How to identify an actor in an event if appearing as system?

Hi!

We need to identify who is changing the identity lifecycle state. But looking at the event, it appears that the actor is “system”.

Also, search does not give us more information:

The client needs to audit the real author of this event. Is there some way that ISC logs this information?

Hi @jsosa,

You may be using a transform or a rule to set the lifecycle state for the identity. Because it is the system that is calculating these and triggering that event, the actor will always come as “system”.

If you manually switch the lifecycle state, then you can see the event “Update Identity Attribute Value Passed”, where you can see the actor as the user who manually moved the user to a different LCS.

Use the search query below:

"Update Identity Attribute Value Passed" AND cloudLifecycleState

2 Likes

Hello Julian,
If you want to see who is changing that attribute, you should identify the “Update Identity Attribute Value Passed” event, and the actor will be the one who changes that attribute. If the event is not available, you can review the identity profile and its transform to verify the correct samaccountname calculation.

Hi Shekhar, thanks for your response. In this particular case, LCS comes with its final value, directly from RH. Also, the client has a team who can log into ISC and manually change LCS. For auditing purposes, he needs to know who entered into ISC and changed somebody's LCS.

1 Like

In that case, the search query suggested above will definitely work for you.

Worked! Many thanks!

1 Like