You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
EmpowerID Logs
EmpowerID maintains permanent logs of all activity and transactions that occur in the system. User logins as well as all activity within the EmpowerID system is logged in detail with date, time, initiator, approver, target, and other ancillary information regarding the transaction. Log events are categorized by type and include the following:
Audit Log
You can view these logs in the Web interface by expanding System Logs and clicking Audit Log.
Operation Audit Log – All activity within the EmpowerID system that impacts any protected resource object, such as user accounts, person objects and groups, is logged in detail with date, time, initiator, approver, target, and other ancillary information regarding the transaction.
Attribute Changes – EmpowerID monitors any changes currently taking place within your directories and between EmpowerID and those external directories. Changes detected in external systems can be viewed under Inbound Attribute Changes while any changes occurring within EmpowerID that are being passed to another system can be viewed under Outbound Attribute Changes. Outbound changes are processed by the Directory Change Processor job.
New Objects – The EmpowerID inventory engine monitors all connected systems for changes. One primary type of change detected is the creation of new objects within managed systems, such as Azure Active Directory or SharePoint online.
Membership Changes – EmpowerID's inventory process detects all changes to group membership and logs these changes for reporting and enforcement purposes. Both changes made via EmpowerID workflows as well as changes to group memberships made outside of EmpowerID with native tools are captured and classified by the change source.
Reports
EmpowerID provides over 75 reports out of the box to allow you to view information about the current status of your environment. Each report provides information pertinent to the resource type associated with the report, is searchable and provides links to initiate related workflows or view a specific resource contained in the report. Additionally, each grid in the user interfaces provides an Export button that allows you to download grid information as an Excel sheet.
Reports can be accessed by clicking Reports under System Logs.
System Change Outbox
The system change outbox detects changes
Inbox Logs
Account Inbox
EmpowerID flows all new accounts though the Account Inbox, which determines – based on configurable join and provision rules – whether the new account is an account that should be joined to an existing person, an account that needs to have a new person provisioned for it, or an account that should be ignored. The Account Inbox can be accessed by expanding Identity Lifecycle and clicking Account Inbox.
Â
The Account Inbox provides four log views.
All – Displays all external accounts that have been processed by the Account Inbox and their status within the system.
Processed (Ago) – The time and date the external account was processed by the inbox
Result – The processing result for the account
No result – The account has not been processed
Ignored – The account does not meet the conditions specified by the Join and Provision Rules, i.e., it is not a user account
Provisioned – The account does not meet the condition of the Join rule, but it is a user account. An new EmpowerID Person has been provisioned and joined to the account
Joined – The account meets the conditions of the Join rule and has been joined to an existing EmpowerID Person
Logon Name – The logon name of the account
Domain or Directory – The domain from where the account was inventoried
EmpowerID Logon – The login of the EmpowerID Person that was provisioned or joined to the account, if any.
Last Login – The last login of the person account
Process Status – Displays whether the account was processed by the Account Inbox.
0 – Unprocessed
1 – Ignored
2 – Processed
Display Name – The name for the user account in the EmpowerID user interfaces
Deleted – Displays whether the account has been deleted in EmpowerID
Distinguished Name – Distinguished name of the account
Disabled – Displays whether the user is disabled
Employee ID – Employee ID set for the account
Employee ID Other – Value set for the Employee ID other attribute
eMail – Email address for the user account
Person Deleted – Displays whether the Person linked to the account has been deleted in EmpowerID
Discovered – Date and time the account was discovered in the external system by EmpowerID (inventory)
Processed By Server – The server that processed the account entry
Proposed – Displays external accounts discovered by EmpowerID that were not processed for Person provisioning by the Account Inbox because a Person already exists. In these cases, the accounts are joined to their respective Person objects based on the Join rule.
Discovered – Date and time the account was discovered in the external system by EmpowerID (inventory)
Result – The processing result for the account
Max Allowed Accounts – Maximum number of user accounts allowed for the EmpowerID Person as set on the account store
Person Display Name – Display name of the Person account
EmpowerID Logon – EmpowerID Logon of the Person account
Display Name – Display name of the user account
Logon Name – Logon name of the user account
Domain or Directory – The domain from where the account was inventoried
Distinguished Name – Distinguished name of the account
Last Login – Date and time of the last login by the EmpowerID Person linked to the account
Deleted – Specifies whether the account is deleted
Disabled – Specifies whether the account is disabled
Employee ID – Employee ID set for the account
Employee ID Other – Value set for the Employee ID other attribute
eMail – Email address for the user account
Person Deleted – Specifies whether the Person account is deleted
Orphans – Displays all user accounts not linked to an EmpowerID Person.
