Using Search in IdentityNow
Search allows you to create flexible inquiries that help you gain insight into all your data, and the power to manage your identities. Search allows you to find specific identities, entitlements, and other data that match criteria you enter. You can download reports of your search results, or create governance policies out of them.
Take a look at our documentation map for an overview of the documentation surrounding Search.
| Learn the Basics | Build a Search Query | More Information | Downloading Reports |
|
In this document, you can:
|
You are here! In this document, you can:
|
In this document, you can:
|
Downloading Reports from the Search Interface In this document, you can:
|
- Elements of a Search
- Searching Identity Data
- First-Level Fields for Identities
- Second-Level Fields for Identities
- Nested-Level Fields for Identities
- Searching Entitlement Data
- Searching Access Profile Data
- First-Level Fields for Access Profiles
- Nested-Level Fields for Access Profiles
- Searching Role Data
- Searching Event Data
- First-Level Fields for Events
- Second-Level Fields for Events
- Searching Account Activity
- First-Level Fields for Account Activity
- Second-Level Fields for Account Activity
- Nested-Level Fields for Account Activity
- Structuring a Search
- Search Terms
- Quotation Marks
- First-Level Fields
- Second-Level Fields
- Combining Multiple Search Criteria
- Using Operators
- Wildcards
- Using the .exact Keyword
- Using Range Queries
- Using Special Characters
- Using Nested Queries
- Combine Two Nested Queries
- Combine a Nested Query and a Simple Query
Elements of a Search
The organization of your data within IdentityNow is called the data model, and understanding this data model can help you create the most effective search queries.
IdentityNow's data model is represented in JSON. All items in the JSON can be searched, and many of them are defined below. You can find samples of our JSON data models here.
Searching Identity Data
By looking at the JSON for IdentityNow's data, you can get an idea of how to search for each item. The way you search for data depends on where you find it within the JSON.
You can search first-level fields (also known as top-level fields) directly. To search second-level fields append them to a first-level field with a period. Use nested queries to search on other fields.
First-Level Fields for Identities
To search first-level fields, use the following format:
field:<search terms>
The following table contains a list of first-level fields in identities. Below the first-level fields, you can see second-level fields and nested-level fields, which are separated within the table and labeled. Second- and nested-level fields are described later in this document.
| Field | Type | Description | Example |
| name | string | The name or alias of the identity. | name:john.smith |
| displayName | string | The identity's unique display name. This is the same as attributes.displayName. In some cases, this is also the same as the name. | displayName:john.smith |
| id | string | The technical ID of the identity in IdentityNow. | id:abc1 |
| string | The identity's unique email address. | email:steve@acme.com | |
| created | date | The date that the first source account for this identity was aggregated into IdentityNow, even if that account didn't come from the authoritative source. This date requires any ISO format that uses YYYY-MM-DD. | created:2017-09-25 |
| modified | date | The date the identity was last modified in any ISO format that uses YYYY-MM-DD. | modified:2018-03-30 |
| phone | string | The identity's alternate phone number. | phone:5558675309 |
| status | string | The status of the identity. | status:UNREGISTERED |
| synced | date | The date and time that this identity's information was last verified in any ISO format that uses YYYY-MM-DD. | synced:2019-03-25 |
| isManager | bool | A boolean describing whether the identity is listed as the manager of another employee. | isManager:TRUE |
| employeeNumber | string | The identity's unique employee number. | employeeNumber:123 |
| processingState | string | This field is blank unless the identity experienced an error during aggregation, in which case this field will be ERROR. | processingState:ERROR |
| appCount | integer | The number of apps the identity has access to. | appCount:6 |
| accountCount | integer | The number of sources the identity has an account on. | accountCount:4 |
| accessCount | integer | The number of access items the identity has. This includes entitlements, access profiles, and roles. | accessCount:16 |
| entitlementCount | integer | The number of entitlements the identity has. | entitlementCount:10 |
| roleCount | integer | The number of roles the identity has. | roleCount:4 |
| accessProfileCount | integer | The number of access profiles the identity has. | accessProfileCount:7 |
| Second- and Nested-Level Fields | |||
| Fields | Description | ||
| manager | Search for identities who have managers with certain characteristics. This object requires a second-level field. See below for details. | ||
| source | Search for identities based on the information in their authoritative source. This object requires a second-level field. See below for details. | ||
| identity profile | Search for identities who belong to a specific identity profile. This object requires a second-level field. See below for details. | ||
| owns | Search for identities who own specific items in IdentityNow, such as access profiles, sources, or roles. | ||
| attributes | Search for identities with specific identity attributes. This object requires a second-level field. See below for details. | ||
| apps | Search for identities by which apps they have. This nested object requires a nested query. See below for details. | ||
| accounts | Search for identities by which source accounts they have. This nested object requires a nested query. See below for details. | ||
| access | Search for identities by what specific access they have. This nested object requires a nested query. See below for details. | ||
NOTE: When you search on displayName, all identities with that displayName are returned, as well as all identities that have someone with that displayName listed as their manager.
