You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.

EmpowerID Logs

EmpowerID maintains permanent logs of all activity and transactions that occur in the system. User logins as well as all activity within the EmpowerID system is logged in detail with date, time, initiator, approver, target, and other ancillary information regarding the transaction. Log events are categorized by type and include the following:

Audit Log

You can view these logs in the Web interface by expanding System Logs and clicking Audit Log.

  • Operation Audit Log – All activity within the EmpowerID system that impacts any protected resource object, such as user accounts, person objects and groups, is logged in detail with date, time, initiator, approver, target, and other ancillary information regarding the transaction.

  • Attribute Changes – EmpowerID monitors any changes currently taking place within your directories and between EmpowerID and those external directories. Changes detected in external systems can be viewed under Inbound Attribute Changes while any changes occurring within EmpowerID that are being passed to another system can be viewed under Outbound Attribute Changes. Outbound changes are processed by the Directory Change Processor job.

  • New Objects – The EmpowerID inventory engine monitors all connected systems for changes. One primary type of change detected is the creation of new objects within managed systems, such as Azure Active Directory or SharePoint online.

  • Membership Changes – EmpowerID's inventory process detects all changes to group membership and logs these changes for reporting and enforcement purposes. Both changes made via EmpowerID workflows as well as changes to group memberships made outside of EmpowerID with native tools are captured and classified by the change source.

Reports

EmpowerID provides over 75 reports out of the box to allow you to view information about the current status of your environment. Each report provides information pertinent to the resource type associated with the report, is searchable and provides links to initiate related workflows or view a specific resource contained in the report. Additionally, each grid in the user interfaces provides an Export button that allows you to download grid information as an Excel sheet.

Reports can be accessed by clicking Reports under System Logs.

  • Access Assignments to Person Direct – This report displays all access assignments made directly to a person.

  • Account Service Identities – This report displays all accounts used as service or app pool identities.

  • Accounts - Computer Local Admins – This report displays all users that are local computer administrators.

  • Accounts - High Security –  This report displays all accounts that are members of any high security group.

  • Accounts - Local Computer Accounts – This report displays all local computer accounts.

  • Accounts - Privileged Accounts – This report displays all accounts flagged as a privileged account usage type.

  • Accounts - Shared Credentials – This report displays all accounts used as shared credentials.

  • Accounts Created in the Last 30 Days – This report displays all accounts created in EmpowerID within the last 30 days.

  • Accounts No Login 90 Days – This report displays all AD accounts that have not logged in during the last 90 days.

  • Accounts Password Never Expires – This report displays all AD accounts where the password is set to never expire.

  • Accounts Password Older 120 Days – This report displays all account with password older than 120 days.

  • Accounts with Deleted Owners – This report displays all accounts owned by people who have been deleted from EmpowerID.

  • Accounts with Manager Expiring in 60 Days – This report displays all accounts where the manager of that user is expiring in 60 days.

  • Accounts without a Responsible Party – This report displays all accounts without a responsible party; to meet this qualification, the account in question must have no PersonID or OwnerAssigneeID.

  • Accounts without Managers – This report displays accounts without managers assigned in AD.

  • AD Accounts Expiring 60 Days – This report displays account in AD expiring within the next 60 days.

  • AD Accounts that Never Logged In – This report displays AD accounts that have never logged in.

  • All Access Assignments in the System – This report displays all access assignments in the system.

  • All High Security Groups – This report displays all groups flagged as high security groups in EmpowerID.

  • Audit Log Report – This report displays the audit log.

  • Computers without a Responsible Party – This report displays all computer that do not have a valid owner or a responsible person.

  • Core Identities Created Last 30 Days – This report displays all core identities created in the last 30 days.

  • Core Identity Without a Person – This report displays all cored identities without a person assigned to them.

  • Empty Groups – This report displays all groups that do not contain any members.

  • Enforcement Groups – This report displays all EID groups used by EmpowerID for permissions enforcement.

  • Expired Accounts – This report displays all accounts that have expired in AD.

  • Expired Groups – This report displays all groups where the ValidUntil date has passed.

