Skip to content

Audit Reports and Monitoring

Audit data is how you track everything that happens in your organization - from whether an aggregation finished, to the cause of an error, to the status of your sources. Nearly everything that happens in IdentityNow is tracked in audit reports and surfaced in various places throughout the interface. They can be downloaded, sent to auditors, and searched for specific events or patterns. You can even configure IdentityNow to send you notifications when certain components of your site have problems.

All audit data in IdentityNow is stored for 1 year, plus the current month. If you need to access older data, up to 5 years old, fill out the Audit History Request Form and submit it with a support ticket.

This document covers the types of information IdentityNow tracks and how to find it. Use the navigation on the right side of this page to help you find the information most relevant to you.

All IdentityNow audit activity can be found in Search. You can download several readily available audit reports or download a custom report by modifying your search query.

You can download the following default audit reports from Search:

  • All Events - All activity that IdentityNow tracks in audit events.
  • Access Request Activity - All activity related to access requests.
  • Authentication Activity - Events related to any kind of authentication, including into IdentityNow and into apps.
  • Password Changes - All password updates, including for apps, sources, and IdentityNow.
  • Provisioning Activity - See a basic audit report of provisioning events.
  • All Source Activity (Non-Provisioning) - All activity on all sources, not including provisioning activity.

You can see more about these reports, the queries they use, and how to download them in Downloading Reports from the Search Interface.

Reporting in Suggested Searches

You can find several helpful search queries in IdentityNow's list of Suggested Searches. This list contains many searches, but some users might find the following searches helpful:

Suggested Search Description
All IdentityNow Admins All org administrators in your IdentityNow site.
Identities with Errors All identities in your system that have errors.
Identity Activity

All activity performed by or on any identity in your site.

To narrow this query to return activity from only one specific identity, change both instances of * with the name of the identity you want to search for.

Inactive Identities with Active Accounts All identities in your system that don't have access to IdentityNow, but can access to one or more source accounts.
Source Activity

All activity performed by or on any source in your site.

To narrow this query to return activity from only one source, change the * to the name of the source you want to search for.

Download the results of these queries using the same steps found in Downloading Reports from the Search Interface.

Activity on the Admin Dashboard

The admin dashboard contains at-a-glance information about recent activity in your site.

On the admin dashboard, you'll be able to see some of the following information, depending on what's included in your SailPoint SaaS platform:

Dashboard Widget Screenshot
System Components Status This panel displays the following:
  • Sources - The number of sources that have accounts associated with identities.
  • Clusters - The number of virtual appliance clusters connected to sources.
  • Identities - The number of identities in your system.
  • Applications - The number of enabled applications in your site.
You can also see whether any of these components are experiencing problems in this panel. To learn more about any errors highlighted here, or to learn how to configure email notifications for these errors, see Receiving System Error Notifications.

System Activity This panel displays a subset of important events that have happened in your system over the last 7 days. The 5 most recent events are displayed by default. Click View All to see a complete list of events that occurred.

These events may follow a different format than is displayed in Search. The times listed here reflect your browser's current settings.
Org Details See basic metadata about your site. You can find additional information about your site in Take a Tour of the IdentityNow System Features Page.
To Do Tasks - Review a list of the manual provisioning tasks that are assigned to users in your org. Click View All to see a complete list of incomplete manual provisioning tasks.

Password Resets - See a list of the password resets IdentityNow has performed in the last 7 days.

You can also see an estimate of the financial savings generated for your organization by IdentityNow password resets.

You can modify the amount saved per reset based on your company's internal metrics. The Savings value automatically recalculates based on the number of password resets displayed in the panel.

Certification Campaigns - Page through graphs representing the certification campaigns in progress in your site.

See How do I view reports and status information about certification campaigns and reviewers? for more information about certification reports.

Provisioning - See a summary of the provisioning activity done in IdentityNow over the last 7 days.

Reporting Overview

This table contains an overview of various data tracked in IdentityNow, and where you can find it.

Tracked Activity Description Location and Details
All Audit Data All activity that IdentityNow tracks in audit events.

This audit data is available in Search in a default report.

You can also use the search query:

type:*

to retrieve this data.

Access Requests All activity related to access requests.

This audit data is available in Search in a default report.

You can also use the search query:

type:"ACCESS_REQUEST"

to retrieve this data.

Applications Audit events related to app configuration.

This audit data is available in Search.

Use the search query:

technicalName:"APP_*"

to retrieve this data.

Authentication

Audit events related to any kind of authentication.

This audit data is available in Search in a default report.

You can also use the search query:

type:AUTH

to retrieve this data.

Certifications

Audit events related to any kind of certification activity.

This audit data is available in Search.

Use the search query:

type:CERTIFICATION

to retrieve this data.

Reports about a specific certification, or general information about the campaigns in your site.

Find out more about certification activity in View Certification Campaign Status Information and Reports.

Identities and Users Download a list of identities.

You can download a complete list of the identities in your system in two ways.

  • Use the search query:
    *
    to retrieve a list of all identities, and then download that list of identities.
  • See how to export a list of identities from the IdentityNow user interface.
Find activity for a single identity.