Second-Level Fields for Identities
Second-level fields are a type of object. Each second-level field contains at least one first-level field. They can give you additional information about your identities and their data.
To search second-level fields, use the following format:
secondLevelField.firstLevelField:<search terms>
For example, attributes.firstname:John will return all identities with John in their firstname attribute in your org.
The following table contains all available second-level objects on identities, and the fields they contain.
| Second-Level Field | First-Level Field | Type | Description | Example |
| manager | name | string | The name of the identity's manager. This corresponds to the name field for the manager. | manager.name:amanda.ross |
| displayName | string | The display name of the identity's manager. This corresponds with the displayName field for the manager. In some cases, this is the same as the name. | manager.displayName:amanda.ross | |
| id | string | The technical ID of the manager's identity. | manager.id:abc1 | |
| source | id | string | The technical ID of the identity's authoritative source. | source.id:abc1 |
| name | string | This represents the name of the identity's authoritative source. | source.name:acme.source | |
| identityProfile | name | string | The name of the identity profile. | identityProfile.name:Employees |
| id | string | The technical ID of the identity profile. | identityProfile.id:abc1 | |
| owns | sources.name | string | The display name of the source the identity owns. | owns.sources.name:"Active Directory" |
| sources.id | string | The technical ID of the source the identity owns. | owns.sources.id:abc1 | |
| accessProfiles.name | string | The display name of the access profile the identity owns. | owns.accessProfiles.name:"Engineering Management Access Profile" | |
| accessProfiles.id | string | The technical ID of the access profile the identity owns. | owns.accessProfiles.id:abc1 | |
| roles.name | string | The display name of the role the identity owns. | owns.roles.name:Engineers | |
| roles.id | string | The technical ID of the role the identity owns. | owns.roles.id:abc1 | |
| governanceGroups.name | string | The display name of the governance group the identity owns. | owns.governanceGroups.name:"IT Team" | |
| governanceGroups.id | string | The technical ID of the governance group the identity owns. | owns.governanceGroups.id:abc1 | |
| applications.name | string | The display name of the application the identity owns. | owns.applications.name:Acme | |
| applications.id | string | The technical ID of the application the identity owns. | owns.applications.id:abc1 | |
| attributes | uid | string | The UID as it appears on the identity profile. This comes from the authoritative source. | attributes.uid:abc1 |
| firstname | string | The identity's first name. | attributes.firstname:Rakesh | |
| cloudAuthoritativeSource | string | The technical ID of the authoritative source of the identity profile. | attributes.cloudAuthoritativeSource:abc1 | |
| cloudLifecycleState | string | The lifecycle state configured for the identity. | attributes.cloudLifecycleState:Active | |
| phone | string | The identity's alternate phone number. | attributes.phone:5551235555 | |
| displayName | string | The identity's unique display name. This is the same as displayName. In some cases, this is also the same as the name. | attributes.displayName:amanda.ross | |
| identificationNumber | string | The identity's employee number as configured in the identity profile. | attributes.identificationNumber:293409 | |
| workPhone | string | The identity's work phone number. | attributes.workPhone:5551235555 | |
| string | The email address of the identity. | attributes.email:o.price42@acme.com | ||
| lastname | string | The identity's last name. | attributes.lastname:kim | |
| startDate | date | The date the identity started at your company in ISO 8601 format. | attributes.startDate:2016-04-25 | |
| endDate | date | The date the identity's employment at your company ended in ISO 8601 format. | attributes.endDate:2019-01-25 | |
| personalEmail | string | The identity's alternate email address. | attributes.personalEmail:samantha.dobbs@gmail.com |
Note that if you add custom attributes to your identity profile, you can search on those as well using the technical name of the attribute. You can also configure your custom attributes to use the date type of value by adding the string dateType to the end of your attribute name.
Nested-Level Fields for Identities
If an identity is able to have more than one of a particular type of item, it must be searched with a nested query. Apps, accounts, and access are nested objects, and require nested queries.
To create a nested query, write your query in the format @nestedObject(secondLevelField.firstLevelField:query). See Using Nested Queries for details.
The following table contains a list of all nested objects on identities, their second-level fields, and the first-level fields they contain.
| Back to Top |
|---|
Searching Entitlement Data
The entitlement data model describes the data found within an entitlement. Currently, all entitlements only contain first-level fields. All fields can be searched.
