2.4 What Kind of Data Will I Get?

Identity Intelligence gathers audit data from data sources such as Identity Manager and Identity Governance. Identity Intelligence stores the data according to its fundamental type:

Activity data

Represents user activities logged by data sources. For example, requests for roles and the approval activities associated with those requests. Or activities associated with an access review in Identity Governance. Activity data can be associated with process instances or non-process instances.

Identity Intelligence places this data in an event datastore.

Entity data

Represents the contextual data associated with the activities. For example, the identity, account, or group that requested the role; the name and description of the role or access right; and the identity’s name and phone number.

Identity Intelligence places this data in an entity datastore.

In general, Views generate data from the event datastore, while Profiles access the entity datastore. However, the Views and Profiles are interconnected. When you select the name of an access right or user in a View, Identity Intelligence contacts the entity datastore to build the Profile for the selected object.

2.4.1 Displaying Data in a View

To reduce the amount of data points displayed in a View, Identity Intelligence consolidates all events associated with a unique request activity into a single data point referred to as a process instance. Depending on the View’s criteria, these process instances might be approved, denied, or still in progress. Other data points in the View might represent non-process instances.

Process Instances

Identity Intelligence classifies most activity data as process instances. A typical process instance contains all events included in a single workflow process that has a common correlation ID, which is assigned in the data source such as Identity Manager or Identity Governance. However, some process instances represent automated workflows that don't require approval to add or revoke a request. Within the process instance, you might find the following event data:

Initiating event

Represents events such as a request for an access right.

For example, when Emma requests the HGF_user role in Identity Manager, the data contains a Category Behavior attribute that equals Authorization/*/Request/Create.

Account or user that requested the access right

Represents the user or account that either receives the access right or makes the request on behalf of someone else. For example, Sarah Gibson requests the HGF_user role for her employee Emma. In this case, the Source Username attribute represents Sarah while Destination Username represents Emma. If Emma had made the request for herself, both attributes would indicate Emma.

Access right being requested

Represents the specific access right.

For example, when Emma requests the HGF_user role, the File Name attribute equals cn=HGF_user.

System events

Represents the workflow events that the data source (such as Identity Manager or Identity Governance) creates to manage the process.

For example, assigning the task to the first approver, then forwarding the request to the next approver in the process.

Ending event

Represents the final event in the workflow process, such as a cancellation, approval, or denial of the request.

For example, the Category Outcome attribute equals Success (approved) or Failed (denied).

Non-Process Instances

Identity Intelligence displays non-process events only when you configure the View to summarize the events by Activity lifecycles plotted over time

Sometimes, individuals grant and revoke access rights without using the request process in the Identity Intelligence data sources. For example, a system administrator creates an identity for Emma Belafonte in Active Directory. Then Avanti Rana, as the resource owner of the Home Grown Financial (HGF) application, logs in to HGF to manually grant Emma Belafonte the HGF_user role. A few days later, Identity Manager collects the updates from HGF and Active Directory. Then Identity Intelligence collects data from Identity Manager. Upon receiving data about Emma and her access rights, Identity Intelligence stores the data in the event datastore. However, because the events occurred outside of an Identity Manager process, Identity Intelligence classifies the events as non-process instances.

In general, non-process instances represent actions passed from an identity data source to Identity Manager or Identity Governance. However, non-process activities might also take place within Identity Manager or Identity Governance. For example, Avanti Rana creates the HGF_user role in Identity Manager, and then assigns the role to Emma Belafonte. With this assignment, Avanti has bypassed the request process for that access right and identity. Other non-process instances can include the initial collection of identities and access rights from a data source. That is, the provisioning activities occurred manually in the original application or Active Directory.

Non-process instances appear in the data as standalone events because have no recognizable associations with activities that usually occur in a process instance. From the Identity Intelligence perspective, these standalone events belong in a View because they meet one of the following criteria:

  • Creation, deletion, or modification of an identity

  • Association of an access right with an identity or account

In the visualization of a View, Identity Intelligence indicates non-process instances with .

Incomplete Data

A data point that the View shows as Incomplete data represents an activity process with either a start date or end date that falls outside the specified time range.

For example, Emma requests access to the HGF_user role on May 29, which gets provisioned on June 3. You configure the View to display request activity from June 1 to August 31. Although Emma’s request was fulfilled after June 1 (within the specified time range), the visualization shows the process as incomplete because the initial request action occurred before your time range.

If the View includes many incomplete processes at either end of the time range, you might want to modify the View criteria.