I want to create a saved search that:
I’d want to schedule it to run once a week. Basically, I am trying to see if users with a specific logon group entitlement change primaryRolecodes and if they do I want to get notified of it weekly so I can make necessary changes.
Hi Jared,
I think the optimal way to tackle this problem is to use workflow.
Thanks
Hey Kapil,
Thanks for the quick reply. I was wondering if this was a job for workflows. I figured I’d start with searches and work my way up from there. I am going to try that out and keep you posted on my results.
Hi Jared,
I don’t think search will be able to track attribute change. If you want to track attribute change, workflow is the way to go. Search will only list data based on the query and I don’t think you can generate query to track attribute change and list identities.
Thanks
Try this for attribute changes:
"Update Native Change Detected" AND attributes.singleValueAttributeChanges.exact:/.*\"name\":\"MYCUSTOMATTRIBUTENAME\".*/
(It doesn’t track identity attribute changes though, this is only native account attribute changes)
In order to track a ‘specific’ identity attribute change, we had to introduce an additional identity attribute. e.g. Previous Job Title, and Job Title.
And if the “when” is important, the value would be stored with a yyyymmdd prefix. e.g. “20241231:Summer Intern”
you can use the following Search command to pull the list of users for a specific entitlement.
@access(name:“EntitlementName” AND source.name:“sourcename”)
if you’re only looking for the data then, using the below search query to extract the list of identities updated for a specific attribute. This will extract the events and “Target” in the events is the updated Identity.
name:“Modify Account Passed” AND “attributename” AND created:[now-6d TO now]
I put this in changing “name” to the name of the attribute and “MYCUSTOMATTRIBUTENAME” to the name of the entitlement. Both returned nothing, so I think I’m using it wrong. I also ran it exactly as you wrote it, which returned nothing. Can you give me a little more detail on how to use that query?
“name” doesn’t need to change.
It’s the MYCUSTOMATTRIBUTENAME that you need to change. Change that to, say, “telephonNumber”, for example, if that’s the attribute you want to track.
Just take a look at a single “Update Native Change Detected” record, you’ll see what I mean.
Hey, Thanks for the help. I tried out these queries and tinkered with them a bit.
Search query: @access(name:“APP-PROD-Logon”) AND attributes.cloudLifecycleState:Active
This query gave me every active user.
@access(name:“EntitlementName” AND source.name:“sourcename”)
Gave me every user ever.
For some reason neither of these resolved just the users with the entitlement I’m looking for. They seemed to both give me every user.
HOWEVER, after some fiddling I found this:
@access(name:"APP-PROD-Logon" AND source.name:"Corp.MyOrg.com AD") AND NOT attributes.cloudLifecycleState:Terminate
This query finds all the users with a specific access item that are not TERMINATE.
When I tested this query
“Modify Account Passed” AND "primaryrolecode" AND created:[now-6d TO now]
It returned anything that had been modified in the past 6 days. I’m trying to return identites for whom the “primaryrolecode” attribute has changed in the past 6 days.
So right now, I feel like we’re half way there.
Hey Terry,
I tried
and I tried it with several other attributes, but it’s not returning anything. I’m wondering what I’m doing wrong.
You need to enable Native Change Detection on the source. (Then change a value on the target, natively, then aggregate)
The source already has native change detection enabled, and we run aggregation every 6 hours. Will this command detect changes that were identified in the last aggregation? I want to avoid testing on this source and prefer to rely on natural events. I tested the query with several attributes that should have changed in the past day or so.
Looking at triggers now, I’m guessing I need to come up with a JSON XPath filter expression to detect the attribute change?
Would $.identity.attributes. work?
It should be something like this using “Identity Attribute Change” trigger.
If you know what the changed value is, $.changes[?(@.attribute == “Your Attribute” && @.newValue == “new vlaue if you know”)]
If you don’t know the value. $.changes[?(@.attribute == “Your Attribute” )]
Thanks.