See the entitlement data model here.
| Field | Type | Description | Example |
| id | string | The technical ID of the entitlement. | id:abc1 |
| displayName | string | The display name of the entitlement, as seen in the UI. | displayName:"Manager Entitlement" |
| name | string | The entitlement name. | name:"manager entitlement" |
| description | string | The user-entered description of the entitlement. | description:"The entitlement assigned to managers." |
| privileged | bool | A boolean describing whether or not the entitlement is marked as privileged. | privileged:TRUE |
| attribute | string | The attribute used by the source to define the type of entitlement. | attribute:memberOf |
| value | string | The value used by the source for this entitlement. | value:"manager entitlement" |
|
modified |
date | The date the entitlement was last modified, in ISO YYYY-MM-DD format. | modified:2017-05-14 |
| synced | date | The date and time that this entitlement's information was last verified in any ISO format that uses YYYY-MM-DD. | synced:2019-03-21 |
| source.name | string | The name of the source the entitlement comes from. | source.name:"Acme Source" |
| source.id | string | The ID of the source the entitlement comes from. | source.id:abc1 |
| Back to Top |
|---|
Searching Access Profile Data
The access profile data model describes the information you can find about access profiles in your IdentityNow implementation. You can see the data model for access profiles here.
First-Level Fields for Access Profiles
The following table contains a list of first-level fields in access profiles. First-level field searches use the following format:
field:<search terms>
| Field | Type | Description | Example |
| created | date | The date the access profile was created, in ISO YYYY-MM-DD format. | created:2018-03-17 |
| description | string | The user-entered description of the access profile. | description:"Grants users access to Acme App." |
| entitlementCount | integer | The number of entitlements in the access profile. | entitlementCount:3 |
| id | string | The technical ID of the access profile. | id:abc1 |
| modified | date | The date the access profile was last modified, in ISO YYYY-MM-DD format. | modified:2018-07-15 |
| name | string | The name of the access profile. | name:"Acme App Admin Access" |
| requestable | bool | A boolean describing whether or not this access profile is marked as requestable. This field is case sensitive. | requestable:TRUE |
| synced | date | The date and time that this access profile's information was last verified in any ISO format that uses YYYY-MM-DD. | synced:2019-03-23 |
| owner.name | string | The name of the owner of the access profile. | owner.name:"Kirsten Jones" |
| owner.id | string | The technical ID of the owner of the access profile. | owner.id:abc1" |
| owner.type | string | The type of entity that owns this access profile. This is always an identity. | owner.type:identity |
| owner.email | string | The work email address of the identity that owns the access profile. | owner.email:"patricia.jones@acme.com" |
| source.name | string | The name of the source of the entitlements in the access profile. | source.name:"Active Directory" |
| source.id | string | The technical ID of the source of the entitlements in the access profile. | source.id:abc1 |
Nested-Level Fields for Access Profiles
If an access profile is able to have more than one of a particular type of item, it must be searched with a nested query. This means that entitlements within access profiles must be searched with a nested query.
To create a nested query, write your query in the format @nestedObject(firstLevelField:query). See Using Nested Queries for details.
| Nested Object | Field | Type | Description | Example |
| entitlements | attribute | string | The attribute used by the source to define the type of entitlement. | @entitlements(attribute:memberOf) |
| description | string | The user-entered description of the entitlement. | @entitlements(description:"The entitlement assigned to managers.") | |
| id | string | The technical ID of the entitlement. | @entitlements(id:abc1) | |
| name | string | The entitlement name. | @entitlements(name:"Manager Entitlement") | |
| value | string | The value used by the source for this entitlement. | @entitlements(value:managerEntitlement) |
| Back to Top |
|---|
Searching Role Data
The role data model describes the data found in roles. Currently, roles contain first-level fields. All of these fields can be searched. You can see the data model for roles here.
| Field | Type | Description | Example |
| name | string | The user-entered name of the role. | name:"Accounting Role" |
| id | string | The technical ID of the role. | id:abc1 |
| description | string | The user-entered description of the role. | description:"This is a role for accountants." |
| created | date | The date the role was created, in ISO YYYY-MM-DD format. | created:2017-11-18 |
| modified | date | The date the role was last modified, in ISO YYYY-MM-DD format. | modified:2018-08-25 |
| enabled | bool | A boolean describing whether the role is enabled. This field is case sensitive. | enabled:FALSE |
| requestable | bool | A boolean describing whether the role is requestable. This field is case sensitive. | requestable:TRUE |
| synced | date | The date and time that this role's information was last verified in any ISO format that uses YYYY-MM-DD. | synced:2019-03-20 |
| accessProfileCount | integer | The number of access profiles granted by the role. | accessProfileCount:3 |
| accessProfiles.id | array | Any of the technical IDs of the access profiles granted by the role. | accessProfiles.id:abc1 |
| accessProfiles.name | array | Returns all roles that contain the access profile you search for. | accessProfiles.name:"Access Profile 1" |
| owner.id | string | The technical ID of the owner of the role. | owner.id:abc1 |
| owner.name | string | The name of the owner of the role. | owner.name:"Bill Snide" |
| owner.type | string | The type of entity that owns this role. This is always an identity. | owner.type:identity |
| owner.email | string | The work email address of the identity that owns this role. | owner.email:"jackie.smith@acme.com" |
| Back to Top |
|---|
Searching Event Data
The data model for events describes how IdentityNow stores audit events. IdentityNow's audit events contain first-level fields and second-level fields.
Events are how IdentityNow tracks audit data. Using Search, you can create and download a custom audit report.
