7.4 Searching for Items in the Catalog

Identity Governance gives you several ways to find the information in your catalog. All catalog tables support a quick lookup of items by name or description. Some catalog tables also support an advanced filtering capability where users can build complex expressions based on searchable attributes. These complex expressions allow users to add attribute conditions to the search criteria or to add sub-expressions, known as filters, which can contain attribute conditions as well as other filters to refine the search results. Users can also save these filters for future searches. Both the quick lookup and filter expressions search are limited to a specific table. Insight Queries give flexibility in searching for entities in your system, including searching across entity relationships.

7.4.1 Searching with Insight Queries

Identity Governance provides the ability to query data interactively by using Insight Queries. You can query the catalog across entity types, such as finding all users that have access to a certain permission. You can also query compliance activity and other information such as finding all users who have outstanding revocations.

You must have one of the following authorizations to have access to Insight Queries:

  • Global Administrator

  • Auditor

  • Data Administrator

  • Governance Insights Administrator

Insight queries are interactive, allowing you to change query options and update results without having to open a new window each time. You can download queries and import them and you can also download results of the queries. You can also create custom metrics using a query to populate the SQL statement and the metric columns fields. For more information about custom metrics, see Creating Custom Metrics.

To access Insight Queries:

  1. Log in using the Global, Data, or Data Query administrator or the Auditor authorization.

  2. Select Catalog > Governance Insights.

  3. Select the + icon to create a query or select a query you have previously created.

  4. Complete the form with the desired criteria. The criteria includes a set of attribute conditions or sub-expressions and filters that can be used to filter the result set based on specific attribute values.

  5. (Optional) Add a cross-reference filter or add expression criteria to the search criteria. Cross-reference filters are relationships between the selected entity type being searched and other entities in the system. They do not widen the data search, but limit the query based on the specified filter. For example, if you are searching for identities and want to only find all identities that are members of business roles, then add Member of Business Role as a cross-reference filter. If you only want to find users who are in violation of an Separation of Duty policy, then add Violating SoD cross-reference filter.

  6. Select the columns (attributes) to include in the results. The column order for the results matches the order you specify, and you can drag and drop the listed columns to change the order of display.

    Default columns display automatically in the selected column list when changing the searched entity type or when adding a cross-reference filter. Columns associated with a cross-reference filter are also automatically removed from the selected column list when you remove the reference filter.

  7. Select the Run icon to see query results. As you change the query options, select the Run icon to update the results.

  8. Select the Save icon to save the query.

  9. (Optional) Select Download as CSV to save the results.

If you include columns that contain multi-valued attributes, the query results contain multiple rows for those columns.

Identity Governance combines duplicate rows in the query results lists to avoid showing many rows with same value. For example, a query of identities on the Title attribute lists only one row for each title in your catalog, even though multiple identities might share the same title. In Oracle environments, the following object types and attributes do show multiple rows in the query results if you select any of these as a column:

  • User: Geo Location

  • Access Request Item: Change Item Comment

  • Change Item Action: Item Comment

7.4.2 Searching within Catalog Items

You can search for specific items in the catalog by selecting the type of item under Catalog, such as Users or Groups. Then type your search criteria in the search box, and select the search icon.

Identity Governance attempts to complete your search entry as you type. To ensure that users can more easily find a group, always include a description of the group that matches what users might use as a search term. For example, "Finance Team" for your financial group.

You can add additional criteria to the search by clicking the filter icon, where available, and using the expression builder. The expression builder gives you the ability to use AND, OR, and NOT expressions with the additional search criteria. You can save and reuse filters that you have defined.

The application or owner control provides a type-ahead feature to select applications or users in the system. Searching for applications, groups, or users requires selecting the catalog item.

HINT:You can configure the application wait time in milliseconds after the last time you press a key and before the application performs a type-ahead search by selecting Configuration > General Settings > Typeahead Delay.

The attributes that appear in the refinement list are fixed for Technical Roles, however, they can be configured for other catalog items.

To add or remove user attributes from the refinement list:

  1. Select Data Administration and then select the type of catalog item, such as Identity Attributes.

  2. Select an attribute to edit the attribute definition.

  3. Select the desired searchable option for the attribute to have it displayed in the catalog or not:

    Available in catalog searches. Change takes effect after publication.

    Select this option to enable the attribute for quick searches. If the option is selected, the attribute is available in the catalog list for searches. This means the search is performed against this column even if this column is not shown in the catalog list.

    Display as refine search option

    Select this option to enable the attribute for advanced searches.

    Display in review item selection criteria

    Select this option when you want the attribute displayed in review items. For more information, see Section 11.0, Running a Review Instance.

    Display in business role selection criteria

    Select this option when you want the attribute displayed when creating a business role membership expression. The membership expression contains the search criteria for membership in a business role. For more information, see Section 14.0, Creating and Managing Business Roles.

  4. Select Save, then publish the changes to the catalog.

7.4.3 Managing Filters

Where available in Identity Governance, you can add additional criteria to searches by clicking the filter icon and using the expression builder. The expression builder gives you the ability to use AND, OR, and NOT expressions with a set of attribute conditions or sub-expressions and filters that can be used to filter the result set based on specific values.

If you have filters you want to reuse in your environment, Identity Governance helps you manage these filters. Except for Insight Queries, you can save these filters and edit or delete them as needed for searches such as identities, permissions, roles, and policies.

  1. After using the expression builder to add a filter to a search, name the filter and select Save.

  2. The next time you select the filter icon, a menu allows you to select from several options.

  3. Select Manage saved filters.

  4. Here you can see all your saved filters, edit them, or delete them.

  5. Select Save or Close.