Search Overview
IdentityNow's Search allows you to find information about almost anything in your site. For example, you can find users who have something in common, such as privileged access, or accounts on a particular source. Need to find everybody who has two specific entitlements? Run a search. Need to find out all of the access profiles owned by one of your users? We've got it covered.
IdentityNow's Search uses very specific syntax so that you can always be sure you're getting the results you need.
You can see an overview of our Search functionality in the Search video available here.
Take a Tour of Search
To start searching your data, click Search and strongly authenticate. If you run any search, you'll see the following screens.
Enter your search query in 
. When you click in the search bar, you can see Recent Searches and Suggested Searches in a drop-down menu under the field. As you type, you'll see a list of fields appear based on the characters you've typed.
If you want to choose a subset of result categories to display choose those in 
. You can take several actions on the results of your search using the buttons under the search bar 
.
|
The menu to the left of the search bar displays options to view your saved searches, access certification campaigns, view SoD policies, and download audit reports. The icon at the top returns you to the main Search page. |
When you've run a search, its results are displayed in a table.
Your search results are displayed in a table. Choose a tab 
at the top of the table to view the results for various search categories. Click the Column Chooser 
icon to choose which columns the table should display, and the Get Report icon to download a report of the results. Click the arrow 
next to the header of each column to sort the results based on the values in that column.
Click a single result 
to view details about that result. The number of results your query returned is displayed at the bottom of the page 
.
Search Categories
Each search category represents a type of data you can search for in IdentityNow. We're always pushing to add more categories to bring your data to you.
- Identities - Search on the identities you have in IdentityNow. This includes all correlated identities in your system.
- Roles - Search the roles you've configured.
- Access Profiles - Search all of the access profiles you've created.
- Entitlements - Search all of the entitlements you've loaded into IdentityNow.
- Events - Search for certain audit events in your system. These audit events use a normalized name and include additional information about each event.
- Account Activity - Account activity covers most activity that IdentityNow completes on source accounts. Attribute sync events are treated as Events in search because of their lower impact and higher frequency. You'll see the following types of actions when you search for account activity:
- Access Request - Search on access requests.
- Account Attribute Update - Search for events that involved updating a single attribute on an account.
- Account State Update - Search for events that involved locking or unlocking an account on a source.
- Certification - Search for events involving removing an entitlement from a user as a result of the entitlement being revoked during a certification.
- Cloud Automated
<Lifecyclestate>- Search automated lifecycle state changes that resulted in an identity being assigned to a different lifecycle state. The<Lifecyclestate>variable will be replaced with the name of the lifecycle state that the identity moved to. - Identity Attribute Update - Search on the times when an identity's attribute was updated within IdentityNow as the result of a provisioning action. When updating an identity attribute also updates an identity's lifecycle state, you'll also see the event Cloud Automated
<Lifecyclestate>. Updates to identity attributes that occur as a result of an aggregation are not included in Account Activity. - Identity Refresh - Search identity refreshes that happen whenever a user gets a new role, an identity profile is updated, or an app is assigned to users based on that app being assigned to All Users From Source or Specific Users From Source.
- Lifecycle State Refresh - Search the actions that took place when a lifecycle state was changed. This event only occurs after Cloud Automated
<Lifecyclestate>or Lifecycle State Change. - Lifecycle State Change - Search account activity that resulted in an identity being manually assigned to a null lifecycle state.
- Password Change - Search password changes on sources.
Search Glossary
Our documentation uses specific terminology to refer to different parts of a search query. This terminology is defined below.
Query
Everything you enter into the search bar is your query. By adjusting your query, you narrow down your results.
| Query Examples |
|---|
attributes.location:austin |
@access(displayName:administrator AND source.name:IdentityNow |
Term
The words you use in a query to specify the results you want. The results that are returned contain your terms.
The query examples have the term in bold.
| Description | Sample |
|---|---|
| "Active directory" is the search term. | "active directory" |
| "Austin" is the term. The rest of the query consists of fields. | attributes.location:austin |
Field
Specifying a field in your search query is similar to telling Search which folder you'd like to look in. It's a way of telling Search where it should look for the term. All searchable items have fields.
| Description | Sample |
|---|---|
| "Name" is the field on the right, specifying that this query only searches in the name field for the term "donald.hernandez". | name:donald.hernandez |
| This query specifies to search in the attributes field for a second field called location. | attributes.location:austin |
| This query searches within the attributes field for the location field, and the manager field for the the name field. | attributes.location:austin AND NOT manager.name:"Amanda Ross" |
First-Level Field
The deepest category you can search in is the first-level field. This is always the field physically closest to your terms in a search query. In our JSON data models, the first-level field is the key in a key/value pair. In other words, first-level fields contain actual data, as opposed to more fields.
| Description | Sample |
|---|---|
| Name is the first-level field on the right. In queries with only a single field, that's always a first-level field. | name:donald.hernandez |
| Location is the first-level field because it's the field describing the actual data. | attributes.location:austin |
| The query on the right contains the first level fields name, privileged, and entitlementCount. | @access(source.name:"Directory" AND privileged:TRUE) AND entitlementCount:<15 |
Operator
To combine different terms and attributes of a search category in your query, you can use operators. Operators determine how to run your query and how the results are calculated.
