Need help finding Identity Event History

Which IIQ version are you inquiring about?

Version 8.3

Is this question regarding a custom connector? If so, please share relevant details below.

No, this question is not regarding a custom connector.

Share all details related to your problem, including any error messages you may have received.

When I look at a user’s cube in the UI, I can go to the Events Tab and see what events exist for the user. If there aren’t any, it is blank and obvious.

I am trying to find how I can pull this data for a user during a Rule. But I am not sure I see where this information is stored. Would someone help point me in the right object type that I should be pulling up?
Right now I am trying to understand Audit events better and if that is something that could be leveraged.

Thanks for your help :slight_smile:

Have you tried using Advanced Analytics → Audit → Action IdentityLifecycle event to see if that can provide the information you are looking for?

I have. I don’t know that I am seeing anything yet that I would be able to use that would tell me “Hey here is a user cube event” that I could act on.
Still reviewing though.

I should have mentioned my overall plan. Overall plan is to delete cubes without events from our production IIQ server and purge the cubes to ensure we have an accurate representation for user licenses.

Users with events need to stay so we don’t get in trouble by audit :slight_smile:

Hi Ryan,

Can you test the following?

import java.util.*;
import sailpoint.object.*;

// Look up the identity to inspect ("1" is the identity name used in this test)
Identity identity = context.getObjectByName(Identity.class, "1");

// An audit event's target may be stored as the AuditEvent target string,
// the identity id, or the identity name, so match on all three
QueryOptions qo2 = new QueryOptions();
List targets = new ArrayList();
targets.add((new AuditEvent((String) null, (String) null, identity)).getTarget());
targets.add(identity.getId());
targets.add(identity.getName());
qo2.addFilter(Filter.in("target", targets));

// Only the actions that are shown on the Events tab
List actions = new ArrayList();
actions.add("identityLifecycleEvent");
actions.add("activate");
actions.add("deactivate");
qo2.addFilter(Filter.in("action", actions));

// Newest events first
qo2.addOrdering("created", false);

List audits = context.getObjects(AuditEvent.class, qo2);
if (null != audits) {
  Iterator it = audits.iterator();
  while (it.hasNext()) {
    AuditEvent audit = (AuditEvent) it.next();
    // Print each matching event as XML
    log.error("AuditEvent=" + audit.toXml());
  }
}

Taken from the source code of IdentityIQ 8.3 :slight_smile:

This gives me:

AuditEvent=<?xml version='1.0' encoding='UTF-8'?> <!DOCTYPE AuditEvent PUBLIC "sailpoint.dtd" "sailpoint.dtd"> <AuditEvent action="identityLifecycleEvent" clientHost="x.x.x.x" created="1644333000175" id="7f0000017eb517626317ed9e265ef5660" interface="UI" serverHost="spiiq" source="spadmin" target="Identity:1"> <String1>Change Notification</String1> <String3>Launched workflow 'Change Notification: aad mos'</String3> <String4>Attribute 'type' changed from null to employee</String4> </AuditEvent>
Last update: 2023-11-14 00:31:49.317

Which is the same as:

I hope this is what you are looking for :slight_smile:

– Remold

That is exactly what I needed. Thank you very much.

Next question might seem silly, so thank you for saving any laughs lol
When you say you found this in the source code, would you please explain to me where you went and looked exactly? I would like to better understand what you did, that I did not think of :slight_smile: I am sure I will see many other times where I could go look at the source code for these types of details, but just don’t look in the right place.

Thank you again for your help Remold!

This was a tricky one :wink:

In broad terms I followed these steps (and yes it took me some time to find the correct ones :wink: ):

  • In the browser with developer-tools table name: pastEventTbl
  • searched through the files of IIQ and found this table in events.xhtml
  • There is a reference to: identity.eventsHelper.pastIdentityEvents
  • in identityiq.jar there is a class called EventsHelper, decompiled it
  • the getPastIdentityEvents function refers to (new IdentityEventLogger(this.parent.getContext())).getIdentityEvents(this.parent.getObject());
  • enabled trace logging on class: sailpoint.web.identity
  • here I found:
2023-11-14T17:05:36,958 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:138 - Entering getObject()
2023-11-14T17:05:36,958 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:150 - Exiting getObject = sailpoint.object.Identity@1e8469c3[id=0a000004760b19c981760b60427e0021,name=1]
2023-11-14T17:05:36,959 TRACE http-nio-8080-exec-1 sailpoint.web.identity.EventsHelper:150 - Exiting getPastIdentityEvents = [sailpoint.api.IdentityEventLogger$IdentityEvent@417a1452]
2023-11-14T17:05:36,959 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:138 - Entering getEventsHelper()
2023-11-14T17:05:36,960 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:150 - Exiting getEventsHelper = sailpoint.web.identity.EventsHelper@59ca1c80
2023-11-14T17:05:36,960 TRACE http-nio-8080-exec-1 sailpoint.web.identity.EventsHelper:138 - Entering getPastIdentityEvents()
2023-11-14T17:05:36,960 TRACE http-nio-8080-exec-1 sailpoint.web.identity.EventsHelper:150 - Exiting getPastIdentityEvents = [sailpoint.api.IdentityEventLogger$IdentityEvent@417a1452]
  • Decompiled sailpoint.api.IdentityEventLogger from identityiq.jar
  • there was the function:
  public List<IdentityEvent> getIdentityEvents(Identity id) throws GeneralException {
    JoinPoint var9 = Factory.makeJP(ajc$tjp_2, this, this, id);

    try {
      ajc$sailpoint_tools_TracingAspect$localAspectOf().traceMethodEntry(var9);
      List events = new ArrayList();
      QueryOptions qo = new QueryOptions();
      List targets = new ArrayList();
      targets.add((new AuditEvent((String)null, (String)null, id)).getTarget());
      targets.add(id.getId());
      targets.add(id.getName());
      qo.add(new Filter[]{Filter.in("target", targets)});
      List actions = new ArrayList();
      actions.add("identityLifecycleEvent");
      actions.add("activate");
      actions.add("deactivate");
      qo.add(new Filter[]{Filter.in("action", actions)});
      qo.addOrdering("created", false);
      List audits = this.context.getObjects(AuditEvent.class, qo);
      if (null != audits) {
        Iterator var7 = audits.iterator();

        while(var7.hasNext()) {
          AuditEvent audit = (AuditEvent)var7.next();
          events.add(new IdentityEvent(audit));
        }
      }

      ajc$sailpoint_tools_TracingAspect$localAspectOf().traceMethodExit(var9, events);
      return events;
    } catch (Throwable var14) {
      ajc$sailpoint_tools_TracingAspect$localAspectOf().traceMethodThrow(var9, var14);
      throw var14;
    }
  }

As this function is public, you could also directly use this function :stuck_out_tongue_winking_eye:

– Remold
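The clean-up described earlier in the thread needs the reverse lookup: which identities have no such events. The following is an added example, not SailPoint's code and not part of either poster's replies; it reuses the filter from the decompiled getIdentityEvents() shown above and assumes it runs as a BeanShell rule where IdentityIQ supplies `context` and `log`. It only reports names and deletes nothing.

```java
// Added example: BeanShell rule body. `context` (SailPointContext) and `log`
// are assumed to be supplied by IdentityIQ, as in the snippet earlier in the thread.
import java.util.*;
import sailpoint.object.*;

// The three actions the Events tab query filters on (from the decompiled method).
List actions = new ArrayList();
actions.add("identityLifecycleEvent");
actions.add("activate");
actions.add("deactivate");

List noEvents = new ArrayList();   // names of identities with zero matching events
int processed = 0;

// Projection search returns only ids, so identities are loaded one at a time.
Iterator rows = context.search(Identity.class, new QueryOptions(), "id");
while (rows.hasNext()) {
    Object[] row = (Object[]) rows.next();
    Identity identity = context.getObjectById(Identity.class, (String) row[0]);
    if (identity == null) continue;

    // Same three target forms as getIdentityEvents(): target string, id, name.
    List targets = new ArrayList();
    targets.add(new AuditEvent((String) null, (String) null, identity).getTarget());
    targets.add(identity.getId());
    targets.add(identity.getName());

    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.in("target", targets));
    qo.addFilter(Filter.in("action", actions));

    // Count instead of loading AuditEvent rows; zero means an empty Events tab.
    if (context.countObjects(AuditEvent.class, qo) == 0) {
        noEvents.add(identity.getName());
    }

    // Keep the session cache small on large populations.
    if (++processed % 100 == 0) {
        context.decache();
    }
}

log.info("Identities without lifecycle audit events: " + noEvents.size() + " of " + processed);
return noEvents;
```

A zero count only means no matching AuditEvent rows exist at the time of the query; if audit records have been pruned, or these actions were not being audited, an identity will look event-free even though it once had events.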
