6 Auditing

Oracle Identity Manager provides a powerful audit engine to collect extensive data for audit and compliance purposes. You can use the audit functionality together to capture, archive, and view entity and transactional data for compliance monitoring and IT-centric processes and forensic auditing. Therefore, with the audit and compliance modules, Oracle Identity Manager provides profile auditing, reporting, and attestation features. You can capture, transport, store, retrieve, and remove historical data over its life cycle. Security is maintained at every stage of the data life cycle. For information about attestation processes, see "Managing Attestation Processes".

6.1 Overview

6.1.1 Auditing Design Components

Figure 6-1 shows the design components for Oracle Identity Manager auditing process.

Figure 6-1 Design Components of the Auditing Process


Any action that a user performs in Oracle Identity Manager translates into an Application Programming Interface (API) call or into a Message Driven Bean (MDB) picking up a message to process an action. One action can cause multiple changes. All changes are combined into an audit transaction. Each API method that can modify data objects calls the startTransaction method in the audit engine at the beginning of the API call and the endTransaction method at the end of the API call. This defines the boundaries of the audit transaction. The audit engine generates a transaction ID to identify the changes made in the transaction.

6.1.2 Profile Auditing

Oracle Identity Manager provides auditing and historical archiving of profile information. It takes a snapshot of a profile, stores the snapshot in an audit table in the database, and updates the snapshot each time the profile data changes. In the context of profile auditing, the term snapshot means a copy taken of the entire profile data at any instant when the data is modified.

6.1.3 Standard and Customized Reports

The BI Publisher provides standard reports for viewing archived data. You can also create customized reports.

6.2 Audit Engine

User profile audits cover changes to user profile attributes, user membership, resource provisioning, access policies, and resource forms.

The audit engine collects auditing information in Oracle Identity Manager. Whenever a profile is modified, the audit engine captures the changes (the delta) and updates (or generates, if missing) the snapshots of the user and role profiles and stores these snapshots and deltas in XML format. The audit engine also contains post-processors, which, based on the generated XML, populate the reporting tables with relevant data. To maintain high performance, by default the audit engine performs these tasks in an asynchronous and offline manner by using the underlying Java Messaging Service (JMS) provided by the application server.

6.2.1 Audit Levels

As mentioned earlier in this chapter, when you install Oracle Identity Manager, user profile auditing is enabled by default and the auditing level is set to Resource Form. If you change the auditing level, then you must run the GenerateSnapshot.sh script (on UNIX) or the GenerateSnapshot.bat script (on Microsoft Windows). This script is in the IDM_HOME/server/bin directory. The script examines all users in the Oracle Identity Manager database and generates new snapshots based on the new auditing level.

Note:

If you change the auditing level, then you must run the GenerateSnapshot script before allowing users to access the system.

You can configure the "level of detail for auditing" aspect of the auditing engine and specify the audit level as the value of the XL.UserProfileAuditDataCollection system property in the Advanced Administration.

See Also:

"System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware System Administrators Guide for Oracle Identity Manager for information about this system property

The supported audit levels are:

  • Process Task: Audits the entire user profile snapshot together with the resource lifecycle process.

  • Resource Form: Audits user record, role membership, resource provisioned, and any form data associated to the resource.

  • Resource: Audits the user record, role membership, and resource provisioning.

  • Membership: Only audits the user record and role membership.

  • Core: Only audits the user record.

  • None: No audit is stored.

Note:

When you specify a particular audit level, all audit levels that are at a lower priority level are automatically enabled. For example, if you specify the Membership audit level, then the Core audit level is automatically enabled.

Audit level specifications are case-sensitive. When you specify an audit level, ensure that you do not change the case (uppercase and lowercase) of the audit level.

6.2.2 Tables Used for Storing Information About Auditors

Information about auditors is stored in the following tables of the database:

  • AUD: This table stores information about all the auditors defined in Oracle Identity Manager.

  • aud_jms: This table stores information about the changes made for an auditor.

    The key in this table is sent to the JMS. Oracle Identity Manager uses this table to control the order of the changes when multiple changes are made to the same user. You can use the Issue Audit Messages Task scheduled task to automate the reissue of messages that are not processed. This scheduled task is discussed in "Issuing Audit Messages".

6.2.3 Issuing Audit Messages

Oracle Identity Manager provides a scheduled task named Issue Audit Messages Task. This scheduled task retrieves audit message details from the aud_jms table and sends a single JMS message for a particular identifier and auditor entry in the aud_jms table. An MDB processes the corresponding audit message.

The following is the attribute of this task:

Max Records

Use the Max Records attribute to specify the maximum number of audit messages to be processed for a specified scheduled task run. The default value of this attribute is 400.

If there is a backlog of audit messages in the aud_jms table, then you can increase the value of the Max Records attribute. The value that you set depends on how many messages the JMS engine can process during the default scheduled task execution interval. This, in turn, depends on the performance of the application server and database. Before increasing the Max Records value, you must determine how much time is taken to process the number of audit messages in the JMS destination (oimAuditQueue) by, for example, using the administrative console of the application server. If the time taken is less than the scheduled task interval, then you can make a corresponding increase in the value of the Max Records attribute.

6.3 User Profile Auditing

User profile audits cover changes to user profile attributes, user membership, resource provisioning, access policies, and resource forms.

6.3.1 Data Collected for Audits

By default, user profile auditing is enabled and the auditing level is set to Resource Form when you install Oracle Identity Manager. This auditing level specifies the minimum level required for attestation of form data.

You configure the audit level in the System Configuration part of the Advanced Administration by using the XL.UserProfileAuditDataCollection system property.

See Also:

"Audit Levels" for more information about audit levels

"System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for information about the XL.UserProfileAuditDataCollection system property

6.3.1.1 Capture and Archiving of User Profile Audit Data

Each time a user profile changes, Oracle Identity Manager takes a snapshot of the user profile and stores the snapshot in an audit table in the database.

A snapshot is also generated when there is a change in a user profile that must be audited, even if an initial snapshot is missing. The current snapshot is treated as the initial snapshot.

The following are the components of a user profile and the tables that store these components:

  • User Record: USR table, including all User Defined Fields (UDFs)

  • User Role Membership: USG, UGP, and RUL tables

  • User Policy Profile: UPP and UPD tables

    Note:

    When you change a role name by using the Administrative and User Console, the User Profile Audit (UPA) tables in the database are not updated with the change until the next snapshot of the user.

  • User Resource Profile: This component can be divided into the following subcomponents:

    • User Resource Instance: OIU, OBI, OST, and OBJ tables

    • Resource Lifecycle (Provisioning) Process: ORC, PKG, TOS, STA, OSI, SCH, and MIL tables

    • Resource State (Process) Form: All tables that have names starting with UD_* (including child tables)

6.3.1.2 Storage of Snapshots

When Oracle Identity Manager takes a snapshot of a user profile, it stores the snapshot in the UPA table. The structure of the UPA table is described in Table 6-1.

Table 6-1 Definition of the UPA Table

Each entry lists the column, its data type, and its description:

  • UPA_KEY, NUMBER (19,0): Key for the audit record

  • USR_KEY, NUMBER (19,0): Key for the user whose snapshot is recorded in this entry

  • EFF_FROM_DATE, TIMESTAMP (6): Date and time at which the snapshot entry became effective

  • EFF_TO_DATE, TIMESTAMP (6): Date and time at which the snapshot entry was no longer effective

    In other words, this is the date and time at which the next snapshot entry was created. For the entry representing the latest user profile, the To Date column value is set to NULL.

  • SRC, VARCHAR2 (4000): User ID of the user responsible for the change, and the API used to carry out the change

  • SNAPSHOT, CLOB: XML representation of the snapshot

  • DELTAS, CLOB: XML representation of old and new values corresponding to a change made to the snapshot

  • SIGNATURE, CLOB: Can be used to store a digital signature for the snapshot (for nonrepudiation purposes)

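As an added example that is not part of Oracle's documentation, the following Python script builds an in-memory SQLite copy of the UPA layout from Table 6-1, loads constructed sample rows, and shows two queries a forensic reviewer would run against the snapshot history: the snapshot in force at a given point in time, and a consistency check of the EFF_FROM_DATE/EFF_TO_DATE chain, where a gap, overlap or second open row indicates that audit rows were altered or lost. The row values and the SRC format are assumptions.

```python
import sqlite3

# Constructed sample rows modelled on the Table 6-1 columns (not real OIM data).
SAMPLE_ROWS = [
    # UPA_KEY, USR_KEY, EFF_FROM_DATE, EFF_TO_DATE, SRC, SNAPSHOT, DELTAS, SIGNATURE
    (1, 42, "2023-01-01 09:00:00", "2023-02-01 12:00:00", "xelsysadm:createUser",
     "<snapshot>initial</snapshot>", None, None),
    (2, 42, "2023-02-01 12:00:00", "2023-03-15 08:30:00", "xelsysadm:updateUser",
     "<snapshot>title changed</snapshot>", "<deltas>title</deltas>", None),
    (3, 42, "2023-03-15 08:30:00", None, "RECON:reconcile",
     "<snapshot>role added</snapshot>", "<deltas>role</deltas>", None),
]

def load_sample_upa():
    """Create an in-memory UPA table with the Table 6-1 columns and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE UPA (
        UPA_KEY INTEGER PRIMARY KEY, USR_KEY INTEGER NOT NULL,
        EFF_FROM_DATE TEXT NOT NULL, EFF_TO_DATE TEXT, SRC TEXT,
        SNAPSHOT TEXT, DELTAS TEXT, SIGNATURE TEXT)""")
    conn.executemany("INSERT INTO UPA VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def profile_at(conn, usr_key, when):
    """Return (UPA_KEY, SRC, SNAPSHOT) of the snapshot in force at time 'when', or None.
    The open row (EFF_TO_DATE IS NULL) is the current profile."""
    return conn.execute(
        """SELECT UPA_KEY, SRC, SNAPSHOT FROM UPA
           WHERE USR_KEY = ? AND EFF_FROM_DATE <= ?
             AND (EFF_TO_DATE IS NULL OR EFF_TO_DATE > ?)
           ORDER BY EFF_FROM_DATE DESC LIMIT 1""", (usr_key, when, when)).fetchone()

def check_snapshot_chain(conn, usr_key):
    """Return a list of anomalies in the user's snapshot history.
    A sound history has each row's EFF_TO_DATE equal to the next row's
    EFF_FROM_DATE and exactly one open (NULL EFF_TO_DATE) row, the latest."""
    rows = conn.execute(
        "SELECT UPA_KEY, EFF_FROM_DATE, EFF_TO_DATE FROM UPA WHERE USR_KEY = ? "
        "ORDER BY EFF_FROM_DATE, UPA_KEY", (usr_key,)).fetchall()
    problems = []
    for (key, _, to_date), (nxt_key, nxt_from, _) in zip(rows, rows[1:]):
        if to_date is None:
            problems.append(f"row {key} is open but is followed by row {nxt_key}")
        elif to_date != nxt_from:
            problems.append(f"gap or overlap between rows {key} and {nxt_key}")
    if rows and rows[-1][2] is not None:
        problems.append(f"latest row {rows[-1][0]} has no open EFF_TO_DATE")
    return problems
```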
6.3.1.3 Trigger for Taking Snapshots

When any data element in a user profile changes, Oracle Identity Manager creates a snapshot.

The following events trigger the creation of a user profile snapshot:

  • Modification of any kind to the user record (for example, through reconciliation and direct provisioning)

  • Role membership change for the user

  • Changes in the policies that apply to the user

  • Provisioning a resource to the user

  • Deprovisioning of a resource for the user

  • Any provisioning-related event for a provisioned resource:

    • Resource status change

    • Addition of provisioning tasks to the provisioning process

    • Updates to provisioning tasks in the provisioning process, for example, status changes, escalations, and so on

    • Creation of or updates to Process Form data

6.3.2 Post-Processor Used for User Profile Auditing

The user profile auditor has an internal post-processor that normalizes the snapshot XML into the reporting tables: UPA_USR, UPA_FIELDS, UPA_GRP_MEMBERSHIP, UPA_RESOURCE, UPA_UD_FORMS, and UPA_UD_FORMFIELDS. These tables are used by the reporting module to generate the appropriate reports.

6.3.3 Tables Used for User Profile Auditing

User profile audits use the following tables in the database:

The UPA table is the main table and stores all the snapshots and changes made to the user profiles. The audit engine reads data from the UPA table and normalizes it across the following reporting tables:

  • UPA_USR: This table stores user profile information.

  • UPA_FIELDS: This table stores user profile information in a vertical format.

    This table has more information than the UPA_USR table. For instance, UD fields are stored in this table as well as other fields that are not available in UPA_USR.

  • UPA_GRP_MEMBERSHIP: This table contains role membership for all the users in the system.

    The information includes when a user was added and removed from a role.

  • UPA_RESOURCE: The information in this table includes provisioned resources and changes in status for each of the resources.

    This table does not include any form table information.

  • UPA_UD_FORMS: Along with the UPA_UD_FORMFIELDS table, this table contains information about changes to the process form. It contains information about the corresponding tables that are being changed. The actual field changes are stored in the UPA_UD_FORMFIELDS table.

  • UPA_UD_FORMFIELDS: This table stores the names of form fields that are changed and the old and new values of the changed form fields. Whenever a form field is changed, a new row is inserted in this table to reflect the change.

Note:

The UPA_UD_FORMS and UPA_UD_FORMFIELDS tables will be populated only if the XL.EnableExceptionReports system property is set to TRUE. For more information about this property, see "System Properties in Oracle Identity Manager" in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.

6.4 Role Profile Auditing

Role profile audits cover changes to role profile attributes, role administrators, and direct subroles.

6.4.1 Data Collected for Audits

Unlike user profile auditing, role profile auditing has no independent audit level. Instead, the audit level defined for user profile auditing is used, and role profile auditing takes place only if that level is Membership or a level higher than Membership. By default, user profile auditing is enabled and the audit level is set to Resource Form when you install Oracle Identity Manager. Because Resource Form is higher than Membership, role profile auditing is also enabled by default.
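The following Python helper, added here and not part of Oracle's documentation, encodes the audit-level ordering from "Audit Levels" together with the two minimums this chapter states: Membership for role profile auditing (this section) and Resource Form for attestation of form data ("Data Collected for Audits"). It validates a proposed XL.UserProfileAuditDataCollection value case-sensitively, lists the levels that value implies, and reports whether each dependent feature is covered; the function names and the REQUIREMENTS mapping are my own.

```python
# Audit levels spelled exactly as Oracle Identity Manager expects them, lowest priority first.
# Configuring a level enables every level below it ("Membership" implies "Core", and so on).
AUDIT_LEVELS = ("None", "Core", "Membership", "Resource", "Resource Form", "Process Task")

# Minimum level this chapter states for each dependent feature (assumed mapping name).
REQUIREMENTS = {
    "role profile auditing": "Membership",       # Section 6.4.1
    "attestation of form data": "Resource Form",  # Section 6.3.1
}

def validate_level(value):
    """Validate a value for XL.UserProfileAuditDataCollection.
    The property is case-sensitive, so 'resource form' is rejected with a hint
    instead of being silently treated as 'Resource Form'."""
    if value in AUDIT_LEVELS:
        return value
    same_ignoring_case = [lvl for lvl in AUDIT_LEVELS if lvl.lower() == value.strip().lower()]
    if same_ignoring_case:
        raise ValueError(f"audit level is case-sensitive: use {same_ignoring_case[0]!r}, "
                         f"not {value!r}")
    raise ValueError(f"unknown audit level {value!r}; valid values: {', '.join(AUDIT_LEVELS)}")

def enabled_levels(value):
    """Return the levels active for a configured value, lowest first.
    'None' is omitted because that level stores no audit data at all."""
    rank = AUDIT_LEVELS.index(validate_level(value))
    return list(AUDIT_LEVELS[1:rank + 1])

def feature_status(value):
    """Map each dependent feature to whether the configured level meets its minimum."""
    rank = AUDIT_LEVELS.index(validate_level(value))
    return {feature: rank >= AUDIT_LEVELS.index(minimum)
            for feature, minimum in REQUIREMENTS.items()}

def is_valid_level(value):
    """True only for an exact, correctly cased audit level string."""
    try:
        validate_level(value)
        return True
    except ValueError:
        return False
```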

6.4.1.1 Capture and Archiving of Role Profile Audit Data

Each time a role profile changes, Oracle Identity Manager takes a snapshot of the role profile and stores the snapshot in an audit table in the database.

Oracle Identity Manager generates a snapshot when an audit is created for a role, even if an initial snapshot is missing. The current snapshot is treated as the initial snapshot.

The following are the components of a role profile and the tables that constitute these components:

  • User role record: UGP table, including all UDFs for roles

  • Subrole information: GPG table

6.4.1.2 Storage of Snapshots

When Oracle Identity Manager takes a snapshot of a role profile, it stores the snapshot in a GPA table. The structure of this table is as described in Table 6-2.

Table 6-2 Definition of the GPA Table

Each entry lists the column, its data type, and its description:

  • GPA_KEY, NUMBER (19,0): Key for the audit record

  • UGP_KEY, NUMBER (19,0): Key for the role whose role snapshot is recorded

  • EFF_FROM_DATE, TIMESTAMP (6): Date and time at which the snapshot entry became effective

  • EFF_TO_DATE, TIMESTAMP (6): Date and time at which the snapshot entry was no longer effective

    In other words, this is the date and time at which the next snapshot entry was created. For the entry representing the latest role profile, the To Date column value is set to NULL.

  • SRC, VARCHAR2 (4000): Source of the entry, User ID of the user responsible for the change, and the API used to carry out the change

  • SNAPSHOT, CLOB: XML representation of the snapshot

  • DELTAS, CLOB: XML representation of old and new values corresponding to a change made to the snapshot

  • SIGNATURE, CLOB: Can be used to store a digital signature for the snapshot (for nonrepudiation purposes)

6.4.1.3 Trigger for Taking Snapshots

When any data element in the role profile snapshot changes, Oracle Identity Manager creates a snapshot.

The creation of role profile snapshots is triggered by events that result in changes in any of the following:

  • Role profile data

  • Subrole information