Is it possible to query an audit event for revocation during Certification?
Using Source and action and application as input for the query
Thanks
@Manisha - Please elaborate on the issue more clearly. Why do we need to query the provisioning audit event at certification revocation time?
@NandanaGopu, I need that to get the time when revocation happened
Hello @maniG
Yes, all certification remediations are also audited, but you may have to check if audits are enabled in your SailPoint. Global Settings → Audit Configurations → General → Enable Remediate Certification item and Provision.
You can then get logs from both audits:
Remediate Certification Item - Creates an audit entry when a policy violation is corrected or a certification item is remediated, resulting in a remediation action; the remediation requestor and target identity are both shown, as are the owner of the remediation and the type of remediation action.
Provision - Creates an audit event for any provisioning result; it indicates the requester, the user to whom the provisioning action applies, and in your case, the source as Certification.
Hi @jainanimesh,
Thanks, those are already enabled
I am looking for solutions on how to get audit for deprovisioning especially certifications using code
One way I see is to use a custom audit in the after provisioning rule but then we need to add it for each app
Is there another way we can get the audit that will work for deprovisioning on all applications?
Hi @maniG - We have 2 options.
```java
import sailpoint.object.ProvisioningTransaction;
import sailpoint.object.QueryOptions;
import sailpoint.object.Filter;
import sailpoint.object.Attributes;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Iterator;
import java.util.TimeZone;

// Match successful, certification-driven transactions for one account
QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("identityName", "NAME"));
qo.addFilter(Filter.eq("applicationName", "APP_NAME"));
qo.addFilter(Filter.eq("nativeIdentity", "ACCOUNT_NAME"));
qo.addFilter(Filter.eq("source", "Certification"));
qo.addFilter(Filter.eq("status", "Success"));
try {
    Iterator itr = context.search(ProvisioningTransaction.class, qo);
    while (itr.hasNext()) {
        ProvisioningTransaction ptr = (ProvisioningTransaction) itr.next();
        Attributes atr = ptr.getAttributes();
        // The stored account request holds the attribute requests that were provisioned
        AccountRequest accReq = (AccountRequest) atr.get("request");
        if (accReq == null) {
            continue;
        }
        AttributeRequest atrReq = accReq.getAttributeRequest("ENT_NAME");
        // Skip transactions that did not touch this entitlement attribute
        if (atrReq == null || atrReq.getValue() == null) {
            continue;
        }
        String value = atrReq.getValue().toString();
        if (value.equalsIgnoreCase("ENT_VALUE")) {
            // Creation time of the transaction record, formatted in US Eastern time
            Date dt = ptr.getCreated();
            SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z");
            formatter.setTimeZone(TimeZone.getTimeZone("America/New_York"));
            String date = formatter.format(dt);
            return date;
        }
    }
} catch (Exception e) {
    log.error("Error " + e);
}
```
Please replace NAME, APP_NAME, ACCOUNT_NAME, ENT_NAME and ENT_VALUE with values from the certification data. This will return the date of the successful deprovisioning request.
Option2: We can write similar code to fetch the record from the auditEvent Action="Provision". But this involves fetching the audit twice for 1 revocation to know the status of provisioning. Hence I prefer option1.
Note: If you are choosing option1 - ProvisioningTransaction, please configure the required retention period in your environment. You can find the settings under Global Settings → IdentityIQ Configuration → Miscellaneous → Provisioning Transaction Log settings.
Please let me know if you need the code for Option2. I can share a sample snippet for reference.
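Option 2 from the reply above, written out as an added example (not code from the thread's participants or from SailPoint). It assumes the Provision audit event keeps the application, account and entitlement value in the `application`, `accountName` and `attributeValue` fields and `Certification` in `source`, as described in the replies; it returns when the event was written and does not by itself confirm that provisioning succeeded.

```java
// Added example for Option 2; runs as an IdentityIQ rule body, where
// `context` (SailPointContext) and `log` are supplied by the rule runtime.
import sailpoint.object.AuditEvent;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Iterator;
import java.util.TimeZone;

// Placeholders, as in Option 1: replace with values from the certification item
String appName = "APP_NAME";
String accountName = "ACCOUNT_NAME";
String entValue = "ENT_VALUE";

QueryOptions qo = new QueryOptions();
qo.addFilter(Filter.eq("action", "Provision"));      // action value as named in the thread
qo.addFilter(Filter.eq("source", "Certification"));  // assumption: source is recorded this way
qo.addFilter(Filter.eq("application", appName));
qo.addFilter(Filter.eq("accountName", accountName)); // assumption: account is in accountName
qo.addOrdering("created", false);                    // newest event first

Iterator itr = null;
try {
    itr = context.search(AuditEvent.class, qo);
    while (itr.hasNext()) {
        AuditEvent evt = (AuditEvent) itr.next();
        String value = evt.getAttributeValue();
        // Ignore events for other entitlements on the same account
        if (value == null || !value.equalsIgnoreCase(entValue)) {
            continue;
        }
        Date created = evt.getCreated();
        SimpleDateFormat formatter = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss z");
        formatter.setTimeZone(TimeZone.getTimeZone("America/New_York"));
        return formatter.format(created);
    }
} catch (Exception e) {
    log.error("Error reading Provision audit events", e);
} finally {
    // Release the database cursor even when returning early
    Util.flushIteration(itr);
}
return null; // no matching audit event (audit disabled or already pruned)
```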