Logon Name – The logon name of the account
Domain or Directory – The domain from where the account was inventoried
Usage Type – The type of account
Display Name – The name for the account in the EmpowerID user interfaces
Description – Description of the account
Disabled – Whether the account is disabled
Distinguished Name – Distinguished name of the account in EmpowerID
First Name – First name, if any
Last Name – Last name, if any
Dashboard – Provides a visual summary of Account Inbox information.
Â
Provisioning (RET) Inbox
The Provisioning (RET) Inbox continuously evaluates Provisioning (RET) policies, comparing those policies to information obtained from connected directories and resource systems. The inbox process determines mismatches between the resources (user accounts, mailboxes, etc.) a person should have (according to the RET policies they receive) and the resources they actually have. If mismatches are present, entries are created in the RET Inbox to record what provisions, de-provisions, or moves are required to rectify these differences. EmpowerID then processes those changes to perform the recommended actions. The RET Inbox can be accessed by expanding Identity Lifecycle and clicking Provisioning (RET) Inbox.
The Provisioning (RET) Inbox provides the below log views.
All – Displays all resource entitlement entries in the Provisioning (RET) Inbox.
ID – Unique identifier for the entry
Processed (Ago) – Hours and minutes from the current time that the entry was processed
RET Action – Displays the action to be taken by the system for the entry
Grant
Revoke
Entitlement Type – The resource to be granted or revoked, i.e., Azure AD User Account
Processed By Server – The server that processed the entry
Resource – Provides a link to the View page for the specific resource processed for the entry
Resource System – The resource system, i.e., Azure tenant, where the entitlement was granted or revoked
EmpowerID Login – The login of the EmpowerID Person receiving the resource entitlement action
Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement
Process Status – Displays the process status of resource entitlement entry
Not processed
In Progress
Processed
Error
Ignored
Pending Reprocessing
Failed Count – The number of times processing the resource entitlement failed, if any.
Last Failed – The date and time of the last failure to process the resource entitlement, if any.
Person Display Name – Display name of the Person receiving the resource entitlement
Created (Ago) – The time and date the resource entitlement was processed by the system
Priority (Lower is Higher Priority) – Priority of the resource entitlement as set by the policy
Display Name – Display name, if any
Object Class – Object class of the provisioned resource
Path – Path of the provisioned resource, if any
Processed By Server – Server that processed the inbox entry
Approved – Displays whether the resource entitlement was approved by a person
Auto Process – Displays whether the resource entitlement was auto-processed by the system
Reviewer – The person who reviewed the resource entitlement, if any
Reviewed Date – The date the resource entitlement was reviewed, if any
Pending Approval – Displays all resource entitlements that need to be approved before the system provisions those entitlements.
ID – Unique identifier for the entry
Batch ID – Unique identifier of the batch containing the inbox entry
Processed By Server – N/A
Approve – Provides a drop-down of approval actions visible to delegated users
Approve
Reject
Processed (Ago) – Value should be 0 mins
RET Action – Displays the action (grant or revoke) for the resource entitlement entry as specified by the RET policy
Entitlement Type – The type of resource to be provisioned or revoked for the entry, i.e., Windows Home Folder
Resource System – The system where the entitlement is to be provisioned or revoked
EmpowerID Login – The login for the EmpowerID Person receiving the resource entitlement entry
Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement entry
Process Status – Not Processed
Person Display Name – Display name of the EmpowerID Person targeted by the entry
Created (Ago) – Number of days from the current day that the entry was created
Priority (Lower is Higher Priority) – Priority of the resource entitlement as set by the policy
Display Name – Display Name of the Person account to receive the resource entitlement
Object Class – Object class of the pending resource entitlement, such as user
Path – N/A
Processed By Server –N/A
Auto Matched – N/A
Approved or Rejected – Displays all resource entitlements that have been approved or rejected by status.
