SailPoint IdentityIQ ships with a variety of historical and audit logging. Aggregation jobs can save a snapshot of an Identity containing all of its attributes and accounts so an admin can refer to it later. You can view the history of lifecycle events for an Identity. You can view certification information. You can view historical requests. You can view audit events (assuming you have them enabled) for provisioning actions.
However, the provided history functions have two major shortcomings:
- Attribute changes on Identities and Accounts are not audited permanently or immediately.
- There is not a single user interface to view all history for a given Identity.
The IdentityWorks IIQ History Plugin easily resolves both of these problems.
History Scanner
The plugin’s History Scanner is a background service or scheduled job that searches for Identity or Link objects updated since the last scan. Each of these is analyzed for differences, which are logged as permanent IIQ audit events. The scanner is multi-threaded and very efficient, currently in use on installations with many millions of Identities.
Configuration can be used to ignore changes to specified fields, specified identities, or specified applications.
The scanner uses a smart diff utility to avoid spurious change detection. For example, an AD account whose groups change from [A, b, C] to [B, c, A] would not be detected as a change.
History Viewer
The History Viewer is a standalone plugin page that merges all sources of history for a given Identity, displaying it in a searchable timeline and a table. You can use the History Viewer to see attribute changes to a specific account, to view the details of a historical role assignment, or to analyze certification outcomes.
The viewer shows the following types of historical or audit events in a single timeline:
- Attribute changes detected by the scanner
- Access request details and outcome
- Account creation and deletion
- Role assignment and removal
- Lifecycle events
- Provisioning audit events (and provisioning transactions if they’re available)
- Certification triggers and certifier actions
- Any custom audit events specified in the configuration
The timeline can be narrowed from both ends to view only events within a certain span of time.
See the screenshots below for examples of the History Viewer interface. These screenshots show access request, lifecycle, identity-level attribute change, and provisioning events.
Attribute View
By checking “Show attribute view”, you can pivot the table into an alternative view showing a change log for every Identity and Account attribute.
