PingOne Advanced Identity Cloud

Historical change report

Advanced Identity Cloud add-on capability

Contact your Ping Identity representative if you want to add Advanced Reporting to your PingOne Advanced Identity Cloud subscription. Learn more in Add-on capabilities.

Advanced Identity Cloud’s advanced reporting capability allows you to generate historical data reports for IDM objects, summarizing the audit trail of changes to these managed identities. For each IDM profile change, Advanced Identity Cloud tracks the modified attribute, its previous and new values, the actor who made the change, timestamp, and transaction ID.

As a report author, you can generate reports on the history of managed identities. For example, you can create reports that list all profile changes for specific users over a period, show which users were deleted, or detail attribute changes for objects like roles, accounts, and applications.

Important tips for historical change reporting

The following are important points to keep in mind when using historical change reporting:

  • Scope

    • Advanced Identity Cloud reports display changes for all IDM-managed entities with the ability to filter by specific entity types. This includes users, roles, accounts, and applications.

    • Support is limited to IDM object profile changes only.

    • Relationship changes between entities aren’t included in the historical data reports.

  • Entity identification

    • To identify entities in reports, Advanced Identity Cloud uses a generic name attribute:

      • For end users: The report uses username.

      • For other IDM-managed entities like roles or applications: The report uses name.

      • For entity-specific display attributes: The report doesn’t show entity-specific display attributes, such as an end user’s first or last name, as part of the entity identifier. However, it does capture and display all attribute changes with their before and after values.

  • Custom objects

    • For custom objects, the report uses the name attribute as the entity name. If a name attribute doesn’t exist, it uses the object ID.

  • Actor representation

    • A universally unique identifier (UUID) represents the actor who performed the change and can correspond to a user, application, or another system actor.

  • Quota query limits

    • Historical reports adhere to the same paid tier query limits as existing reports. Learn more in Query limits.

Goals

After completing this use case, you’ll know how to do the following:

  • Create a historical data report template.

  • Run and view a historical data report.

Before you begin

Before you start work on this use case, ensure you have these prerequisites:

  • Make sure you have the advanced reporting capability in your Advanced Identity Cloud tenant.

  • Ensure you have the necessary permissions to create and run reports in Advanced Identity Cloud.

Tasks

Nova Fleming, an end user, needs to track all new account provisions within the organization. She asks the reports administrator to create a report for this purpose.

The reports administrator creates a new report template using the IDM Activity data source. To make sure the report only shows recent account provisions, the administrator adds a filter to track profile changes from the start of the year.

Task 1: Create the report template

  1. In the Advanced Identity Cloud admin console, go to Reports.

  2. On the Reports page, click add New Report.

  3. In the New Report modal, enter this information:

    • Name: Enter a name for your report.

    • Description: (optional) enter a description for your report.

    • Who Can Run: Select the end users who can run the report.

    • Report Viewer Group: Click to select a group of users who can view the report results. If not selected, all users who can run the report can view the results.

      UI example of the new report modal for historical data reports

  4. Click Next.

Task 2: Add the data source

  1. On the Add Data page, click add Data Source.

    UI example of the add data source page for historical data reports

  2. In the Add Data Source modal, select a Data Source and click Next. For example, select IDM Activity.

    UI example of the add data source modal for historical data reports

  3. On the draft report page, select the properties in the right column that you want to appear in the report. For example:

    • Actor: The actor who made the change.

    • Changed Attribute: The specific attribute that was modified in the IDM object.

    • Entity Name: The name of the IDM-managed entity that was changed. For end users, this is the username. For other entities like roles or applications, this is the name attribute. For custom objects, this is the name attribute if it exists, or the object ID if a name attribute doesn’t exist.

    • Entity Type: The type of the IDM-managed entity that was changed, such as user, role, account, or application.

    • Old Value: The value of the modified attribute before the change was made.

    • New Value: The value of the modified attribute after the change was made.

    • Timestamp: The date and time when the change occurred.

    • Transaction ID: The unique identifier for the transaction that triggered the change, which can be used to correlate related changes across different entities.

      You can rearrange the columns by dragging and dropping them in the desired order.
      UI example of a historical data report template with selected properties

  4. Limit the report results to a specific time range by adding filters on the timestamp property and excluding automated processes:

    1. In the right pane, scroll down to Add Filters and click add.

    2. In the Add Filters modal, enter this information:

      • Value: Enter a value for the filter. For example, select idm_activity_logs.Timestamp.

      • Operator: Select an operator for the filter. For example, select greater than or equal to.

      • Literal: Select the Literal option.

      • Value: Enter the literal value. For example, enter 2026-01-01T00:00:00.

    3. Click add, and then click Add Rule.

    4. Repeat the previous step to add another filter for the timestamp property to set an end date for the report results. For example, you can set the end date to the current date to show all account provisions from the start of the year.

      • Value: Enter a value for the filter. For example, select idm_activity_logs.Timestamp.

      • Operator: Select an operator for the filter. For example, select less than or equal to.

      • Literal: Select the Literal option.

      • Value: Enter the literal value. For example, enter 2026-02-07T00:00:00.

    5. Repeat the previous step to add another filter to exclude some automated processes and service accounts. Use the does not contain operator with the actor property to exclude any activity performed by specific actors, such as service accounts or automated processes that you don’t want to include in the report results.

      • idm-provisioning: idm-provisioning is an internal service account used to authenticate and securely provision user accounts within IDM (Identity Management).

      • org-engine-client: org-engine-client is an OAuth 2.0 or OIDC application registration client.

      • autoid-resource-server: autoid-resource-server is a resource server in an OAuth 2.0 flow.

    6. Click Save.

      UI example of the add filter modal for historical data reports

  5. On the report template, click Save in the top right.

Task 3: Run the report

  1. On the Reports page, click on the report you just created.

  2. Click Run Report.

  3. On the Run History tab, click View Report to see the result.

    The report shows a historical view of all profile changes for the IDM-managed entities matching the report filters. For example:

    UI example of the report results for a historical data report