Approved – True or false
Reviewer – PersonID link of the person who approved or rejected the resource entitlement. Clicking the link opens the Person View page for that person in another tab
Reviewed Date – The number of days, hours and minutes from current that the entry was reviewed by the reviewer, if any
ID – Unique identifier for the entry
Batch ID – Unique identifier of the batch containing the entry
Processed (Ago) – The number of days, hours and minutes from current that the entry was processed by the system
Processed By Server – The server that processed the entry, if any
RET Action – Displays the action ( grant or revoke) for the resource entitlement entry as specified by the RET policy
Entitlement Type – Type of resource for the entry, i.e., Azure AD User Account
Resource – The person to whom the resource would be granted or revoked
Resource System – The system where the entitlement is to be provisioned or revoked once approved
EmpowerID Login – The login of the EmpowerID Person receiving the resource entitlement action
Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement
Process Status – Displays the process status of resource entitlement entry
Person Display Name – Display name of the EmpowerID Person targeted by the
Created (Ago) – Number of days, hours and minutes from the current that the entry was created
Priority (Lower is Higher Priority) – Priority of the resource entitlement as set by the policy
Display Name – Display name, if any
Object Class – Object class of the resource
Path – Path of the provisioned resource, if any
Processed By Server – Server that processed the inbox entry
Auto Process – Displays whether the resource entitlement was auto-processed by the system
Pending Batches – Displays all resource entitlement batches pending approval in the system.
Approve – Provides a drop-down of approval actions visible to delegated users
Approve
Reject
Batch ID – Unique identifier of the batch containing the entry
Batch Count – Number of entries in the batch
Processed By Server – N/A
Resource Type – Type of resource in the batch, i.e., User Account
Resource System – The system where the entitlements are to be provisioned or revoked once approved
Resource Entitlement (Provisioning Policy) – The Provisioning policy linked to the resource entitlement
Created (Ago) – Number of days, hours and minutes from the current that the entry was created
Dashboard – Provides a visual summary of Provisioning (RET) Inbox information.
Login History
EmpowerID automatically logs all login attempts to EmpowerID or to any system using EmpowerID for login authentication. The Login History log provides a convenient searchable view of these login events. The log can be viewed by expanding Apps and Authentication and selecting Login History.
The Login History provides the below logging views.
Login History – Displays all logins for all users.
When (Ago) – The number of days, hours and minutes from current that the login attempt occurred
Message – Displays details about the login attempt and the reason for failure, if any
Who – The person who attempted to log in; could be anonymous
Successful – Displays whether the login attempt succeeded
Message – Displays details about the login attempt and the reason for failure, if any
Level of Assurance (LoA) – Number of points required for the login, if any. This is derived from the Password Manager Policy of the person.
Speed (Miles per Hour) – Speed traveled for login, if any
EmpowerID Login – The EmpowerID login of the person
Identity Provider – The IdP used to authenticate the person
Service Provider – The SP
Device – Device used to login
Method – Login method, i.e., WEB
IP – IP recorded for the login attempt
City – City from where the login attempt originated
State – State from where the login attempt originated
Country – Country from where the login attempt originated
Organization – Organization of the person attempting to log in
User Name – User name of the person
Failure Reason – Reason for login failure, if any
Date – Date and time of the login attempt
Browser Technical Details – Browser used
My Reports Logins – Displays all logins for the direct reports of the current user
When (Ago) – The number of days, hours and minutes from current that the login occurred
Person – Person who attempted to log in
Method – Login method, i.e., WEB
Successful – Displays whether the login attempt succeeded
EmpowerID Login – The EmpowerID login of the person
Identity Provider – The IdP used to authenticate the person
Service Provider – The SP
Device – Device used to login
Level of Assurance (LoA) – Number of points required for the login, if any. This is derived from the Password Manager Policy of the person.
IP – IP recorded for the login attempt
Speed (Miles per Hour) – Speed traveled for login, if any
City – City from where the login attempt originated
State – State from where the login attempt originated
Country – Country from where the login attempt originated
Organization – Organization of the person attempting to log in
Message – Displays details about the login attempt and the reason for failure, if any
Failure Reason – Reason for login failure, if any
When – Date and time login attempt occurred
Recent Login Sessions – Displays all login sessions occurring within the last 48 hours
When (Ago) – Displays the number of days, hours and minutes from now that the login session occurred within the last 48 hours
Person Display Name – Display Name of the Person who logged in
User Name – User name of the person
Identity Provider – The IdP used to authenticate the person
Service Provider – The SP
IP Address – IP address recorded for the login session
Device – Device used to login
Level of Assurance (LoA) – Number of points required for the login, if any. This is derived from the Password Manager Policy of the person.
Workflow Errors
The Workflow Error Log captures any exceptions thrown by EmpowerID during a workflow execution which and provides a convenient way to locate problems when troubleshooting. The log displays fields that allow you to view where the error occurred, what account and which person was executing the workflow, the severity of the error, and other values. The Workflow Error log can be viewed by expanding Infrastructure Admin > EmpowerID Servers and Settings and selecting Workflow Errors.
Â