Creating a Query

A forensic query can search for either User or Role objects. The query can be very complex, allowing the author to select one or more attribute conditions on related data types. User forensic queries can search attributes with the data types of User, Account, ResourceAccount, Role, and Entitlement, and WorkItem. Role forensic queries can search attributes with data types of Role, User, and Work Item.

Within a single data type, all attribute conditions are logically ANDed, so that all conditions must be met for a match to occur. By default, matches are ANDed across data types, but if you select the Use OR check box, the matches across data types are logically ORed.

The warehouse may contain multiple records for a single User or Role object, and a single query could return multiple matches for the same user or role. To help differentiate these matches, each data type can be constrained with a date range, such that only records from within the specified date range are considered matches. Each related data type may be constrained with a date range, so it is possible to issue a query of the form:

find all Users with Resource Account on ERP1 between May and July 2005 
who were attested by Fred Jones between June and August 2005

The date range is from midnight to midnight. For example, the range May 3, 2007 to May 5, 2007 is 48 hours. It would not include any records from May 5, 2007.

The operands (values to be compared to) for each attribute condition must be specified as part of the query definition. The schema restricts some attributes to have a limited set of potential values, while other attributes have no restrictions. For example, most date fields must be entered in YYYY-MM-DD HH:mm:ss format.

Due to the potentially large volume of data in the warehouse, and the complexity of the query, it may take a long time for the query to produce results. If you navigate away from the query page while a forensic query is running. you will not be able to see the results of the query.

To Create A Forensic Query

1. In the Administrator interface, click Compliance in the main menu.

   The Audit Policies page (Manage Policies tab) opens.

2. Click the Forensic Query secondary tab.

   The Search Data Warehouse page opens.

   Figure 16–5 Search Data Warehouse

   
   

3. Select whether to search user or role records from the Type drop-down menu.

4. Select the Use OR check box to cause Identity Manager to logically OR the results of each data type queried. By default, the system performs a logical AND on the results.

5. Select a tab that represents a data type that will be in the forensic query.

   1. Click Add Condition. A set of drop-down menus displays.

   2. Select an operand (condition to check for) from the left drop-down menu and the type of comparison to make in the right drop. Then enter a string or integer to search for. The list of possible operands is defined in the external schema. Refer to the online help for a description of each operand.

   3. Optionally, select a range of dates to narrow the scope of the query.

      Add more conditions as necessary to the currently-selected data type. Repeat this step for all data types that will be part of the forensic query definition.

6. Pick the attributes in the available attributes that you would like to display in the results of the forensic query.

7. Specify the a value in the Limit results to first field. When using conditions from multiple data types, the limit will be applied to the subquery for each type, and the final result is the intersection of all subqueries. As a result, the final result may exclude some records because of the limit on a subquery.

8. Click Search to run the forensic query immediately or Save Query to reuse the query. See Saving a Forensic Query for information about reusing your forensic queries.