See the event data model here.
First-Level Fields for Events
In an event's first-level fields, you can find basic metadata about the event.
Learn more about searching on first-level fields.
| Field | Type | Description | Example |
| created | date | The date and time the event began, in ISO 8601 format. | created:2019-01-25 |
| name | string | A user-friendly translation of the technical name. | name:"Create Source Passed" |
| operation | string | The action performed during the event. This is also captured in the technicalName. | operation:CREATE |
| status | string | The result of the event. | status:PASSED |
| technicalName | string | The normalized name of the event. This always follows the pattern objects_operation_status. | technicalName:SOURCE_CREATE_PASSED |
| details | string | When available, a description of the event. | details:"User approved access request for app." |
| type | string | The type, or classification, of the event. | type:SOURCE_MANAGEMENT |
| id | string | The technical ID of the event. | id:abc1 |
| ipAddress | string | The IP address of the target system, such as the app a user is signing in to or the source that the user is changing the password for. | ipAddress:207.123.123.150 |
| objects | string | The object the event is happening to. In some cases, there is more than one domain object. | objects:SOURCE |
| action | string | The name of the event as it appeared in legacy audit reports. | action:CONNECTOR_CREATE |
| trackingNumber | string | The ID of the group of events. Sometimes, this ID will be the same for multiple related events. This tracking number might also match the tracking number for an account activity entry. | trackingNumber:abc1 |
Second-Level Fields for Events
Second-level fields are a type of object. Each second-level field contains at least one first-level field.
To search second-level fields, use the following format:
secondLevelField.firstLevelField:<search terms>
| Back to Top |
|---|
Searching Account Activity
The account activity data model covers most activity that IdentityNow completes on a source account. You'll see the following types of actions when you search for account activity:
-
Access Request - Search on access requests.
-
Account Attribute Update - Search for events that involved updating a single attribute on an account.
-
Account State Update - Search for events that involved locking or unlocking an account on a source.
-
Certification - Search for events involving removing an entitlement from a user as a result of the entitlement being revoked during a certification.
-
Cloud Automated <Lifecyclestate> - Search automated lifecycle state changes that resulted in an identity being assigned to a different lifecycle state. The <Lifecyclestate> variable will be replaced with the name of the lifecycle state that identities changed to.
-
Identity Attribute Update - Search on the times when an identity's attribute was updated within IdentityNow as the result of a provisioning action. When updating an identity attribute also updates an identity's lifecycle state, you'll also see the event Cloud Automated <Lifecyclestate>. Updates to identity attributes that occur as a result of an aggregation are not included in Account Activity.
-
Identity Refresh - Search identity refreshes that happen whenever a user gets a new role, whenever an identity profile is updated, or whenever an app is assigned to users based on that app being assigned to All Users From Source or Specific Users From Source.
-
Lifecycle State Refresh - Search the actions that took place when a lifecycle state was changed. This event only occurs after Cloud Automated <Lifecyclestate> or Lifecycle State Change.
-
Lifecycle State Change - Search account activity that resulted in an identity being manually assigned to a null lifecycle state.
-
Password Change - Search password changes on sources.
When you search on account activity, you'll see only the set list of results described above. Each of those actions represents a specific event that occurred in your site.
You can search on attribute sync provisioning events in the Events tab.
To search for account activity, use the fields contained within the data model. Account activity contains first-level fields, second-level fields, and nested fields.
See the account activity data model here.
First-Level Fields for Account Activity
In an account action's first-level fields, you can find basic metadata about the request.
First-level field searches use the following format:
field:<search terms>
| Field | Type | Description | Example |
| action | string | The action performed. This will always match an action in the list above. | action:"Password Change" |
| status | string | The overall status of the account activity. | status:complete |
| id | string | The technical ID of the request. | id:acb1 |
| trackingNumber | string | The tracking number, which is sometimes used for auditing purposes. This tracking number might also match the tracking number for an event entry. | trackingNumber:1234 |
| created | date | The date the action was created in any ISO format that uses YYYY-MM-DD. | created:2018-08-13 |
| modified | date | The date of the last activity related to the action in any ISO format that uses YYYY-MM-DD. | modified:2018-09-13 |
| sources | list | The sources involved in the account activity. Searching on one source in this list will return all account activity that has that source within the sources list. This field is case sensitive. | sources:"Active Directory" |
| stage | string | The progress of the action, provided by the source. | stage:executing |
| errors | list | Any errors that the source provided while completing account actions. | errors:"Unable to provision to this source." |
| warnings | list | Any warnings the source provided while completing account actions. | warnings:"New value equal to old value." |
| Second- and Nested-Level Fields | |||
| Fields | Description | ||
| requester |
Search for account activity based on data about the system or person that first triggered the actions. This object requires a second-level field. See below for details. |
||
| recipient |
Search for account activity based on data about the system or person being modified by the account actions. This object requires a second-level field. See below for details. |
||
| originalRequests |
Search for account activity based on data about the original action that triggered all individual source actions related to this account action. For example, a lifecycle state change, a role change, a password update, etc. This object requires a nested query. See below for details. |
||
| accountRequests |
Search for account activity based on data about each individual source action that was triggered by the original request. This might include an entitlement being granted, an attribute update, a single account being created, etc. This object requires a nested query. See below for details. |
||
| expansionItems |
Search for account activity based on the controls that translated the attributeRequests into actual provisioning actions on a source. This object requires a nested query. See below for details. |
||
| approvals |
Search for account activity based on data about the approvals or rejections performed on an item. This item only applies to access requests. This object requires a nested query. See below for details. |
||
Second-Level Fields for Account Activity
Second-level fields are a type of object. Each second-level field contains at least one first-level field. They can give you additional information about your identities and their data.
