I am attempting to fulfill a request for an audit process in regards to movers in our organization.
The route I would like to take is to leverage the search function in SailPoint to trigger every week if a user's manager and job title change. Based on this trigger and data, I would then filter out low-priority job changes and flag privileged users.
I am not quite familiar with these searchable fields and am not even sure if a time based or delta monitor is possible within SailPoint’s search. Any assistance is appreciated.
The Search feature in IdentityNow can be leveraged to identify users based on changes to certain attributes, such as manager and job title.
For example: identity.attributes.manager
identity.attributes.jobTitle
However, the native search function does not support time-based or delta-based searches directly (e.g., searching for changes within a certain timeframe).
You can try and trigger a workflow for your purpose if you have the module enabled for your tenant!
Thank you for confirming that time-based or delta searches are not available. Sadly, my company still has the legacy IdentityNow and we do not have workflows with our tenant. From the sound of it, it does not look like I will be able to leverage the search function to get the outcome I am looking for.
You may use the search APIs to get your result and use it in a PowerShell script. Then you can schedule and run the PowerShell script from Task Scheduler as per your requirement.
I have written a few PowerShell scripts, however I am not proficient. Could you possibly provide examples of what these API calls would look like to reference identity history?
Hi @jacobshoe ,
I have a workaround for this: create an ISC workflow to detect attribute changes and send an email to admin. For example, if both a job title and a manager change occur, ISC will send an email to admin notifying them about a potential mover. The admin team can keep track of those users or create a full report of those users weekly.
One way is to make use of the events search, in case you are doing an attribute sync on the manager and jobTitle attributes (e.g. on Active Directory). The below search query should fetch you the events for the required attribute syncs (jobTitle and manager are the AD attribute names):
(attributes.attributeName:"jobTitle" OR attributes.attributeName:"manager") AND created:[now-1d TO now] AND attributes.sourceName:"ActiveDirectory"
The above query would only fetch you the event times and the user IDs though. If you need more details, you can leverage the Search API with the body looking something like the below:
{
  "indices": [
    "events"
  ],
  "query": {
    "query": "(attributes.attributeName:\"jobTitle\" OR attributes.attributeName:\"manager\") AND created:[now-1d TO now] AND attributes.sourceName:\"ActiveDirectory\""
  },
  "queryResultFilter": {
    "includes": [
      "name",
      "displayName",
      "target",
      "attributes.accountName",
      "attributes.attributeName",
      "attributes.previousValue",
      "attributes.attributeValue"
    ]
  }
}
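As an added example (not code from any poster in this thread or from SailPoint), here is how the two suggestions above fit together: the events search body from the last reply, called from a PowerShell script that Task Scheduler can run weekly, with the results grouped per account so that identities whose manager and job title both changed are flagged as mover candidates. The tenant name, client ID and secret are placeholders; the window is widened to seven days to match a weekly run, and the `created` and `target` fields are assumed to be present on event results as they are in the thread's query.

```powershell
# Added example, not from the thread: weekly mover report from the IdentityNow
# events search. Tenant, client ID and secret are placeholders supplied at run time.
param(
    [Parameter(Mandatory)] [string] $Tenant,        # "mytenant" -> mytenant.api.identitynow.com
    [Parameter(Mandatory)] [string] $ClientId,      # personal access token client ID (placeholder)
    [Parameter(Mandatory)] [string] $ClientSecret,  # read from a secure store, never a literal in the script
    [string] $SourceName = "ActiveDirectory",
    [string] $Window     = "now-7d",                # weekly schedule, so look back seven days
    [string] $OutFile    = "movers.csv"
)

$base = "https://$Tenant.api.identitynow.com"

# 1. Client-credentials token from the tenant's OAuth endpoint
$tokenResp = Invoke-RestMethod -Method Post -Uri "$base/oauth/token" -Body @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
}
$headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Search body from the thread, with the window and source name made configurable
$query = "(attributes.attributeName:`"jobTitle`" OR attributes.attributeName:`"manager`") " +
         "AND created:[$Window TO now] AND attributes.sourceName:`"$SourceName`""
$body = @{
    indices = @("events")
    query   = @{ query = $query }
    queryResultFilter = @{
        includes = @("name", "displayName", "target", "created",
                     "attributes.accountName", "attributes.attributeName",
                     "attributes.previousValue", "attributes.attributeValue")
    }
} | ConvertTo-Json -Depth 5

# 3. Page through results; v3/search returns at most 250 per call, paged with limit/offset
$events = @()
$offset = 0
do {
    $page = Invoke-RestMethod -Method Post -Uri "$base/v3/search?limit=250&offset=$offset" `
                -Headers $headers -ContentType "application/json" -Body $body
    $events += $page
    $offset += 250
} while ($page.Count -eq 250)

# 4. Group per account: an account with BOTH a manager and a jobTitle change in the
#    window is a mover candidate; single-attribute changes are kept but ranked lower
$report = $events | Group-Object { $_.attributes.accountName } | ForEach-Object {
    $attrs = $_.Group | ForEach-Object { $_.attributes.attributeName } | Sort-Object -Unique
    [pscustomobject]@{
        AccountName  = $_.Name
        Identity     = ($_.Group | Select-Object -First 1).target.name
        ChangedAttrs = $attrs -join ";"
        BothChanged  = ($attrs -contains "jobTitle") -and ($attrs -contains "manager")
        LastChange   = ($_.Group | Sort-Object created | Select-Object -Last 1).created
    }
}

# 5. Write the full report for the audit trail and show the mover candidates on screen
$report | Sort-Object BothChanged -Descending | Export-Csv -Path $OutFile -NoTypeInformation
$report | Where-Object BothChanged | Format-Table -AutoSize
```

Schedule it with Task Scheduler as `powershell.exe -File Get-Movers.ps1 -Tenant mytenant -ClientId ... -ClientSecret ...`, passing the secret from a credential store rather than the task definition. The privileged-user flag the original question asks for is not derivable from the events index alone; it would be a second lookup of each flagged identity's attributes or access against whatever marks privileged accounts in your tenant.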