Audit Reports and Monitoring
Audit data is how you track everything that happens in your organization - from whether an aggregation finished, to the cause of an error, to the status of your sources. Nearly everything that happens in IdentityNow is tracked in audit reports and surfaced in various places throughout the interface. They can be downloaded, sent to auditors, and searched for specific events or patterns. You can even configure IdentityNow to send you notifications when certain components of your site have problems.
All audit data in IdentityNow is stored for 1 year, plus the current month. If you need to access older data, up to 5 years old, fill out the Audit History Request Form and submit it with a support ticket.
This document covers the types of information IdentityNow tracks and how to find it. Use the navigation on the right side of this page to help you find the information most relevant to you.
Audit Reports in Search
All IdentityNow audit activity can be found in Search. You can download several readily available audit reports or download a custom report by modifying your search query.
You can download the following default audit reports from Search:
- All Events - All activity that IdentityNow tracks in audit events.
- Access Request Activity - All activity related to access requests.
- Authentication Activity - Events related to any kind of authentication, including into IdentityNow and into apps.
- Password Changes - All password updates, including for apps, sources, and IdentityNow.
- Provisioning Activity - View a basic audit report of provisioning events.
- All Source Activity (Non-Provisioning) - All activity on all sources, not including provisioning activity.
You can learn more about these reports, the queries they use, and how to download them in Downloading Reports from the Search Interface.
Reporting in Suggested Searches
You can find several helpful search queries in IdentityNow's list of Suggested Searches. This list contains many searches, but some users might find the following searches helpful:
Suggested Search | Description |
All IdentityNow Admins | All org administrators in your IdentityNow site. |
Identities with Errors | All identities in your system that have errors. |
Identity Activity |
All activity performed by or on any identity in your site. To narrow this query to return activity from only one specific identity, change both instances of * with the name of the identity you want to search for. |
Inactive Identities with Active Accounts | All identities in your system that don't have access to IdentityNow, but can access to one or more source accounts. |
Source Activity |
All activity performed by or on any source in your site. To narrow this query to return activity from only one source, change the * to the name of the source you want to search for. |
Download the results of these queries using the same steps found in Downloading Reports from the Search Interface.
Activity on the Admin Dashboard
The admin dashboard contains at-a-glance information about recent activity in your site.
On the admin dashboard, you can view some of the following information, depending on what's included in your SailPoint SaaS platform:
Dashboard Widget | Screenshot |
System Components Status
| ![]() |
System Activity - This panel displays a subset of important events that have happened in your system over the last 7 days. The 5 most recent events are displayed by default. Select View All to view a complete list of events. These events may follow a different format than is displayed in Search. The times listed here reflect your browser's current settings. |
![]() |
Org Details - View basic metadata about your site. You can find out which features are active and the number of identities permitted for your organization in Global > System Settings > System Features. | ![]() |
To Do Tasks - Review a list of the manual provisioning tasks that are assigned to users in your org. Select View All for a complete list of incomplete manual provisioning tasks. | ![]() |
Password Resets - View a list of the password resets IdentityNow has performed in the last 7 days. You can also view an estimate of the financial savings generated for your organization by IdentityNow password resets. You can modify the amount saved per reset based on your company's internal metrics. The Savings value automatically recalculates based on the number of password resets displayed in the panel. |
![]() |
Certification Campaigns - Page through graphs representing the progress of certification campaigns in your site. Refer to Certification Campaign Status Information and Reports for more information. |
![]() |
Provisioning - View a summary of the provisioning activity in IdentityNow over the last 7 days. | ![]() |
Reporting Overview
This table contains an overview of various data tracked in IdentityNow, and where you can find it.
For more information about the status of IdentityNow and its services, visit status.sailpoint.com.
