Toxic policy audit log entry
Randolf Broer
When a configured toxic policy rule decides to deny an entitlement in favor of another entitlement, I would like to see that decision mentioned in the person's audit log. Otherwise it would be hard to see why a person should get an entitlement according to a business rule but does not get it.
Rick van den Dijssel
Randolf Broer This information is available, but not in the person overview. To find it, go to the Evaluations section and select the latest evaluation. There, you should see which individuals have had entitlements denied. If this information is not displayed, adjust the filter settings for that view, as entitlement denials are excluded by default.
We did not include this in the person audit logs for two main reasons:
- The audit log only records actions performed against external systems, such as account creation, permission granting, or account deletion.
- More importantly, entitlement denials occur during each evaluation. Logging every denial would generate an overwhelming number of audit log entries, making it difficult to track other critical actions.
Therefore, I understand this request as a need to see the denied entitlements from the latest evaluation for a particular person. This way, you wouldn’t have to navigate to the evaluation overview but could access this information directly on the person’s overview. I believe this is the core issue you’re trying to address. Am I correct?
Randolf Broer
Rick van den Dijssel Correct, I'd like to see all information of a person in one place. If for some reason I have to prove access, I'd expect to see all related information in the person view. And thank you for your clear explanation, that clarifies a lot, but I think there must be a way to show the denial somewhere and somehow on the person's view.