The Logging Service lets you plug in a class that decides whether each LogRecord is written or discarded. The decision is based on whether the owner of the session token under which the event is being logged is authorized to write to that log.
The plug-in implements the IAuthorizer interface, whose authorization method receives the SSOToken and the LogRecord being written.
There are several ways to make that decision. Two approaches are described below.
One approach is to obtain the role or DN of the user from the SSOToken and check it against a preconfigured (or hardcoded) list of roles or users that are allowed to write to the log.
For this to work, the administrator must create a role and assign to it every policy agent and every other entity, such as an application, that can log in to Access Manager and write log records.
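The following is an added example of the allowlist approach, not code from the Access Manager product or its documentation. It assumes IAuthorizer exposes a method taking the SSOToken and the LogRecord, as described above (verify the method name against the javadoc of your release), that the AM SDK classes AMStoreConnection and AMUser are available for role lookup, and that the DNs and the role name are placeholders for values an administrator would configure.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.logging.LogRecord;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

import com.iplanet.am.sdk.AMException;
import com.iplanet.am.sdk.AMStoreConnection;
import com.iplanet.am.sdk.AMUser;
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.log.spi.IAuthorizer;

/**
 * Log authorizer that admits a LogRecord only when the session owner is
 * either on a fixed allowlist of user DNs or a member of the log-writer role.
 *
 * Assumption: IAuthorizer declares a method taking (SSOToken, LogRecord), as
 * this page describes; check the exact name against the release javadoc.
 */
public class AllowlistLogAuthorizer implements IAuthorizer {

    // Placeholder DNs; a deployment would load these from configuration.
    private static final Set<LdapName> ALLOWED_USERS = parseDns(
        "uid=amAdmin,ou=People,dc=example,dc=com",
        "uid=urlaccessagent,ou=People,dc=example,dc=com");

    // Placeholder for the role the administrator assigns to every agent and
    // application that is permitted to write log records.
    private static final LdapName LOG_WRITER_ROLE =
        parseDns("cn=LogWriters,dc=example,dc=com").iterator().next();

    public boolean isAuthorized(SSOToken token, LogRecord record) {
        if (token == null) {
            return false;                       // fail closed without a credential
        }
        try {
            // Never trust the contents of an expired or invalid token.
            if (!SSOTokenManager.getInstance().isValidToken(token)) {
                return false;
            }
            LdapName userDn = new LdapName(token.getPrincipal().getName());

            // 1. Direct allowlist hit. LdapName compares RDNs case-insensitively
            //    and ignores insignificant whitespace, which String.equals on
            //    raw DN strings does not.
            if (ALLOWED_USERS.contains(userDn)) {
                return true;
            }

            // 2. Role membership, looked up through the AM SDK (assumed API).
            AMStoreConnection store = new AMStoreConnection(token);
            AMUser user = store.getUser(userDn.toString());
            for (Object roleDn : user.getRoleDNs()) {
                if (LOG_WRITER_ROLE.equals(new LdapName((String) roleDn))) {
                    return true;
                }
            }
            return false;
        } catch (SSOException e) {
            return false;                       // fail closed on token errors
        } catch (AMException e) {
            return false;                       // fail closed on directory errors
        } catch (InvalidNameException e) {
            return false;                       // malformed DN: do not log
        }
    }

    // Parses configured DN strings once, so comparison uses normalized names.
    private static Set<LdapName> parseDns(String... dns) {
        Set<LdapName> out = new HashSet<LdapName>();
        for (String dn : dns) {
            try {
                out.add(new LdapName(dn));
            } catch (InvalidNameException e) {
                throw new IllegalArgumentException("bad DN in allowlist: " + dn, e);
            }
        }
        return out;
    }
}
```

Every error path returns false: a token that cannot be validated, a directory lookup that fails, or a DN that does not parse must discard the record rather than admit it, otherwise a transient fault in the directory becomes a way to write arbitrary records into the audit log.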
Another approach is to instantiate a PolicyEvaluator and call PolicyEvaluator.isAllowed(ssotoken, logname).
This requires defining a policy XML that models access to each log and registering it with Access Manager, so that the decision is made by the Policy Service instead of a list maintained in the plug-in.
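The following is an added example of the policy-based approach, not code from the Access Manager product or its documentation. It assumes the same (SSOToken, LogRecord) IAuthorizer method shape as above, uses the four-argument overload PolicyEvaluator.isAllowed(SSOToken, String resourceName, String actionName, Map env) rather than the two-argument form cited on this page (confirm which overloads your release provides), and treats the service type name, the action name, and the use of the logger name as the policy resource as assumptions that must match the policy XML you register.

```java
import java.util.Collections;
import java.util.Map;
import java.util.logging.LogRecord;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.log.spi.IAuthorizer;
import com.sun.identity.policy.PolicyEvaluator;
import com.sun.identity.policy.PolicyException;

/**
 * Log authorizer that delegates the decision to the Policy Service: a record
 * is written only if a registered policy allows the token owner to perform
 * the write action on the target log.
 */
public class PolicyLogAuthorizer implements IAuthorizer {

    // Service type the log-access policy is defined under, and the action the
    // policy grants. Both names are assumptions for this example and must match
    // the policy XML registered with Access Manager.
    private static final String LOG_SERVICE = "iPlanetAMLoggingService";
    private static final String WRITE_ACTION = "MODIFY";

    private final PolicyEvaluator evaluator;

    // One evaluator per authorizer instance; it is reused across records so
    // the policy cache is not rebuilt on every log call.
    public PolicyLogAuthorizer() throws SSOException, PolicyException {
        evaluator = new PolicyEvaluator(LOG_SERVICE);
    }

    public boolean isAuthorized(SSOToken token, LogRecord record) {
        if (token == null || record == null) {
            return false;                       // fail closed
        }
        try {
            // Reject expired or forged tokens before consulting policy.
            if (!SSOTokenManager.getInstance().isValidToken(token)) {
                return false;
            }
            // Assumption: the logger name is the log the record is destined
            // for (for example "amAuthentication.access") and is the resource
            // name the policy rules are written against.
            String logName = record.getLoggerName();
            if (logName == null || logName.length() == 0) {
                return false;
            }
            Map env = Collections.EMPTY_MAP;    // no environment conditions used
            return evaluator.isAllowed(token, logName, WRITE_ACTION, env);
        } catch (PolicyException e) {
            return false;                       // a failed lookup never grants
        } catch (SSOException e) {
            return false;
        }
    }
}
```

With this design, adding a new agent or application that may log is an administrative change to the policy's subjects rather than a code change to the plug-in, and the same policy can be inspected with the standard policy tools. The cost is a dependency on the Policy Service being reachable: if it is not, the authorizer above discards records, so monitor for that condition rather than relaxing the failure handling.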