  • Group Membership High Security – This report displays all groups memberships for high security groups.

  • Group Membership Not People – This report displays all group memberships for accounts that aren’t people.

  • Group Membership Not RBAC Assigned – This report displays all groups memberships where account is a member of a group not by RBAC policy.

  • Groups - Possible Stale Disabled Members – This report displays all groups that may be stale because all members of the group are disabled or expired.

  • Groups and their Native AD Managed By – This report displays all groups and their native AD managers.

  • Groups Expiring 30 Days – This report displays all groups expiring in the next 30 days.

  • Groups O365 Type – This report displays all Office 365 groups.

  • Groups without a Responsible Party – This report displays all sensitive groups that do not have a valid owner or responsible party.

  • High Security People – This report displays all high security people - where they have at least one high security group membership.

  • Locked Out Accounts – This report displays all AD accounts that were locked out as of the last inventory.

  • Mailboxes Owned by Deleted People – This report displays all mailboxes owned by people that have been terminated.

  • Management Roles without a Responsible Party – This report displays all Management Roles that do not have a valid owner or responsible Person.

  • Orphan Accounts – This report displays all accounts that do not belong to a person.

  • Password Manager Enrollments – This report displays all people who have enrolled for password management.

  • People Created in Last 30 Days – This report displays all people created in the last 30 days.

  • People Logged In Last 1 Day – This report displays all people who have logged in to the system during the previous day.

  • People Not Enrolled – This report displays all people who have not enrolled for password self-service reset.

  • People Not Logged In 30 Days – This report displays all people who have not logged in to the system within the last 30 days.

  • People That Have Ever Logged In – This report displays all people that ever logged in to the system.

  • People with Invalid Managers – This report displays all people with disabled or terminated managers.

  • People without Accounts – This report displays all people that do not own any user accounts.

  • Person Duplicate Email – This report displays all people with duplicate email addresses.

  • Person Duplicate Phone Number – This report displays people with the same phone number.

  • Person Logged In 30 Days – This report displays all people that have logged in to the system at least once during the last 30 days.

  • Person Verified Addresses – This report displays all verified person communication channels to include verified emails, SMS and voice call numbers.

  • Possible Stale Groups – This report displays all groups that have not had a change in membership within the last 180 days.

  • Recertification Fulfillment Report – This report displays all fulfillment actions.

  • Recertification Revokes All – This report displays recertification revokes.

  • Recertification revokes Completed – This report displays all recertification revokes that are flagged as completed.

  • Recertification Revokes Failed – This report displays all recertification revokes that are flagged as failed.

  • Recertification Revokes Ignored – This report displays all recertification revokes that are flagged as ignored.

  • Recertification Revokes In Progress – This report displays all recertification revokes that are still in progress.

  • SAP Role and Profile Membership Changes – This report displays any change history for SAP Roles and Profiles.

  • Status by Location – This report displays all recertification stats by location.

  • Too 100 High Security Groups – This report displays the top 100 high security groups with the most members.

  • Top 100 Riskiest Groups – This report displays the top 100 groups with the highest risk scores. Risk scores are calculated by what members of the group can do in the system.

  • Top 100 Riskiest People – This report displays the top 100 people with the highest risk scores. Risk scores are calculated by what people can do in the system.

  • Your Access Assignments – This report displays all of the access assignments granted to the currently logged in user.

  • Your Expiring Access Assignments – This report displays all of the access assignments granted to the currently logged in user that are due to expire.

  • Your Reports Access – This report displays all of the access assignments of the directs reports assigned to the currently logged in user.

  • Your Reports Expiring Assignments – This report displays all of the access assignments granted to the direct reports of the currently logged in user that are due to expire.

System Change Outbox

The system change outbox detects changes

Inbox Logs

Account Inbox

EmpowerID flows all new accounts though the Account Inbox, which determines – based on configurable join and provision rules – whether the new account is an account that should be joined to an existing person, an account that needs to have a new person provisioned for it, or an account that should be ignored. The Account Inbox can be accessed by expanding Identity Lifecycle and clicking Account Inbox.

 

The Account Inbox provides four log views.

