Forensic queries allow Identity Manager to read data that has been stored in the data warehouse. They can identify users or roles based on current or historical values of the user, role, or related data types. A forensic query is similar to a Find User or Find Role report, but it differs in that the matching criteria can be evaluated against historical data, and because it allows you to search attributes that are of data types other than the user or role being queried.
The purpose of the forensic query is to take action on the results using Identity Manager. The forensic query is not a general-purpose reporting tool.
A forensic query can ask questions similar to the following:
Who had access to system X between time A and B, and who approved of that access?
How many provisioning requests have been processed in the last 48 hours, and how long did each request take?
The results of a forensic query cannot be saved. General reporting on the warehouse data should be accomplished using commercial reporting tools.
A forensic query can search for either User or Role objects. The query can be very complex, allowing the author to select one or more attribute conditions on related data types. User forensic queries can search attributes with the data types of User, Account, ResourceAccount, Role, and Entitlement, and WorkItem. Role forensic queries can search attributes with data types of Role, User, and Work Item.
Within a single data type, all attribute conditions are logically ANDed, so that all conditions must be met for a match to occur. By default, matches are ANDed across data types, but if you select the Use OR check box, the matches across data types are logically ORed.
The warehouse may contain multiple records for a single User or Role object, and a single query could return multiple matches for the same user or role. To help differentiate these matches, each data type can be constrained with a date range, such that only records from within the specified date range are considered matches. Each related data type may be constrained with a date range, so it is possible to issue a query of the form:
find all Users with Resource Account on ERP1 between May and July 2005 who were attested by Fred Jones between June and August 2005
The date range is from midnight to midnight. For example, the range May 3, 2007 to May 5, 2007 is 48 hours. It would not include any records from May 5, 2007.
The operands (values to be compared to) for each attribute condition must be specified as part of the query definition. The schema restricts some attributes to have a limited set of potential values, while other attributes have no restrictions. For example, most date fields must be entered in YYYY-MM-DD HH:mm:ss format.
Due to the potentially large volume of data in the warehouse, and the complexity of the query, it may take a long time for the query to produce results. If you navigate away from the query page while a forensic query is running. you will not be able to see the results of the query.
In the Administrator interface, click Compliance in the main menu.
The Audit Policies page (Manage Policies tab) opens.
Click the Forensic Query secondary tab.
The Search Data Warehouse page opens.
Select whether to search user or role records from the Type drop-down menu.
Select the Use OR check box to cause Identity Manager to logically OR the results of each data type queried. By default, the system performs a logical AND on the results.
Select a tab that represents a data type that will be in the forensic query.
Click Add Condition. A set of drop-down menus displays.
Select an operand (condition to check for) from the left drop-down menu and the type of comparison to make in the right drop. Then enter a string or integer to search for. The list of possible operands is defined in the external schema. Refer to the online help for a description of each operand.
Optionally, select a range of dates to narrow the scope of the query.
Add more conditions as necessary to the currently-selected data type. Repeat this step for all data types that will be part of the forensic query definition.
Pick the attributes in the available attributes that you would like to display in the results of the forensic query.
Specify the a value in the Limit results to first field. When using conditions from multiple data types, the limit will be applied to the subquery for each type, and the final result is the intersection of all subqueries. As a result, the final result may exclude some records because of the limit on a subquery.
Click Search to run the forensic query immediately or Save Query to reuse the query. See Saving a Forensic Query for information about reusing your forensic queries.
After you have configured a query (and optionally executed it to ensure that it produces the desired results), you can save the query for later execution.
From the Search Data Warehouse page, click Save Query. The Save Forensic Query page opens.
Specify a name and description for query.
Select the Save condition values check box to save the values of the conditions (strings and integers) you entered on the Search Data Warehouse page. If you do not select this check box, then the saved forensic query serves as a template, and you must enter values each time you run the query.
Anyone can execute any saved query, but by default only the query author can modify the query. To allow other users to modify your query, select the Allow others to alter this query check box.
Because the query returns User or Role objects, you can choose which attributes of the objects to display in the results. If you want to display attributes that are not included in the Attributes to Display list, you can go to Data Exporter Configuration page and add new displayable attributes to the User or Role type.
You can load any query that has been saved by any user, but you can only alter queries that you have created, or that other people have marked as modifiable by anyone.