Fill the Gaps in Your
History and Audit
Logging
Auto Audit and View the Entire History for Any Given Identity Into a Surgical, Singular View
About the Plugin
The history plugin’s History Scanner is a background service or scheduled job that searches for Identity or Link objects updated since the last scan. Each of these is analyzed for differences, which are logged as permanent IIQ audit events. The scanner is multi-threaded and very efficient, currently in use on installations with many millions of Identities.
Configuration can be used to ignore changes to specified fields, specified identities, or specified applications.
The scanner uses a smart, IIQ-specific diff utility to avoid spurious change detection. For example, an AD account whose groups change from [A, b, C] to [B, c, A] would not be detected as a change.
The History Plugin provides a History Viewer, a standalone plugin page that merges all sources of history for a given Identity. The viewer shows all Identity history data in a single, searchable timeline table! You can use the History Viewer to see attribute changes to a specific account, to view the details of a historical role assignment, or to analyze certification outcomes.
The History Plugin’s history viewer shows the following types of historical or audit events:
- Attribute changes detected by the scanner
- Access request details and outcome
- Account creation and deletion
- Role assignment and removal
- Lifecycle events
- Provisioning audit events (and provisioning transactions if they’re available)
- Certification triggers and certifier actions
- Any custom audit events specified in the configuration
- Native IIQ access history data
- Task results that mention the Identity (optionally)
The timeline can be narrowed from both ends to view only events within a certain span of time. You can specify custom security assertions, restricting certain users from seeing some or all types of events.
The example here shows access request, lifecycle, identity-level attribute change, and provisioning events.
By checking “Show attribute view”, you can pivot the table into an alternative view showing a before-and-after change log for every Identity and Account attribute.