Tracked Activity | Description | Location and Details |
All Audit Data | All activity that IdentityNow tracks in audit events. |
This audit data is available in Search in a default report. You can also use the search query: type:* to retrieve this data. |
Access Requests | All activity related to access requests. |
This audit data is available in Search in a default report. You can also use the search query: type:"ACCESS_REQUEST" to retrieve this data. |
Applications | Audit events related to app configuration. |
This audit data is available in Search. Use the search query: technicalName:"APP_*" to retrieve this data. |
Authentication |
Audit events related to any kind of authentication. |
This audit data is available in Search in a default report. You can also use the search query: type:AUTH to retrieve this data. |
Certifications |
Audit events related to any kind of certification activity. |
This audit data is available in Search. Use the search query: type:CERTIFICATION to retrieve this data. |
Reports about a specific certification, or general information about the campaigns in your site. |
Refer to Certification Campaign Status Information and Reports for more information. |
|
Identities and Users | Download a list of identities. |
You can download a complete list of the identities in your system in two ways.
|
Find activity for a single identity. |
You can view the activity for a single identity in two ways:
|
|
Find events that impact a user's IdentityNow experience, or configuration events for an identity. |
This audit data is available in Search. Use the search query: type:"USER_MANAGEMENT" OR type:"IDENTITY_MANAGEMENT" to retrieve this data. |
|
Find identities without managers. |
You can download a complete list of identities without managers in two ways:
|
|
view Manage Uncorrelated Accounts for more information on downloading uncorrelated accounts from Global. |
||
Notices about identities in error states. |
If identity processing occurs and puts 5% or more of your identities into an error state, your System Components Status. will display an error.Errors also display in the identity list and on the identity itself. View Receiving System Error Notifications to learn how to receive notifications if your identities enter an error status. |
|
Identity Processing |
Track the progress of identity processing. |
You can learn more about the identity processing taking place in your system in Processing Identity Data. |
Non-Employee Activity |
Download a report of all activity related to non-employee sources. |
Use the search query: type:NON_EMPLOYEE to retrieve this data. This query returns results in the Events tab. |
Provisioning |
Download a basic audit report of provisioning events. |
This audit data is available in Search in a default report. You can also use the search query: type:PROVISIONING to retrieve this data. This query returns results in the Events tab. |
View a detailed report of all provisioning activity. |
This audit data is available in Search. Use the search query: * to retrieve this data. This query returns results on the Account Activity tab. |
|
View a basic summary of recent provisioning activity. |
Go to the Admin Dashboard to view a summary of recent provisioning activity. |
|
Password Changes |
All password updates, including for apps, sources, and IdentityNow. |
This audit data is available in Search in a default report. You can also use the search query: type:"PASSWORD_ACTIVITY" to retrieve this data. |
Search |
You can download any set of search results for any search category. |
You can learn more about downloading search results in Download Reports from the Search Interface. |
Source Activity | View a detailed report of all activity on all sources, not including provisioning activity. |
This audit data is available in Search in a default report. You can also use the search query: type:"SOURCE_MANAGEMENT" to retrieve this data. |
View a detailed report of all activity related to a single source. |
This audit data is available in Search. Select the suggested search called Source Activity to find this data. You can also use the search query: actor.name:<source name> OR target.name:<source name> OR attributes.sourceName:<source name> where <source name> is the name of the source you're monitoring. |
|
View the status of a source or virtual appliance. |
Learn more about virtual appliance and source statuses in Virtual Appliance and Source Configuration Status Definitions. |
|
View information about aggregations. |
You can find details about source aggregations in a number of places.
|
|
Notices about source errors. |
A variety of problems can cause your source to enter an error state. This error displays in your System Components Status. Errors will display in your list of sources and on the source itself. View Receiving System Error Notifications to learn how to receive notifications if a source enters an error status. |
|
Task Manager |
Find a list of all tasks assigned to users that aren't completed. |
Go to the Admin Dashboard to view a partial list of incomplete tasks. To view a full list, select View All. To download a report of these tasks, select CSV. The Global > Reports page is displayed. Select the appropriate format under Generate and then Download to download a report. This report displays a maximum of 5,000 tasks. If there are fewer than 5,000 tasks, the report might also show completed tasks that are less than 90 days old. |
Notify users when they have a new task in their Task Manager. |
You can configure IdentityNow to remind users daily when they have outstanding tasks in their Task Manager. View Email Template: Task Manager Subscription for more information on enabling this feature and the email template it uses. |
|
Virtual Appliances |
Find the status of a virtual appliance or source. |
You can learn more about a virtual appliance's status in Virtual Appliance and Source Configuration Status Definitions. |
Determine which sources are connected to a specific virtual appliance. |
View which sources are connected to a virtual appliance using Reviewing Sources Connected to a VA. |
|
Notices about virtual appliance errors. |
If IdentityNow is unable to communicate with a VA for a period of time, an error will display in your System Components Status. |