IdentityNow supports the operators AND, OR, and NOT.
| Description | Sample |
|---|---|
| This query uses the operator OR to return all identities that are in either Austin or Houston. | attributes.location:austin OR attributes.location:houston |
| This query uses AND to return identities with access in a source containing the word "Directory" in its name, that has any privileged access, as well as having 15 or more total entitlements. | @access(source.name:"Directory" AND privileged:TRUE) AND entitlementCount:<15 |
Object
In JSON, an object is any field that, instead of containing data, contains more fields. This means that second-level fields, third-level fields, and nested-level fields are all objects.
| Description | Sample |
|---|---|
| Attributes is an object because it contains the first-level field "firstName." | attributes.firstName:kari |
| Both access and source are objects. "Source" is an object that contains the field "name." "Access" is an object that contains all the fields enclosed in parentheses after it. This means that "access" is an object that contains the object "source" and the fields "name" and "privileged." | @access(source.name:"Directory" AND privileged:TRUE) AND entitlementCount:>15 |
Second-Level Field
Second-level fields are a type of object. Each second-level field contains a specific set of first-level fields. They're always followed by a period, a first-level field, and the search term.
| Description | Sample |
|---|---|
| Attributes is the second-level field in this query because it contains the first-level field "location." | attributes.location:london |
| Source is the second-level field on the right. It contains the first-level field "name." It's contained within the nested object "accounts." | @accounts(source.name:AD) |
Third-level fields are similar, referring to objects that contain both second- and first-level fields. At this time, these are only found in the account activity data model.
Nested Object
Nested objects can contain any number of fields in them. They represent an object contained within the data about another object, such as an account object in the identity object.
Queries for nested objects are always preceded by an @ symbol and followed by a set of parentheses containing any additional fields and the search terms.
Nested objects are treated differently than regular fields because any item in a searchable category could potentially have more than one of anything in a nested object. For example, an identity only has one displayName, so that's treated as a first-level field. However, an identity could have any number of accounts, so accounts is a nested object.
| Description | Sample |
|---|---|
| In this query, accounts is the nested-level field. It contains the second-level field "source," which contains the first-level field "name." | @accounts(source.name:AD) |
| AccountRequests is the nested-level field. It contains the first-level field "op," which is short for operation. | @accountRequests(op:enable) |
| Access is the nested-level field. It contains the second-level field "source" and the first-level field "name," as well as the first-level field "privileged." Everything within the parentheses is within the nested field. | @access(source.name:"Directory" AND privileged:TRUE) AND entitlementCount:>15 |
Discover More of Search
Within Search, there are some items you can only see on certain pages or for certain search categories. You can find more information about those items here.
Events
You can see all of your site's audit events in Search. Click an event to view more details about it.
|
Selecting an audit event in Search displays name of the event and its technical ID. The technical ID is unique to that instance of the event, and can be used to find it again. Each event's status is displayed, so you can see its progress. The user or system that initiated the event is displayed, as well as the system the action is being performed on. If the event contains any special attributes, those can also be seen here. |
|
Event Types
Each event is categorized into a type, so that you can search on related information easily. See below for the type as it appears on the event, its description, and a search query to return all results of that type.
| Type | Description | Search Query |
|---|---|---|
| AUTH | Events related to any kind of authentication. | type:auth |
| SSO | Any events involving signing into an app using SSO. | type:sso |
| PROVISIONING | Audit events related to provisioning. | type:provisioning |
| PASSWORD_ACTIVITY | Events related to password changes within IdentityNow. | type:password_activity |
| SOURCE_MANAGEMENT | Events related to managing a source. | type:source_management |
| ACCESS_REQUEST | Audit events related to access request activity. | type:access_request |
| USER_MANAGEMENT | Events generated by a user or admin performing actions that impact a user's IdentityNow experience. | type:user_management |
| CERTIFICATION | Audit events related to certifications. | type:certification |
| ACCESS_ITEM | Any events related to changes made to entitlements, access profiles, or roles. | type:access_item |
| SYSTEM_CONFIG | Changes made at the org-level, such as adding new strong-authentication questions or branding. | type:system_config |
| IDENTITY_MANAGEMENT | Events generated by an admin performing management on an identity in the system. | type:identity_management |
| NON_EMPLOYEE | All events related to the management of non-employees, as configured in non-employee sources. | type:non_employee |
You can search on an event's status to see whether it represents a completed action or whether it represents a failure.
