ryan2000
(Ryan Hawkins)
November 13, 2023, 9:59pm
1
Which IIQ version are you inquiring about?
Version 8.3
Is this question regarding a custom connector? If so, please share relevant details below.
No, this question is not regarding a custom connector.
Share all details related to your problem, including any error messages you may have received.
When I look at a user’s cube in the UI, I can go to the Events Tab and see what events exist for the user. If there aren’t any, it is blank and obvious.
I am trying to find how I can pull this data for a user during a Rule. But I am not sure I see where this information is stored. Would someone help point me in the right object type that I should be pulling up?
Right now I am trying to understand Audit events better and if that is something that could be leveraged.
Thanks for your help.
sunnyajmera
(Sunny Ajmera)
November 13, 2023, 10:31pm
2
Have you tried using Advanced Analytics → Audit → Action IdentityLifecycle event to see if that can provide the information you are looking for?
ryan2000
(Ryan Hawkins)
November 13, 2023, 11:10pm
3
I have. I don’t know that I am seeing anything yet that I would be able to use that would tell me “Hey here is a user cube event” that I could act on.
Still reviewing though.
I should have mentioned my overall plan. Overall plan is to delete cubes without events from our production IIQ server and purge the cubes to ensure we have an accurate representation for user licenses.
Users with events need to stay so we don’t get in trouble by audit.
Remold
(Remold Krol)
November 13, 2023, 11:37pm
4
Hi Ryan,
Can you test the following?
```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import sailpoint.object.*;

// Load the identity whose Events tab should be reproduced (name "1" here)
Identity identity = context.getObjectByName(Identity.class, "1");

QueryOptions qo2 = new QueryOptions();

// An audit event may reference the identity by its audit target string, its id, or its name
List targets = new ArrayList();
targets.add((new AuditEvent((String) null, (String) null, identity)).getTarget());
targets.add(identity.getId());
targets.add(identity.getName());
qo2.addFilter(Filter.in("target", targets));

// Only these audit actions are treated as identity events
List actions = new ArrayList();
actions.add("identityLifecycleEvent");
actions.add("activate");
actions.add("deactivate");
qo2.addFilter(Filter.in("action", actions));

// Newest first
qo2.addOrdering("created", false);

List audits = context.getObjects(AuditEvent.class, qo2);
if (null != audits) {
    Iterator var7 = audits.iterator();
    while (var7.hasNext()) {
        AuditEvent audit = (AuditEvent) var7.next();
        log.error("AuditEvent=" + audit.toXml());
    }
}
```
Taken from the source code of IdentityIQ 8.3
This gives me:
```
AuditEvent=<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE AuditEvent PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<AuditEvent action="identityLifecycleEvent" clientHost="x.x.x.x" created="1644333000175" id="7f0000017eb517626317ed9e265ef5660" interface="UI" serverHost="spiiq" source="spadmin" target="Identity:1">
  <String1>Change Notification</String1>
  <String3>Launched workflow 'Change Notification: aad mos'</String3>
  <String4>Attribute 'type' changed from null to employee</String4>
</AuditEvent>
```
Last update: 2023-11-14 00:31:49.317
Which is the same as:
I hope this is what you are looking for
– Remold
2 Likes
ryan2000
(Ryan Hawkins)
November 14, 2023, 12:07am
5
That is exactly what I needed. Thank you very much.
Next question might seem silly, so thank you for saving any laughs lol
When you say you found this in the source code, would you please explain to me where you went and looked exactly? I would like to better understand what you did that I did not think of. I am sure I will see many other times where I could go look at the source code for these types of details, but just don’t look in the right place.
Thank you again for your help Remold!
Remold
(Remold Krol)
November 14, 2023, 5:28pm
6
This was a tricky one
In broad terms I followed these steps (and yes, it took me some time to find the correct ones):
1. In the browser with developer tools: table name pastEventTbl
2. Searched through the files of IIQ and found this table in events.xhtml
3. There is a reference to: identity.eventsHelper.pastIdentityEvents
4. In identityiq.jar there is a class called EventsHelper, decompiled it
5. The getPastIdentityEvents function refers to `(new IdentityEventLogger(this.parent.getContext())).getIdentityEvents(this.parent.getObject());`
6. Enabled trace logging on class: sailpoint.web.identity

Here I found:
```
2023-11-14T17:05:36,958 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:138 - Entering getObject()
2023-11-14T17:05:36,958 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:150 - Exiting getObject = sailpoint.object.Identity@1e8469c3[id=0a000004760b19c981760b60427e0021,name=1]
2023-11-14T17:05:36,959 TRACE http-nio-8080-exec-1 sailpoint.web.identity.EventsHelper:150 - Exiting getPastIdentityEvents = [sailpoint.api.IdentityEventLogger$IdentityEvent@417a1452]
2023-11-14T17:05:36,959 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:138 - Entering getEventsHelper()
2023-11-14T17:05:36,960 TRACE http-nio-8080-exec-1 sailpoint.web.identity.IdentityDTO:150 - Exiting getEventsHelper = sailpoint.web.identity.EventsHelper@59ca1c80
2023-11-14T17:05:36,960 TRACE http-nio-8080-exec-1 sailpoint.web.identity.EventsHelper:138 - Entering getPastIdentityEvents()
2023-11-14T17:05:36,960 TRACE http-nio-8080-exec-1 sailpoint.web.identity.EventsHelper:150 - Exiting getPastIdentityEvents = [sailpoint.api.IdentityEventLogger$IdentityEvent@417a1452]
```
7. Decompiled sailpoint.api.IdentityEventLogger from identityiq.jar

There was the function:
```java
public List<IdentityEvent> getIdentityEvents(Identity id) throws GeneralException {
    JoinPoint var9 = Factory.makeJP(ajc$tjp_2, this, this, id);
    try {
        ajc$sailpoint_tools_TracingAspect$localAspectOf().traceMethodEntry(var9);
        List events = new ArrayList();
        QueryOptions qo = new QueryOptions();
        List targets = new ArrayList();
        targets.add((new AuditEvent((String)null, (String)null, id)).getTarget());
        targets.add(id.getId());
        targets.add(id.getName());
        qo.add(new Filter[]{Filter.in("target", targets)});
        List actions = new ArrayList();
        actions.add("identityLifecycleEvent");
        actions.add("activate");
        actions.add("deactivate");
        qo.add(new Filter[]{Filter.in("action", actions)});
        qo.addOrdering("created", false);
        List audits = this.context.getObjects(AuditEvent.class, qo);
        if (null != audits) {
            Iterator var7 = audits.iterator();
            while(var7.hasNext()) {
                AuditEvent audit = (AuditEvent)var7.next();
                events.add(new IdentityEvent(audit));
            }
        }
        ajc$sailpoint_tools_TracingAspect$localAspectOf().traceMethodExit(var9, events);
        return events;
    } catch (Throwable var14) {
        ajc$sailpoint_tools_TracingAspect$localAspectOf().traceMethodThrow(var9, var14);
        throw var14;
    }
}
```
As this function is public, you could also directly use this function
– Remold
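
Added example, not part of the original posts and not SailPoint's own code: a report-only BeanShell rule that applies the query from this thread to every identity and returns the names of those with no matching audit events, so the cubes that carry events can be kept. It assumes the standard rule variables `context` and `log`; the variable names and the decache interval of 100 are illustrative choices.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

import sailpoint.object.AuditEvent;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.QueryOptions;

// Same audit actions the thread's query uses to decide what counts as an identity event
List actions = Arrays.asList(new String[] {"identityLifecycleEvent", "activate", "deactivate"});

List withoutEvents = new ArrayList();  // names of identities with zero matching audit events
int processed = 0;

// Projection search returns Object[] rows holding only the id column,
// so the full set of Identity objects is never held in the session at once
Iterator rows = context.search(Identity.class, new QueryOptions(), "id");
while (rows.hasNext()) {
    String id = (String) ((Object[]) rows.next())[0];
    Identity identity = context.getObjectById(Identity.class, id);
    if (identity == null) {
        continue;  // removed between the search and the load
    }

    // The three target forms from the thread: audit target string, id, and name
    List targets = new ArrayList();
    targets.add(new AuditEvent((String) null, (String) null, identity).getTarget());
    targets.add(identity.getId());
    targets.add(identity.getName());

    QueryOptions qo = new QueryOptions();
    qo.addFilter(Filter.in("target", targets));
    qo.addFilter(Filter.in("action", actions));

    // Count instead of loading the AuditEvent rows; only presence matters here
    if (context.countObjects(AuditEvent.class, qo) == 0) {
        withoutEvents.add(identity.getName());
    }

    // Release loaded Identity objects periodically to keep the session cache small
    if (++processed % 100 == 0) {
        context.decache();
    }
}

log.info("Identities checked: " + processed + ", without events: " + withoutEvents.size());
return withoutEvents;  // report only; nothing is deleted by this rule
```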