To search second-level fields, use the following format:
secondLevelField.firstLevelField:<search terms>
For example, the search query requester.name:"john smith" will return all account activity that was initiated by John Smith.
Nested-Level Fields for Account Activity
If an account action is able to have more than one of a particular type of item, it must be searched with a nested query. Account activity also has originalRequests information, which uses a nested query even though an account action can only have one original request item. Account activity's nested objects are described below.
- originalRequests - The original account action within IdentityNow that triggered all related source actions. For example, a role being granted is an original request.
- accountRequests - Each account request is a description of the changes made to an individual source. You'll see the original request duplicated here.
NOTE: Both originalRequests and accountRequests contain a field called attributeRequests. Each attribute request is a granular description of each individual attribute that must be modified on the source. - expansionItems - Each account action will have one expansion item for every attribute request. The expansionItems field is an internal logging mechanism to help SailPoint troubleshoot account activity, and includes details about why each attributeRequest was completed the way it was.
- approvals - Approval items are present only for access request account actions. They include information about who the reviewers were and any comments they left.
To create a nested query, write your query in the format @nestedObject(secondLevelField.firstLevelField:query).
The following table contains a list of all nested objects and the fields they contain.
| Nested Object | Second-Level Field | First-Level Field | Type | Description | Example |
| originalRequests | accountId | string | The account ID of the user on the source that the request was made for. | @originalRequests(accountId:sam.smith | |
| op | string | The requested operation. This can be create, modify, lock, unlock, enable, disable, or delete. | @originalRequests(op:create) | ||
| source | id | string | The technical ID of the source that the actions will happen on. | @originalRequests(source.id:abc1) | |
| name | string | The name of the source that the actions will happen on. | @originalRequests(source.name:"Active Directory") | ||
| displayName | string | The display name of the source that the actions will happen on. | @originalRequests(source.displayName:"Active Directory") | ||
| type | string | The type of source that's being modified as the result of these actions. | @originalRequests(source.type:"Generic Flat File") | ||
| provisioningTarget | id | string | The technical ID of the source that's fulfilling the request. | @originalRequests(provisioningTarget.id:abc1) | |
| name | string | The display name of the source that's fulfilling the request. | @originalRequests(provisioningTarget.name:"Active Directory") | ||
| type | string | The type of source that's being modified as the result of these actions. | @originalRequests(provisioningTarget.type:"Active Directory") | ||
| attributeRequests | op | string | The operation for an individual attribute that must be edited. This might be add, set, or remove. | @originalRequests(attributeRequests.op:add) | |
| name | string | The name of the individual attribute that's being updated. | @originalRequests(attributeRequests.name:displayName) | ||
| value | string | The new value of the attribute that's being updated. | @originalRequests(attributeRequests.value:"Bob Dobbs") | ||
| accountRequests | accountId | string | The native identity that the request was made for. | @accountRequests(accountId:"cn=I17Manager1,dc=flatfile,dc=endtoend,dc=com") | |
| op | string | The requested operation. This can be create, modify, lock, unlock, enable, disable, or delete. | @accountRequests(op:enable) | ||
| source | id | string | The technical ID of the source that the actions will happen on. | @accountRequests(source.id:abc1) | |
| name | string | The name of the source that the actions will happen on. | @accountRequests(source.name:"Active Directory") | ||
| displayName | string | The display name of the source that the action will happen on. | @accountRequests(source.displayName:"Active Directory") | ||
| type | string | The type of source that's being modified as the result of these actions. | @accountRequests(source.type:"Generic Flat File") | ||
| provisioningTarget | id | string | The technical ID of the source that's fulfilling the request. | @accountRequests(provisioningTarget.id:abc1) | |
| name | string | The display name of the source that's fulfilling the request. | @accountRequests(provisioningTarget.name:"Active Directory") | ||
| type | string | The type of source that's being modified as the result of these actions. | @accountRequests(provisioningTarget.name:"Generic Flat File") | ||
| result | status | string | The status of the individual action on the specific source. | @accountRequests(result.status:retry) | |
| errors | string | Any errors that the source provided while completing account actions. | @accountRequests(result.errors:"There was an error during provisioning.") | ||
| warnings | string | Any warnings that the source provided while completing account actions. | @accountRequests(result.warnings:"Warning: Memory running low.") | ||
| ticketId | string | If a ticket has been created in an external system such as ServiceNow to track the provisioning for this request, this is the ticket ID that has been provided to IdentityNow. | @accountRequests(result.ticketId:1234) | ||
