To Create A Forensic Query

1. In the Administrator interface, click Compliance in the main menu.

   The Audit Policies page (Manage Policies tab) opens.

2. Click the Forensic Query secondary tab.

   The Search Data Warehouse page opens.

   Figure 16–5 Search Data Warehouse

   
   

3. Select whether to search user or role records from the Type drop-down menu.

4. Select the Use OR check box to cause Identity Manager to logically OR the results of each data type queried. By default, the system performs a logical AND on the results.

5. Select a tab that represents a data type that will be in the forensic query.

   1. Click Add Condition. A set of drop-down menus displays.

   2. Select an operand (condition to check for) from the left drop-down menu and the type of comparison to make in the right drop. Then enter a string or integer to search for. The list of possible operands is defined in the external schema. Refer to the online help for a description of each operand.

   3. Optionally, select a range of dates to narrow the scope of the query.

      Add more conditions as necessary to the currently-selected data type. Repeat this step for all data types that will be part of the forensic query definition.

6. Pick the attributes in the available attributes that you would like to display in the results of the forensic query.

7. Specify the a value in the Limit results to first field. When using conditions from multiple data types, the limit will be applied to the subquery for each type, and the final result is the intersection of all subqueries. As a result, the final result may exclude some records because of the limit on a subquery.

8. Click Search to run the forensic query immediately or Save Query to reuse the query. See Saving a Forensic Query for information about reusing your forensic queries.