Viewing Access History
You can view an identity's historical access data to determine whether an identity's interactions and access are consistent. If access appears abnormal, review and remove access from the identity.
Note
The list of identities includes active and deleted identities in your organization. Identities are marked with the Deleted icon if not found. Having access to historical data for deleted identities can assist with auditing.
To launch Access History, select Admin > Identity Management > Access History. The Access History page is composed of three tabs that display the following information about an identity:
- Access History - A timeline of access events, including detailed information about change events for an identity.
- Compare Access - A calendar to compare the difference in access between two dates, including details about what was added and removed during that time.
- View Profile - A view of identity attributes.
Best Practice
To follow the principle of least privilege, grant report admin user level permissions to employees that you want to have view access to the Access History.
Viewing Access Changes
You can view an identity's access changes in the Access History tab.
Note
Because the generic approval policy is task-based and not access-related, generic approval events are not displayed in Access History.
To view access changes:
- Select an identity from the list to display the identity's access history.
- Select Month or Day to change the scope of the timeline.
- Use the arrows to scroll through the timeline. A node outlined in blue indicates a change occurred during that month or day. A gray node indicates no change occurred.
- Select a blue node to view the timestamp for each change.
- Select a timestamp in the dropdown list to view details about that specific change in the Access Items and Event Timeline panels.
Reviewing Access Items
After selecting a timestamp, the Access Items panel displays tiles with counts for accounts, entitlements, and roles. If you have Identity Security Cloud as a data source, tiles for access profiles and access applications are also displayed.
- Select the tile for an access item type to display the list of relevant access items. For example, select the Accounts tile to display a list of accounts that an identity had access to on the day of the selected timestamp.
- Select the tile again to collapse the view.
Reviewing the Event Timeline
In the Event Timeline panel, you can scroll through a chronological list of access changes that were made to the identity on the day of the selected timestamp, as well as any other changes leading up to that time.
The following changes are displayed in the event timeline:
- Governance events such as certifications and access requests.
  Note
  If your tenant was created recently, you will not be able to view governance timeline events.
- Access items added or removed, along with information about the related governance event.
  Access change events must occur within 30 days of the governance event for a link to be established between the events. If multiple access change events target the same governance event, the governance event is linked to the access event closest in date.
- Attribute changes for accounts and identities.
There are a couple of ways to change what is displayed in the Event Timeline:
- Select Filter to filter the timeline by specific access items (added, removed, or all), access requests, certifications, or attribute changes.
- Select Requested Items to view an expanded list of access requests, along with general information such as description, approver, and decision.
Note
If your organization has set up an Activity Insights source, select View Activity to view activity data for the identity on a specific source. You can use this information to compare a user's logins to the company's average.
Comparing Access Over Time
You can compare access for an identity between two dates in the Compare Access tab.
- Select an identity from the list to display its access history.
- Select the Compare Access tab.
- In the Date Compare Access section, select two dates.
  Access History takes a snapshot of the access items on each entered date at the time of the last access change of the day. If there were no access changes on the entered date, Access History goes back in time and compares a snapshot of access from the last access change before the entered date.
- Select Compare.
  The Compare Access Details panel displays tiles with counts for accounts, entitlements, and roles that were added or removed. If you have Identity Security Cloud as a data source, tiles for access profiles and access applications are also displayed.
  Compare Access only shows details if access changes occurred, so if you compare two dates and only zero counts are displayed in the tiles, then no change occurred between those dates.
- Select a tile to display a detailed side-by-side comparison about what access was added or removed in the area below the tiles.
For example, the expanded Access Profiles list below shows that between April 1 and April 30 this employee's Netherlands access profiles were removed and US access profiles were added. This likely indicates that the employee transferred from the Netherlands location to the US location during this time.
To find out when such a change occurred, you could navigate to Access History and select the timestamp associated with April change events.
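The snapshot rule used by Compare Access can be modelled offline, for example when reconciling exported access data during an audit. The following Python is an added example, not SailPoint code or a SailPoint API; the function names, the record layout, and the sample change records (including the year) are constructed for illustration.

```python
from bisect import bisect_right
from datetime import date, datetime, time

# Constructed sample data: (timestamp of an access change, items held after it).
CHANGES = [
    (datetime(2024, 3, 12, 9, 0), {"AP: NL Employee", "AP: NL Finance"}),
    (datetime(2024, 4, 17, 8, 30), {"AP: NL Employee"}),
    (datetime(2024, 4, 17, 16, 45), {"AP: US Employee", "AP: US Finance"}),
]

def snapshot_on(changes, day):
    """Return (timestamp, items) for the snapshot that represents `day`.

    Mirrors the rule in the text: use the last access change of the day;
    if the day has no change, fall back to the last change before it.
    """
    ordered = sorted(changes, key=lambda c: c[0])
    stamps = [ts for ts, _ in ordered]
    end_of_day = datetime.combine(day, time.max)
    idx = bisect_right(stamps, end_of_day)  # changes at or before end of day
    if idx == 0:
        # Assumption: no recorded change yet means an empty snapshot.
        return None, frozenset()
    ts, items = ordered[idx - 1]
    return ts, frozenset(items)

def compare_access(changes, earlier, later):
    """Diff the two snapshots; empty lists correspond to zero-count tiles."""
    ts_a, before = snapshot_on(changes, earlier)
    ts_b, after = snapshot_on(changes, later)
    return {
        "snapshots": (ts_a, ts_b),
        "added": sorted(after - before),
        "removed": sorted(before - after),
    }

if __name__ == "__main__":
    result = compare_access(CHANGES, date(2024, 4, 1), date(2024, 4, 30))
    print("compared snapshots:", result["snapshots"])
    print("added:  ", result["added"])
    print("removed:", result["removed"])
```

The returned snapshot timestamps show which change events each date actually resolved to, which is the timestamp to look up in the Access History tab.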
Viewing Identity Profile Attributes
You can view the attributes associated with an identity in the View Profile tab.
- Select an identity from the list to display its access history.
- Select the View Profile tab to display a list of identity profile attributes that are associated with the identity.