As per our requirement, when a user's AD account is terminated, we are removing all the groups associated with the user. Is there any way to audit/log in IdentityNow which groups are removed/deleted?
Hi Rashmi,
Are you looking for a reporting solution that exists in the IDN UI, or are you willing to work with APIs to try and get your answer?
I am looking for a solution for the exact same use, I am open to both UI and APIs.
Also, if you can break it down how the logging differs when using beforeProvRule vs aftermodifyrule (triggering a PS) for this use case that would be awesome.
@yunus_ali adding you to follow this.
Are the AD groups set up as entitlements on the AD source?
Yes, they are set up as entitlements.
And how are you assigning and removing the AD groups to identities? Are you using role membership criteria? What criteria/processes are you using? This could help us narrow down the specific processes so we know where to look for the activity data.
Assignment can happen via roles, access requests or LCS provisioning. This use case is for blanket removing all group memberships from a user's AD account when a user is terminated.
If you use a BP rule to remove groups, then all groups should be visible in account activities under the remove action. Currently there is a bug and it's only showing one even if there are multiple groups, but in the past it used to show all.
I am pushing our CSM to get it fixed.
That would be great, do you have a screenshot or artifact showing what it would look like in the account activities?
@colin_mckibben I am looking for both options - reporting solution as well as APIs. From end user perspective, I would like to go with a feasible option and a consolidated view of groups removed.
Thanks
Rashmi
@accountRequests(op:Modify AND attributeRequests.op:Remove AND source.name:"sourcename")
Use this query and you will get the remove requests for your source. You would see the group names in the attribute requests.
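The following is an added example, not code from the thread or from SailPoint: it replays the condition expressed by the search query above over locally constructed event documents and flattens every removed group into one consolidated list, which is the view the original poster asked for and which the UI bug mentioned earlier hides. The event field layout (top-level `accountRequests` with nested `attributeRequests`), the `build_search_body` request shape for `POST /v3/search`, and the source name "Active Directory" are assumptions to check against the tenant's API documentation before use.

```python
# Added example (not from the thread or SailPoint): local replay of the filter
#   @accountRequests(op:Modify AND attributeRequests.op:Remove AND source.name:"sourcename")
# over constructed event documents. The event field layout is an assumption.
from typing import Any, Dict, List

# Constructed sample events; field shapes are assumed, not taken from a live tenant.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # Termination: two AD groups removed in one Modify request -> both should be listed
        "id": "evt-1",
        "created": "2023-01-10T12:00:00Z",
        "target": {"name": "jdoe"},
        "accountRequests": [{
            "op": "Modify",
            "source": {"name": "Active Directory"},
            "attributeRequests": [
                {"op": "Remove", "name": "memberOf", "value": "CN=Finance,OU=Groups,DC=corp,DC=example"},
                {"op": "Remove", "name": "memberOf", "value": "CN=VPN-Users,OU=Groups,DC=corp,DC=example"},
            ],
        }],
    },
    {   # Group added, not removed -> must not match
        "id": "evt-2",
        "created": "2023-01-11T08:30:00Z",
        "target": {"name": "asmith"},
        "accountRequests": [{
            "op": "Modify",
            "source": {"name": "Active Directory"},
            "attributeRequests": [
                {"op": "Add", "name": "memberOf", "value": "CN=Sales,OU=Groups,DC=corp,DC=example"},
            ],
        }],
    },
    {   # Remove on a different source -> must not match for "Active Directory"
        "id": "evt-3",
        "created": "2023-01-12T09:00:00Z",
        "target": {"name": "jdoe"},
        "accountRequests": [{
            "op": "Modify",
            "source": {"name": "ServiceNow"},
            "attributeRequests": [{"op": "Remove", "name": "roles", "value": "itil"}],
        }],
    },
    {   # Account Delete rather than Modify -> must not match
        "id": "evt-4",
        "created": "2023-01-13T10:00:00Z",
        "target": {"name": "bwayne"},
        "accountRequests": [{
            "op": "Delete",
            "source": {"name": "Active Directory"},
            "attributeRequests": [{"op": "Remove", "name": "memberOf", "value": "CN=Admins,OU=Groups,DC=corp,DC=example"}],
        }],
    },
]


def build_search_body(source_name: str) -> Dict[str, Any]:
    """Request body for the IdentityNow search API (assumed: POST /v3/search
    with 'indices' and 'query.query'); verify against the tenant's API docs."""
    query = (
        "@accountRequests(op:Modify AND attributeRequests.op:Remove "
        f'AND source.name:"{source_name}")'
    )
    return {"indices": ["events"], "query": {"query": query}, "sort": ["-created"]}


def removed_groups(events: List[Dict[str, Any]], source_name: str) -> List[Dict[str, Any]]:
    """Apply the query's condition locally and return one row per removed
    group, so every group in a multi-group Modify request is surfaced."""
    rows: List[Dict[str, Any]] = []
    for ev in events:
        for req in ev.get("accountRequests", []):
            if req.get("op") != "Modify":
                continue
            if req.get("source", {}).get("name") != source_name:
                continue
            # A matching event may also carry Add requests; keep only the Removes.
            for attr in req.get("attributeRequests", []):
                if attr.get("op") != "Remove":
                    continue
                rows.append({
                    "event_id": ev.get("id"),
                    "created": ev.get("created"),
                    "identity": ev.get("target", {}).get("name"),
                    "attribute": attr.get("name"),
                    "group": attr.get("value"),
                })
    return rows


if __name__ == "__main__":
    print(build_search_body("Active Directory")["query"]["query"])
    for row in removed_groups(SAMPLE_EVENTS, "Active Directory"):
        print(row)
```

In practice the event list would come from the search API response rather than `SAMPLE_EVENTS`; the flattening in `removed_groups` is what turns "one event per termination" into an audit row per group removed, independent of how many groups the UI happens to render.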