Oracle® Identity Manager Audit Report Developer's Guide Release 9.1.0.1 Part Number E14045-03
Group profile audits cover changes to group profile attributes, group administrators, and direct subgroups.
Unlike user profile auditing, group profile auditing has no audit level of its own. Instead, the audit level defined for user profile auditing governs group profile auditing: group profiles are audited only if the user profile audit level is Membership or a higher level. By default, user profile auditing is enabled and its audit level is set to Resource Form when you install Oracle Identity Manager. Because Resource Form is a higher level than Membership, group profile auditing is also enabled by default.
Each time a group profile changes, Oracle Identity Manager takes a snapshot of the group profile and stores the snapshot in an audit table in the database.
If no initial snapshot exists for a group when an audit record is created for it, Oracle Identity Manager generates one from the group's current state and treats that snapshot as the initial snapshot.
The following are the components of a group profile and the tables that hold them:
User group record: UGP table, including all UDFs for groups
User group administrators: GPP table
Subgroup information: GPG table
Oracle Identity Manager stores group snapshot data as XML in the Group Profile Audit (GPA) table. The following sections describe the XML representation of snapshots and of changes to snapshots.
The following elements constitute the XML representation of a group profile snapshot:
GroupSnapshot: This is the topmost element in the XML representation. It carries a group key and a version for each XML entry. For a particular group profile, the value of the group key is fixed, and the version number is incremented by 1 for each new snapshot created for that group profile.
The remaining elements in this list are child elements of the GroupSnapshot element.
GroupInfo: This element contains general group profile information.
GroupAdmin: This element contains information about group administrators.
Subgroups: This element contains information about subgroups.
Example 4-1 is the XML representation of a sample group profile snapshot.
Example 4-1 XML Representation of a Group Profile Snapshot

<?xml version="1.0" encoding="UTF-8" ?>
<GroupSnapshot key="311" version="1.0">
  <GroupInfo>
    <Attribute name="Groups.Creation Date">2007-04-12 17:27:17.231</Attribute>
    <Attribute key="311" name="Groups.Group Name">TESTGROUP100</Attribute>
    <Attribute name="Groups.Update Date">2007-04-12 17:27:17.231</Attribute>
    <Attribute key="1" name="UGP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
    <Attribute key="1" name="UGP_CREATEBY_LOGIN">XELSYSADM</Attribute>
    <Attribute name="Groups.Group Status">Active</Attribute>
  </GroupInfo>
  <GroupAdmin>
    <Group key="1">
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Creation Date">2007-04-12 17:27:17.356</Attribute>
      <Attribute name="Groups.Key">311</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
      <Attribute name="Groups-Group Ownership.Update Date">2007-04-12 17:27:17.356</Attribute>
      <Attribute key="1" name="GPP_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="Groups.Group Name">SYSTEM ADMINISTRATORS</Attribute>
      <Attribute key="1" name="GPP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
    </Group>
    <Group key="312">
      <Attribute key="1" name="GPP_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="312" name="Groups.Group Name">ADMINGROUP1</Attribute>
      <Attribute key="1" name="GPP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
    </Group>
    <Group key="313">
      <Attribute key="1" name="GPP_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="313" name="Groups.Group Name">ADMINGROUP2</Attribute>
      <Attribute key="1" name="GPP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">0</Attribute>
    </Group>
  </GroupAdmin>
  <Subgroups>
    <Group key="314">
      <Attribute name="Groups-User Sub Groups.Creation Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute name="Groups-User Sub Groups.Update Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute key="1" name="GPG_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="GPG_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="314" name="Groups.Group Name">SUBGROUP100</Attribute>
    </Group>
    <Group key="315">
      <Attribute name="Groups-User Sub Groups.Creation Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute name="Groups-User Sub Groups.Update Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute key="1" name="GPG_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="GPG_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="315" name="Groups.Group Name">SUBGROUP101</Attribute>
    </Group>
    <Group key="316">
      <Attribute name="Groups-User Sub Groups.Creation Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute name="Groups-User Sub Groups.Update Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute key="1" name="GPG_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="GPG_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="316" name="Groups.Group Name">SUBGROUP102</Attribute>
    </Group>
  </Subgroups>
</GroupSnapshot>
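The following Python is an added example, not code from the Oracle documentation or from the product. It reads a GroupSnapshot document of the shape shown in Example 4-1 into plain Python structures and then answers the question a reviewer of a snapshot usually asks first: which administrator groups hold the Write or Delete ownership right over this group. The element and attribute names are the ones shown in this chapter; the sample XML is a constructed, abridged copy of Example 4-1, and the function names are this example's own.

```python
# Added example (not from the Oracle documentation): parse a GroupSnapshot
# document such as Example 4-1 and list the administrator groups that hold a
# given ownership right. Element/attribute names follow the chapter.
import xml.etree.ElementTree as ET

# Constructed sample, abridged from Example 4-1 (timestamps and *_LOGIN
# attributes omitted; they are not needed for the checks below).
SAMPLE_SNAPSHOT = """<?xml version="1.0" encoding="UTF-8"?>
<GroupSnapshot key="311" version="1.0">
  <GroupInfo>
    <Attribute key="311" name="Groups.Group Name">TESTGROUP100</Attribute>
    <Attribute name="Groups.Group Status">Active</Attribute>
  </GroupInfo>
  <GroupAdmin>
    <Group key="1">
      <Attribute key="1" name="Groups.Group Name">SYSTEM ADMINISTRATORS</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
    </Group>
    <Group key="312">
      <Attribute key="312" name="Groups.Group Name">ADMINGROUP1</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
    </Group>
    <Group key="313">
      <Attribute key="313" name="Groups.Group Name">ADMINGROUP2</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">0</Attribute>
    </Group>
  </GroupAdmin>
  <Subgroups>
    <Group key="314">
      <Attribute key="314" name="Groups.Group Name">SUBGROUP100</Attribute>
    </Group>
    <Group key="315">
      <Attribute key="315" name="Groups.Group Name">SUBGROUP101</Attribute>
    </Group>
  </Subgroups>
</GroupSnapshot>
"""


def attributes(elem):
    """Map the <Attribute name="..."> children of elem to their text values."""
    if elem is None:
        return {}
    return {a.get("name"): (a.text or "").strip() for a in elem.findall("Attribute")}


def parse_snapshot(xml_text):
    """Turn one GroupSnapshot document into a dict keyed by section."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "GroupSnapshot":
        raise ValueError(f"expected a GroupSnapshot document, got <{root.tag}>")
    return {
        "key": root.get("key"),
        "version": root.get("version"),
        "info": attributes(root.find("GroupInfo")),
        # The @key on each <Group> is the referenced group's own key.
        "admins": {g.get("key"): attributes(g) for g in root.findall("GroupAdmin/Group")},
        "subgroups": {g.get("key"): attributes(g) for g in root.findall("Subgroups/Group")},
    }


def admins_with_right(snapshot, right):
    """Names of administrator groups whose ownership flag `right` (Write or Delete) is 1."""
    flag = f"Groups-Group Ownership.{right}"
    return sorted(
        attrs.get("Groups.Group Name", f"<group {key}>")
        for key, attrs in snapshot["admins"].items()
        if attrs.get(flag) == "1"
    )


if __name__ == "__main__":
    snap = parse_snapshot(SAMPLE_SNAPSHOT)
    print(snap["info"]["Groups.Group Name"], "version", snap["version"])
    print("Delete right:", admins_with_right(snap, "Delete"))
    print("Subgroups:", sorted(snap["subgroups"]))
```

The parser keys administrator and subgroup entries by the @key attribute rather than by group name, because the name can be renamed between snapshots while the key is what ties two snapshot versions of the same group together.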
Changes to the snapshot are stored in XML format in the DELTAS column of the GPA table. This XML describes all changes that affect group profile attributes in a given transaction, and the reason those changes were made.
The topmost element in this XML representation is Changes. Each change made during a particular transaction is described in a Change element, and a Changes element may contain multiple Change elements. The Change element has the following attributes:
reason: The reason for the change to the group profile data.
reasonKey: The key of the entity or process that brought about the change to the group profile data.
where: The location of the change within the snapshot, given as an XPath-style path to the affected element (for example, /GroupSnapshot/Subgroups/Group[@key='314']).
action: Whether the change is an insert, an update, or a delete. The values are insert, update, and delete, respectively.
order: The position of the Change element within the delta when there is more than one Change element.
Table 4-1 lists all possible values of the reason and reasonKey attributes.

Table 4-1 Values of the reason and reasonKey Attributes for Group Profile Auditing

reason Attribute Value | reasonKey Attribute Value | Description |
---|---|---|
 | Key of the reconciliation event | Change carried out through reconciliation |
 | Key of the access policy | Change carried out through a change in access policy |
 | Key of the request | Change carried out through a request |
 | Key of the user who performs direct provisioning | Change carried out through direct provisioning |
Manual | Key of the user who manually performs the change | Change carried out manually by a user |
 | Key of the Auto Group Membership rule | Change carried out because of an update to the Auto Group Membership rule |
 | Key of the adapter | Change carried out when an adapter was run |
 | Key of the user who performs the action that uses the API | Change carried out through an API |
 | Key of the user who performs the action that carries out the data object change | Change carried out at the data object level |
 | Key of the user who performs the offline processing action | Change carried out during offline processing |
 | Key of the event handler | Change carried out by the event handler |
 | Key of the attestation request | Change carried out through attestation |
 | | Change that is not covered by any of the reason attribute values listed in this table |
Example 4-2 is the XML representation of changes to a sample group profile snapshot.
Example 4-2 XML Representation of Changes to a Sample Group Profile Snapshot

<?xml version="1.0" encoding="UTF-8" ?>
<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="GPG_UPDATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Creation Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.746</NewValue>
    </Attribute>
    <Attribute name="Groups.Key">
      <OldValue />
      <NewValue>311</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.746</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="314">SUBGROUP100</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="2" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="Groups-User Sub Groups.Creation Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.809</NewValue>
    </Attribute>
    <Attribute name="Groups.Key">
      <OldValue />
      <NewValue>311</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.809</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="3" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='315']">
    <Attribute name="GPG_UPDATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="315">SUBGROUP101</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="4" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="Groups-User Sub Groups.Creation Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.871</NewValue>
    </Attribute>
    <Attribute name="Groups.Key">
      <OldValue />
      <NewValue>311</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.871</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="5" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='316']">
    <Attribute name="GPG_UPDATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="316">SUBGROUP102</NewValue>
    </Attribute>
  </Change>
</Changes>
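The following Python is an added example, not code from the Oracle documentation or the product. It parses a Changes document of the shape stored in the DELTAS column, orders the Change elements by their order attribute, resolves each where value against the /GroupSnapshot/<section>/Group[@key='...'] form shown in Example 4-2, and then picks out the changes an access reviewer cares about: subgroups being added and ownership rights being granted to an administrator group, each tagged with the reason and reasonKey that caused it. The sample deltas are constructed: the first three Change elements are abridged from Example 4-2, and the final update Change on an administrator group is invented here because the chapter documents the update action but shows no example of it. The function names are this example's own.

```python
# Added example (not from the Oracle documentation): parse the Changes
# document from the DELTAS column and flag privilege-relevant changes.
import re
import xml.etree.ElementTree as ET

# Constructed sample. Changes 1-3 are abridged from Example 4-2; change 4
# (an "update" on an administrator group) is invented for this example.
SAMPLE_DELTAS = """<?xml version="1.0" encoding="UTF-8"?>
<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1"
          where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key=""/>
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key=""/>
      <NewValue key="314">SUBGROUP100</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="2" reason="Manual" reasonKey="1"
          where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue/>
      <NewValue>2007-04-12 17:34:56.809</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="3" reason="Manual" reasonKey="1"
          where="/GroupSnapshot/Subgroups/Group[@key='315']">
    <Attribute name="Groups.Group Name">
      <OldValue key=""/>
      <NewValue key="315">SUBGROUP101</NewValue>
    </Attribute>
  </Change>
  <Change action="update" order="4" reason="Manual" reasonKey="1"
          where="/GroupSnapshot/GroupAdmin/Group[@key='313']">
    <Attribute name="Groups-Group Ownership.Delete">
      <OldValue>0</OldValue>
      <NewValue>1</NewValue>
    </Attribute>
  </Change>
</Changes>
"""

# The `where` form seen in Example 4-2: section, optionally a Group by key.
WHERE_RE = re.compile(
    r"^/GroupSnapshot/(?P<section>GroupInfo|GroupAdmin|Subgroups)"
    r"(?:/Group\[@key='(?P<key>[^']*)'\])?$"
)


def _text(elem):
    """Stripped text of an OldValue/NewValue element, '' when absent or empty."""
    return (elem.text or "").strip() if elem is not None else ""


def parse_changes(xml_text):
    """Return the Change elements as dicts, sorted by their `order` attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "Changes":
        raise ValueError(f"expected a Changes document, got <{root.tag}>")
    changes = []
    for c in root.findall("Change"):
        m = WHERE_RE.match(c.get("where", ""))
        if m is None:
            raise ValueError(f"unrecognised where attribute: {c.get('where')!r}")
        changes.append({
            "order": int(c.get("order")),
            "action": c.get("action"),
            "reason": c.get("reason"),
            "reasonKey": c.get("reasonKey"),
            "section": m.group("section"),
            "group_key": m.group("key"),
            # attribute name -> (old value, new value)
            "attributes": {
                a.get("name"): (_text(a.find("OldValue")), _text(a.find("NewValue")))
                for a in c.findall("Attribute")
            },
        })
    return sorted(changes, key=lambda ch: ch["order"])


def flag_privilege_changes(changes):
    """Subgroup additions and ownership-right grants, with the reason that caused each."""
    flagged = []
    for ch in changes:
        attrs = ch["attributes"]
        if (ch["section"] == "Subgroups" and ch["action"] == "insert"
                and "Groups.Group Name" in attrs):
            flagged.append(("subgroup added", attrs["Groups.Group Name"][1],
                            ch["reason"], ch["reasonKey"]))
        elif ch["section"] == "GroupAdmin":
            for name, (old, new) in attrs.items():
                # A right is granted when its flag becomes 1 from 0 or from absent.
                if name.startswith("Groups-Group Ownership.") and old != "1" and new == "1":
                    right = name.rsplit(".", 1)[1]
                    flagged.append((f"{right} right granted", f"admin group {ch['group_key']}",
                                    ch["reason"], ch["reasonKey"]))
    return flagged


if __name__ == "__main__":
    for item in flag_privilege_changes(parse_changes(SAMPLE_DELTAS)):
        print(item)
```

Only a Change that carries the Groups.Group Name attribute is reported as a subgroup addition; as Example 4-2 shows, one transaction can produce several Change elements for the same where path, and the later ones only update timestamps. The reason and reasonKey values are passed through unchanged so that they can be matched against Table 4-1 by whoever consumes the report.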
When Oracle Identity Manager takes a snapshot of a group profile, it stores the snapshot in the GPA table. The structure of this table is described in Table 4-2.

Table 4-2 Definition of the GPA Table

Column | Data Type | Description |
---|---|---|
 | NUMBER (19,0) | Key for the audit record |
 | NUMBER (19,0) | Key for the group whose snapshot is recorded |
 | TIMESTAMP (6) | Date and time at which the snapshot entry became effective |
 | TIMESTAMP (6) | Date and time at which the snapshot entry stopped being effective, that is, the date and time at which the next snapshot entry for the group was created. For the entry representing the latest group profile, the To Date column value is set to |
 | VARCHAR2 (4000) | Source of the entry, which is the group name and the API used |
 | CLOB | XML representation of the snapshot |
 | CLOB | XML representation of the old and new values for each change made to the snapshot |
 | CLOB | Can be used by customers to store a digital signature for the snapshot (for nonrepudiation purposes) |
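The signature column in Table 4-2 is left to the customer to fill. The following Python is an added example, not code from the Oracle documentation or the product, of the two things that matter when doing so: canonicalising the snapshot XML before computing anything over it, so that a re-serialisation with different whitespace does not break verification, and comparing the stored value in constant time. It uses HMAC-SHA256 as a keyed stand-in for the digital signature the column is intended for; a production deployment would use an asymmetric signature so that someone who can read the database cannot also forge the value, and would keep the key outside the database. The key and the abridged snapshot are constructed for this example; the function names are this example's own.

```python
# Added example (not from the Oracle documentation): integrity tag for a
# snapshot CLOB, computed over the canonical (C14N 2.0) form of the XML.
# HMAC-SHA256 stands in for the asymmetric signature a real deployment
# would use. Requires Python 3.8+ for xml.etree.ElementTree.canonicalize.
import hashlib
import hmac
import xml.etree.ElementTree as ET

DEMO_KEY = b"constructed-demo-key-do-not-use"  # constructed; keep real keys out of the DB

# Constructed sample, abridged from Example 4-1.
SNAPSHOT = """<?xml version="1.0" encoding="UTF-8"?>
<GroupSnapshot key="311" version="1.0">
  <GroupAdmin>
    <Group key="313">
      <Attribute key="313" name="Groups.Group Name">ADMINGROUP2</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">0</Attribute>
    </Group>
  </GroupAdmin>
</GroupSnapshot>
"""


def canonical(xml_text):
    """C14N form of the snapshot with whitespace-only text nodes dropped."""
    return ET.canonicalize(xml_text, strip_text=True).encode("utf-8")


def tag_snapshot(key, xml_text):
    """Hex HMAC-SHA256 over the canonical snapshot; this is what goes in the signature column."""
    return hmac.new(key, canonical(xml_text), hashlib.sha256).hexdigest()


def verify_snapshot(key, xml_text, stored_tag):
    """Constant-time check of the stored tag against the snapshot read back from the GPA table."""
    return hmac.compare_digest(tag_snapshot(key, xml_text), stored_tag)


def tampered(xml_text):
    """Flip ADMINGROUP2's Delete right from 0 to 1, as a direct DB edit might."""
    return xml_text.replace('Ownership.Delete">0<', 'Ownership.Delete">1<')


if __name__ == "__main__":
    tag = tag_snapshot(DEMO_KEY, SNAPSHOT)
    print("tag:", tag)
    print("original verifies:", verify_snapshot(DEMO_KEY, SNAPSHOT, tag))
    print("re-indented copy verifies:", verify_snapshot(DEMO_KEY, SNAPSHOT.replace("\n  ", "\n"), tag))
    print("tampered copy verifies:", verify_snapshot(DEMO_KEY, tampered(SNAPSHOT), tag))
```

Canonicalising first is what makes the check robust against the database or a reporting tool re-serialising the CLOB; it is also what makes a one-character change to a rights flag detectable, since the canonical form preserves every attribute and text value.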
When any data element in the group profile snapshot changes, Oracle Identity Manager creates a new snapshot. Snapshot creation is triggered by events that change any of the following:
Group profile data
Subgroup information
Group administrators