You can view the activity for a single identity in two ways:

  • Click the suggested search called Identity Activity. You can also use the search query:
    (actor.name:<name> OR target.name:<name>) AND created:[now-7d/d TO now]
    where <name> is the name of the identity you're searching for. This query returns activity for the previous 7 days by default, but you can adjust that time period. 
  • Navigate to the Activity tab for that identity. This is the same information that is available in Search, but it can be viewed by users who don't have access to Search.
Find events that impact a user's IdentityNow experience, or configuration events for an identity.

This audit data is available in Search.

Use the search query:

type:"USER_MANAGEMENT" OR type:"IDENTITY_MANAGEMENT"

to retrieve this data.

Find identities without managers.

You can download a complete list of identities without managers in two ways:

  • Use the search query:
    NOT _exists_:manager
    to retrieve a list of identities without managers, and then download that list.
  • Go to Global > Reports to generate and download the Identities Without Managers report.

Find a list of uncorrelated accounts.

See Manage Uncorrelated Accounts for more information on downloading uncorrelated accounts from Global.

Notices about identities in error states.

If an identity refresh occurs that puts 5% or more of your identities into an error state, you'll see an error in your System Components Status.

You'll also see errors in the identity list and on the identity itself.

See Receiving System Error Notifications to learn how to receive notifications if your identities enter an error status.

Identity Refreshes

Track the progress of identity refreshes.

You can learn more about the identity refreshes taking place in your system in Working with Identities.

Non-Employee Activity

Download a report of all activity related to non-employee sources.

Use the search query:

type:NON_EMPLOYEE

to retrieve this data. This query returns results in the Events tab.

Provisioning

Download a basic audit report of provisioning events.

This audit data is available in Search in a default report.

You can also use the search query:

type:PROVISIONING

to retrieve this data. This query returns results in the Events tab.

See a detailed report of all provisioning activity.

This audit data is available in Search.

Use the search query:

*

to retrieve this data. This query returns results on the Account Activity tab.

View a basic summary of recent provisioning activity.

Go to the Admin Dashboard to see a summary of recent provisioning activity.

Password Changes

All password updates, including for apps, sources, and IdentityNow.

This audit data is available in Search in a default report.

You can also use the search query:

type:"PASSWORD_ACTIVITY"

to retrieve this data.

Search

You can download any set of search results for any search category.

You can learn more about downloading search results in Download Reports from the Search Interface.

Source Activity View a detailed report of all activity on all sources, not including provisioning activity.

This audit data is available in Search in a default report.

You can also use the search query:

type:"SOURCE_MANAGEMENT"

to retrieve this data.

View a detailed report of all activity related to a single source.

This audit data is available in Search.

Click the suggested search called Source Activity to find this data.

You can also use the search query:

actor.name:<source name> OR target.name:<source name> OR attributes.sourceName:<source name>

where <source name> is the name of the source you're monitoring.

View the status of a source or virtual appliance.

Learn more about virtual appliance and source statuses in Virtual Appliance and Source Configuration Status Definitions.

View information about aggregations.

You can find details about source aggregations in a number of places.

  • On the Admin dashboard, in the System Activity panel. You can also click View All to see the System Activity page.
  • In the table in Admin > System Activity, and in the dialog box that appears when you click the Info icon.
  • To see a specific source's detailed aggregation progress, go to Connections > Sources and click the source you want to view. In the Import Data tab, click Import Accounts. The last table on the page contains details about the most recent aggregations performed by that source, including any aggregations in progress.
    Click the Info icon beside an aggregation listed here to learn more about it. Click the X icon beside an in-progress aggregation to terminate it.

Notices about source errors.

A variety of problems can cause your source to enter an error state. You'll see this error in your System Components Status

You'll also see errors in your list of sources and on the source itself.

See Receiving System Error Notifications to learn how to receive notifications if a source enters an error status.

Task Manager

Find a list of all tasks assigned to users that aren't completed.

Go to the Admin Dashboard to see partial list of incomplete tasks. To see a full list, click View All. To download a report of these tasks, click CSV.

The Global > Reports page is displayed. Click the appropriate format under Generate and then Download to download a report.

This report displays a maximum of 5000 tasks. If there are fewer than 5000 tasks, the report might also show completed tasks that are less than 90 days old.

Notify users when they have a new task in their Task Manager.

You can configure IdentityNow to remind users daily when they have outstanding tasks in their Task Manager. See Email Template: Task Manager Subscription for more information on enabling this feature and the email template it uses.

Virtual Appliances

Find the status of a virtual appliance or source.

You can learn more about a virtual appliance's status in Virtual Appliance and Source Configuration Status Definitions.

Determine which sources are connected to a specific virtual appliance.

See which sources are connected to a virtual appliance using Reviewing Sources Connected to a VA.

Notices about virtual appliance errors.

If IdentityNow is unable to communicate with a VA for a period of time, you'll see an error in your System Components Status.

See Receiving System Error Notifications to learn how to receive notifications if your identities enter an error status.

Receiving System Error Notifications

You can configure your IdentityNow site to send users email notifications when any of your primary system components are experiencing errors. These errors also display in the System Components Panel on the admin dashboard. See the documents listed in the table below to learn more about the errors surfaced in the panel.

Component Link
Sources Source Status Messages
Virtual Appliance Clusters Virtual Appliance and Source Configuration Status Definitions
Identities Managing User Access
Applications What can I do if my automation script is causing an app to fail single sign-on attempts?

To configure your site to send you email notifications if these errors occur, see Getting Notified When Your Org Needs Attention.