Identity Snapshot

Which IIQ version are you inquiring about?

8.3p4

Please share any images or screenshots, if relevant.

image

Please share any other relevant files that may be required (for example, logs).

[Please insert files here, otherwise delete this section]

Share all details about your problem, including any error messages you may have received.

We have several custom reports that are run daily (mostly custom rules to send us an email of the data we’re looking for), and on at least one instance, a report which is supposed to give us insight into certification revocations and if the identity still has the entitlement that was revoked seems to have given us incorrect data, which brings the validity of the report into question.
Our report shows that an identity, which had specific entitlements revoked, did not still retain the revoked entitlements, but on manual inspection of the identity, we saw that they did in fact still have the entitlements. When attempting to check the identity snapshot for that date (9/20/2024), we saw that there was no snapshot for that date.
So our problem is two-fold:

  • is there anything that could cause entitlements to not show on an identity temporarily (outside of provisioning), even when using the beanshell API
  • is there anything that would cause a snapshot to not be created

We have the Refresh Identity Cube task set to run every three hours, and the maintain identity history is selected. We can see snapshots for nearly every day, but it appears that on random days the snapshot is missing. It could be coincidence that on this particular day, the snapshot was not created, but we’re trying to understand a bit more of what generates these snapshots and what could cause a snapshot to not be created.

@RSanders happy to help here. some thread already there on compass

Solved: Re: How do identity snapshots work? - Compass

Snapshot Frequency - IdentityIQ (IIQ) - SailPoint Developer Community

IdentityIQ Object Model and Usage - Compass - check here on page “Other Historical Records”

Hope this will give you what you wanted…

thanks,
Pravin

Thanks for the response!

So, that kind of helps. Our snapshot frequency is the default 24 hours, and granularity for identity history is 1 month. The only changes we have actually made to default values is the days before snapshot deletion - which we set to 1097 (about 3 years). Our confusion lies with snapshot generation - ‘maintain identity histories’ is there to create a snapshot with information that has changed since the last refresh. The description implies that a snapshot should only be created when something has changed since the last refresh. With that in mind, it would stand to reason that we wouldn’t normally see very many snapshots at all, yet snapshots are created at least once a day (with some exceptions - the reason we’re now looking deeper into what generates these). Additionally, the frequency appears off. Our identity refresh runs every 3 hours between 7am and 7pm, and the snapshots appear randomly during one of those runs, so the time between snapshots could be slightly more or slightly less than 24hours.
With all of that - the refresh identity cube is configured to maintain identity histories and runs every three hours between 7am and 7pm. Barring a task failure, would there be anything that would prevent the task from creating a snapshot without failing the task?

@RSanders pls try to change in system configuration (it should be 3 times a day)

<entry key="identitySnapshotInterval" value="28800"/> 

logically it should work but let’s try.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.