| attributeRequests | op | string | The operation for an individual attribute that must be edited. This might be add, set, or remove. | @accountRequests(attributeRequests.op:set) | |
| name | string | The name of the individual attribute that's being updated. | @accountRequests(attributeRequests.name:lastName) | ||
| value | string | The new value of the attribute that's being updated. | @accountRequests(attributeRequests.value:Jones) | ||
| expansionItems | accountId | string | The unique account identifier for the account being modified. | @expansionItems(accountId:Andrew.Beck) | |
| cause | string | The internal reason why this attributeRequest is being performed. This can be Role, AttributeSync, AttributeAssignment, or ProvisioningPolicy. | @expansionItems(cause:Role) | ||
| name | string | Additional information about the reason this attributeRequest is being performed. | @expansionItems(name:"Accounting Role") | ||
| source | name | string | The name of the source that the account being modified is on. | @expansionItems(source.name:AD) | |
| id | string | The technical ID of the source the account being modified is on. | @expansionItems(source.id:abc1) | ||
| type | string | The type of source that the account being modified is on. | @expansionItems(source.type:"Active Directory") | ||
| attributeRequest | op | string | The operation for an individual attribute that must be edited. This might be add, set, or remove. | @expansionItems(attributeRequest.op:set) | |
| name | string | The name of the individual attribute being updated on the source. | @expansionItems(attributeRequest.name:roleAttribute) | ||
| value | string | The new value of the attribute being updated. | @expansionItems(attributeRequest.value:"Accounting Manager") | ||
| approvals | workItemId | string | The technical ID of the approval item. | @approvals(workItemId:abc1) | |
| created | date | The date that the approval item was created. | @approvals(created:2018-08-13) | ||
| modified | date | The date that the approval item was last modified in any ISO format that uses YYYY-MM-DD. | @approvals(modified:2018-08-16) | ||
| result | string | The status of the approval item. This can be Finished or Rejected. | @approvals(result:finished) | ||
| comments | commenter | string | The display name of the user who left the comment. | @approvals(comments.commenter:bob.smith) | |
| comment | string | The comment that was left on the approval item. | @approvals(comments.comment:"This access is privileged and is not appropriate for this requester.") | ||
| date | date | The date that the comment was left in any ISO format that uses YYYY-MM-DD. | @approvals(comments.date:2018-08-16) | ||
| owner | name | string | The name of the reviewer of the access request. | @approvals(owner.name:jane.smith) | |
| id | string | The technical ID of the reviewer of the access request. | @approvals(owner.id:abc1) |
| Back to Top |
|---|
Structuring a Search
Once you're familiar with the fields that are available for you to search on, you can start constructing queries. You can use those fields and choose search terms to find important information about your identities.
In a search, a field is where you search, and a term is what you search for.
In most queries, your search will look like this:
field:term
Make sure not to put spaces in the field portion of your query, or after the colon following the field. If you have spaces in your term, put them in double quotes. All spaces that aren't in double quotes will be treated as an OR operator.
Search Terms
Terms are simply words you use in a query.
Some terms can be searched on with no other words in the query.
Single-word terms can be searched alone or with double quote marks surrounding them. If you search using quote marks, the search results will contain all words in your query.
| Description of Results |
Query |
| All identities with any attribute that contains the word london are returned. | london |
| All identities with any attribute that contains the word sydney are returned. | sydney |
| All identities with any attribute that contains the phrase sao paulo are returned. | "sao paulo" |
A query without a field, like the ones above, searches all identity data. For example, searching on "london" returns all identities in London - but also all identities who are named London, or who have any entitlements based in London.
If you want to specify which search categories to return, click the filter icon next to the Search bar. To specify which data about the search category to return, use fields.
Quotation Marks
You can use quote marks to help you make your query more specific.
Single-quotes are treated as an ordinary character. If there's more than one word in single quotes, our search engine treats the terms as if they have an OR operator between them.
Double quotes should be placed around words that must be searched exactly, or as a phrase.
| Description of Results | Query |
| All results that contain the words sao or paulo are returned. | sao paulo |
| All results that contain the words sao or paulo are returned. | 'sao paulo' |
| All results that contain the phrase sao paulo are returned. | "sao paulo" |
| All identities that have the phrase sao paulo listed as their location are returned. | attributes.location:"sao paulo" |
First-Level Fields
First-level field searches are constructed using this format:
field:term
All fields are based on the IdentityNow data model. You can specify the field for anything you search for. In Elements of a Search, you can find the items that can be searched with first-level fields.
