. Select Show Next 20 to display more matches.
- Select an identity to view its detailed information on the right side of the screen. Only one identity can be selected at a time.
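The three search semantics described above (an Identity attribute filter that matches if the value was ever true across the identity's history, the All / Current / Previous toggle for roles, and a "starts with" search that also matches historical names) are easy to misread when auditing who appears in a result list. The following is an added example, not SailPoint's code and not the product's data model: it models identity captures as plain Python objects with constructed sample data, and the class and function names (Capture, Identity, filter_identities, and so on) are assumptions chosen for illustration.

```python
# Added illustration of the Access History identity-list semantics described
# in the doc; constructed data and invented names, not IdentityIQ's own code.
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Capture:
    """One identity capture: attributes and roles as of a capture date."""
    captured: date
    attrs: dict                      # e.g. {"displayName": ..., "isManager": True}
    roles: set = field(default_factory=set)


@dataclass
class Identity:
    identity_id: str
    email: str
    captures: list                   # all captures for this identity, any order


def latest(identity):
    """The most recent capture is what the UI shows by default."""
    return max(identity.captures, key=lambda c: c.captured)


def attribute_ever_true(identity, attr):
    """Identity filter rule: match if the value is true now OR at any past capture."""
    return any(c.attrs.get(attr) is True for c in identity.captures)


def role_matches(identity, role, mode):
    """Three-way toggle: All (ever had), Current (has now), Previous (had, not now)."""
    ever = any(role in c.roles for c in identity.captures)
    now = role in latest(identity).roles
    if mode == "All":
        return ever
    if mode == "Current":
        return now
    if mode == "Previous":
        return ever and not now
    raise ValueError(f"unknown toggle mode: {mode}")


def starts_with_search(identity, text):
    """'Starts with' match on display / first / last name or email. Names from
    every capture are checked, so a former name still finds the same identity."""
    t = text.lower()
    if identity.email.lower().startswith(t):
        return True
    for c in identity.captures:
        for key in ("displayName", "firstName", "lastName"):
            if c.attrs.get(key, "").lower().startswith(t):
                return True
    return False


def filter_identities(identities, search="", attr_true=None, role=None, role_mode="All"):
    """Combine search and filters (AND); result is alphabetical like the Identity List."""
    out = []
    for ident in identities:
        if search and not starts_with_search(ident, search):
            continue
        if attr_true and not attribute_ever_true(ident, attr_true):
            continue
        if role and not role_matches(ident, role, role_mode):
            continue
        out.append(ident.identity_id)
    return sorted(out)


# Constructed sample: Alice changed her last name and lost both her manager
# flag and a role between captures; Bob has a single capture.
SAMPLE = [
    Identity("alice", "alice@example.com", [
        Capture(date(2023, 1, 5),
                {"displayName": "Alice Nguyen", "firstName": "Alice",
                 "lastName": "Nguyen", "isManager": True},
                {"Finance Approver"}),
        Capture(date(2024, 3, 2),
                {"displayName": "Alice Carter", "firstName": "Alice",
                 "lastName": "Carter", "isManager": False},
                {"Analyst"}),
    ]),
    Identity("bob", "bob@example.com", [
        Capture(date(2024, 1, 9),
                {"displayName": "Bob Stone", "firstName": "Bob",
                 "lastName": "Stone", "isManager": False},
                {"Analyst"}),
    ]),
]

if __name__ == "__main__":
    print("Is Manager (ever):", filter_identities(SAMPLE, attr_true="isManager"))
    print("Finance Approver, Previous:",
          filter_identities(SAMPLE, role="Finance Approver", role_mode="Previous"))
    print("Search 'Nguy':", filter_identities(SAMPLE, search="Nguy"))
```

The point to keep in mind when reading a filtered list: an identity returned by the Is Manager filter is not necessarily a manager today, and a Previous role match means the identity no longer holds that role in the latest capture.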
Selecting a Capture Date
Choose a date on the calendar or timeline for the selected identity to view data about a specific identity capture.
Use the timeline carousel to select an access change event.
- Use the toggle above the timeline to scroll by month or day.
- Use the capture selector or the arrows to the right and left of the timeline to scroll chronologically backwards and forwards.
  a. The capture selector above the Month / Day toggle navigates backwards and forwards one capture at a time.
  b. The arrows to the right and left of the timeline scroll backwards or forwards one week when in Day mode or one year when in Month mode.
- Select a date on the carousel to see information about a specific identity capture.
  a. The filled blue dot indicates the day or month of the currently selected capture.
  b. Empty circles indicate one or more captures on that day. Select the circle to see a list and select a specific capture.
  c. Gray dots indicate that there was no identity capture on that day; that date cannot be selected.
Alternatively, you can use the date field or date picker to see an identity's state on a given date.
- Enter a date in the date field or select the calendar icon on the upper right side of the timeline to open the date picker.
  a. Select a date from the calendar. A dot under a calendar date indicates that there are captures for that date.
  b. The selected date displays next to the calendar icon.
- If there was an access change on the selected date, the latest capture data for that date is shown.
- If there was no access change on the selected date, a pop-up message states that no capture events occurred on this date and asks if you want to view the closest prior capture.
  a. Select Yes to view information for the closest prior capture.
  b. Select No to dismiss the pop-up message.
When a date is selected either on the date carousel or using the date picker, the Access Items tiles and Event Timeline below update to show data for the selected identity on the selected date. A timestamp above the date carousel displays the capture date for the information displayed below.
Access Items Tiles
The Access Items panel displays tiles with the identity's counts of Total Access Items, Accounts, Entitlements, and Roles. Selecting the Accounts, Entitlements, or Roles tile displays a table with more information about items of that type. To close the detail table, select Go back to event timeline.
Use the Search field above the Entitlements and Roles tables to search items in each table. Search results include matches in any column. To clear the search, select Clear Search next to the search field.
For Entitlements, you can select the Show only additional entitlements checkbox to filter out entitlements that were gained because of role assignments.
Table columns may be configured from the options below. Those marked with an asterisk are sortable.
Accounts:
- Application *
- Account ID *
- Status (Active / Locked / Disabled)
Roles:
- Name *
- Description
- Classifications (multivalued; select the icon to see the classifications list)
- Elevated access (Boolean)
- Assigned by (identity)
- Allowed by (role)
- Acquired (assigned / detected)
- Role type (business, IT, etc.)
- Application (multivalued)
- Account name (multivalued)
Note
Blue icons indicate elevated access. If a Role has a start and / or end date, it displays here.
Entitlements:
- Attribute *
- Entitlement (value)
- Classifications (multivalued)
- Elevated access (Boolean)
- Application *
- Account name
Note
Red triangle icons indicate that an entitlement has been disconnected. If an Entitlement has a start and / or end date, it displays here.
Event Timeline
The event timeline lets you scroll through a reverse chronological list of all changes to access that occurred up to and including the selected capture date and time. There are also governance event cards for added or removed entitlements, roles, or identity attributes with additional information about what caused the access or identity attribute change.
The most recent 20 events are displayed. Select the Show Next 20 button to see more.
List elements include:
- Event icon: a green + indicates an add, a red - indicates a remove, a blue gavel indicates a governance event, and left / right arrows indicate an identity status change, identity attribute change, or account attribute change.
- Event type. Types of events include:
  - Changed account
  - Added account
  - Removed account
  - Removed entitlement
  - Added entitlement
  - Removed detected role
  - Added detected role
  - Removed assigned role
  - Added assigned role
  - Changed identity
  - Changed identity status
  - Deleted identity
  - Discovered identity
  - Governance event (Access Request, Certification, or Policy Violation)
  - Mitigated policy violation
- Event timestamp: the date and time the event was recorded in the Access History database.
- Type-specific fields or details: configure columns to select which type-specific fields you want to display.
Event Timeline Timestamp
The timestamp on an event in the Event Timeline is the date and time that the Access History task was launched; that task fetched the objects that led to event detection. It is not the date and time that the event itself occurred. Therefore, events in the Access History database may carry a later date and time than the moment at which the access change occurred in IdentityIQ. See Setting Up Access History Task.
Note
Not every object captured in the Access History database results in a new identity capture being created. Changes to objects in the IdentityIQ database other than identity objects (for example, changes to existing Accounts, Roles, or Entitlements that affect the identity) do NOT trigger a new capture. However, when a new capture is triggered by a change to the Identity, such as an added or removed Entitlement or Role or a change to an identity attribute, the events for changes to the non-identity objects are included in that capture.
Therefore, it is possible to retrieve the latest capture for an identity in Access History and find that some related events (the ones that do not by themselves trigger a capture) are not yet included, because those events were recorded after the latest identity capture was created.
This is a transitory situation, and no events are lost: they appear when the next identity capture is generated. It is also possible that even recent identity-related changes are not included in the latest capture, if the Dispatch Access History task has not been run since they occurred.
Filtering Events
Select the filter icon at the upper right side of the event timeline to filter events by:
- Access Items (Accounts, Entitlements, Roles). Use the three-way toggle to indicate whether you want to view All, Added, or Removed access items.
- Governance Events (Access Requests, Certifications, Policy Violations)
- Other Events (Identity Attribute Changes, Identity Status Changes, Account Attribute Changes)
Select the Apply button to apply your selection(s) or the Clear button to clear values from the search fields. You may also select Cancel to close the dialog without applying changes to the filters.
Note
If you have already applied filters, then reopen the filter dialog and make changes to those filters, Cancel will discard those changes but the existing filters will still apply.
View Profile
Select the View Profile button at the upper right side of the screen to see identity attributes for a selected identity as of the selected capture date, such as email, type, cost center, employee ID, department, job title, location, region, region owner, and location owner.
If you want View Profile to include extended attributes that your organization has configured, be sure to specify these in the Object configuration. See Configuring Data Extraction.
Export Access History
Export Access History results to a CSV file for each type of item exported. The files are zipped together in a file whose name includes the identity name and date of the capture.
- In Access History, select the identity for which you want to export information.
- Select the Export button.
- In the Create Export File window, select the Access Item types you would like to export, for example Accounts, Entitlements, or Roles.
  Note
  The Search features in the Entitlement and Roles tables do not operate as filters for the Export feature. The entire table is exported when the user requests an export, regardless of whether search has been used to filter the Entitlements or Roles table.
- Decide whether you also want to export the contents of the Event Timeline and select Yes or No.
  Note
  If you have filtered the Event Timeline, only the filtered events are exported. A warning is shown telling you how many events will be exported.
- Select Generate.
- A zip file containing all of the exported CSV files can be found in your downloads.
Running Access History from the IdentityIQ Console
If you want to run the IdentityIQ console in standalone mode (without starting the application server), you can execute Access History commands from the console.
Console Commands that do not Support Access History
The following console commands do not support Access History objects:
- checkin
- delete
- rollback
- rename
- import
- lock
- unlock