When reviewing data for a user, I can see in the Admin → Identity Management → Access History page for the user there is an entry on the date in question for “ADDED ENTITLEMENT” with the next line showing “[ENTITLEMENT NAME] ( from [SOURCE_NAME] )”.
When I go to the Search UI and try to search for this event, I am unable to find it. I use the search (date of event was 2024-09-02):
(actor.name:* AND target.name:[USER_NAME]) AND created:[2024-09-01 TO 2024-09-03]
Is there a way to see this access and the details of how it was added? I am unable to click on the item in the Access History, and no additional details are shown.
Was typing the same thing that Anshu just posted. Access History will show any changes to the Identity, either via ISC or directly on the target system. But Search will only show what ISC has done.
Yes, you could do that. A better way would be to turn on “Native Change Detection” on your sources. That would cause an entry to be added to the ISC Logs when something has changed directly on the source.
Then you can do a search like:
"Update Native Change Detected" AND target.name:<USERNAME> AND created:[2024-08-01 TO now]
Ok, I validated the approach I mentioned in Sandbox. I had a Role that assigned an Entitlement on an account. I can see the request for the role, the request to add the entitlement, and the request passed events in the search. When looking at the Access History, the Added Entitlement record appears exactly as if it was just assigned from the source itself. This means there is no way to differentiate how the Entitlement was added from the Access History.
I will have to try the Native Change Detection approach. This seems like it could add more events that we are looking for.