  • All – Displays all external accounts that have been processed by the Account Inbox and their status within the system.

    • Processed (Ago) – The time and date the external account was processed by the inbox

    • Result – The processing result for the account

      • No result – The account has not been processed

      • Ignored – The account does not meet the conditions specified by the Join and Provision Rules, i.e., it is not a user account

      • Provisioned – The account does not meet the condition of the Join rule, but it is a user account. An new EmpowerID Person has been provisioned and joined to the account

      • Joined – The account meets the conditions of the Join rule and has been joined to an existing EmpowerID Person

    • Logon Name – The logon name of the account

    • Domain or Directory – The domain from where the account was inventoried

    • EmpowerID Logon – The login of the EmpowerID Person that was provisioned or joined to the account, if any.

    • Last Login – The last login of the person account

    • Process Status – Displays whether the account was processed by the Account Inbox.

      • 0 – Unprocessed

      • 1 – Ignored

      • 2 – Processed

    • Display Name – The name for the user account in the EmpowerID user interfaces

    • Deleted – Displays whether the account has been deleted in EmpowerID

    • Distinguished Name – Distinguished name of the account

    • Disabled – Displays whether the user is disabled

    • Employee ID – Employee ID set for the account

    • Employee ID Other – Value set for the Employee ID other attribute

    • eMail – Email address for the user account

    • Person Deleted – Displays whether the Person linked to the account has been deleted in EmpowerID

    • Discovered – Date and time the account was discovered in the external system by EmpowerID (inventory)

    • Processed By Server – The server that processed the account entry

  • Proposed – Displays external accounts discovered by EmpowerID that were not processed for Person provisioning by the Account Inbox because a Person already exists. In these cases, the accounts are joined to their respective Person objects based on the Join rule.

    • Discovered – Date and time the account was discovered in the external system by EmpowerID (inventory)

    • Result – The processing result for the account

    • Max Allowed Accounts – Maximum number of user accounts allowed for the EmpowerID Person as set on the account store

    • Person Display Name – Display name of the Person account

    • EmpowerID Logon – EmpowerID Logon of the Person account

    • Display Name – Display name of the user account

    • Logon Name – Logon name of the user account

    • Domain or Directory – The domain from where the account was inventoried

    • Distinguished Name – Distinguished name of the account

    • Last Login – Date and time of the last login by the EmpowerID Person linked to the account

    • Deleted – Specifies whether the account is deleted

    • Disabled – Specifies whether the account is disabled

    • Employee ID – Employee ID set for the account

    • Employee ID Other – Value set for the Employee ID other attribute

    • eMail – Email address for the user account

    • Person Deleted – Specifies whether the Person account is deleted

  • Orphans – Displays all user accounts not linked to an EmpowerID Person.

    • Logon Name – The logon name of the account

    • Domain or Directory – The domain from where the account was inventoried

    • Usage Type – The type of account

    • Display Name – The name for the account in the EmpowerID user interfaces

    • Description – Description of the account

    • Disabled – Whether the account is disabled

    • Distinguished Name – Distinguished name of the account in EmpowerID

    • First Name – First name, if any

    • Last Name – Last name, if any

  • Dashboard – Provides a visual summary of Account Inbox information.

     

Provisioning (RET) Inbox

The Provisioning (RET) Inbox continuously evaluates Provisioning (RET) policies, comparing those policies to information obtained from connected directories and resource systems. The inbox process determines mismatches between the resources (user accounts, mailboxes, etc.) a person should have (according to the RET policies they receive) and the resources they actually have. If mismatches are present, entries are created in the RET Inbox to record what provisions, de-provisions, or moves are required to rectify these differences. EmpowerID then processes those changes to perform the recommended actions. The RET Inbox can be accessed by expanding Identity Lifecycle and clicking Provisioning (RET) Inbox.

The Provisioning (RET) Inbox provides the below log views.

  • All – Displays all resource entitlement entries in the Provisioning (RET) Inbox.