| Status | Description | Search Query |
|---|---|---|
| approved | An access request was approved. | status:approved |
| detected | A system involved captured this event when a state changed. | status:detected |
| escalated | An access request was escalated by the system to a new reviewer. | status:escalated |
| failed | The event was captured when an action failed. | status:failed |
| forwarded | An access request was manually forwarded to another user. | status:forwarded |
| ignored | A request sent from the Password Interceptor was ignored. | status:ignored |
| passed | The event was completed successfully. | status:passed |
| processed | A request sent from the Password Interceptor was processed. | status:processed |
| rejected | An access request was rejected. | status:rejected |
| started | A job was started and hasn't been completed yet. | status:started |
| terminated | A system involved cancelled the request. | status:terminated |
Account Activity
Searching in account activity can give you extensive insight into the actions IdentityNow performs on a third-party system. You can see a complete list of these actions here.
Account Activity Search Results
When you search for account activity, you'll see a page that looks like this.
Select the Account Activity tab in your search results. Select the arrow icon beside each column header to sort your search results by that column.
Account Action Overview
When you click any row in the account activity search results, you can see an overview of information about the action and its progress.
The account activity overlay displays a list of the involved sources in the column on the left. Select a source to view details about the account action performed on that source. In the column on the right, you can see the status and the stage of the overall work on that source. The action's most basic metadata, such as the entity that requested it and the recipient of the action, are also displayed .
Source Details
While viewing the details about an account action, click any source to see additional details about the specific actions that were requested on that source.
After clicking an individual account action, you can see a list of the sources involved and the status of IdentityNow's work on that source. Click a source to see details about the provisioning being performed on that source.
An explanation of that status is included in the details about a source . You can also see the specific account requests and attribute requests among this information.
If there are any errors or warnings related to your account action, you can see those in the second column of the source details.
Search on those items using fields in the @accountRequests object.
Click the Copy icon beside the error or warning to copy it.
Account Activity Status Definitions
There are several different types of statuses available in account activity. Each is searchable using a different query and refers to a different part of the action being performed.
Status
The status of an account action is its overall status. For example, if the status of an account attribute update action is complete, all modifications to the account have been finished, and all of the applicable account attributes were updated. Status can also be found in the list of account activity search results, using the column header Status.
| Status | Description | Search Query |
|---|---|---|
| Complete | All actions that were approved have been completed successfully. If an access request was rejected, the Completed badge will still display even though no account actions took place. |
status:complete |
| Failure | All actions related to this account activity failed. | status:failure |
| Incomplete | Some of the actions requested were completed successfully, but some failed. | status:incomplete |
| Pending | The account activity hasn't been attempted yet, but it's scheduled to be attempted. | status:pending |
Stage
The stage of an account action is its progress. This reflects whether IdentityNow still has actions ongoing related to the account activity or whether it's finished. Stage can also be found in the list of account activity search results, using the column header Stage.
| Stage | Description | Search Query |
|---|---|---|
| Completed | The action was confirmed on the source. | stage:completed |
| Executing | The action is in progress. | stage:executing |
| Terminated | The action was cancelled and won't be retried. | stage:terminated |
Account Request Status
The account request status is the status of each individual part of the larger action that was triggered in IdentityNow. For example, if you're looking at an account attribute update, IdentityNow might have attempted to update four different accounts related to a single user. Each source account being edited might have a different account request status. This data can be found by clicking an account action and navigating to one of the sources being updated.
| Account Request Status | Description | Search Query |
|---|---|---|
| Pending | The actions on the account are in progress. | @accountRequests(result.status:pending) |
| Committed | IdentityNow has sent the requests to the connector in question. | @accountRequests(result.status:committed) |
| Finished | IdentityNow has confirmed the results, whether successful or failed, on the source. | @accountRequests(result.status:finished) |
| Unverifiable | IdentityNow sent the request to the source, but the source's account schema doesn't have the attribute being provisioned. | @accountRequests(result.status:unverifiable) |
| Failed | The action failed and won't be retried. | @accountRequests(result.status:failed) |
| Retry | The action failed, but IdentityNow is going to try again. | @accountRequests(result.status:retry) |
| Manual Task Created | The action was requested on a source that isn't a direct connect source. We've created a manual task for the source owner. | @accountRequests(result.status:"Manual Task Created") |
| IdentityNow Task | The action was performed on IdentityNow successfully. | @accountRequests(result.status:"IdentityNow Task") |
Take a look at our additional Search documentation to learn more about what you can search on and how to build a query.