As part of our internal audit controls, we’d like to track approved access requests that failed during provisioning. We’ve made several search queries, but couldn’t find the one that satisfies our need.
Can anyone help us build this report?
Thanks.
Hi @khalilgahbiche,
You are correct, we do not have much on the search about access requests which will tell you complete lifecycle in a single query, but you can use below search query to find the request which failed to provision after approval:
"Access Request" AND status:Failure
Please check the below document, will help you build your query as per the event (find with Access_Request):
Audit Events in Cloud Audit - Compass
You can also see the below option:
get-historical-identity-events | SailPoint Developer Community
Hope this will help!
Hi @shekhardas1825 ,
Thank you for your reply. Do you know how we can filter on a specific source?
@khalilgahbiche You can use below:
"Access Request" AND status:Failure AND sources:"Active Directory"
Replace with your source name.
3 Likes
You can also try this if you want to
@accountRequests(source.name:"Active Directory") AND status:"Failure" AND action:"Access Request"
3 Likes
Thank you for your answer.
I added the status “Incomplete” as it also shows errors for the source we need to monitor.
The updated request is the following:
“Access Request” AND (status:Failure OR status:Incomplete) AND sources:“Active Directory”
2 Likes
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.