About Debug Pages

The Debug pages provide administrative functions, including advanced object editing capabilities for IdentityIQ system administrators, as well as a place to find detailed information about your IdentityIQ installation.

Debug pages include:

  • About – basic information about the IdentityIQ installation such as server host, the current IdentityIQ version and schema version, locale and time zone for the client, and an array of Java system properties.

  • Object – the most frequently used feature of the Debug pages, providing access to the XML representations of data and configuration objects in the IdentityIQ system

  • Memory – view the Free, Total, and Max JVM memory

  • Caches – five buttons for managing the Hibernate Caches

  • Count – count of objects by class

  • Beans – the Managed Beans page displays all JMX beans registered with the application server

  • Threads – view all Java threads and their current state; a good resource for diagnosing performance problems

  • Call Timings – statistics about the time taken to perform certain database activities

  • Logging – view or change the path to the Log4j properties file

  • Database – view basic database pooling information

  • Connections – see the connections from the database connection pool that the server is currently using

  • ActiveMQ Monitoring – view broker information, connectors, broker statistics, destinations, and subscriptions

See the Debug Pages Compass article for details about each page.

On Debug's Object Browser page, you can view and edit XML representations of data and configuration objects in the IdentityIQ system. The Debug pages also provide UI-based access to many of the actions you can run in the IdentityIQ console.

Debug pages are accessed via the wrench menu, if available, or through a hidden URL: http://[hostname:port]/[contextroot]/debug (for example, http://localhost:8080/identityiq/debug). They can only be used by those with the SystemAdministration capability. As of IdentityIQ version 8.4, users may be granted read-only access rights to view the Debug pages without taking actions or making changes. See Read-Only Access to Debug Pages and Administrative Information.

For more details about Debug, see Read-Only Access to Debug Pages, and the Debug Pages article on Compass.

Caution

There is no rollback mechanism for edits that are saved in the Debug pages. For this reason it is strongly recommended that you export an object (the process is described in the Debug Pages article on Compass), copy it, make changes to the copy, and then import the updated version, rather than editing objects directly in the Debug page.

Read-Only Access to Debug Pages and Administrative Information

System administrators may grant the capability Debug Pages Read Only Access to non-admin users. Those who are granted standard read-only access to IdentityIQ Debug pages are able to view not just the Object Browser, but also the other pages that have traditionally been reserved for system administrators, including About, Memory, Caches, Count, Beans, Threads, Call Timings, Logging, Database, Connections, and ActiveMQ Monitoring.

Read-only access allows users to see the XML code for configured objects. They can copy or download the XML, but cannot save changes or upload.

Many of the Debug pages have actionable options that are only enabled for those with system administrator capabilities. For those with read-only access, options such as Run Rules and Run Garbage Collector are present but disabled.

Important

Read-only access allows users to view all objects in the Object Browser; this may include some sensitive data. Keep this in mind when determining who should have access.

Configuring Fine-Grained Read-Only Debug Access

There are multiple individual rights that control fine-grained access. Your installation of IdentityIQ is configurable and administrators can group a subset of read-only debug rights into capabilities appropriate for your organization's needs. For example, if you have a DBA who only needs to see a subset of Debug items related to databases, then use the more fine-grained rights to create a custom capability.

Important

Read-only access allows users to view all objects in the Object Browser; this may include some sensitive data. Keep this in mind and consider configuring custom capabilities as needed.

See Rights and Capabilities for Identities.

View-only access to the Debug pages controls whether or not you can see the page – if users try to reach a page without having either system administrator capabilities or read-only access rights, they see an Access Denied message.

Useful When

Read-only access is useful when developers need to see IdentityIQ objects' XML in order to write custom code, troubleshoot, or debug without a system administrator partnering with them. They can open any object on the Object Browser.

Auditing Changes Made in the Debug Pages

When enabled, changes made on Debug pages may be audited. To enable logging, navigate to gear > Global Settings > Audit Configuration > General Actions and select the Debug Object Browser Change checkbox.

Audit items log the following information:

  • Date/time

  • Source – identity that made the change

  • Target – object class that was edited such as identity, bundle, configuration, etc.

The audit log does not detail what the changes were. Use your organization's internal versioning or tracking if you need to track the specific changes made.
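
Because an audit item records only the date, the source and the target class, the detail of an edit has to come from the exported XML, as in the export, copy, edit and import workflow recommended in the Caution above. The following is an added example, not SailPoint code, that compares the export taken before an edit with the edited copy; the sample objects and their keys are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed samples (not real IdentityIQ data): the object as exported
# before the edit, and the edited copy that is about to be imported.
BEFORE = """<Configuration name="ExampleConfig"><Attributes><Map>
  <entry key="sessionTimeout" value="30"/>
  <entry key="auditEnabled" value="true"/>
</Map></Attributes></Configuration>"""
AFTER = """<Configuration name="ExampleConfig"><Attributes><Map>
  <entry key="auditEnabled" value="true"/>
  <entry key="debugMode" value="true"/>
  <entry key="sessionTimeout" value="120"/>
</Map></Attributes></Configuration>"""


def flatten(xml_text):
    """Map a path for every attribute and text node to its value."""
    flat = {}

    def walk(elem, path):
        # Label elements by their key/name attribute so that reordered
        # <entry> elements do not show up as changes. Unlabelled siblings
        # with the same tag share a path (a limit of this short version).
        ident = elem.get("key") or elem.get("name")
        here = f"{path}/{elem.tag}" + (f"[{ident}]" if ident else "")
        for attr, value in elem.attrib.items():
            flat[f"{here}@{attr}"] = value
        if elem.text and elem.text.strip():
            flat[f"{here}#text"] = elem.text.strip()
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return flat


def diff_exports(before_xml, after_xml):
    """Return (kind, path, old, new) tuples, sorted by path."""
    old, new = flatten(before_xml), flatten(after_xml)
    changes = []
    for path in sorted(old.keys() | new.keys()):
        if path not in new:
            changes.append(("removed", path, old[path], None))
        elif path not in old:
            changes.append(("added", path, None, new[path]))
        elif old[path] != new[path]:
            changes.append(("changed", path, old[path], new[path]))
    return changes
```

Keeping the output of `diff_exports` next to the audit item's date and source gives a reviewer the "what" that the audit log leaves out.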

To view Debug changes:

  1. Navigate to Intelligence > Advanced Analytics.

  2. Select Audit from the Search Type dropdown.

  3. Under Search Criteria > Audit Attributes, select the Action dropdown, then select DebugObjectBrowserChange.

  4. Select the Run Search button.

  5. Audit results may be exported in PDF, CSV, or CEF format by selecting the corresponding button at the upper right side of the search results.
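
Once the search results are exported as CSV, each audited Debug edit can be reconciled against your own change tracking. The following is an added example, not SailPoint code: the column names, timestamp format and the tracking register are assumptions, and all sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of an exported audit search (CSV). Column names and the
# timestamp format are assumptions; match them to your real export.
AUDIT_CSV = """Date,Source,Action,Target
2024-03-04 10:15:00,spadmin,DebugObjectBrowserChange,Configuration
2024-03-04 23:40:00,spadmin,DebugObjectBrowserChange,Rule
2024-03-05 11:02:00,jdoe,DebugObjectBrowserChange,Identity
2024-03-05 11:05:00,jdoe,login,jdoe
"""

# Constructed change-tracking records (a hypothetical internal register):
# who planned to edit which object class, and when.
TRACKED = [
    {"editor": "spadmin", "target": "Configuration",
     "planned": "2024-03-04 10:00:00"},
]

FMT = "%Y-%m-%d %H:%M:%S"


def untracked_debug_edits(audit_csv, tracked, tolerance=timedelta(hours=1)):
    """Return audited Debug edits that have no matching tracking record."""
    unused = list(tracked)  # each record can account for one edit only
    findings = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["Action"] != "DebugObjectBrowserChange":
            continue
        when = datetime.strptime(row["Date"], FMT)
        match = next(
            (t for t in unused
             if t["editor"] == row["Source"] and t["target"] == row["Target"]
             and abs(when - datetime.strptime(t["planned"], FMT)) <= tolerance),
            None,
        )
        if match:
            unused.remove(match)
        else:
            findings.append((row["Date"], row["Source"], row["Target"]))
    return findings
```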