Oracle® Identity Manager Audit Report Developer's Guide
Release 9.1.0

Part Number E10365-03

4 Group Profile Auditing

Group profile audits cover changes to group profile attributes, group administrators, and direct subgroups.

This chapter discusses the following topics:

Data Collected for Audits

Unlike user auditing, group profile auditing has no audit level of its own. Instead, the audit levels defined for user profile auditing also govern group profile auditing: group profiles are audited only when the user profile audit level is Membership or a higher level. When you install Oracle Identity Manager, user profile auditing is enabled by default with the audit level set to Resource Form. Because Resource Form is higher than Membership, group profile auditing is therefore also enabled by default.

This section discusses the following topics:

Capture and Archiving of Group Profile Audit Data

Each time a group profile changes, Oracle Identity Manager takes a snapshot of the group profile and stores the snapshot in an audit table in the database.

Oracle Identity Manager generates a snapshot when an audit is created for a group, even if an initial snapshot is missing. The current snapshot is treated as the initial snapshot.

The following are the components of a group profile and the tables that constitute these components:

  • User Group Record: UGP table, including all UDFs for groups

  • User group administrators: GPP table

  • Subgroup information: GPG table

XML Representation of Snapshots and Changes to Snapshots

Oracle Identity Manager stores group snapshot data as XML in the Group Profile Audit (GPA) tables. The following sections describe the XML representation of snapshots and changes to snapshots:

XML Representation of Group Profile Snapshots

The following elements constitute the XML representation of a group profile snapshot:

  • GroupSnapshot

    This is the topmost element in the XML representation. This element contains a group key and a version for each XML entry. For a particular group profile, the value of the group key is fixed and the version number assigned to the snapshot is incremented by 1 for each new snapshot created for the group profile.

    The remaining elements in this list are child elements of the GroupSnapshot element.

  • GroupInfo

    This element contains general group profile information.

  • GroupAdmin

    This element contains information about group administrators.

  • Subgroups

    This element contains information about subgroups.

Example 4-1 is the XML representation of a sample group profile snapshot.

Example 4-1 XML Representation of a Group Profile Snapshot

<?xml version="1.0" encoding="UTF-8" ?>
<GroupSnapshot key="311" version="1.0">
  <GroupInfo>
    <Attribute name="Groups.Creation Date">2007-04-12 17:27:17.231</Attribute>
    <Attribute key="311" name="Groups.Group Name">TESTGROUP100</Attribute>
    <Attribute name="Groups.Update Date">2007-04-12 17:27:17.231</Attribute>
    <Attribute key="1" name="UGP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
    <Attribute key="1" name="UGP_CREATEBY_LOGIN">XELSYSADM</Attribute>
    <Attribute name="Groups.Group Status">Active</Attribute>
  </GroupInfo>
  <GroupAdmin>
    <Group key="1">
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Creation Date">2007-04-12 17:27:17.356</Attribute>
      <Attribute name="Groups.Key">311</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
      <Attribute name="Groups-Group Ownership.Update Date">2007-04-12 17:27:17.356</Attribute>
      <Attribute key="1" name="GPP_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="Groups.Group Name">SYSTEM ADMINISTRATORS</Attribute>
      <Attribute key="1" name="GPP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
    </Group>
    <Group key="312">
      <Attribute key="1" name="GPP_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="312" name="Groups.Group Name">ADMINGROUP1</Attribute>
      <Attribute key="1" name="GPP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
    </Group>
    <Group key="313">
      <Attribute key="1" name="GPP_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="313" name="Groups.Group Name">ADMINGROUP2</Attribute>
      <Attribute key="1" name="GPP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">0</Attribute>
    </Group>
  </GroupAdmin>
  <Subgroups>
    <Group key="314">
      <Attribute name="Groups-User Sub Groups.Creation Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute name="Groups-User Sub Groups.Update Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute key="1" name="GPG_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="GPG_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="314" name="Groups.Group Name">SUBGROUP100</Attribute>
    </Group>
    <Group key="315">
      <Attribute name="Groups-User Sub Groups.Creation Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute name="Groups-User Sub Groups.Update Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute key="1" name="GPG_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="GPG_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="315" name="Groups.Group Name">SUBGROUP101</Attribute>
    </Group>
    <Group key="316">
      <Attribute name="Groups-User Sub Groups.Creation Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute name="Groups-User Sub Groups.Update Date">2007-04-12 17:34:56.746</Attribute>
      <Attribute key="1" name="GPG_UPDATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="1" name="GPG_CREATEBY_LOGIN">XELSYSADM</Attribute>
      <Attribute key="316" name="Groups.Group Name">SUBGROUP102</Attribute>
    </Group>
  </Subgroups>
</GroupSnapshot>
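The snapshot structure above is regular enough to read programmatically, which is what an audit reviewer needs when checking, for instance, which administrator groups hold Delete rights over a group. The following is an added example, not Oracle's code: it parses a GroupSnapshot document into a plain dictionary using only the element and attribute names shown in Example 4-1, and the sample document embedded in it is a constructed, trimmed variant of that example rather than output captured from a live system.

```python
"""Parse an Oracle Identity Manager GroupSnapshot XML document.

Added example, not Oracle's code. It assumes only the element and
attribute names shown in Example 4-1 (GroupSnapshot, GroupInfo,
GroupAdmin, Subgroups, Group, Attribute, "Groups-Group Ownership.*").
"""
import xml.etree.ElementTree as ET

# Constructed sample snapshot: a trimmed variant of Example 4-1, not a capture.
SAMPLE_SNAPSHOT = """<?xml version="1.0" encoding="UTF-8"?>
<GroupSnapshot key="311" version="1.0">
  <GroupInfo>
    <Attribute key="311" name="Groups.Group Name">TESTGROUP100</Attribute>
    <Attribute name="Groups.Group Status">Active</Attribute>
    <Attribute key="1" name="UGP_UPDATEBY_LOGIN">XELSYSADM</Attribute>
  </GroupInfo>
  <GroupAdmin>
    <Group key="1">
      <Attribute key="1" name="Groups.Group Name">SYSTEM ADMINISTRATORS</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">1</Attribute>
    </Group>
    <Group key="313">
      <Attribute key="313" name="Groups.Group Name">ADMINGROUP2</Attribute>
      <Attribute name="Groups-Group Ownership.Write">1</Attribute>
      <Attribute name="Groups-Group Ownership.Delete">0</Attribute>
    </Group>
  </GroupAdmin>
  <Subgroups>
    <Group key="314">
      <Attribute key="314" name="Groups.Group Name">SUBGROUP100</Attribute>
    </Group>
  </Subgroups>
</GroupSnapshot>
"""


def _attributes(element):
    """Map Attribute name -> text for the direct Attribute children of element."""
    if element is None:
        return {}
    return {a.get("name"): (a.text or "") for a in element.findall("Attribute")}


def _groups(element):
    """Map Group key -> attribute dict for each Group child of element."""
    if element is None:
        return {}
    return {g.get("key"): _attributes(g) for g in element.findall("Group")}


def parse_snapshot(xml_text):
    """Turn a GroupSnapshot document into {key, version, info, admins, subgroups}."""
    root = ET.fromstring(xml_text)
    if root.tag != "GroupSnapshot":
        raise ValueError("root element is %r, expected GroupSnapshot" % root.tag)
    return {
        "key": root.get("key"),
        "version": root.get("version"),
        "info": _attributes(root.find("GroupInfo")),
        "admins": _groups(root.find("GroupAdmin")),
        "subgroups": _groups(root.find("Subgroups")),
    }


def admins_with_permission(snapshot, permission):
    """Sorted names of administrator groups whose 'Groups-Group Ownership.<permission>' flag is 1."""
    flag = "Groups-Group Ownership." + permission
    return sorted(
        attrs.get("Groups.Group Name", key)
        for key, attrs in snapshot["admins"].items()
        if attrs.get(flag) == "1"
    )


if __name__ == "__main__":
    snap = parse_snapshot(SAMPLE_SNAPSHOT)
    print("group", snap["info"]["Groups.Group Name"], "version", snap["version"])
    print("admins with Write :", admins_with_permission(snap, "Write"))
    print("admins with Delete:", admins_with_permission(snap, "Delete"))
```

The parser keeps the attribute names exactly as Oracle Identity Manager emits them (including the "Groups-Group Ownership." prefix) so that a review script can be checked against the raw SNAPSHOT column without a renaming layer in between.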

XML Representation of Changes to Group Profile Snapshots

Changes to the snapshot are stored in XML format in the DELTAS column of the GPA table. This XML information describes all changes that affect group profile attributes for a given transaction and the reason those changes were made.

The topmost element in this XML representation is Changes. Each change made during a particular transaction is described in a Change element. There may be multiple Change elements inside a Changes element. The following are attributes of the Change element:

  • reason

    This attribute holds the reason for the change in the user profile data.

  • reasonKey

    This attribute holds the key of the entity or the process that brought about the change in the user profile data.

  • where

    This attribute holds the location of the change.

  • action

    This attribute specifies whether the change is because of an insert, update, or a delete. The values are insert, update, and delete, respectively.

  • order

    This attribute specifies the position of the Change element within the delta when the delta contains more than one Change element.

Table 4-1 lists all possible values of the reason and reasonKey attributes.

Table 4-1 Values of the reason and reasonKey Attributes for Group Profile Auditing

| reason Attribute Value | reasonKey Attribute Value | Description |
|---|---|---|
| Reconciliation | Key of the reconciliation event (RCE_KEY value) | Change carried out through reconciliation |
| Access Policy | Key of the access policy (POL_KEY value) | Change carried out through a change in access policy |
| Request | Key of the request (REQ_KEY value) | Change carried out through a request |
| Direct Provision | Key of the user who performs direct provisioning (USR_KEY value) | Change carried out through direct provisioning |
| Manual | Key of the user who manually performs the change (USR_KEY value) | Change carried out manually by a user |
| Auto Group Membership | Key of the Auto Group Membership rule (RUL_KEY value) | Change carried out because of an update to the Auto Group Membership rule |
| Adapter | Key of the adapter (ADP_KEY value) | Change carried out when an adapter was run |
| API | Key of the user who performs the action that uses the API (USR_KEY value) | Change carried out through an API |
| Data Object | Key of the user who performs the action that carries out the data object change (USR_KEY value) | Change carried out at the data object level |
| Offline Processing | Key of the user who performs the offline processing action (USR_KEY value) | Change carried out during offline processing |
| Event Handler | Key of the event handler (EVT_KEY value) | Change carried out by the event handler |
| Attestation | Key of the attestation request (ATR_KEY value) | Change carried out through attestation |
| Unknown | 0 | Change that is not covered by any of the reason attribute values listed in this table |
| Regeneration | 0 | Delta created because the GenerateSnapshot script was run; the value of changeReasonKey is always 0 in this case |


Example 4-2 is the XML representation of changes to a sample group profile snapshot.

Example 4-2 XML Representation of Changes to a Sample Group Profile Snapshot

<?xml version="1.0" encoding="UTF-8" ?>
<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="GPG_UPDATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Creation Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.746</NewValue>
    </Attribute>
    <Attribute name="Groups.Key">
      <OldValue />
      <NewValue>311</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.746</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="314">SUBGROUP100</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="2" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="Groups-User Sub Groups.Creation Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.809</NewValue>
    </Attribute>
    <Attribute name="Groups.Key">
      <OldValue />
      <NewValue>311</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.809</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="3" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='315']">
    <Attribute name="GPG_UPDATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="315">SUBGROUP101</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="4" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="Groups-User Sub Groups.Creation Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.871</NewValue>
    </Attribute>
    <Attribute name="Groups.Key">
      <OldValue />
      <NewValue>311</NewValue>
    </Attribute>
    <Attribute name="Groups-User Sub Groups.Update Date">
      <OldValue />
      <NewValue>2007-04-12 17:34:56.871</NewValue>
    </Attribute>
  </Change>
  <Change action="insert" order="5" reason="Manual" reasonKey="1" where="/GroupSnapshot/Subgroups/Group[@key='316']">
    <Attribute name="GPG_UPDATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="GPG_CREATEBY_LOGIN">
      <OldValue key="" />
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="316">SUBGROUP102</NewValue>
    </Attribute>
  </Change>
</Changes>
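The DELTAS XML carries everything a reviewer needs to attribute a change: what was done (action), by which path (reason and reasonKey), and where in the snapshot it landed (where). The following added example, which is not Oracle's code, reads a Changes document into a list of change records in order and then applies two review rules chosen for this example: a change whose where path lies under /GroupSnapshot/GroupAdmin alters who administers the group, and a change with reasonKey 0 (the Unknown and Regeneration rows of Table 4-1) has no attributable actor. The sample delta is constructed; the administrator change and the Unknown-reason deletion in it are invented to exercise those rules and do not appear in Example 4-2.

```python
"""Read the DELTAS XML of a GPA row and flag changes worth a reviewer's attention.

Added example, not Oracle's code. It assumes the Changes/Change/Attribute/
OldValue/NewValue structure and the Change attribute names of Example 4-2.
The two review rules (administrator changes, reasonKey 0) are this
example's own choice, not a rule from the product.
"""
import xml.etree.ElementTree as ET

# Constructed sample delta, not captured from a live system.
SAMPLE_DELTAS = """<?xml version="1.0" encoding="UTF-8"?>
<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1"
          where="/GroupSnapshot/Subgroups/Group[@key='314']">
    <Attribute name="Groups.Group Name">
      <OldValue key="" />
      <NewValue key="314">SUBGROUP100</NewValue>
    </Attribute>
  </Change>
  <Change action="update" order="2" reason="Manual" reasonKey="1"
          where="/GroupSnapshot/GroupAdmin/Group[@key='313']">
    <Attribute name="Groups-Group Ownership.Delete">
      <OldValue>0</OldValue>
      <NewValue>1</NewValue>
    </Attribute>
  </Change>
  <Change action="delete" order="3" reason="Unknown" reasonKey="0"
          where="/GroupSnapshot/Subgroups/Group[@key='315']">
    <Attribute name="Groups.Group Name">
      <OldValue key="315">SUBGROUP101</OldValue>
      <NewValue key="" />
    </Attribute>
  </Change>
</Changes>
"""


def _text(element):
    """Text of OldValue/NewValue, treating a missing or self-closing element as empty."""
    return "" if element is None or element.text is None else element.text


def parse_deltas(xml_text):
    """Return one dict per Change element, sorted by its order attribute."""
    root = ET.fromstring(xml_text)
    if root.tag != "Changes":
        raise ValueError("root element is %r, expected Changes" % root.tag)
    changes = []
    for ch in root.findall("Change"):
        attrs = {}
        for a in ch.findall("Attribute"):
            # Each Attribute records the old and new value of one snapshot field.
            attrs[a.get("name")] = (_text(a.find("OldValue")), _text(a.find("NewValue")))
        changes.append({
            "order": int(ch.get("order", "0")),
            "action": ch.get("action"),
            "reason": ch.get("reason"),
            "reasonKey": ch.get("reasonKey"),
            "where": ch.get("where") or "",
            "attributes": attrs,
        })
    return sorted(changes, key=lambda c: c["order"])


def review_changes(changes):
    """Return (order, finding) pairs for changes that match the review rules."""
    findings = []
    for c in changes:
        if c["where"].startswith("/GroupSnapshot/GroupAdmin"):
            findings.append((c["order"], "group administrator change: %s" % c["action"]))
        if c["reasonKey"] == "0":
            findings.append((c["order"], "no attributable actor (reason %s)" % c["reason"]))
    return findings


if __name__ == "__main__":
    changes = parse_deltas(SAMPLE_DELTAS)
    for c in changes:
        print(c["order"], c["action"], c["reason"], c["reasonKey"], c["where"])
        for name, (old, new) in c["attributes"].items():
            print("   ", name, repr(old), "->", repr(new))
    for order, finding in review_changes(changes):
        print("REVIEW change %d: %s" % (order, finding))
```

Because reasonKey is a key into a different table for each reason value (USR_KEY for Manual, RCE_KEY for Reconciliation, and so on), resolving the actor to a display name requires a lookup that depends on the reason value; the example deliberately keeps reasonKey as the raw string so that such a lookup can be layered on afterwards.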

Storage of Snapshots

When Oracle Identity Manager takes a snapshot of a group profile, it stores the snapshot in a GPA table. The structure of this table is as described in Table 4-2.

Table 4-2 Definition of the GPA Table

| Column | Data Type | Description |
|---|---|---|
| GPA_KEY | NUMBER (19,0) | Key for the audit record |
| UGP_KEY | NUMBER (19,0) | Key for the group whose group snapshot is recorded |
| EFF_FROM_DATE | TIMESTAMP (6) | Date and time at which the snapshot entry became effective |
| EFF_TO_DATE | TIMESTAMP (6) | Date and time at which the snapshot entry was no longer effective. In other words, this is the date and time at which the next snapshot entry was created. For the entry representing the latest user profile, the To Date column value is set to NULL. |
| SRC | VARCHAR2 (4000) | Source of the entry, which is the group name and the API used |
| SNAPSHOT | CLOB | XML representation of the snapshot |
| DELTAS | CLOB | XML representation of old and new values corresponding to a change made to the snapshot |
| SIGNATURE | CLOB | Can be used by customers to store a digital signature for the snapshot (for nonrepudiation purposes) |
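Table 4-2 fixes two invariants that an audit reviewer can check offline: consecutive rows for one group chain through EFF_TO_DATE and EFF_FROM_DATE with the latest row's EFF_TO_DATE NULL, and the SIGNATURE column is available for a customer-chosen signature over the stored XML. The following added example, not Oracle's code, represents GPA rows as Python dictionaries keyed by the column names of Table 4-2, fills SIGNATURE with an HMAC-SHA256 over SNAPSHOT and DELTAS (this example's own convention, since the product leaves the signature format to the customer), and walks a group's history checking the date chain, the version increment described under GroupSnapshot, and the signatures. The rows, timestamps, and signing key are constructed for the example.

```python
"""Integrity checks over the GPA rows of one group.

Added example, not Oracle's code. It assumes the GPA columns of Table 4-2
(UGP_KEY, EFF_FROM_DATE, EFF_TO_DATE, SNAPSHOT, DELTAS, SIGNATURE) and
uses an HMAC-SHA256 over SNAPSHOT and DELTAS as the SIGNATURE content,
which is this example's convention rather than a product format.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed signing key for the example; a deployment would keep the key in an HSM or vault.
SIGNING_KEY = b"example-key-not-for-production"


def sign_row(snapshot_xml, deltas_xml, key=SIGNING_KEY):
    """HMAC-SHA256 over SNAPSHOT and DELTAS, each length-prefixed so the fields cannot be confused."""
    msg = b"".join(
        len(f).to_bytes(4, "big") + f
        for f in (snapshot_xml.encode("utf-8"), deltas_xml.encode("utf-8"))
    )
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_row(ugp_key, eff_from, eff_to, snapshot_xml, deltas_xml):
    """Build one GPA row (as a dict) with its SIGNATURE filled in."""
    return {
        "UGP_KEY": ugp_key,
        "EFF_FROM_DATE": eff_from,
        "EFF_TO_DATE": eff_to,          # None stands for NULL
        "SNAPSHOT": snapshot_xml,
        "DELTAS": deltas_xml,
        "SIGNATURE": sign_row(snapshot_xml, deltas_xml),
    }


def _version(snapshot_xml):
    """Version attribute of the GroupSnapshot root, as a number."""
    return float(ET.fromstring(snapshot_xml).get("version"))


def check_history(rows, key=SIGNING_KEY):
    """Return a list of problems in one group's snapshot history; an empty list means consistent."""
    problems = []
    rows = sorted(rows, key=lambda r: r["EFF_FROM_DATE"])
    for i, r in enumerate(rows):
        expected = sign_row(r["SNAPSHOT"], r["DELTAS"], key)
        if not hmac.compare_digest(expected, r["SIGNATURE"]):
            problems.append("row %d: signature mismatch" % i)
        if i + 1 < len(rows):
            nxt = rows[i + 1]
            if r["EFF_TO_DATE"] != nxt["EFF_FROM_DATE"]:
                problems.append("row %d: EFF_TO_DATE does not match next EFF_FROM_DATE" % i)
            if _version(nxt["SNAPSHOT"]) != _version(r["SNAPSHOT"]) + 1:
                problems.append("row %d: version gap" % i)
        elif r["EFF_TO_DATE"] is not None:
            problems.append("row %d: latest snapshot has non-NULL EFF_TO_DATE" % i)
    return problems


def build_history():
    """Two constructed GPA rows for group 311: the initial snapshot and one later version."""
    t0 = datetime(2007, 4, 12, 17, 27, 17)
    t1 = t0 + timedelta(minutes=7)
    snap1 = ('<GroupSnapshot key="311" version="1.0"><GroupInfo>'
             '<Attribute name="Groups.Group Status">Active</Attribute>'
             '</GroupInfo></GroupSnapshot>')
    snap2 = snap1.replace('version="1.0"', 'version="2.0"').replace(
        "</GroupInfo>",
        '<Attribute name="Groups.Group Name">TESTGROUP100</Attribute></GroupInfo>')
    delta2 = ('<Changes><Change action="update" order="1" reason="Manual" '
              'reasonKey="1" where="/GroupSnapshot/GroupInfo"/></Changes>')
    return [make_row(311, t0, t1, snap1, ""), make_row(311, t1, None, snap2, delta2)]


if __name__ == "__main__":
    history = build_history()
    print("clean history problems:", check_history(history))
    tampered = [dict(r) for r in history]
    tampered[0]["SNAPSHOT"] = tampered[0]["SNAPSHOT"].replace("Active", "Disabled")
    print("tampered history problems:", check_history(tampered))
```

An HMAC proves that the stored XML has not changed since it was signed, but it does not give nonrepudiation in the strict sense, because anyone holding the key can produce a valid signature; where the SIGNATURE column is meant to bind the snapshot to a particular signer, an asymmetric signature with a key held only by that signer is the appropriate substitute for the HMAC used here.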


Trigger for Taking Snapshots

When any data element in the group profile snapshot changes, Oracle Identity Manager creates a snapshot.

The creation of group profile snapshots is triggered by events that result in changes in any of the following:

  • Group profile data

  • Subgroup information

  • Group administrators

Tables Used for Group Profile Auditing

The GPA table stores all the snapshots and changes made to the group profiles.