Oracle® Identity Manager Audit Report Developer's Guide Release 9.1.0 Part Number E10365-03
User profile audits cover changes to user profile attributes, user membership, resource provisioning, access policies, and resource forms.
This chapter discusses the following topics:
By default, user profile auditing is enabled and the auditing level is set to Resource Form when you install Oracle Identity Manager with the Audit and Compliance module. This auditing level is the minimum level required for attestation of form data.

You configure the audit level in the System Properties page of the Design Console by using the XL.UserProfileAuditDataCollection keyword.
See Also:

- The "Audit Levels" section for more information about audit levels
- The "System Properties" section in Oracle Identity Manager Design Console Guide for information about the XL.UserProfileAuditDataCollection keyword
This section discusses the following topics:
Each time a user profile changes, Oracle Identity Manager takes a snapshot of the user profile and stores the snapshot in an audit table in the database.
If a user profile changes in a way that must be audited but no initial snapshot exists, a snapshot is generated at that point and is treated as the initial snapshot.
The following are the components of a user profile and the tables that store these components:

- User Record: USR table, including all User Defined Fields (UDFs)
- User Group Membership: USG, UGP, and RUL tables

  Note: When you change a group name by using the Administrative and User Console, the User Profile Audit (UPA) tables in the database are not updated with the change until the next snapshot of the user.

- User Policy Profile: UPP and UPD tables
- User Resource Profile: This component can be divided into the following subcomponents:
  - User Resource Instance: OIU, OBI, OST, and OBJ tables
  - Resource Lifecycle (Provisioning) Process: ORC, PKG, TOS, STA, OSI, SCH, and MIL tables
  - Resource State (Process) Form: All tables that have names starting with UD_ (including child tables)
Oracle Identity Manager stores snapshots and changes to snapshots as XML in the UPA table. The following sections describe the XML representation of snapshots and changes to snapshots of user profiles.
The following elements constitute the XML representation of a user profile snapshot:

- UserProfileSnapshot: This is the topmost element in the XML representation. It carries a user key and a version for each XML entry. The remaining elements in this list are child elements of the UserProfileSnapshot element.
- UserInfo: This element contains general information about the user profile.
- GroupMembership: This element contains information about group membership of the user.
- PolicyProfile: This element contains information about the policy that allowed the provisioning of a specific resource to the user.
- ResourceProfile: This element contains one ResourceInstance element per resource provisioned to the user. As Example 3-1 shows, a ResourceInstance carries the attributes of the instance (object name, status, how and by whom it was provisioned) together with ObjectData and ProcessData child elements, each holding a Parent form and its Children, with the form table name in FormInfo and the field values in Data.
Example 3-1 is the XML representation of a sample user profile snapshot.

