Oracle® Identity Manager Audit Report Developer's Guide
Release 9.1.0.1

Part Number E14045-03

3 User Profile Auditing

User profile audits cover changes to user profile attributes, user membership, resource provisioning, access policies, and resource forms.

This chapter discusses the following topics:

  • Data Collected for Audits

  • Post-Processor Used for User Profile Auditing

  • Tables Used for User Profile Auditing

3.1 Data Collected for Audits

By default, user profile auditing is enabled and the auditing level is set to Resource Form when you install Oracle Identity Manager with the Audit and Compliance module. This auditing level specifies the minimum level required for attestation of form data.

You configure the audit level in the System Properties page of the Design Console by using the XL.UserProfileAuditDataCollection keyword.

See Also:

The "Audit Levels" section for more information about audit levels

The "System Properties" section in Oracle Identity Manager Design Console Guide for information about the XL.UserProfileAuditDataCollection keyword

This section discusses the following topics:

  • Capture and Archiving of User Profile Audit Data

  • XML Representation of Snapshots and Changes to Snapshots

  • Storage of Snapshots

  • Trigger for Taking Snapshots

3.1.1 Capture and Archiving of User Profile Audit Data

Each time a user profile changes, Oracle Identity Manager takes a snapshot of the user profile and stores the snapshot in an audit table in the database.

If a change that must be audited occurs for a user who has no initial snapshot, Oracle Identity Manager generates a snapshot at that point and treats it as the initial snapshot.

The following are the components of a user profile and the tables that store these components:

  • User Record: USR table, including all User Defined Fields (UDFs)

  • User Group Membership: USG, UGP, and RUL tables

  • User Policy Profile: UPP and UPD tables

    Note:

    When you change a group name by using the Administrative and User Console, the User Profile Audit (UPA) tables in the database are not updated with the change until the next snapshot of the user.

  • User Resource Profile: This component can be divided into the following subcomponents:

    • User Resource Instance: OIU, OBI, OST, and OBJ tables

    • Resource Lifecycle (Provisioning) Process: ORC, PKG, TOS, STA, OSI, SCH, and MIL tables

    • Resource State (Process) Form: All tables whose names start with UD_ (including child tables)

3.1.2 XML Representation of Snapshots and Changes to Snapshots

Oracle Identity Manager stores snapshots and changes to snapshots as XML in the UPA table. The following sections describe the XML representation of snapshots and changes to snapshots of user profiles:

3.1.2.1 XML Representation of User Profile Snapshots

The following elements constitute the XML representation of a user profile snapshot:

  • UserProfileSnapshot

    This is the topmost element in the XML representation. This element contains a user key and a version for each XML entry.

    The remaining elements in this list are child elements of the UserProfileSnapshot element.

  • UserInfo

    This element contains general information about the user profile.

  • GroupMembership

    This element contains information about group membership of the user.

  • PolicyProfile

    This element contains information about the policy that allowed the provisioning of a specific resource to the user.

  • ResourceProfile

    This element contains the following elements:

    • ResourceInstance: This element contains information about each resource that is provisioned to the user.

    • ProcessData: This element contains information about the process form data stored in the UDFs.

    • ObjectData: This element contains information about the object form data stored in the UDFs.

Example 3-1 is the XML representation of a sample user profile snapshot.

Example 3-1 XML Representation of a User Profile Snapshot

<?xml version="1.0" encoding="UTF-8"?>
<UserProfileSnapshot key="202" version="1.0">
  <UserInfo>
    <Attribute name="Users.First Name">Testing02First</Attribute>
    <Attribute name="Users.Role">Full-Time</Attribute>
    <Attribute name="Users.Disable User">0</Attribute>
    <Attribute name="Users.Email">john.doe@acmetech.com</Attribute>
    <Attribute name="Users.Status">Active</Attribute>
    <Attribute name="Users.Update Date">2007-01-05 17:12:25.181</Attribute>
    <Attribute name="Users.User ID">TESTING02USER9</Attribute>
    <Attribute name="Users.Xellerate Type">End-User</Attribute>
    <Attribute name="Users.Last Name">Testing02Last</Attribute>
    <Attribute name="Users.Provisioned Date">2007-01-05 17:11:56.868</Attribute>
    <Attribute encrypted="true" name="Users.Password" password="true">8YxO3YSKDXJLmcsKeZhUSw==</Attribute>
    <Attribute name="Users.Creation Date">2007-01-05 17:11:56.868</Attribute>
    <Attribute name="Users.Lock User">0</Attribute>
    <Attribute key="1" name="Users.Updated By Login">XELSYSADM</Attribute>
    <Attribute name="Users.Password Reset Attempts Counter">0</Attribute>
    <Attribute key="1" name="Organizations.Organization Name">Xellerate Users</Attribute>
    <Attribute name="Users.Login Attempts Counter">0</Attribute>
    <Attribute key="1" name="Users.Created By Login">XELSYSADM</Attribute>
  </UserInfo>
  <GroupMembership>
    <Group key="3">
      <Attribute name="Groups-Users.Creation Date">2007-01-05 17:12:30.299</Attribute>
      <Attribute name="Groups-Users.Update Date">2007-01-05 17:12:30.299</Attribute>
      <Attribute name="Groups-Users.Membership Status">Active</Attribute>
      <Attribute key="1" name="Groups-Users.Updated By Login">XELSYSADM</Attribute>
      <Attribute name="Groups-Users.Membership Type">Direct</Attribute>
      <Attribute key="3" name="Groups.Group Name">ALL USERS</Attribute>
      <Attribute key="1" name="Groups-Users.Created By Login">XELSYSADM</Attribute>
    </Group>
  </GroupMembership>
  <PolicyProfile>
    <Policy key="1">
      <Attribute name="UPD_ALLOW_LIST">Res2</Attribute>
      <Attribute name="Access Policies.Key">1</Attribute>
      <Attribute name="Access Policies.Name">AP2</Attribute>
    </Policy>
  </PolicyProfile>
  <ResourceProfile>
    <ResourceInstance key="57">
      <Attribute name="Users-Object Instance For User.Creation Date">2007-01-05 17:12:36.599</Attribute>
      <Attribute key="45" name="Objects.Object Status.Status">Enabled</Attribute>
      <Attribute key="1" name="Access Policies.Name">AP2</Attribute>
      <Attribute key="6" name="Objects.Name">Res2</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By Method">Access Policy</Attribute>
      <Attribute key="1" name="Users-Object Instance For User.Provisioned By Login">XELSYSADM</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By ID">1</Attribute>
      <Attribute key="AP2" name="Access Policies.Key">1</Attribute>
      <ObjectData>
        <Parent key="7">
          <FormInfo>
            <Attribute key="7" name="Structure Utility.Table Name">UD_PRC_PP</Attribute>
            <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
          </FormInfo>
          <Data key="162">
            <Attribute name="UD_PRC_PP_A">xxxxxxxxxx</Attribute>
          </Data>
        </Parent>
        <Children>
          <Child key="10">
            <FormInfo>
              <Attribute key="10" name="Structure Utility.Table Name">UD_PRC_CF</Attribute>
              <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
            </FormInfo>
            <Data key="162">
              <Attribute name="UD_PRC_CF_B">yyyyyyyyyy</Attribute>
            </Data>
          </Child>
        </Children>
      </ObjectData>
      <ProcessData>
        <Parent key="8">
          <FormInfo>
            <Attribute key="8" name="Structure Utility.Table Name">UD_RES2_PP</Attribute>
            <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
          </FormInfo>
          <Data key="54">
            <Attribute name="UD_RES2_PP_B">some_value1</Attribute>
            <Attribute name="UD_RES2_PP_A">some_value2</Attribute>
            <Attribute key="1" name="Access Policies.Name">AP2</Attribute>
          </Data>
        </Parent>
        <Children>
          <Child key="9">
            <FormInfo>
              <Attribute key="9" name="Structure Utility.Table Name">UD_RES2_CP</Attribute>
              <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
            </FormInfo>
            <Data key="63">
              <Attribute name="UD_RES2_CP_C">Entry1C</Attribute>
              <Attribute name="UD_RES2_CP_D">Entry1D</Attribute>
              <Attribute key="1" name="Access Policies.Name">AP2</Attribute>
            </Data>
          </Child>
        </Children>
      </ProcessData>
    </ResourceInstance>
    <ResourceInstance key="74">
      <Attribute name="Users-Object Instance For User.Creation Date">2007-01-05 17:22:37.597</Attribute>
      <Attribute key="33" name="Objects.Object Status.Status">Provisioning</Attribute>
      <Attribute key="5" name="Objects.Name">Res1</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By Method">Direct Provision</Attribute>
      <Attribute key="1" name="Users-Object Instance For User.Provisioned By Login">XELSYSADM</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By ID">XELSYSADM</Attribute>
    </ResourceInstance>
  </ResourceProfile>
</UserProfileSnapshot>

3.1.2.2 XML Representation of Changes to User Profile Snapshots

Changes to the snapshot are stored in XML format. This XML information describes all changes that affect user profile attributes for a given transaction and the reason those changes were made.

The topmost element in this XML representation is Changes. Each change made during a particular transaction is described in a Change element. There may be multiple Change tags inside a Changes element. The following are attributes of the Change element:

  • reason

    This attribute holds the reason for the change in the user profile data.

  • reasonKey

    This attribute holds the key of the entity or the process that brought about the change in the user profile data.

  • where

    This attribute holds the location of the change.

  • action

    This attribute specifies whether the change is an insert, an update, or a delete. The corresponding values are insert, update, and delete.

  • order

    This attribute specifies the position of the Change element in the delta when there is more than one Change element.

Table 3-1 lists all possible values of the reason and reasonKey attributes.

Table 3-1 Values of the reason and reasonKey Attributes for User Profile Auditing

reason Attribute Value | reasonKey Attribute Value | Description
Reconciliation | Key of the reconciliation event (RCE_KEY value) | Change carried out through reconciliation
Access Policy | Key of the access policy (POL_KEY value) | Change carried out through a change in access policy
Request | Key of the request (REQ_KEY value) | Change carried out through a request
Direct Provision | Key of the user who performs direct provisioning (USR_KEY value) | Change carried out through direct provisioning
Manual | Key of the user who manually performs the change (USR_KEY value) | Change carried out manually by a user
Auto Group Membership | Key of the Auto Group Membership rule (RUL_KEY value) | Change carried out because of an update to the Auto Group Membership rule
Adapter | Key of the adapter (ADP_KEY value) | Change carried out when an adapter was run
API | Key of the user who performs the action that uses the API (USR_KEY value) | Change carried out through an API
Data Object | Key of the user who performs the action that carries out the data object change (USR_KEY value) | Change carried out at the data object level
Offline Processing | Key of the user who performs the offline processing action (USR_KEY value) | Change carried out during offline processing
Event Handler | Key of the event handler (EVT_KEY value) | Change carried out by the event handler
Attestation | Key of the attestation request (ATR_KEY value) | Change carried out through attestation
Unknown | 0 | Change that is not covered by any of the reason attribute values listed in this table
Regeneration | 0 | Delta created by running the GenerateSnapshot script. The value of changeReasonKey is always 0 in this case.


Example 3-2 is the XML representation of changes to a sample user profile snapshot.

Example 3-2 XML Representation of Changes to a Sample User Profile Snapshot

<?xml version="1.0" encoding="UTF-8"?>
<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1"
      where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']">
    <Attribute name="Users-Object Instance For User.Creation Date">
      <OldValue />
      <NewValue>2007-01-05 17:22:37.597</NewValue>
    </Attribute>
    <Attribute name="Objects.Object Status.Status">
      <OldValue key="" />
      <NewValue key="35">Ready</NewValue>
    </Attribute>
    <Attribute name="Objects.Name">
      <OldValue key="" />
      <NewValue key="5">Res1</NewValue>
    </Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By Method">
      <OldValue />
      <NewValue>Direct Provision</NewValue>
    </Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By Login">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By ID">
      <OldValue />
      <NewValue>XELSYSADM</NewValue>
    </Attribute>
  </Change>
  <Change action="update" order="2" reason="Manual" reasonKey="1"
      where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']">
    <Attribute name="Objects.Object Status.Status">
      <OldValue key="35">Ready</OldValue>
      <NewValue key="33">Provisioning</NewValue>
    </Attribute>
  </Change>
</Changes>

Information in this XML form is first stored in the UPA table and then stored in normalized form in the UPA_USR, UPA_FIELDS, UPA_RESOURCE, UPA_GRP_MEMBERSHIP, UPA_UD_FORMS, and UPA_UD_FORMFIELDS tables. Normalizing this data across multiple tables facilitates the retrieval of information for reporting purposes.
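The snapshot and delta formats above lend themselves to automated consistency checks, for instance when UPA rows are exported for an investigation. The following Python script is an added example, not code from Oracle Identity Manager or from this guide. It parses a Changes document, checks each Change against Table 3-1 and the documented action values, sorts the changes by their order attribute, resolves each where path (an absolute XPath rooted at UserProfileSnapshot) against a snapshot, and replays the OldValue/NewValue pairs onto a constructed "before" snapshot, reporting any OldValue that does not match the state it is replayed onto. The before-state and the abridged delta are constructed from Examples 3-1 and 3-2; the rule that a non-zero reasonKey is numeric and the treatment of a delete as removing the listed Attribute elements are the example's own assumptions, not statements from the guide.

```python
"""Validate and replay OIM user profile audit deltas. Added example, not Oracle's code.
Snapshot and delta are constructed; assumed: non-zero reasonKey is numeric, delete removes Attributes."""
import re
import xml.etree.ElementTree as ET

# Table 3-1: reason -> key column held in reasonKey (None means reasonKey must be 0).
REASON_KEY_SOURCE = {
    "Reconciliation": "RCE_KEY", "Access Policy": "POL_KEY", "Request": "REQ_KEY", "Direct Provision": "USR_KEY",
    "Manual": "USR_KEY", "Auto Group Membership": "RUL_KEY", "Adapter": "ADP_KEY", "API": "USR_KEY",
    "Data Object": "USR_KEY", "Offline Processing": "USR_KEY", "Event Handler": "EVT_KEY",
    "Attestation": "ATR_KEY", "Unknown": None, "Regeneration": None,
}
_LEAF = re.compile(r"^(\w+)\[@key='([^']*)'\]$")  # final where step, e.g. ResourceInstance[@key='74']

# Constructed 'before' state: the user exists and only Res2 is provisioned.
BEFORE_XML = """<UserProfileSnapshot key="202" version="1.0">
  <UserInfo><Attribute name="Users.User ID">TESTING02USER9</Attribute></UserInfo>
  <ResourceProfile><ResourceInstance key="57"><Attribute key="6" name="Objects.Name">Res2</Attribute></ResourceInstance></ResourceProfile>
</UserProfileSnapshot>"""

# Constructed delta abridged from Example 3-2, deliberately stored out of order.
CHANGES_XML = """<Changes>
  <Change action="update" order="2" reason="Manual" reasonKey="1"
      where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']">
    <Attribute name="Objects.Object Status.Status"><OldValue key="35">Ready</OldValue><NewValue key="33">Provisioning</NewValue></Attribute>
  </Change>
  <Change action="insert" order="1" reason="Manual" reasonKey="1"
      where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']">
    <Attribute name="Objects.Object Status.Status"><OldValue key="" /><NewValue key="35">Ready</NewValue></Attribute>
    <Attribute name="Objects.Name"><OldValue key="" /><NewValue key="5">Res1</NewValue></Attribute>
  </Change>
</Changes>"""

def parse_changes(xml_text):
    """Return the Change elements sorted by their order attribute."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return sorted(root.iter("Change"), key=lambda c: int(c.get("order", "0")))

def validate_change(change):
    """Check reason, reasonKey and action against Table 3-1 and the documented actions."""
    problems, reason, key = [], change.get("reason"), change.get("reasonKey") or ""
    if reason not in REASON_KEY_SOURCE:
        problems.append(f"unknown reason {reason!r}")
    elif REASON_KEY_SOURCE[reason] is None and key != "0":
        problems.append(f"reason {reason!r} requires reasonKey 0, got {key!r}")
    elif REASON_KEY_SOURCE[reason] and not key.isdigit():
        problems.append(f"reasonKey {key!r} is not a {REASON_KEY_SOURCE[reason]} value")
    if change.get("action") not in ("insert", "update", "delete"):
        problems.append(f"bad action {change.get('action')!r}")
    return problems

def resolve_where(root, where, create=False):
    """Find the element a where path names; ElementTree cannot take the absolute root step."""
    root_step, *steps = (where or "").strip("/").split("/")
    if root_step != root.tag:
        raise ValueError(f"where does not start at {root.tag}: {where!r}")
    node = root.find("./" + "/".join(steps)) if steps else root
    if node is None and create:  # an insert may name an element that does not exist yet
        parent = root.find("./" + "/".join(steps[:-1])) if len(steps) > 1 else root
        leaf = _LEAF.match(steps[-1])
        if parent is None or leaf is None:
            raise ValueError(f"cannot create target for {where!r}")
        node = ET.SubElement(parent, leaf.group(1), key=leaf.group(2))
    return node

def find_attribute(element, name):
    return next((a for a in element.findall("Attribute") if a.get("name") == name), None)

def _text(element):
    return (element.text or "").strip() if element is not None else ""

def apply_change(root, change):
    """Replay one Change onto the snapshot tree; return the problems found."""
    problems, action = validate_change(change), change.get("action")
    target = resolve_where(root, change.get("where"), create=(action == "insert"))
    if target is None:
        return problems + [f"where target not found: {change.get('where')!r}"]
    for attr in change.findall("Attribute"):
        name, new, old = attr.get("name"), attr.find("NewValue"), _text(attr.find("OldValue"))
        current = find_attribute(target, name)
        if old != _text(current):  # the recorded OldValue must match the state being replayed onto
            problems.append(f"{name}: OldValue {old!r} != current {_text(current)!r}")
        if action == "delete":
            if current is not None:
                target.remove(current)
            continue
        if current is None:
            current = ET.SubElement(target, "Attribute", name=name)
        current.text = _text(new)
        if new is not None and new.get("key"):
            current.set("key", new.get("key"))
    return problems

def replay(before_xml, changes_xml):
    root, problems = ET.fromstring(before_xml.encode("utf-8")), []
    for change in parse_changes(changes_xml):
        problems.extend(apply_change(root, change))
    return root, problems
```

Replaying a DELTAS document onto the preceding SNAPSHOT and comparing the result with the following SNAPSHOT row is a cheap way to spot audit rows that were edited after the fact; the OldValue mismatch reported by apply_change is the signal to look for.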

3.1.3 Storage of Snapshots

When Oracle Identity Manager takes a snapshot of a user profile, it stores the snapshot in the UPA table. The structure of the UPA table is described in Table 3-2.

Table 3-2 Definition of the UPA Table

Column | Data Type | Description
UPA_KEY | NUMBER (19,0) | Key for the audit record
USR_KEY | NUMBER (19,0) | Key for the user whose snapshot is recorded in this entry
EFF_FROM_DATE | TIMESTAMP (6) | Date and time at which the snapshot entry became effective
EFF_TO_DATE | TIMESTAMP (6) | Date and time at which the snapshot entry stopped being effective, that is, the date and time at which the next snapshot entry was created. For the entry representing the latest user profile, this column is NULL.
SNAPSHOT | CLOB | XML representation of the snapshot
DELTAS | CLOB | XML representation of the old and new values corresponding to a change made to the snapshot
SRC | VARCHAR2 (4000) | User ID of the user responsible for the change, and the API used to carry out the change
SIGNATURE | CLOB | Can be used by customers to store a digital signature for the snapshot (for nonrepudiation purposes)
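The EFF_FROM_DATE/EFF_TO_DATE pair and the SIGNATURE column give a reviewer two checks over a user's audit history: consecutive rows must abut with exactly one open row (EFF_TO_DATE NULL), and each signature must still match its SNAPSHOT. The following Python script is an added example, not Oracle's code. The UPA rows are constructed dicts keyed by the column names in Table 3-2, with timestamps borrowed from Example 3-1; the SIGNATURE value is an HMAC-SHA256 tag computed in the script as a stand-in for whatever signature scheme a site stores in that column (the guide only says the column is available for a digital signature), and the SRC text is a placeholder.

```python
"""Integrity checks over UPA rows (Table 3-2). Added example, not Oracle's code.
Rows are constructed dicts keyed by UPA column names; SIGNATURE is an HMAC-SHA256 tag used
here as a stand-in for whatever signature scheme a deployment stores in that column."""
import hashlib
import hmac
from datetime import datetime

SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real key lives outside the database


def sign_snapshot(snapshot_xml, key=SIGNING_KEY):
    """Tag the SNAPSHOT text; a detached signature would take this role in production."""
    return hmac.new(key, snapshot_xml.encode("utf-8"), hashlib.sha256).hexdigest()


def _row(upa_key, eff_from, eff_to, status):
    """One constructed UPA row for USR_KEY 202, columns as in Table 3-2."""
    snapshot = ('<UserProfileSnapshot key="202" version="1.0"><UserInfo>'
                f'<Attribute name="Users.Status">{status}</Attribute></UserInfo></UserProfileSnapshot>')
    return {"UPA_KEY": upa_key, "USR_KEY": 202,
            "EFF_FROM_DATE": datetime.fromisoformat(eff_from),
            "EFF_TO_DATE": datetime.fromisoformat(eff_to) if eff_to else None,
            "SNAPSHOT": snapshot, "DELTAS": "<Changes/>",
            "SRC": "XELSYSADM (API name: placeholder)",
            "SIGNATURE": sign_snapshot(snapshot)}


# Constructed history; timestamps borrowed from Example 3-1, the latest row has EFF_TO_DATE NULL.
UPA_ROWS = [
    _row(1, "2007-01-05 17:11:56.868", "2007-01-05 17:12:25.181", "Active"),
    _row(2, "2007-01-05 17:12:25.181", "2007-01-05 17:22:37.597", "Disabled"),
    _row(3, "2007-01-05 17:22:37.597", None, "Active"),
]


def snapshot_as_of(rows, usr_key, when):
    """Return the row whose [EFF_FROM_DATE, EFF_TO_DATE) interval contains `when`, else None."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for row in rows:
        if row["USR_KEY"] == usr_key and row["EFF_FROM_DATE"] <= when:
            if row["EFF_TO_DATE"] is None or when < row["EFF_TO_DATE"]:
                return row
    return None


def check_history(rows, usr_key, key=SIGNING_KEY):
    """Report bad signatures, gaps or overlaps, and a missing or misplaced open row."""
    history = sorted((r for r in rows if r["USR_KEY"] == usr_key), key=lambda r: r["EFF_FROM_DATE"])
    problems = [f"UPA_KEY {r['UPA_KEY']}: SIGNATURE does not match SNAPSHOT" for r in history
                if not hmac.compare_digest(r["SIGNATURE"], sign_snapshot(r["SNAPSHOT"], key))]
    open_rows = [r for r in history if r["EFF_TO_DATE"] is None]
    if len(open_rows) != 1:
        problems.append(f"expected exactly one open row, found {len(open_rows)}")
    elif open_rows[0] is not history[-1]:
        problems.append(f"UPA_KEY {open_rows[0]['UPA_KEY']}: open row is not the latest snapshot")
    # Table 3-2: EFF_TO_DATE is when the next snapshot was created, so consecutive rows must abut.
    for prev, nxt in zip(history, history[1:]):
        if prev["EFF_TO_DATE"] != nxt["EFF_FROM_DATE"]:
            problems.append(f"UPA_KEY {prev['UPA_KEY']} -> {nxt['UPA_KEY']}: gap or overlap in effective dates")
    return problems


if __name__ == "__main__":
    print("history problems:", check_history(UPA_ROWS, 202) or "none")
    print("effective at 17:15:", snapshot_as_of(UPA_ROWS, 202, "2007-01-05 17:15:00")["UPA_KEY"])
```

A gap between one row's EFF_TO_DATE and the next row's EFF_FROM_DATE, or a second open row, means a snapshot was deleted or inserted outside the normal capture path; a signature mismatch means the SNAPSHOT text itself was altered after it was signed.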


3.1.4 Trigger for Taking Snapshots

When any data element in a user profile changes, Oracle Identity Manager creates a snapshot.

The following events trigger the creation of a user profile snapshot:

  • Modification of any kind to the user record (for example, through reconciliation and direct provisioning)

  • Group membership change for the user

  • Changes in the policies that apply to the user

  • Provisioning a resource to the user

  • Deprovisioning of a resource for the user

  • Any provisioning-related event for a provisioned resource:

    • Resource status change

    • Addition of provisioning tasks to the provisioning process

    • Updates to provisioning tasks in the provisioning process, for example, status changes, escalations, and so on

    • Creation of or updates to Process Form data

    • Creation of or updates to Object Form data

3.2 Post-Processor Used for User Profile Auditing

The user profile auditor has an internal post-processor that normalizes the snapshot XML into the reporting tables: UPA_USR, UPA_FIELDS, UPA_GRP_MEMBERSHIP, UPA_RESOURCE, UPA_UD_FORMS, and UPA_UD_FORMFIELDS. These tables are used by the reporting module to generate the appropriate reports.

3.3 Tables Used for User Profile Auditing

User profile audits use the following tables in the database:

  • UPA: the main table, which stores all the snapshots of and changes to user profiles

  • Reporting tables: UPA_USR, UPA_FIELDS, UPA_GRP_MEMBERSHIP, UPA_RESOURCE, UPA_UD_FORMS, and UPA_UD_FORMFIELDS

The audit engine reads data from the UPA table and normalizes it across the reporting tables.

Note:

The UPA_UD_FORMS and UPA_UD_FORMFIELDS tables are populated only if the XL.EnableExceptionReports system configuration property is set to TRUE. For more information about this property, see "Exception Reports".