
How to use changes detected to quickly spot new users and new access in access reviews


One of the columns your reviewers can choose to display in their IdentityIQ access reviews is “Changes Detected.” This column is available only in IdentityIQ certifications and access reviews that certify identities: Manager, Advanced, Application Owner, and Targeted certifications.

This column categorizes changes in access since the last time the identity was included in a certification of this type, as well as flagging new identities that have not previously been certified.  In other words, changes can be detected in access between one Manager Certification and the next, but are not detected between a Manager Certification and an Advanced Certification for the same identity.

The values that can appear in the Changes Detected column are:

  • New User: This identity has never been certified before in a certification of this type.
  • No: The identity has been certified before in a certification of this type, and there have been no changes to the identity's access since that time.
  • Yes: Once an identity has been certified, any new access items that are detected the next time a certification of the same type is generated will have a Yes value.

Here's an example to illustrate how the type of certification run can impact the values in the Changes Detected column.

  • Jim has access to AppA and AppB
  • Pam has access to AppB and AppC
  • Both Jim and Pam report to Michael

The scenarios below assume that the Perform Maintenance task is run regularly in between these various certifications.

  • May 1: An application owner certification is run for AppA for the first time. Jim's access is detected as a New User. Pam doesn't appear in these reviews at all.
  • May 10: An application owner certification is run for AppB. Jim's access appears as No, and Pam's as New User.
  • May 20: A manager certification is run for Michael's team. Both Jim and Pam appear as New User.
  • May 30: After a reorganization, Jim & Pam now report to Andy. A manager certification is run for Andy's team. Both Jim and Pam appear as No.
  • June 10: Jim & Pam are given new access to AppZ. If either an application owner certification for AppZ or a manager certification for Andy's team is run, Jim and Pam will show Yes for all AppZ entitlements, and No for their other entitlements.

Be aware that certain maintenance and system tasks in IdentityIQ must run for certification status to be updated. For example, if two certification campaigns are running concurrently, and they both include Jim, then Jim's "Changes Detected" status in each will depend on whether the other review has been completed, and whether the IdentityIQ system tasks that refresh status have run.

Note: The "Changes Detected" feature focuses on changes to the identity as a whole; filters on included items (such as which application they are on) are not factored into change detection. This means that application owner certifications, and using application as a filter for manager certifications, may not produce the "Changes Detected" results that are expected. For example, once an identity has been certified in an application owner certification for AppA, a later application owner certification for AppB will not show AppB's items as changed, even if those specific items were not certified in the AppA application owner certification, unless the items for AppB were added to the identity after the AppA certification was completed.

If you are in doubt about the changed status of an identity's access, you can see details about certifications in the Identity Warehouse for any user, on the History tab.
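The rules and the Jim/Pam timeline above can be replayed in a small model. This is an added example, not SailPoint code or part of the original article: the class and function names are hypothetical, and it assumes each certification is completed and Perform Maintenance has run before the next one is generated. `unreviewed_no` lists items that would display "No" without ever having been shown in a review of that type, which is the case the Note describes.

```python
class ChangeModel:  # hypothetical toy model of the article's rules, not SailPoint code
    def __init__(self):
        self.baseline = {}  # (cert_type, identity) -> all access held at last cert
        self.reviewed = {}  # (cert_type, identity) -> items a reviewer was shown

    def certify(self, cert_type, access, in_scope=lambda item: True):
        """Return {identity: {item: status}} for one completed certification."""
        out = {}
        for identity, items in access.items():
            shown = {i for i in items if in_scope(i)}
            if not shown:
                continue  # identity is absent from this review
            key = (cert_type, identity)
            prior = self.baseline.get(key)
            out[identity] = {
                i: "New User" if prior is None else "No" if i in prior else "Yes"
                for i in shown
            }
            # Detection is identity-wide: the baseline ignores the item filter.
            self.baseline[key] = set(items)
            self.reviewed.setdefault(key, set()).update(shown)
        return out

    def unreviewed_no(self, cert_type, access, in_scope=lambda item: True):
        """Items that would show "No" although no review of this type showed them."""
        gaps = {}
        for identity, items in access.items():
            key = (cert_type, identity)
            prior = self.baseline.get(key, set())  # empty: would be "New User"
            seen = self.reviewed.get(key, set())
            missed = {i for i in items if in_scope(i) and i in prior and i not in seen}
            if missed:
                gaps[identity] = missed
        return gaps


def run_scenario():
    """Replay the Jim/Pam timeline with constructed data from the article."""
    m, steps = ChangeModel(), {}
    access = {"Jim": {"AppA", "AppB"}, "Pam": {"AppB", "AppC"}}
    steps["may1"] = m.certify("app_owner", access, lambda i: i == "AppA")
    steps["gap"] = m.unreviewed_no("app_owner", access, lambda i: i == "AppB")
    steps["may10"] = m.certify("app_owner", access, lambda i: i == "AppB")
    steps["may20"] = m.certify("manager", access)
    steps["may30"] = m.certify("manager", access)
    for items in access.values():
        items.add("AppZ")  # June 10: new access granted
    steps["june10"] = m.certify("manager", access)
    return steps
```

In this model, `run_scenario()["gap"]` reports Jim's AppB before the May 10 review: it will display "No" even though no application owner review has shown it yet.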


Adding the changes detected column to your review

To add the Changes Detected column to your display:

  1. In the access review, click Columns
  2. Click Add Column and choose Changes Detected from the drop-down
  3. Drag the column tile as needed to put it in the position you want relative to the other columns
  4. Save your changes.

Note that the column displayed on the Important tab and on the Open tab can vary, so if your review includes both of these tabs, you will need to add the Changes Detected column in each.



Sorting, grouping, and filtering for changes detected

To sort items by Changes Detected status, click on the Changes Detected column heading.

To group items by Changes Detected status, click Group By and choose Changes Detected from the drop-down. If bulk decisions are enabled for your review, you can select all the items in a group (all New User items, for example) by checking the box beside the Changes Detected heading, and then process them in bulk.



To filter items by Changes Detected:

  1. Click Filter
  2. If Changes Detected isn’t shown as a filter option, click Add Filter and choose Changes Detected.
  3. Choose the status (Yes, No, New User) you want to filter on in the Changes Detected filter field.
  4. Click Apply.
  5. To remove this filtering, click Filter again, and click Clear.


Comments

Based on my testing results for this feature, it also relies on the existence of the IdentitySnapShot that was created when the previous certification was generated. Can you describe how the "Days before snapshot deletion" configuration and the IdentitySnapShot objects play into being able to use this feature? I have a similar open question currently in Compass (https://community.sailpoint.com/t5/IdentityIQ-Forum/Certification-quot-Changes-Detected-field/m-p/16...). 

Thank you.

Another question on this…

Is there a way to have IIQ show the “Changes Detected” value on the cert item as “Yes”, unless the account had not ever been certified (in which case it would show “New User”) or the account entitlement had previously been certified (in which case it would show “No")?

Perhaps my test case (with results) below would better describe the issue that we’re seeing with this…

These steps were processed sequentially.

  1. Certification 1 certifies entitlements on App A
    1. Refresh Identity
    2. Generate certification
      1. Results in IdentitySnapshot creation for identity being reviewed.
      2. “Changes Detected” value “New User” for all cert items in UI
    3. Approve cert and signoff
    4. Close cert by running Perform Maintenance
  2. Update account on App A
    1. Update account
      1. Add 8 new entitlements to account for App A
    2. Aggregate acct
    3. Refresh Identity
  3. Certification 2 certifies entitlements on App B
    1. Generate cert
      1. Results in IdentitySnapshot creation for identity being reviewed.
      2. “Changes Detected” value “No” for all cert items in UI
    2. Approve cert and signoff
    3. Close cert by running Perform Maintenance
  4. Certification 3 certifies entitlements on App A
    1. Refresh identity
    2. Generate cert
      1. Did not result in IdentitySnapshot creation
      2. “Changes Detected” value “No” for all cert items for App A in UI, including the new entitlement assignments that were made in App A between Certification 1 and Certification 2. These new entitlements were never certified and the “Changes Detected” value for these entitlements is “No”.

Thank you.

(REF: https://community.sailpoint.com/t5/IdentityIQ-Forum/Changes-Detected-field-in-Certifications/m-p/167...)

Is it possible to use the "Changes Detected" as a parameter in setting the contents of the access review itself?  I would like to create an access review that only contains items that meet the "Changes Detected" criteria (New or changed since the last certification).

I'm sure there is a way to do this in IIQ.  We are currently running on ver 8.1

If anyone knows how this could be done, I'd appreciate some advice! 

Version history
Revision #: 13 of 13
Last update: Jun 28, 2023 02:17 PM