| Description of Results | Query |
| Returns identities with john.smith as their IdentityNow display names. | displayName:john.smith |
| Returns all identities that were created on June 1, 2018. | created:2018-06-01 |
| Returns all identities that are listed as Active in the identity list. | status:ACTIVE |
Second-Level Fields
Second-level field searches from any search category are constructed using the following format:
secondLevelField.firstLevelField:term
All objects and fields are based on the IdentityNow data model. Second-level fields are present in identity data, event data, and account activity data.
| Description of Results | Query |
| Returns all identities that have the word london in the location attribute on their identity profile. | attributes.location:london |
| Returns all identities that have Amanda Ross as their manager. | manager.name:amanda.ross |
| Returns a list of identities that are in an identity profile called ID_Profile_1. | identityProfile.name:ID_Profile_1 |
| Returns a list of account activity that was initiated by the user bob.dobbs. | requester.name:bob.dobbs |
Combining Multiple Search Criteria
You can include more than one criteria in your query to narrow down results.
When you're combining multiple search criteria, make sure you're using fields from the same search category. For example, searching for a field from identity data and a field from account activity data in the same query won't return any results.
Using Operators
Combine queries using operators. All operators must always be in all capital letters. If you don't specify an operator between two queries, the OR operator will be used.
OR
The OR operator, which can be symbolized by ||, links two terms, and finds a matching identity if either term exists anywhere in the item.
| Description of Query | Query |
| Search for identities that have the text sao paulo or london anywhere in their identity data | "sao paulo" OR london |
| Using fields, search for identities that list Sao Paulo or London as their location. | attributes.location:"sao paulo" OR attributes.location:london |
| Search for identities in Sao Paulo or London using the symbols for the OR operator. | attributes.location:"sao paulo" || attributes.location:london |
AND
The AND operator, which can be symbolized by &&, returns items which have both of your search terms in the identity data.
| Description of Query | Query |
| Search for identities that have the text london and amanda.ross anywhere in their identity data. | london AND amanda.ross |
| Search for identities that have their location listed as London, whose manager is Amanda Ross. | attributes.location:london AND manager.name:amanda.ross |
| Using symbols in place of the AND operator, search for identities in London whose manager is Amanda Ross. |
attributes.location:london && manager.name:amanda.ross |
NOT
The NOT operator, which can be symbolized with !, excludes search items that contain the term you enter after NOT.
| Description of Query | Query |
| Search for identities that contain the text amanda.ross that don't contain the text london. | amanda.ross NOT london |
| Specify fields to search for identities whose manager is amanda.ross who aren't located in London. | manager.name:amanda.ross NOT attributes.location:london |
| Use symbols in place of the NOT operator to find identities with amanda.ross as their manager, who aren't located in London. | manager.name:amanda.ross ! attributes.location:london |
| Search for identities who don't have amanda.ross listed as their manager. Note that because the ! operator is at the beginning of the query string, it must always be followed immediately by the query, with no space. | !manager.name:amanda.ross |
Range operators > and <
The greater than and less than operators (> and <) can be used to search for dates and numbers that are greater or less than the value you state. You can also use these operators with an equal sign (=> and <=) to symbolize greater than or equal to, or less than or equal to. Be sure not to add a space between the colon and your range operator.
| Description of Query | Query |
| All identities that have more than 12 apps | appCount:>12 |
| All identities created on or before February 4, 2015 | created:<=2015-02-04 |
Combining Multiple Operators
You can determine how your query is evaluated using parentheses. Anything in parentheses will be evaluated as a single query within your original query.
| Description of Query | Query |
| Search for identities that have amanda.ross listed as their manager, are in London, and have the last name of either Trent or Primrose. | attributes.location:london AND manager.name:amanda.ross AND (lastName:trent OR lastName:primrose) |
| This query returns the same results as the one above. The parentheses are slightly different. | attributes.location:london AND manager.name:amanda.ross AND lastName:(trent OR primrose) |
Wildcards
You can also include wildcards in any search you make. The * wildcard represents any number of characters, while the ? wildcard always represents only a single character.
| Description of Query | Query |
| Returns all search data in your site. | * |
| Return all identities named Jon, John, Johnson, and Jan. | j*n |
| Return identities named Jon and Jan only. | j?n |
Using the .exact Keyword
You can add .exact to your first- and second-level field searches for results that match the exact string including case sensitivity. You can also use the wildcards * and ?. Adding .exact is not required to search on an email.
Use the .exact keyword to search on data that includes any characters that aren’t letters or numbers.
On identities, the .exact keyword is available for use with the following fields and field types :
- name
- displayName
- lastName
- firstName
- description
- All identity extended attributes
- Other free text fields
See below for some examples of queries that use .exact and results.
| Description of Results |
Query |
| Returns only identities who have a manager named "amanda ross" in lowercase. | manager.name.exact:"amanda ross" |
| Returns only identities who have the last name "Ross" with a capital R. | lastName.exact:Ross |
| Returns only identities whose locations start with "Aus", such as Austin or Australia. | attributes.location.exact:Aus* |
| Returns only identities that have an account source called "ad", not Azure AD or Active Directory. | @accounts(source.name.exact:"ad") |
| Return identities with the name jon-smith. | name.exact:"jon-smith" |
| Search for roles with the name TaxProject#2019. | name.exact:"TaxProject#2019" |
Using Range Queries
You can search for a range of numerical values in IdentityNow by using brackets.
