Skip to content

Search Overview

IdentityNow's Search allows you to find information about almost anything in your site. For example, you can find users who have something in common, such as privileged access, or accounts on a particular source. Need to find everybody who has two specific entitlements? Run a search. Need to find out all of the access profiles owned by one of your users? We've got it covered.

IdentityNow's Search uses very specific syntax so that you can always be sure you're getting the results you need.

You can see an overview of our Search functionality in the Search video available here.

To start searching your data, click Search and strongly authenticate. If you run any search, you'll see the following screens.

The top of the Search page, with numbers beside various features defined below.

Enter your search query in A two icon.. When you click in the search bar, you can see Recent Searches and Suggested Searches in a drop-down menu under the field. As you type, you'll see a list of fields appear based on the characters you've typed.

If you want to choose a subset of result categories to display choose those in A one icon.. You can take several actions on the results of your search using the buttons under the search bar A three icon..


The menu to the left of the search bar displays options to view your saved searches, access certification campaigns, view SoD policies, and download audit reports. The icon at the top returns you to the main Search page.

When you've run a search, its results are displayed in a table.

The table of search results. Select any result for more details.

Your search results are displayed in a table. Choose a tab A four icon. at the top of the table to view the results for various search categories. Click the Column Chooser A five icon. icon to choose which columns the table should display, and the Get Report icon to download a report of the results. Click the arrow A six icon. next to the header of each column to sort the results based on the values in that column.

Click a single result A seven icon. to view details about that result. The number of results your query returned is displayed at the bottom of the page An eight icon..

Search Categories

Each search category represents a type of data you can search for in IdentityNow. We're always pushing to add more categories to bring your data to you.

  • Identities - Search on the identities you have in IdentityNow. This includes all correlated identities in your system.
  • Roles - Search the roles you've configured.
  • Access Profiles - Search all of the access profiles you've created.
  • Entitlements - Search all of the entitlements you've loaded into IdentityNow.
  • Events - Search for certain audit events in your system. These audit events use a normalized name and include additional information about each event.
  • Account Activity - Account activity covers most activity that IdentityNow completes on source accounts. Attribute sync events are treated as Events in search because of their lower impact and higher frequency. You'll see the following types of actions when you search for account activity:
    • Access Request - Search on access requests.
    • Account Attribute Update - Search for events that involved updating a single attribute on an account.
    • Account State Update - Search for events that involved locking or unlocking an account on a source.
    • Certification - Search for events involving removing an entitlement from a user as a result of the entitlement being revoked during a certification.
    • Cloud Automated <Lifecyclestate> - Search automated lifecycle state changes that resulted in an identity being assigned to a different lifecycle state. The <Lifecyclestate> variable will be replaced with the name of the lifecycle state that the identity moved to.
    • Identity Attribute Update - Search on the times when an identity's attribute was updated within IdentityNow as the result of a provisioning action. When updating an identity attribute also updates an identity's lifecycle state, you'll also see the event Cloud Automated <Lifecyclestate>. Updates to identity attributes that occur as a result of an aggregation are not included in Account Activity.
    • Identity Refresh - Search identity refreshes that happen whenever a user gets a new role, an identity profile is updated, or an app is assigned to users based on that app being assigned to All Users From Source or Specific Users From Source.
    • Lifecycle State Refresh - Search the actions that took place when a lifecycle state was changed. This event only occurs after Cloud Automated <Lifecyclestate> or Lifecycle State Change.
    • Lifecycle State Change - Search account activity that resulted in an identity being manually assigned to a null lifecycle state.
    • Password Change - Search password changes on sources.

Search Glossary

Our documentation uses specific terminology to refer to different parts of a search query. This terminology is defined below.


Everything you enter into the search bar is your query. By adjusting your query, you narrow down your results.

Query Examples
@access(displayName:administrator AND


The words you use in a query to specify the results you want. The results that are returned contain your terms.

The query examples have the term in bold.

Description Sample
"Active directory" is the search term. "active directory"
"Austin" is the term. The rest of the query consists of fields. attributes.location:austin


Specifying a field in your search query is similar to telling Search which folder you'd like to look in. It's a way of telling Search where it should look for the term. All searchable items have fields.