    • ID – Unique identifier for the entry

    • Processed (Ago) – Hours and minutes from the current time that the entry was processed

    • RET Action – Displays the action to be taken by the system for the entry

      • Grant

      • Revoke

    • Entitlement Type – The resource to be granted or revoked, i.e., Azure AD User Account

    • Processed By Server – The server that processed the entry

    • Resource – Provides a link to the View page for the specific resource processed for the entry

    • Resource System – The resource system, i.e., Azure tenant, where the entitlement was granted or revoked

    • EmpowerID Login – The login of the EmpowerID Person receiving the resource entitlement action

    • Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement

    • Process Status – Displays the process status of resource entitlement entry

      • Not processed

      • In Progress

      • Processed

      • Error

      • Ignored

      • Pending Reprocessing

    • Failed Count – The number of times processing the resource entitlement failed, if any.

    • Last Failed – The date and time of the last failure to process the resource entitlement, if any.

    • Person Display Name – Display name of the Person receiving the resource entitlement

    • Created (Ago) – The time and date the resource entitlement was processed by the system

    • Priority (Lower is Higher Priority) – Priority of the resource entitlement as set by the policy

    • Display Name – Display name, if any

    • Object Class – Object class of the provisioned resource

    • Path – Path of the provisioned resource, if any

    • Processed By Server – Server that processed the inbox entry

    • Approved – Displays whether the resource entitlement was approved by a person

    • Auto Process – Displays whether the resource entitlement was auto-processed by the system

    • Reviewer – The person who reviewed the resource entitlement, if any

    • Reviewed Date – The date the resource entitlement was reviewed, if any

  • Pending Approval – Displays all resource entitlements that need to be approved before the system provisions those entitlements.

    • ID – Unique identifier for the entry

    • Batch ID – Unique identifier of the batch containing the inbox entry

    • Processed By Server – N/A

    • Approve – Provides a drop-down of approval actions visible to delegated users

      • Approve

      • Reject

    • Processed (Ago) – Value should be 0 mins

    • RET Action – Displays the action (grant or revoke) for the resource entitlement entry as specified by the RET policy

    • Entitlement Type – The type of resource to be provisioned or revoked for the entry, i.e., Windows Home Folder

    • Resource System – The system where the entitlement is to be provisioned or revoked

    • EmpowerID Login – The login for the EmpowerID Person receiving the resource entitlement entry

    • Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement entry

    • Process Status – Not Processed

    • Person Display Name – Display name of the EmpowerID Person targeted by the entry

    • Created (Ago) – Number of days from the current day that the entry was created

    • Priority (Lower is Higher Priority) – Priority of the resource entitlement as set by the policy

    • Display Name – Display Name of the Person account to receive the resource entitlement

    • Object Class – Object class of the pending resource entitlement, such as user

    • Path – N/A

    • Processed By Server –N/A

    • Auto Matched – N/A

  • Approved or Rejected – Displays all resource entitlements that have been approved or rejected by status.

    • Approved – True or false

    • Reviewer – PersonID link of the person who approved or rejected the resource entitlement. Clicking the link opens the Person View page for that person in another tab

    • Reviewed Date – The number of days, hours and minutes from current that the entry was reviewed by the reviewer, if any

    • ID – Unique identifier for the entry

    • Batch ID – Unique identifier of the batch containing the entry

    • Processed (Ago) – The number of days, hours and minutes from current that the entry was processed by the system

    • Processed By Server – The server that processed the entry, if any

    • RET Action – Displays the action ( grant or revoke) for the resource entitlement entry as specified by the RET policy

    • Entitlement Type – Type of resource for the entry, i.e., Azure AD User Account

    • Resource – The person to whom the resource would be granted or revoked

    • Resource System – The system where the entitlement is to be provisioned or revoked once approved

    • EmpowerID Login – The login of the EmpowerID Person receiving the resource entitlement action

    • Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement

    • Process Status – Displays the process status of resource entitlement entry

    • Person Display Name – Display name of the EmpowerID Person targeted by the

    • Created (Ago) – Number of days, hours and minutes from the current that the entry was created

    • Priority (Lower is Higher Priority) – Priority of the resource entitlement as set by the policy

    • Display Name – Display name, if any

    • Object Class – Object class of the resource

    • Path – Path of the provisioned resource, if any

    • Processed By Server – Server that processed the inbox entry

    • Auto Process – Displays whether the resource entitlement was auto-processed by the system

  • Pending Batches – Displays all resource entitlement batches pending approval in the system.