Searching Between Inclusive Values: [ TO ]
If you'd like to search between two values and include those values in your results, use square brackets.
For example, the following query will return all identities who have accounts created during March of 2018.
@accounts(created:[2018-03-01 TO 2018-03-31])
Searching Between Exclusive Values: { TO }
If you'd like to search between two values but exclude those values from your results, use curly brackets.
For example, the following query will return only identities that have 2 or 3 accounts.
accountCount:{1 TO 4}
Using Special Characters
Many search queries, such as queries to find an identity's distinguished name, use special characters. These characters include =, +, -, and others.
There are some additional requirements for queries that use special characters.
- They must use the .exact keyword.
- They must use a regular expression format, which requires wrapping them in forward slashes: /
- If your query uses wildcards, those wildcards must use a different format.
- Any * wildcards must be preceded by a period: .*
- Any ? wildcards must be replaced by a period: .
See below for some examples of queries using special characters.
| Description | Query |
| Returns all identities with hyphens in their last name. |
attributes.lastName.exact:/.*-.*/ |
| Returns all items with "AUSTIN_<any single character>_GI" and "File Access" as organizational units, including distinguished names with other OU's before or after this pair. |
name.exact:/.*OU=AUSTIN_._GI.*OU=File Access*/ |
Using Nested Queries
You'll need to use a nested query to search for data when it's possible for a searchable category to have more than one of the item. Nested queries give IdentityNow more information so that it can search those fields correctly.
Nested queries follow a distinct format:
@<nestedObject>(<object.field:term>)
<nestedObject> is where you specify the type of data you're searching for.
<object.field:term> is where you'll enter the rest of your query.
Nested-level fields are present in identity data, access profile data, and account activity data.
If your search term is multiple words in a nested query, you should surround it with double quote marks. Results will exactly match the text in your query.
See below for some examples of complete nested queries that search for only one term. Everything not in bold is the same between all queries.
| Description | Query |
| Searches within each identity's accounts for the source name, Acme. |
@accounts(source.name:Acme) |
| Searches within each identity's access for items marked as privileged. |
@access(privileged:TRUE) |
|
Searches within each identity's apps for apps that have an account source identical to Azure AD. |
@apps(source.name:"Azure AD") |
| Returns all account activity with one or more create action performed on a source. | @accountRequests(op:create) |
| Returns all account activity that contained one or more actions that failed to complete successfully. | @accountRequests(result.status:failed) |
You can also combine nested queries with other queries.
Combine Two Nested Queries
@<nestedObject>(<object.field:term>) <operator> @<nestedObject>(<object.field:term>)
The <nestedObject> is the nested object in each nested query.
The <object.field:term> is the rest of your query. This is based on the format for nested queries.
The <operator> is AND, OR, or NOT, or their symbols.
See below for some examples of two or more nested queries combined.
| Description | Query |
| This query returns all identities who have an account on the Acme source, but don't have the Adobe app. | @accounts(source.name:Acme) AND NOT @apps(name:Adobe) |
| This query returns all identities with disabled accounts who have an entitlement with the title Building_Access. | @accounts(disabled:TRUE) && @access(name:Building_Access) |
| This query returns a list of all identities that have the access profiles Acme Accounts Payable and Acme Accounts Receivable. | @access(name:"Acme Accounts Payable") AND @access(name:"Acme Accounts Receivable") |
Combine a Nested Query and a Simple Query
@<nestedObject>(<object.field:term>) <operator> <simple_query>
The <nestedObject> is the nested object in your nested query.
The <object.field:term> is the rest of your nested query.
The <operator> is AND, OR, or NOT.
The <simple_query> is any complete simple query, such as those described in search terms, first-level fields, and second-level fields.
See below for some examples of nested queries combined with simple queries. Everything not in bold is the same between all queries of this type.
| Description | Query |
|
This query returns a list of all identities that have amanda.ross listed as their manager and who have the access item that has the display name Engineering_Access. |
@access(displayName:"Engineering_Access") AND manager.name:"amanda.ross" |
| This query returns a list of all identities in Chicago that have an access item exactly called Admin_Access. |
@access(name:"Admin_Access") AND attributes.location:Chicago |
|
This query returns a list of all identities who are listed as Not Invited in the identity list, who have an access item called Base Access. |
status:"UNREGISTERED" AND @access(displayName:"Base Access") |
You've finished the second document in our four-part series on how to use IdentityNow's Search feature. Take a look at the map below to decide how to proceed.
| Learn the Basics | Build a Search Query | More Information | Downloading Reports |
|
In this document, you can:
|
Take me to the top of this document. In this document, you can:
|
In this document, you can:
|
Downloading Reports from the Search Interface In this document, you can:
|
