How to log Identity Attribute changes

Hello SailPoint Community,

I wanted to share a simple BeanShell rule I’ve created to achieve a simple but quite important audit event. Usually when an incident happens, it’s the Identity Management System that gets the blame for the problem. Sometimes it’s true, but more often it’s just because of wrong data received from source systems. That’s why I believe it is crucial to have an audit trail for changes made to identity attributes due to updates in authoritative source systems. This rule logs all such changes into the audit system.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Log Identity Attribute Change" type="Listener">
  <Source>
    import sailpoint.object.AuditEvent;

    // Listener rules receive the identity being updated, the name of the
    // changed attribute and its old/new values as rule arguments.
    AuditEvent auditEvent = new AuditEvent();
    auditEvent.setAction("identityAttributeChange");
    auditEvent.setSource("aggregation");
    auditEvent.setTarget(identity.getName());
    auditEvent.setAttributeName(attributeName);
    auditEvent.setAttribute("oldValue", oldValue);
    auditEvent.setAttribute("newValue", newValue);

    // Persist the event; the method is commitTransaction (a typo in the
    // original snippet, commitTransation, would fail at runtime).
    context.saveObject(auditEvent);
    context.commitTransaction();
  </Source>
</Rule>

This rule can be tied to any identity attribute like this:

  1. Directly in Debug via ListenerRule reference
  2. In Identity Mappings

Output of this rule looks like this:

Feel free to use it if you think it might be useful for you.

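A hardened variant of the listener body above, added here as an example and not part of the original post. It assumes the standard Listener rule arguments (identity, attributeName, oldValue, newValue, context), uses sailpoint.server.Auditor to honour the Audit Configuration, and skips no-op updates and null values so the trail only records real changes; the action name identityAttributeChange must be enabled in Audit Configuration for Auditor.isEnabled to return true.

```java
import sailpoint.object.AuditEvent;
import sailpoint.server.Auditor;

// Action name as used in the original rule; it must be enabled in
// Audit Configuration, otherwise the event is dropped silently.
String action = "identityAttributeChange";

// Normalize nulls so a null-to-empty "change" is not recorded and the
// stored values are always plain strings (multi-valued attributes are
// stored via their List.toString() form).
String oldText = (oldValue == null) ? "" : oldValue.toString();
String newText = (newValue == null) ? "" : newValue.toString();

// Only log when the value really changed and auditing of this action
// is switched on; this keeps the audit table from filling with noise
// on every refresh or aggregation that touches the identity.
if (!oldText.equals(newText) && Auditor.isEnabled(action)) {
    AuditEvent auditEvent = new AuditEvent();
    auditEvent.setAction(action);
    auditEvent.setSource("aggregation");
    auditEvent.setTarget(identity.getName());
    auditEvent.setAttributeName(attributeName);
    auditEvent.setAttribute("oldValue", oldText);
    auditEvent.setAttribute("newValue", newText);

    // Auditor.log persists the event through the audit subsystem;
    // the commit makes it visible to the Audit Search UI.
    Auditor.log(auditEvent);
    context.commitTransaction();
}
```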