    • Approve – Provides a drop-down of approval actions visible to delegated users

      • Approve

      • Reject

    • Batch ID – Unique identifier of the batch containing the entry

    • Batch Count – Number of entries in the batch

    • Processed By Server – N/A

    • Resource Type – Type of resource in the batch, i.e., User Account

    • Resource System – The system where the entitlements are to be provisioned or revoked once approved

    • Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement

    • Created (Ago) – Number of days, hours and minutes from the current that the entry was created

  • Dashboard – Provides a visual summary of Provisioning (RET) Inbox information.

Login History

EmpowerID automatically logs all login attempts to EmpowerID or to any system using EmpowerID for login authentication. The Login History log provides a convenient searchable view of these login events. The log can be viewed by expanding Apps and Authentication and selecting Login History.

The Login History provides the below logging views.

  • Login History – Displays all logins for all users.

    • When (Ago) – The number of days, hours and minutes from current that the login attempt occurred

    • Message – Displays details about the login attempt and the reason for failure, if any

    • Who – The person who attempted to log in; could be anonymous

    • Successful – Displays whether the login attempt succeeded

    • Message – Displays details about the login attempt and the reason for failure, if any

    • Level of Assurance (LoA) – Number of points required for the login, if any. This is derived from the Password Manager Policy of the person.

    • Speed (Miles per Hour) – Speed traveled for login, if any

    • EmpowerID Login – The EmpowerID login of the person

    • Identity Provider – The IdP used to authenticate the person

    • Service Provider – The SP

    • Device – Device used to login

    • Method – Login method, i.e., WEB

    • IP – IP recorded for the login attempt

    • City – City from where the login attempt originated

    • State – State from where the login attempt originated

    • Country – Country from where the login attempt originated

    • Organization – Organization of the person attempting to log in

    • User Name – User name of the person

    • Failure Reason – Reason for login failure, if any

    • Date – Date and time of the login attempt

    • Browser Technical Details – Browser used

  • My Reports Logins – Displays all logins for the direct reports of the current user

    • When (Ago) – The number of days, hours and minutes from current that the login occurred

    • Person – Person who attempted to log in

    • Method – Login method, i.e., WEB

    • Successful – Displays whether the login attempt succeeded

    • EmpowerID Login – The EmpowerID login of the person

    • Identity Provider – The IdP used to authenticate the person

    • Service Provider – The SP

    • Device – Device used to login

    • Level of Assurance (LoA) – Number of points required for the login, if any. This is derived from the Password Manager Policy of the person.

    • IP – IP recorded for the login attempt

    • Speed (Miles per Hour) – Speed traveled for login, if any

    • City – City from where the login attempt originated

    • State – State from where the login attempt originated

    • Country – Country from where the login attempt originated

    • Organization – Organization of the person attempting to log in

    • Message – Displays details about the login attempt and the reason for failure, if any

    • Failure Reason – Reason for login failure, if any

    • When – Date and time login attempt occurred

  • Recent Login Sessions – Displays all login sessions occurring within the last 48 hours

    • When (Ago) – Displays the number of days, hours and minutes from now that the login session occurred within the last 48 hours

    • Person Display Name – Display Name of the Person who logged in

    • User Name – User name of the person

    • Identity Provider – The IdP used to authenticate the person

    • Service Provider – The SP

    • IP Address – IP address recorded for the login session

    • Device – Device used to login

    • Level of Assurance (LoA) – Number of points required for the login, if any. This is derived from the Password Manager Policy of the person.

Workflow Errors

The Workflow Error Log captures any exceptions thrown by EmpowerID during a workflow execution which and provides a convenient way to locate problems when troubleshooting. The log displays fields that allow you to view where the error occurred, what account and which person was executing the workflow, the severity of the error, and other values. The Workflow Error log can be viewed by expanding Infrastructure Admin > EmpowerID Servers and Settings and selecting Workflow Errors.