Description Sample
"Name" is the field on the right, specifying that this query only searches in the name field for the term "donald.hernandez". name:donald.hernandez
This query specifies to search in the attributes field for a second field called location. attributes.location:austin
This query searches within the attributes field for the location field, and the manager field for the the name field. attributes.location:austin AND NOT"Amanda Ross"

First-Level Field

The deepest category you can search in is the first-level field. This is always the field physically closest to your terms in a search query. In our JSON data models, the first-level field is the key in a key/value pair. In other words, first-level fields contain actual data, as opposed to more fields.

Description Sample
Name is the first-level field on the right. In queries with only a single field, that's always a first-level field. name:donald.hernandez
Location is the first-level field because it's the field describing the actual data. attributes.location:austin
The query on the right contains the first level fields name, privileged, and entitlementCount. @access("Directory" AND privileged:TRUE) AND entitlementCount:<15


To combine different terms and attributes of a search category in your query, you can use operators. Operators determine how to run your query and how the results are calculated.

IdentityNow supports the operators AND, OR, and NOT.

Description Sample
This query uses the operator OR to return all identities that are in either Austin or Houston. attributes.location:austin OR attributes.location:houston
This query uses AND to return identities with access in a source containing the word "Directory" in its name, that has any privileged access, as well as having 15 or more total entitlements. @access("Directory" AND privileged:TRUE) AND entitlementCount:<15


In JSON, an object is any field that, instead of containing data, contains more fields. This means that second-level fields, third-level fields, and nested-level fields are all objects.

Description Sample
Attributes is an object because it contains the first-level field "firstName." attributes.firstName:kari
Both access and source are objects. "Source" is an object that contains the field "name." "Access" is an object that contains all the fields enclosed in parentheses after it. This means that "access" is an object that contains the object "source" and the fields "name" and "privileged." @access("Directory" AND privileged:TRUE) AND entitlementCount:>15

Second-Level Field

Second-level fields are a type of object. Each second-level field contains a specific set of first-level fields. They're always followed by a period, a first-level field, and the search term.

Description Sample
Attributes is the second-level field in this query because it contains the first-level field "location." attributes.location:london
Source is the second-level field on the right. It contains the first-level field "name." It's contained within the nested object "accounts." @accounts(

Third-level fields are similar, referring to objects that contain both second- and first-level fields. At this time, these are only found in the account activity data model.

Nested Object

Nested objects can contain any number of fields in them. They represent an object contained within the data about another object, such as an account object in the identity object.

Queries for nested objects are always preceded by an @ symbol and followed by a set of parentheses containing any additional fields and the search terms.

Nested objects are treated differently than regular fields because any item in a searchable category could potentially have more than one of anything in a nested object. For example, an identity only has one displayName, so that's treated as a first-level field. However, an identity could have any number of accounts, so accounts is a nested object.

Description Sample
In this query, accounts is the nested-level field. It contains the second-level field "source," which contains the first-level field "name." @accounts(
AccountRequests is the nested-level field. It contains the first-level field "op," which is short for operation. @accountRequests(op:enable)
Access is the nested-level field. It contains the second-level field "source" and the first-level field "name," as well as the first-level field "privileged." Everything within the parentheses is within the nested field. @access("Directory" AND privileged:TRUE) AND entitlementCount:>15

Within Search, there are some items you can only see on certain pages or for certain search categories. You can find more information about those items here.


You can see all of your site's audit events in Search. Click an event to view more details about it.



Selecting an audit event in Search displays name of the event and its technical ID. The technical ID is unique to that instance of the event, and can be used to find it again.

Each event's status is displayed, so you can see its progress. The user or system that initiated the event is displayed, as well as the system the action is being performed on.

If the event contains any special attributes, those can also be seen here.

Event Types

Each event is categorized into a type, so that you can search on related information easily. See below for the type as it appears on the event, its description, and a search query to return all results of that type.

Type Description Search Query
AUTH Events related to any kind of authentication. type:auth
SSO Any events involving signing into an app using SSO. type:sso
PROVISIONING Audit events related to provisioning. type:provisioning
PASSWORD_ACTIVITY Events related to password changes within IdentityNow. type:password_activity
SOURCE_MANAGEMENT Events related to managing a source. type:source_management
ACCESS_REQUEST Audit events related to access request activity. type:access_request
USER_MANAGEMENT Events generated by a user or admin performing actions that impact a user's IdentityNow experience. type:user_management
CERTIFICATION Audit events related to certifications. type:certification
ACCESS_ITEM Any events related to changes made to entitlements, access profiles, or roles. type:access_item
SYSTEM_CONFIG Changes made at the org-level, such as adding new strong-authentication questions or branding. type:system_config
IDENTITY_MANAGEMENT Events generated by an admin performing management on an identity in the system. type:identity_management
NON_EMPLOYEE All events related to the management of non-employees, as configured in non-employee sources. type:non_employee

Event Status

You can search on an event's status to see whether it represents a completed action or whether it represents a failure.

