Searchable Fields
The organization of the data in your tenant is called the data model, and understanding this data model can help you create the most effective search queries.
These data models are represented in JSON. You can find sample data models in the Search FAQs. All items in the JSON can be searched, and many of them are defined below. All field names are case sensitive.
Searching Identity Data
The first search category is identities. You can search on the data about identities using the data model.
Identity Security Cloud can search on any attributes that have been successfully correlated to an identity. This means that uncorrelated accounts do not appear in this list and that an identity's manager attribute must be correlated to another valid identity for that data to be searchable.
First-Level Fields for Identities
The following table contains a list of first-level fields in identities. Below the first-level fields, the table contains a list of the second- and nested-level fields available for identities. Select one of those fields to review the stored data about that object.
Field | Type | Description | Example |
name | string | The name or alias of the identity. | name:john.smith |
displayName | string | The identity's unique display name. This is the same as attributes.displayName. In some cases, this is also the same as the name. | displayName:john.smith |
firstName | string | The identity's first name. This is the same as attributes.firstname. | firstName:john |
lastName | string | The identity's last name. This is the same as attributes.lastname. | lastName:smith |
id | string | The technical ID of the identity in Identity Security Cloud. | id:abc1 |
email | string | The identity's unique email address. | email:steve@acme.com |
created | date | The date, in ISO 8601 format, that the first source account for this identity was aggregated into your tenant, even if that account didn't come from the authoritative source. If you want to include the time in your search query, escape the : characters using a \. | created:2018-08-16T18\:29\:02Z |
modified | date | The most recent date that changes were made to this identity in ISO 8601 format. This includes changes made within your tenant and detected by aggregations. If you want to include the time in your search query, escape the : characters using a \. | modified:2018-03-30T18\:29\:02Z |
phone | string | The identity's alternate phone number. | phone:5558675309 |
status | string | The status of the identity. | status:UNREGISTERED |
synced | date | The date that this identity's information was last synchronized with Search, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | synced:2018-08-16T18\:29\:02Z |
isManager | bool | A boolean describing whether the identity is listed as the manager of another employee. | isManager:true |
employeeNumber | string | The identity's unique employee number. | employeeNumber:123 |
processingState | string | This field is blank unless the identity experienced an error during aggregation, in which case this field will be ERROR. | processingState:ERROR |
appCount | integer | The number of apps the identity has access to. | appCount:6 |
accountCount | integer | The number of sources the identity has an account on. | accountCount:4 |
accessCount | integer | The number of access items the identity has. This includes entitlements, access profiles, and roles. | accessCount:16 |
entitlementCount | integer | The number of entitlements the identity has. | entitlementCount:10 |
roleCount | integer | The number of roles the identity has. | roleCount:4 |
accessProfileCount | integer | The number of access profiles the identity has. | accessProfileCount:7 |
tags | string | Tags assigned to the identity. | tags:PCI_COMPLIANCE |
Second-Level Fields
Fields | Description |
manager | Search for identities who have managers with certain characteristics. This object requires a second-level field. |
source | Search for identities based on the information in their authoritative source. This object requires a second-level field. |
identity profile | Search for identities who belong to a specific identity profile. This object requires a second-level field. |
owns | Search for identities who own specific items in Identity Security Cloud, such as access profiles, sources, or roles. |
attributes | Search for identities with specific identity attributes. This object requires a second-level field. |
apps | Search for identities by which apps they have. This nested object requires a nested query. |
accounts | Search for identities by which source accounts they have. This nested object requires a nested query. |
access | Search for identities by what specific access they have. This nested object requires a nested query. |
Second-Level Fields for Identities
Second-level fields are a type of object. Each second-level field contains at least one first-level field. They can give you additional information about your identities and their data.
Second-Level Field | First-Level Field | Type | Description | Example |
manager | name | string | The name of the identity's manager. This corresponds to the name field for the manager. | manager.name:amanda.ross |
manager | displayName | string | The display name of the identity's manager. This corresponds with the displayName field for the manager. In some cases, this is the same as the name. | manager.displayName:amanda.ross |
manager | id | string | The technical ID of the manager's identity. | manager.id:abc1 |
source | id | string | The technical ID of the identity's authoritative source. | source.id:abc1 |
source | name | string | This represents the name of the identity's authoritative source. | source.name:acme.source |
identityProfile | name | string | The name of the identity profile. | identityProfile.name:Employees |
identityProfile | id | string | The technical ID of the identity profile. | identityProfile.id:abc1 |
owns | sources.name | string | The display name of the source the identity owns. | owns.sources.name:"Active Directory" |
owns | sources.id | string | The technical ID of the source the identity owns. | owns.sources.id:abc1 |
owns | accessProfiles.name | string | The display name of the access profile the identity owns. | owns.accessProfiles.name:"Engineering Management Access Profile" |
owns | accessProfiles.id | string | The technical ID of the access profile the identity owns. | owns.accessProfiles.id:abc1 |
owns | entitlements.name | string | The display name of the entitlement the identity owns. | owns.entitlements.name:"Database Read Access" |
owns | entitlements.id | string | The technical ID of the entitlement the identity owns. | owns.entitlements.id:abc1 |
owns | roles.name | string | The display name of the role the identity owns. | owns.roles.name:Engineers |
owns | roles.id | string | The technical ID of the role the identity owns. | owns.roles.id:abc1 |
owns | governanceGroups.name | string | The display name of the governance group the identity owns. | owns.governanceGroups.name:"IT Team" |
owns | governanceGroups.id | string | The technical ID of the governance group the identity owns. | owns.governanceGroups.id:abc1 |
owns | apps.name | string | The display name of the application the identity owns. | owns.apps.name:Acme |
owns | applications.id | string | The technical ID of the application the identity owns. | owns.apps.id:abc1 |
owns | fallbackApprover | boolean | Whether the identity is the fallback reviewer for an access item that can be requested. | owns.fallbackApprover:true |
attributes | uid | string | The UID as it appears on the identity profile. This comes from the authoritative source. | attributes.uid:abc1 |
attributes | firstname | string | The identity's first name. This is the same as the first-level attribute firstName. | attributes.firstname:Rakesh |
attributes | cloudAuthoritativeSource | string | The technical ID of the authoritative source of the identity profile. | attributes.cloudAuthoritativeSource:abc1 |
attributes | cloudLifecycleState | string | The lifecycle state configured for the identity. | attributes.cloudLifecycleState:Active |
attributes | phone | string | The identity's alternate phone number. | attributes.phone:5551235555 |
attributes | displayName | string | The identity's unique display name. This is the same as displayName. In some cases, this is also the same as the name. | attributes.displayName:amanda.ross |
attributes | identificationNumber | string | The identity's employee number as configured in the identity profile. | attributes.identificationNumber:293409 |
attributes | workPhone | string | The identity's work phone number. | attributes.workPhone:5551235555 |
attributes | email | string | The email address of the identity. | attributes.email:o.price42@acme.com |
attributes | lastname | string | The identity's last name. This is the same as the first-level attribute lastName. | attributes.lastname:kim |
attributes | startDate | date | The date the identity started at your company in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | attributes.startDate:2018-08-16T18\:29\:02Z |
attributes | endDate | date | The date the identity's employment at your company ended in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | attributes.endDate:2018-08-16T18\:29\:02Z |
attributes | nextProcessing | date | The next date, in ISO 8601 format, that this identity is set to undergo identity processing outside of the regularly scheduled identity processing. If you want to include the time in your search query, escape the : characters using a \. | attributes.nextProcessing:<=2024-10-20T13\:00\:00-05\:00 |
attributes | personalEmail | string | The identity's alternate email address. | attributes.personalEmail:samantha.dobbs@gmail.com |
Note that if you add custom attributes to your identity profile, you can search on those as well using the technical name of the attribute. You can also configure your custom attributes to use the date type of value by adding the string dateType to the end of your attribute name.
Nested-Level Fields for Identities
If an identity can have more than one of a type of item, it must be searched with a nested query. Apps, accounts, and access are nested objects, and require nested queries.
Review Using Nested Queries for details on putting together a nested query.
Nested Object | Second-Level Field | First-Level Field | Description | Example |
apps |  | id | The technical ID of the app. | @apps(id:386) |
apps |  | name | The display name of the app. | @apps(name:Adobe) |
apps | source | name | The display name of the source that grants the app. | @apps(source.name:acme_source) |
apps | source | id | The technical ID of the source that grants the app. | @apps(source.id:abc1) |
apps | account | id | The technical ID of the user's account on the source that grants the app. | @apps(account.id:abc1) |
apps | account | accountId | The user's display name for the account on the source that grants the app. | @apps(account.accountId:"Amanda Ross") |
accounts |  | id | The ID of the account. | @accounts(id:abc1) |
accounts |  | name | The display name of the account. | @accounts(name:Amanda Ross) |
accounts |  | accountId | If available, it's the aiqAccountName from the source. If not, it's the display name for the account. | @accounts(accountId:"cn=I17Manager1,dc=flatfile,dc=endtoend,dc=com") |
accounts |  | disabled | A boolean based on whether identities have disabled accounts. Accounts can be disabled from the UI. This field is case sensitive. | @accounts(disabled:true) |
accounts |  | locked | A boolean based on whether identities have locked accounts. This could be due to invalid login attempts. This field is case sensitive. | @accounts(locked:false) |
accounts |  | privileged | A boolean based on whether identities have accounts marked as privileged. This is determined on the source itself. | @accounts(privileged:true) |
accounts |  | manuallyCorrelated | A boolean based on whether identities have accounts that were manually correlated. This field is case sensitive. | @accounts(manuallyCorrelated:false) |
accounts |  | passwordLastSet | The date in ISO 8601 format that the password for the account was last changed. If you want to include the time in your search query, escape the : characters using a \. | @accounts(passwordLastSet:2018-08-16T18\:29\:02Z) |
accounts |  | created | The date in ISO 8601 format that an identity's account on a source was first created. If you want to include the time in your search query, escape the : characters using a \. | @accounts(created:2018-08-16T18\:29\:02Z) |
accounts | entitlementAttributes | memberOf | The entitlement attributes and values associated with the account. The "memberOf" field is only available for accounts on Active Directory sources. Other sources might use other values in place of "memberOf"(*). | @accounts(entitlementAttributes.memberOf:"manager entitlement") |
accounts | source | name | The display name of the source the account is on. | @accounts(source.name:"Acme Source") |
accounts | source | id | The technical ID of the source the account is on. | @accounts(source.id:abc1) |
accounts | source | type | The type of source the account is on. | @accounts(source.type:DelimitedFile) |
access |  | id | The technical ID of the access item. | @access(id:abc1) |
access |  | type | The type of access item. | @access(type:ENTITLEMENT) |
access |  | displayName | The display name of the access item, as configured in the UI. This is the same as access.name. | @access(displayName:"Manager Entitlement") |
access |  | name | The name of the access item, as configured in the UI. This is the same as access.displayName. | @access(name:"Manager Entitlement") |
access |  | description | The description of the access item, as entered in the UI. | @access(description:"Entitlement given to managers in Engineering") |
access |  | privileged | A boolean based on whether the access item is marked as privileged. For access items that are not entitlements, this boolean describes whether the access item contains an entitlement that is marked as privileged. | @access(privileged:false) |
access |  | attribute | For entitlements, the attribute used by the source to define the type of entitlement. | @access(attribute:memberOf) |
access |  | value | For entitlements, the value used by the source for the entitlement. | @access(value:"manager entitlement") |
access |  | disabled | For roles, a boolean based on whether the role is enabled or disabled in the UI. This field is case sensitive. | @access(disabled:false) |
access | source | name | The display name of the source the access comes from. | @access(source.name:"Active Directory") |
access | source | id | The technical ID of the source the access comes from. | @access(source.id:abc1) |
access | owner | id | The technical ID of the access owner. | @access(owner.id:abc1) |
access | owner | name | The access owner's name as it appears on the Identities page. | @access(owner.name:amanda.ross) |
access | owner | displayName | The access owner's display name as it appears on the Identities page. | @access(owner.displayName:"Amanda Ross") |
(*) The entitlementAttributes field can be followed by any first-level field name that has been defined as an entitlement attribute on the source. For example, instead of memberOf, a query could use groups, license, or roles, depending on the source.
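The syntax rules from the identity tables above (case-sensitive field names, quoted values, \-escaped : in timestamps, @object(...) nested queries), put together as an added example that is not SailPoint's own code. The field sets are a subset copied from this page; costCenter is a hypothetical custom attribute, and range operators other than the <= shown on this page are assumed.

```python
import re
from datetime import datetime, timezone

# Subset of the field names listed in the identity tables on this page.
IDENTITY_FIELDS = {
    "name", "displayName", "email", "status", "isManager", "created",
    "modified", "processingState", "accessCount", "tags",
    "manager.name", "manager.id", "source.name", "identityProfile.name",
}
NESTED_FIELDS = {
    "apps": {"id", "name", "source.name", "source.id",
             "account.id", "account.accountId"},
    "accounts": {"id", "name", "accountId", "disabled", "locked",
                 "privileged", "manuallyCorrelated", "passwordLastSet",
                 "created", "source.name", "source.id", "source.type"},
    "access": {"id", "type", "displayName", "name", "description",
               "privileged", "attribute", "value", "disabled",
               "source.name", "source.id", "owner.id", "owner.name",
               "owner.displayName"},
}
# Objects whose sub-field names are defined by the tenant or the source:
# custom identity attributes, and entitlement attributes such as memberOf.
OPEN_PREFIX = {"identity": "attributes", "accounts": "entitlementAttributes"}
# Only "<=" appears on this page; the other operators are an assumption.
RANGE_OPS = {"", "<", "<=", ">", ">="}
BARE_VALUE = re.compile(r"[A-Za-z0-9_.@-]+")
OPEN_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def check_field(field, allowed, open_prefix=None):
    """Return the field if it is known; matching is case sensitive."""
    if field in allowed:
        return field
    prefix, _, rest = field.partition(".")
    if open_prefix and prefix == open_prefix and OPEN_NAME.fullmatch(rest):
        return field
    hint = [f for f in sorted(allowed) if f.lower() == field.lower()]
    suffix = f"; did you mean {hint[0]!r}?" if hint else ""
    raise ValueError(f"unknown field {field!r}{suffix}")


def format_value(value):
    """Render a Python value the way the examples on this page write it."""
    if isinstance(value, bool):  # checked before int: bool subclasses int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        stamp = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        return stamp.replace(":", "\\:")  # escape every ':' in the time
    text = str(value)
    # The page shows no escaping rule for quotes or backslashes inside a
    # value, so such input is rejected instead of guessed at.
    if not text or '"' in text or "\\" in text:
        raise ValueError(f"unsupported value {text!r}")
    return text if BARE_VALUE.fullmatch(text) else f'"{text}"'


def term(field, value, op="", scope="identity"):
    """Build one field:value clause for an identity search."""
    if op not in RANGE_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    allowed = IDENTITY_FIELDS if scope == "identity" else NESTED_FIELDS[scope]
    name = check_field(field, allowed, OPEN_PREFIX.get(scope))
    return f"{name}:{op}{format_value(value)}"


def nested(obj, field, value, op=""):
    """Build a nested query, required for apps, accounts and access."""
    if obj not in NESTED_FIELDS:
        raise ValueError(f"{obj!r} is not a nested object")
    return f"@{obj}({term(field, value, op, scope=obj)})"


if __name__ == "__main__":
    changed = datetime(2018, 8, 16, 18, 29, 2, tzinfo=timezone.utc)
    print(nested("accounts", "privileged", True))
    print(nested("accounts", "passwordLastSet", changed, op="<="))
    print(nested("access", "source.name", "Active Directory"))
    print(term("attributes.costCenter", "R&D 42"))  # hypothetical attribute
```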
Searching Entitlement Data
The entitlement data model describes the data found within an entitlement. Refer to our sample data models for an example of an entitlement data model.
First-Level Fields for Entitlements
The following table contains a list of the first-level fields found in entitlements.
Field | Type | Description | Example |
id | string | The technical ID of the entitlement. | id:abc1 |
displayName | string | The display name of the entitlement, as seen in the UI. | displayName:"Manager Entitlement" |
name | string | The entitlement name. | name:"manager entitlement" |
description | string | The user-entered description of the entitlement. | description:"The entitlement assigned to managers." |
privileged | bool | A boolean describing whether or not the entitlement is marked as privileged. | privileged:true |
requestable | bool | A boolean describing whether or not the entitlement is marked as requestable. | requestable:true |
attribute | string | The attribute used by the source to define the type of entitlement. | attribute:memberOf |
value | string | The value used by the source for this entitlement. | value:"manager entitlement" |
modified | date | The most recent date that changes were made to this entitlement in ISO 8601 format. This includes changes made within your tenant and detected by aggregations. If you want to include the time in your search query, escape the : characters using a \. | modified:2018-08-16T18\:29\:02Z |
synced | date | The date that this entitlement's information was last synchronized with Search, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | synced:2018-08-16T18\:29\:02Z |
tags | string | Tags assigned to the entitlement. | tags:PCI_COMPLIANCE |
Second-Level Fields for Entitlements
Entitlements also have second-level fields.
Second-Level Field | First-Level Field | Type | Description | Example |
source | name | string | The name of the source the entitlement comes from. | source.name:"Acme Source" |
source | id | string | The ID of the source the entitlement comes from. | source.id:abc1 |
segments | name | string | The name of a segment the entitlement is in. | segments.name:"Financial Services" |
segments | id | string | The technical ID of a segment the entitlement is in. | segments.id:abc1 |
owner | name | string | The display name of the identity listed as this entitlement's owner. | owner.name:"Sam Johnson" |
owner | id | string | The technical ID of the identity listed as the entitlement's owner. | owner.id:abc1 |
Searching Access Profile Data
The access profile data model describes the information you can find about access profiles in your tenant's implementation. Refer to our sample data models for an example of an access profile data model.
First-Level Fields for Access Profiles
The following table contains a list of first-level fields in access profiles, as well as brief introductions to the second- and nested-level fields in access profiles.
Field | Type | Description | Example |
created | date | The date the access profile was created, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | 2018-08-16T18\:29\:02Z |
description | string | The user-entered description of the access profile. | description:"Grants users access to Acme App." |
entitlementCount | integer | The number of entitlements in the access profile. | entitlementCount:3 |
id | string | The technical ID of the access profile. | id:abc1 |
modified | date | The most recent date that changes were made to this access profile in ISO 8601 format. This includes changes made within your tenant and detected by aggregations. If you want to include the time in your search query, escape the : characters using a \. | modified:2018-08-16T18\:29\:02Z |
name | string | The name of the access profile. | name:"Acme App Admin Access" |
requestable | bool | A boolean describing whether or not this access profile is marked as requestable. This field is case sensitive. | requestable:true |
synced | date | The date that this access profile's information was last synchronized with Search, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | synced:2018-08-16T18\:29\:02Z |
tags | string | Tags assigned to the access profile. | tags:PCI_COMPLIANCE |
Second-Level Fields
Fields | Description |
owner | Search for access profiles with a specific identity listed as their owner. This object requires a second-level field. |
source | Search for access profiles that have entitlements from a specific source. This object requires a second-level field. |
entitlements | Search for access profiles by the characteristics of the entitlements they contain. This object requires a nested-level field. |
apps | Search for access profiles by the characteristics of the apps associated with them. This object requires a nested-level field. |
Second-Level Fields for Access Profiles
Access profiles also have second-level fields.
Nested-Level Fields for Access Profiles
If an access profile is able to have more than one of a particular type of item, it must be searched with a nested query. Because an access profile can have multiple entitlements associated with it, those entitlements are considered nested objects and they must be searched using nested queries.
Searching Role Data
The role data model describes the data found in roles. Roles contain first- and second-level fields. Refer to our sample data models for an example of a role data model.
First-Level Fields
Field | Type | Description | Example |
name | string | The user-entered name of the role. | name:"Accounting Role" |
id | string | The technical ID of the role. | id:abc1 |
description | string | The user-entered description of the role. | description:"This is a role for accountants." |
created | date | The date the role was created, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | created:2018-08-16T18\:29\:02Z |
modified | date | The most recent date that changes were made to this role in ISO 8601 format. This includes changes made within your tenant and detected by aggregations. If you want to include the time in your search query, escape the : characters using a \. | modified:2018-08-16T18\:29\:02Z |
enabled | bool | A boolean describing whether the role is enabled. This field is case sensitive. | enabled:false |
requestable | bool | A boolean describing whether the role is requestable. This field is case sensitive. | requestable:true |
synced | date | The date that this role's information was last synchronized with Search, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | synced:2018-08-16T18\:29\:02Z |
accessProfileCount | integer | The number of access profiles granted by the role. | accessProfileCount:3 |
entitlementCount | integer | The number of entitlements granted by the role that aren't associated with access profiles. | entitlementCount:5 |
tags | string | Tags assigned to the role. | tags:PCI_COMPLIANCE |
Second- and Nested-Level Fields
Fields | Description |
accessProfiles | Search for roles based on the access profiles they grant. |
owner | Search for roles based on information about the identities marked as their owners. |
segments | Search for roles by the segments they are in. |
entitlements | Search for roles based on the entitlements they grant separately from access profiles. |
Second-Level Fields for Roles
Roles also have second-level fields. The access profiles list for each role has been flattened in your search data so that you query them as second-level fields, rather than nested objects.
Nested-Level Fields for Roles
Some fields within roles are considered nested objects and must be searched with a nested query.
Nested Object | Field | Type | Description | Example |
entitlements | attribute | string | The attribute used by the source to define the type of entitlement. | @entitlements(attribute:memberOf) |
entitlements | schema | string | The entitlement type. | @entitlement(schema:group) |
entitlements | description | string | The user-entered description of the entitlement. | @entitlements(description:"The entitlement assigned to managers.") |
entitlements | id | string | The technical ID of the entitlement. | @entitlements(id:abc1) |
entitlements | name | string | The entitlement name. | @entitlements(name:"Manager Entitlement") |
entitlements | value | string | The value used by the source for this entitlement. | @entitlements(value:managerEntitlement) |
entitlements | hasPermissions | bool | Whether there are permissions associated with this entitlement. | @entitlements(hasPermissions:true) |
Searching Event Data
The data model for events describes how audit events are stored. Audit events in Search contain first-level fields and second-level fields.
Events are how Identity Security Cloud tracks audit data. Using Search, you can create and download a custom audit report. Refer to Downloading Reports from the Search Interface for details. Refer to our sample data models for an example of an event data model.
Events stay in Search for one year plus the current month. Review the data retention policy in the FAQ for details.
First-Level Fields for Events
In an event's first-level fields, you can find basic metadata about the event.
Field | Type | Description | Example |
created | date | The date the event began, in ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | created:2018-08-16T18\:29\:02Z |
name | string | A user-friendly translation of the technical name. | name:"Create Source Passed" |
operation | string | The action performed during the event. This is also captured in the technicalName. | operation:CREATE |
status | string | The result of the event. | status:PASSED |
technicalName | string | The normalized name of the event. This always follows the pattern objects_operation_status. | technicalName:SOURCE_CREATE_PASSED |
details | string | When available, a description of the event. | details:"User approved access request for app." |
type | string | The type, or classification, of the event. | type:SOURCE_MANAGEMENT |
id | string | The technical ID of the event. | id:abc1 |
ipAddress | string | The IP address of the target system, such as the app a user is signing in to or the source that the user is changing the password for. | ipAddress:207.123.123.150 |
objects | string | The object the event is happening to. In some cases, there is more than one domain object. | objects:SOURCE |
action | string | The name of the event as it appeared in legacy audit reports. | action:CONNECTOR_CREATE |
trackingNumber | string | The ID of the group of events. Sometimes, this ID will be the same for multiple related events. This tracking number might also match the tracking number for an account activity entry. | trackingNumber:abc1 |
Second-Level Fields for Events
Second-Level Field | First-Level Field | Type | Description | Example |
actor | name | string | The name of the identity, source, or system that generated this event. | actor.name:"Andrew Beck" |
target | name | string | The name of the recipient of the event. This can be an identity, source, or system. | target.name:"Active Directory" |
Additional information about each event can be found within the second-level field attributes for each event. Because each audit event has a different set of attributes, SailPoint does not document all sub-fields associated with the attributes object.
For example, you might see the following fields within the attributes section in an event:
- errors - The error message returned when the event is in an error.
- provisioningResult - The status of a completed provisioning action. This will be either COMMITTED or FAILED.
- sourceName - The name of the source involved in the event.
- _before and _after - These are appended to a source configuration field to indicate the values of that field before and after it is changed. For example, clientId_before and clientId_after.
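For audit review, the _before/_after convention and the objects_operation_status naming pattern described above can be used to pull configuration changes out of exported events. This is an added example, not SailPoint code: the event dictionaries are constructed sample data whose shape is assumed from the field tables on this page, and SOURCE_UPDATE_PASSED and the url field are made-up values.

```python
SUFFIXES = ("_before", "_after")

# Constructed sample events; the layout is an assumption based on the
# first- and second-level event fields documented on this page.
EVENTS = [
    {
        "id": "abc1", "created": "2018-08-16T18:29:02Z",
        "technicalName": "SOURCE_CREATE_PASSED",
        "operation": "CREATE", "status": "PASSED",
        "actor": {"name": "Andrew Beck"},
        "target": {"name": "Active Directory"},
        "attributes": {"sourceName": "Active Directory"},
    },
    {
        "id": "abc2", "created": "2018-08-17T09:12:40Z",
        "technicalName": "SOURCE_UPDATE_PASSED",  # constructed name
        "operation": "UPDATE", "status": "PASSED",
        "actor": {"name": "Andrew Beck"},
        "target": {"name": "Acme Source"},
        "attributes": {
            "sourceName": "Acme Source",
            "clientId_before": "client-old",
            "clientId_after": "client-new",
            "url_before": "https://idp.example.com",  # unchanged field
            "url_after": "https://idp.example.com",
        },
    },
]


def attribute_changes(attributes):
    """Pair X_before / X_after keys and return the fields that changed.

    A field with only one side present is reported with None for the
    missing side, so added or removed settings are not silently dropped.
    """
    pairs = {}
    for key, value in attributes.items():
        for suffix in SUFFIXES:
            if key.endswith(suffix) and len(key) > len(suffix):
                pairs.setdefault(key[: -len(suffix)], {})[suffix] = value
    changes = []
    for field in sorted(pairs):
        before = pairs[field].get("_before")
        after = pairs[field].get("_after")
        if before != after:
            changes.append((field, before, after))
    return changes


def objects_of(event):
    """Strip _operation_status from technicalName, leaving the objects part.

    Uses the event's own operation and status fields, so object names that
    contain underscores are handled without guessing where to split.
    """
    tail = f"_{event['operation']}_{event['status']}"
    name = event["technicalName"]
    if not name.endswith(tail) or len(name) == len(tail):
        raise ValueError(f"{name!r} does not end with {tail!r}")
    return name[: -len(tail)]


def review_events(events, watched_fields):
    """Return one finding per change to a watched configuration field."""
    findings = []
    for event in events:
        attrs = event.get("attributes", {})
        failed = (attrs.get("provisioningResult") == "FAILED"
                  or bool(attrs.get("errors")))
        for field, before, after in attribute_changes(attrs):
            if field in watched_fields:
                findings.append({
                    "created": event["created"],
                    "objects": objects_of(event),
                    "actor": event["actor"]["name"],
                    "source": attrs.get("sourceName"),
                    "field": field, "before": before, "after": after,
                    "failed": failed,
                })
    return findings


if __name__ == "__main__":
    for finding in review_events(EVENTS, {"clientId"}):
        print(finding)
```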
Searching Account Activity Data
The account activity data model covers most activity that Identity Security Cloud completes on a source account. The following types of actions are available in account activity:
- Access Request - Search on access requests.
- Account Attribute Update - Search for events that involved updating a single attribute on an account.
- Account State Update - Search for events that involved locking or unlocking an account on a source.
- Certification - Search for events involving removing an entitlement from a user as a result of the entitlement being revoked during a certification.
- Cloud Automated <Lifecyclestate> - Search automated lifecycle state changes that resulted in an identity being assigned to a different lifecycle state. The <Lifecyclestate> variable will be replaced with the name of the lifecycle state that identities changed to.
- Identity Attribute Update - Search on the times when an identity's attribute was updated within Identity Security Cloud as the result of a provisioning action. When updating an identity attribute also updates an identity's lifecycle state, the Cloud Automated <Lifecyclestate> action also takes place. Updates to identity attributes that occur as a result of an aggregation are not included in Account Activity.
- Identity Refresh - Search identity refreshes that happen whenever a user gets a new role, whenever an identity profile is updated, or whenever an app is assigned to users based on that app being assigned to All Users From Source or Specific Users From Source.
- Lifecycle State Refresh - Search the actions that took place when a lifecycle state was changed. This event only occurs after Cloud Automated <Lifecyclestate> or Lifecycle State Change.
- Lifecycle State Change - Search account activity that resulted in an identity being manually assigned to a null lifecycle state.
- Password Change - Search password changes on sources.
When you search on account activity, only the set list of results described above is displayed. Each of those actions represents a specific type of event that occurred in your site.
You can search on attribute sync provisioning events in the Events tab using the query attributes.interface:"AccountAttributeUpdate".
To search for account activity, use the fields contained within the data model. Account activity contains first-level fields, second-level fields, and nested fields.
Completed account actions are stored in Search for 7 days. Review the data retention policy in our FAQ for details.
Refer to our sample data models for an example of an account activity data model.
First-Level Fields for Account Activity
In an account action's first-level fields, you can find basic metadata about the request.
Below the first-level fields, the table contains a list of the second- and nested-level fields available for account actions. Select one of those fields to review the data stored about that object.
Field | Type | Description | Example |
action | string | The action performed. This will always match an action in the list above. | action:"Password Change" |
status | string | The overall status of the account activity. | status:complete |
id | string | The technical ID of the request. | id:acb1 |
trackingNumber | string | The tracking number, which is sometimes used for auditing purposes. This tracking number might also match the tracking number for an event entry. | trackingNumber:1234 |
created | date | The date the action was created in any ISO format that uses YYYY-MM-DD. If you want to include the time in your search query, escape the : characters using a \. | created:2018-08-16T18\:29\:02Z |
modified | date | The date of the last activity related to the action in any ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | modified:2018-08-16T18\:29\:02Z |
sources | list | The sources involved in the account activity. Searching on one source in this list will return all account activity that has that source within the sources list. This field is case sensitive. | sources:"Active Directory" |
stage | string | The progress of the action, provided by the source. | stage:executing |
errors | list | Any errors that the source provided while completing account actions. | errors:"Unable to provision to this source." |
warnings | list | Any warnings the source provided while completing account actions. | warnings:"New value equal to old value." |
Second-Level Fields
Fields | Description |
requester | Search for account activity based on data about the system or person that first triggered the actions. This object requires a second-level field. |
recipient | Search for account activity based on data about the system or person being modified by the account actions. This object requires a second-level field. |
originalRequests | Search for account activity based on data about the original action that triggered all individual source actions related to this account action. For example, a lifecycle state change, a role change, a password update, etc. This object requires a nested query. |
accountRequests | Search for account activity based on data about each individual source action that was triggered by the original request. This might include an entitlement being granted, an attribute update, a single account being created, etc. This object requires a nested query. |
expansionItems | Search for account activity based on the controls that translated the attributeRequests into actual provisioning actions on a source. This object requires a nested query. |
approvals | Search for account activity based on data about the approvals or rejections performed on an item. This item only applies to access requests. This object requires a nested query. |
Second-Level Fields for Account Activity
Second-level fields are a type of object. Each second-level field contains at least one first-level field. They can give you additional information about your identities and their data.
Nested-Level Fields for Account Activity
If an account action is able to have more than one of a particular type of item, it must be searched with a nested query. Account activity also has originalRequests information, which uses a nested query because it's considered an object, even though an account action can only have one original request item. Account activity's nested objects are described below.
- originalRequests - The original account action within Identity Security Cloud that triggered all related source actions. For example, a role being granted is an original request.
- accountRequests - Each account request is a description of the changes made to an individual source. The original request is duplicated here.

  Note: Both originalRequests and accountRequests contain a field called attributeRequests. Each attribute request is a granular description of each individual attribute that must be modified on the source.
- expansionItems - Each account action will have one expansion item for every attribute request. The expansionItems field is an internal logging mechanism to help SailPoint troubleshoot account activity, and includes details about why each attributeRequest was completed the way it was.
- approvals - Approval items are present only for access request account actions. They include information about who the reviewers were and any comments they left.
The following table contains a list of all nested objects in account activity and the fields they contain.
Nested Object | Second-Level Field | First-Level Field | Type | Description | Example |
originalRequests | | accountId | string | The account ID of the user on the source that the request was made for. | @originalRequests(accountId:sam.smith) |
originalRequests | | op | string | The requested operation. This can be create, modify, lock, unlock, enable, disable, or delete. | @originalRequests(op:create) |
originalRequests | source | id | string | The technical ID of the source that the actions will happen on. | @originalRequests(source.id:abc1) |
originalRequests | source | name | string | The name of the source that the actions will happen on. | @originalRequests(source.name:"Active Directory") |
originalRequests | source | displayName | string | The display name of the source that the actions will happen on. | @originalRequests(source.displayName:"Active Directory") |
originalRequests | source | type | string | The type of source that's being modified as the result of these actions. | @originalRequests(source.type:"Generic Flat File") |
originalRequests | provisioningTarget | id | string | The technical ID of the source that's fulfilling the request. | @originalRequests(provisioningTarget.id:abc1) |
originalRequests | provisioningTarget | name | string | The display name of the source that's fulfilling the request. | @originalRequests(provisioningTarget.name:"Active Directory") |
originalRequests | provisioningTarget | type | string | The type of source that's being modified as the result of these actions. | @originalRequests(provisioningTarget.type:"Active Directory") |
originalRequests | attributeRequests | op | string | The operation for an individual attribute that must be edited. This might be add, set, or remove. | @originalRequests(attributeRequests.op:add) |
originalRequests | attributeRequests | name | string | The name of the individual attribute that's being updated. | @originalRequests(attributeRequests.name:displayName) |
originalRequests | attributeRequests | value | string | The new value of the attribute that's being updated. | @originalRequests(attributeRequests.value:"Bob Dobbs") |
accountRequests | | accountId | string | The native identity that the request was made for. | @accountRequests(accountId:"cn=I17Manager1,dc=flatfile,dc=endtoend,dc=com") |
accountRequests | | op | string | The requested operation. This can be create, modify, lock, unlock, enable, disable, or delete. | @accountRequests(op:enable) |
accountRequests | source | id | string | The technical ID of the source that the actions will happen on. | @accountRequests(source.id:abc1) |
accountRequests | source | name | string | The name of the source that the actions will happen on. | @accountRequests(source.name:"Active Directory") |
accountRequests | source | displayName | string | The display name of the source that the action will happen on. | @accountRequests(source.displayName:"Active Directory") |
accountRequests | source | type | string | The type of source that's being modified as the result of these actions. | @accountRequests(source.type:"Generic Flat File") |
accountRequests | provisioningTarget | id | string | The technical ID of the source that's fulfilling the request. | @accountRequests(provisioningTarget.id:abc1) |
accountRequests | provisioningTarget | name | string | The display name of the source that's fulfilling the request. | @accountRequests(provisioningTarget.name:"Active Directory") |
accountRequests | provisioningTarget | type | string | The type of source that's being modified as the result of these actions. | @accountRequests(provisioningTarget.type:"Generic Flat File") |
accountRequests | result | status | string | The status of the individual action on the specific source. | @accountRequests(result.status:retry) |
accountRequests | result | errors | string | Any errors that the source provided while completing account actions. | @accountRequests(result.errors:"There was an error during provisioning.") |
accountRequests | result | warnings | string | Any warnings that the source provided while completing account actions. | @accountRequests(result.warnings:"Warning: Memory running low.") |
accountRequests | result | ticketId | string | If a ticket has been created in an external system such as ServiceNow to track the provisioning for this request, this is the ticket ID that has been provided to Identity Security Cloud. | @accountRequests(result.ticketId:1234) |
accountRequests | attributeRequests | op | string | The operation for an individual attribute that must be edited. This might be add, set, or remove. | @accountRequests(attributeRequests.op:set) |
accountRequests | attributeRequests | name | string | The name of the individual attribute that's being updated. | @accountRequests(attributeRequests.name:lastName) |
accountRequests | attributeRequests | value | string | The new value of the attribute that's being updated. | @accountRequests(attributeRequests.value:Jones) |
expansionItems | | accountId | string | The unique account identifier for the account being modified. | @expansionItems(accountId:Andrew.Beck) |
expansionItems | | cause | string | The internal reason why this attributeRequest is being performed. This can be Role, AttributeSync, AttributeAssignment, or ProvisioningPolicy. | @expansionItems(cause:Role) |
expansionItems | | name | string | Additional information about the reason this attributeRequest is being performed. | @expansionItems(name:"Accounting Role") |
expansionItems | source | name | string | The name of the source that the account being modified is on. | @expansionItems(source.name:AD) |
expansionItems | source | id | string | The technical ID of the source the account being modified is on. | @expansionItems(source.id:abc1) |
expansionItems | source | type | string | The type of source that the account being modified is on. | @expansionItems(source.type:"Active Directory") |
expansionItems | attributeRequest | op | string | The operation for an individual attribute that must be edited. This might be add, set, or remove. | @expansionItems(attributeRequest.op:set) |
expansionItems | attributeRequest | name | string | The name of the individual attribute being updated on the source. | @expansionItems(attributeRequest.name:roleAttribute) |
expansionItems | attributeRequest | value | string | The new value of the attribute being updated. | @expansionItems(attributeRequest.value:"Accounting Manager") |
approvals | | workItemId | string | The technical ID of the approval item. | @approvals(workItemId:abc1) |
approvals | | created | date | The date that the approval item was created. | @approvals(created:2018-08-13) |
approvals | | modified | date | The date that the approval item was last modified in any ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | @approvals(modified:2018-08-16T18\:29\:02Z) |
approvals | | result | string | The status of the approval item. This can be Finished or Rejected. | @approvals(result:finished) |
approvals | comments | commenter | string | The display name of the user who left the comment. | @approvals(comments.commenter:bob.smith) |
approvals | comments | comment | string | The comment that was left on the approval item. | @approvals(comments.comment:"This access is privileged and is not appropriate for this requester.") |
approvals | comments | date | date | The date that the comment was left in any ISO 8601 format. If you want to include the time in your search query, escape the : characters using a \. | @approvals(comments.date:2018-08-16T18\:29\:02Z) |
approvals | owner | name | string | The name of the reviewer of the access request. | @approvals(owner.name:jane.smith) |
approvals | owner | id | string | The technical ID of the reviewer of the access request. | @approvals(owner.id:abc1) |
To learn more about putting fields and terms together into search queries, read Building a Search Query.
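The quoting, colon-escaping, and nested-query rules from the account activity tables above, as an added example (not SailPoint's code): a small Python helper that turns a dotted field path and a value into a search term. The function names are hypothetical; joining several conditions with AND inside one nested query and the escaping of embedded quotes are assumptions of this example.

```python
import re

# Objects on this page that must be searched with a nested query.
NESTED_OBJECTS = {"originalRequests", "accountRequests", "expansionItems", "approvals"}

# UTC timestamps in the form the page's examples use (2018-08-16T18:29:02Z).
ISO_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
BARE_WORD = re.compile(r"^[A-Za-z0-9_.@-]+$")


def format_value(value: str) -> str:
    """Render a value the way the examples in the tables above do."""
    if ISO_TIMESTAMP.match(value):
        # Timestamps stay unquoted; each ':' is escaped with a backslash.
        return value.replace(":", "\\:")
    if BARE_WORD.match(value):
        return value
    # Anything else becomes a quoted phrase. Escaping embedded backslashes and
    # quotes is an assumption of this example, not something the page states.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def nested_query(obj: str, conditions: dict) -> str:
    """Build @obj(field:value ...) for one nested object."""
    if obj not in NESTED_OBJECTS:
        raise ValueError(f"{obj!r} is not a nested object for account activity")
    if not conditions:
        raise ValueError("a nested query needs at least one field")
    terms = [f"{field}:{format_value(value)}" for field, value in conditions.items()]
    # Assumption: several conditions inside one nested query are joined with AND.
    return f"@{obj}(" + " AND ".join(terms) + ")"


def term(path: str, value: str) -> str:
    """Build one search term from a dotted path such as accountRequests.result.status."""
    head, _, rest = path.partition(".")
    if head in NESTED_OBJECTS:
        if not rest:
            raise ValueError(f"{head} requires a nested field, e.g. {head}.op")
        return nested_query(head, {rest: value})
    # First-level fields are searched directly.
    return f"{path}:{format_value(value)}"
```

Field names are passed through unchanged because they are case sensitive, so `accountrequests.op` is treated as a plain field rather than a nested query.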