Auditing an executed job to find who or what triggered an event.

Hello Experts,

I am in need of some assistance. We had an incident where a few users got removed from a group and I've been tasked to find out how and who did it. I found the job that did it but it says it was done by "sa" and when I look at created by it says "QBM_PJobCreate". I've tried to look at the jobqueue logs but it doesn't tell me much... Is there a table or query I can run to see what or who may have triggered this? Unfortunately, we do not have group membership logged in time trace.

I sure would appreciate your help.

Thanks,

JP

  • Hi,

    You haven't said which version you are using but I'm assuming it's V7 or higher.

    So it looks like a dbqueue job generated the delete jobs in the jobqueue.

    So something happened to the group itself or the group members or the conditions under which the membership is assigned/removed... Was the membership directly assigned or indirect? Did the isGroupAccount flag change on the members? Is the group membership still there in the assignment table but with XIsInEffect=False?

    Need a bit more to go on to track this down.

    Cheers, Barry.

  • Hi Barry,

    My apologies. Yes, we are using 8.0.1. These are unmanaged accounts so do not have "isGroupAccount" flag. The membership was direct and this job removed the membership... The group shows it was last updated by "sa" and the user last updated by "Synchronization", so I am thinking it was a group that was updated rather than accounts.

    Thanks,

    Jay

  • Hi Jay,

    So what is the namespace we are talking about here? ADSAccount? LDAPAccount? Other? You say that the user was updated by Synchronization so I'm guessing it's a namespace that you sync from a target... users/groups/group memberships etc... so could it be that the membership was removed in the target system and that was then sync'd to OI resulting in the membership removal in OI?

    HTH, Barry.