Status Description Search Query
approved An access request was approved. status:approved
detected A system involved captured this event when a state changed. status:detected
escalated An access request was escalated by the system to a new reviewer. status:escalated
failed The event was captured when an action failed. status:failed
forwarded An access request was manually forwarded to another user. status:forwarded
ignored A request sent from the Password Interceptor was ignored. status:ignored
passed The event was completed successfully. status:passed
processed A request sent from the Password Interceptor was processed. status:processed
rejected An access request was rejected. status:rejected
started A job was started and hasn't been completed yet. status:started
terminated A system involved cancelled the request. status:terminated

Account Activity

Searching in account activity can give you extensive insight into the actions IdentityNow performs on a third-party system. You can see a complete list of these actions here.

Account Activity Search Results

When you search for account activity, you'll see a page that looks like this.

Select the Account Activity tab A one icon. in your search results. Select the arrow icon A two icon. beside each column header to sort your search results by that column.

Account Action Overview

When you click any row in the account activity search results, you can see an overview of information about the action and its progress.

The account activity overlay displays a list of the involved sources A one icon. in the column on the left. Select a source to view details about the account action performed on that source. In the column on the right, you can see the status and the stage A two icon. of the overall work on that source. The action's most basic metadata, such as the entity that requested it and the recipient of the action, are also displayed A three icon..

Source Details

While viewing the details about an account action, click any source to see additional details about the specific actions that were requested on that source.

After clicking an individual account action, you can see a list of the sources involved A one icon. and the status of IdentityNow's work on that source. Click a source to see details about the provisioning being performed on that source.

An explanation of that status is included in the details about a source A two icon.. You can also see the specific account requests A three icon. and attribute requests A four icon. among this information.

If there are any errors or warnings related to your account action, you can see those in the second column of the source details.

Search on those items using fields in the @accountRequests object.

Click the Copy icon beside the error or warning to copy it.

Account Activity Status Definitions

There are several different types of statuses available in account activity. Each is searchable using a different query and refers to a different part of the action being performed.


The status of an account action is its overall status. For example, if the status of an account attribute update action is complete, all modifications to the account have been finished, and all of the applicable account attributes were updated. Status can also be found in the list of account activity search results, using the column header Status.

Status Description Search Query

All actions that were approved have been completed successfully.

If an access request was rejected, the Completed badge will still display even though no account actions took place.

Failure All actions related to this account activity failed. status:failure
Incomplete Some of the actions requested were completed successfully, but some failed. status:incomplete
Pending The account activity hasn't been attempted yet, but it's scheduled to be attempted. status:pending


The stage of an account action is its progress. This reflects whether IdentityNow still has actions ongoing related to the account activity or whether it's finished. Stage can also be found in the list of account activity search results, using the column header Stage.

Stage Description Search Query
Completed The action was confirmed on the source. stage:completed
Executing The action is in progress. stage:executing
Terminated The action was cancelled and won't be retried. stage:terminated

Account Request Status

The account request status is the status of each individual part of the larger action that was triggered in IdentityNow. For example, if you're looking at an account attribute update, IdentityNow might have attempted to update four different accounts related to a single user. Each source account being edited might have a different account request status. This data can be found by clicking an account action and navigating to one of the sources being updated.

Account Request Status Description Search Query
Pending The actions on the account are in progress. @accountRequests(result.status:pending)
Committed IdentityNow has sent the requests to the connector in question. @accountRequests(result.status:committed)
Finished IdentityNow has confirmed the results, whether successful or failed, on the source. @accountRequests(result.status:finished)
Unverifiable IdentityNow sent the request to the source, but the source's account schema doesn't have the attribute being provisioned. @accountRequests(result.status:unverifiable)
Failed The action failed and won't be retried. @accountRequests(result.status:failed)
Retry The action failed, but IdentityNow is going to try again. @accountRequests(result.status:retry)
Manual Task Created The action was requested on a source that isn't a direct connect source. We've created a manual task for the source owner. @accountRequests(result.status:"Manual Task Created")
IdentityNow Task The action was performed on IdentityNow successfully. @accountRequests(result.status:"IdentityNow Task")

Take a look at our additional Search documentation to learn more about what you can search on and how to build a query.