How Access History Works

History events related to Access History objects are constructed and published to the history writer API through a scheduled event or ad hoc service. You can configure how frequently Access History runs, but the default is once per day.

The Dispatch Access History task determines which objects to extract from IdentityIQ: those that haven't been captured previously or that have changed significantly since the last time Access History was executed.

NOTE: The initial run of Dispatch Access History extracts all identity and related objects, and it can take a long time to execute. Subsequent runs of Dispatch Access History are faster because only changed or new objects are extracted and processed.

Each extracted object describes all of the information about a single IdentityIQ access history object (e.g., identity, role, or account). An extracted object can also reference other objects. The extracted objects are formatted into JSON and enqueued to the Access History writer service.

The writer service processes the JSON objects and persists the information into the tables of the access history database, which is used specifically by the Access History user interface (UI).

The Access History UI lets you search the access history database. There are also APIs that the UI can use to query against the database, processing Identity, Role, Identity Entitlements, Certifications, Identity Requests, Managed Attributes, Capabilities, Accounts, Workgroups, and Policy Violations.

The system identifies duplicates so they are not processed twice and can distinguish between initial events and change events. Unchanged objects are not processed.
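The duplicate, initial-event and change-event handling described above can be pictured with the following added sketch, which is not IdentityIQ code. The digest comparison over canonical JSON, the `HistoryWriter` class and the JSON field names are all assumptions chosen for illustration; the page does not document how the product makes this decision.

```python
import hashlib
import json

def digest(obj):
    """SHA-256 over canonical JSON, so key order alone never looks like a change."""
    canonical = json.dumps(obj, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class HistoryWriter:
    """Hypothetical writer: remembers the last persisted digest per (type, id)."""

    def __init__(self):
        self.last_digest = {}  # (type, id) -> digest of last persisted state
        self.events = []       # persisted history events, in arrival order

    def process(self, message):
        obj = json.loads(message)
        key = (obj["type"], obj["id"])
        new = digest(obj)
        old = self.last_digest.get(key)
        if old == new:
            return "skipped"  # duplicate delivery or unchanged object
        kind = "initial" if old is None else "change"
        self.last_digest[key] = new
        self.events.append({"kind": kind, "key": key, "digest": new})
        return kind

# Constructed sample queue; field names are illustrative, not a product schema.
SAMPLE_QUEUE = [
    '{"type": "identity", "id": "jdoe", "entitlements": ["vpn"]}',
    '{"entitlements": ["vpn"], "id": "jdoe", "type": "identity"}',
    '{"type": "identity", "id": "jdoe", "entitlements": ["vpn", "db-admin"]}',
    '{"type": "role", "id": "r-finance", "members": ["jdoe"]}',
    '{"type": "identity", "id": "jdoe", "entitlements": ["vpn", "db-admin"]}',
]

def run_sample():
    writer = HistoryWriter()
    outcomes = [writer.process(m) for m in SAMPLE_QUEUE]
    return outcomes, writer.events

if __name__ == "__main__":
    outcomes, events = run_sample()
    for message, outcome in zip(SAMPLE_QUEUE, outcomes):
        print(f"{outcome:8} {message}")
    print(len(events), "events persisted")
```

In this sketch the second message is a re-delivery with reordered keys and the fifth repeats an already persisted state, so only three history events are written.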

Access History is disabled by default to allow you to configure it. To use this functionality, complete the following steps:

1. Setting Up Access History Database and Tables

2. Setting Up Access History Task

3. Scheduling the Access History Task

4. Configuring Access History