Auditing with the FIM Query Tool

Brad Turner recently received a question from a blog reader:

"I am interested in knowing how can we track/audit which user did a certain change on a user/group account through the ILM portal. Have you written a previous post about this issue? Do you have any information that might help me?"

There are a few ways you could approach this challenge. First, you could find all requests on an object. Here's how you can do that with the FIM Query Tool:

1. Run the FIM Query Tool and filter for "Request" object types.



2. Select the following attributes to capture in your audit:
   
   • Created Time
   • Creator
   • Display Name
   • Operation
   • Request Parameters
   • Target


3. Change the Reference Format to DisplayName, so that you're not just looking at GUIDs.



4. Finally, use the following XPath filter:
   
   /Request[Target = /Person[DisplayName = 'Joe Zamora']]
   
   To kind of translate this XPath, we're looking for Request objects whose Target matches the following condition: a Person whose display name is "Joe Zamora". In a production scenario, you'd probably want to use the object's GUID to do the search (ObjectId = '12345678-ABCD-1234-ABCD-1234567890AB'), but I use the display name to make it more readable.

One nice feature of the FIM Query Tool is that, because the results are displayed in a data grid view, you can sort results without re-running the query. Just click on a column header to sort by that column.



One additional note on the results set: to see the details of the request, you'll want to pay attention to the RequestParameters attribute. This is where you'll find which attributes were updated and their new values. This is also where the FIM Query Tools falls a bit short. The attribute is stored in XML, and isn't formatted neatly for quick review. There's a good enhancement request!

Now, this query is pretty handy, but if the object has been updated many times, you may find yourself waiting longer than you'd bargained for to see the results of the audit. Brad suggested that we use the XPath historical query functions to narrow the results set down to a certain time window.

So, the second approach is to use the "betweenTime" XPath function to plug in the time window of interest. Try this in the FIM Query Tool with the rest of the settings remaining the same as above:

betweenTime(/Request[Target = /Person[DisplayName = 'Joe Zamora']], '2008-10-31', '2008-12-31')

Voila! Now you see all the users who made updates to the object during your desired time period. Brad also mentioned a few other XPath functions that he and David Lundell presented at TEC 2009:

• allTime(filter) - Show me the objects that ever satisfied this filter


• betweenTime(filter, begin datetime, end datetime) - Show me the objects that ever satisfied this filter during the time range specified


• atTime(filter, datetime) - Show me the object that satisfied the filter at the specified date and time

David builds some good examples here:

Who were payroll admins at the precise moment of the theft?
atTime(/Person[ObjectID = /Group[DisplayName = 'Payroll Admins']/ComputedMember, '2009-02-01T00:00')

Who were the payroll admins in the merry merry month of of May?
betweenTime(/Person[ObjectID = /Group[DisplayName = 'Payroll Admins']/ComputedMember, '2008-05-01T00:00' , '2008-05-31T23:59:59')

Webinar: Geneva (aka WIF)

Ensynch will be co-presenting a webinar with Quest next week on the Geneva framework (now called Windows Identity Foundation).

When: Wednesday, July 29, 2009 10:30 to 11:30 (PST) 12:30 to 1:30 (CST) 1:30 to 2:30 (EST) Where: Web/Online Live Meeting Information will be sent to attendees Presenters: David Lundell, Identity Management Practice Leader, Ensynch Jonathan Sander IAM and Security Analyst Quest Software	Webinar: How Microsoft Geneva Streamlines Business - Learn How to Reap the Benefits of True Web  Single-Sign-On and Federation Has your organization been forced to deploy one-off solutions to solve login or compliance problems with a newly deployed technology? Are your employees tired of using multiple logins for all kinds of access needs? Having trouble managing shared resources users both inside and outside of your organization? Using open platform identity management solution Microsoft Geneva, you can save money and make your business more efficient today, and also make it more easily scalable for the future. I would like to invite you to our latest exclusive "no frills" webinar: "How Microsoft Geneva Streamlines Business," the 1st in a 4-part Identity Management Webinar Series from Ensynch's Identity Management Practice Leader and Microsoft Identity Management MVP, David Lundell, and Quest Software IAM and Security Analyst, Jonathan Sander. This webinar is designed for business leaders, and will present business value propositions for the Microsoft Geneva framework. Whether identity management is a major concern for your organization or if you are simply curious about using Microsoft Geneva as an asset to help your business, this webinar is for you. Webinar Agenda: - Yikes! The business pain points of managing lots of identities - High level discussion of Microsoft Geneva - Business value of Geneva - Gaps of the Geneva framework - Possible solutions to the gaps - ROI of Geneva versus other Single-Sign-On solutions - Geneva and the Cloud - Q & A Stay Tuned for the other three parts of this webinar series: A Technical Overview of the Microsoft Geneva Infrastructure Thursday, August 20, 2009 Using the Microsoft Geneva Framework to Solve Your Federation Needs Thursday, September 10, 2009 Accelerate Your Businesses for the Future with Microsoft Geneva and the Cloud Thursday, October 1, 2009   [Register Now]