Example 3-1 XML Representation of a User Profile Snapshot

```xml
<?xml version="1.0" encoding="UTF-8"?>
<UserProfileSnapshot key="202" version="1.0">
  <UserInfo>
    <Attribute name="Users.First Name">Testing02First</Attribute>
    <Attribute name="Users.Role">Full-Time</Attribute>
    <Attribute name="Users.Disable User">0</Attribute>
    <Attribute name="Users.Email">john.doe@acmetech.com</Attribute>
    <Attribute name="Users.Status">Active</Attribute>
    <Attribute name="Users.Update Date">2007-01-05 17:12:25.181</Attribute>
    <Attribute name="Users.User ID">TESTING02USER9</Attribute>
    <Attribute name="Users.Xellerate Type">End-User</Attribute>
    <Attribute name="Users.Last Name">Testing02Last</Attribute>
    <Attribute name="Users.Provisioned Date">2007-01-05 17:11:56.868</Attribute>
    <Attribute encrypted="true" name="Users.Password" password="true">8YxO3YSKDXJLmcsKeZhUSw==</Attribute>
    <Attribute name="Users.Creation Date">2007-01-05 17:11:56.868</Attribute>
    <Attribute name="Users.Lock User">0</Attribute>
    <Attribute key="1" name="Users.Updated By Login">XELSYSADM</Attribute>
    <Attribute name="Users.Password Reset Attempts Counter">0</Attribute>
    <Attribute key="1" name="Organizations.Organization Name">Xellerate Users</Attribute>
    <Attribute name="Users.Login Attempts Counter">0</Attribute>
    <Attribute key="1" name="Users.Created By Login">XELSYSADM</Attribute>
  </UserInfo>
  <GroupMembership>
    <Group key="3">
      <Attribute name="Groups-Users.Creation Date">2007-01-05 17:12:30.299</Attribute>
      <Attribute name="Groups-Users.Update Date">2007-01-05 17:12:30.299</Attribute>
      <Attribute name="Groups-Users.Membership Status">Active</Attribute>
      <Attribute key="1" name="Groups-Users.Updated By Login">XELSYSADM</Attribute>
      <Attribute name="Groups-Users.Membership Type">Direct</Attribute>
      <Attribute key="3" name="Groups.Group Name">ALL USERS</Attribute>
      <Attribute key="1" name="Groups-Users.Created By Login">XELSYSADM</Attribute>
    </Group>
  </GroupMembership>
  <PolicyProfile>
    <Policy key="1">
      <Attribute name="UPD_ALLOW_LIST">Res2</Attribute>
      <Attribute name="Access Policies.Key">1</Attribute>
      <Attribute name="Access Policies.Name">AP2</Attribute>
    </Policy>
  </PolicyProfile>
  <ResourceProfile>
    <ResourceInstance key="57">
      <Attribute name="Users-Object Instance For User.Creation Date">2007-01-05 17:12:36.599</Attribute>
      <Attribute key="45" name="Objects.Object Status.Status">Enabled</Attribute>
      <Attribute key="1" name="Access Policies.Name">AP2</Attribute>
      <Attribute key="6" name="Objects.Name">Res2</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By Method">Access Policy</Attribute>
      <Attribute key="1" name="Users-Object Instance For User.Provisioned By Login">XELSYSADM</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By ID">1</Attribute>
      <Attribute key="AP2" name="Access Policies.Key">1</Attribute>
      <ObjectData>
        <Parent key="7">
          <FormInfo>
            <Attribute key="7" name="Structure Utility.Table Name">UD_PRC_PP</Attribute>
            <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
          </FormInfo>
          <Data key="162">
            <Attribute name="UD_PRC_PP_A">xxxxxxxxxx</Attribute>
          </Data>
        </Parent>
        <Children>
          <Child key="10">
            <FormInfo>
              <Attribute key="10" name="Structure Utility.Table Name">UD_PRC_CF</Attribute>
              <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
            </FormInfo>
            <Data key="162">
              <Attribute name="UD_PRC_CF_B">yyyyyyyyyy</Attribute>
            </Data>
          </Child>
        </Children>
      </ObjectData>
      <ProcessData>
        <Parent key="8">
          <FormInfo>
            <Attribute key="8" name="Structure Utility.Table Name">UD_RES2_PP</Attribute>
            <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
          </FormInfo>
          <Data key="54">
            <Attribute name="UD_RES2_PP_B">some_value1</Attribute>
            <Attribute name="UD_RES2_PP_A">some_value2</Attribute>
            <Attribute key="1" name="Access Policies.Name">AP2</Attribute>
          </Data>
        </Parent>
        <Children>
          <Child key="9">
            <FormInfo>
              <Attribute key="9" name="Structure Utility.Table Name">UD_RES2_CP</Attribute>
              <Attribute key="0" name="Structure Utility.Structure Utility Version Label.Version Label">Initial Version</Attribute>
            </FormInfo>
            <Data key="63">
              <Attribute name="UD_RES2_CP_C">Entry1C</Attribute>
              <Attribute name="UD_RES2_CP_D">Entry1D</Attribute>
              <Attribute key="1" name="Access Policies.Name">AP2</Attribute>
            </Data>
          </Child>
        </Children>
      </ProcessData>
    </ResourceInstance>
    <ResourceInstance key="74">
      <Attribute name="Users-Object Instance For User.Creation Date">2007-01-05 17:22:37.597</Attribute>
      <Attribute key="33" name="Objects.Object Status.Status">Provisioning</Attribute>
      <Attribute key="5" name="Objects.Name">Res1</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By Method">Direct Provision</Attribute>
      <Attribute key="1" name="Users-Object Instance For User.Provisioned By Login">XELSYSADM</Attribute>
      <Attribute name="Users-Object Instance For User.Provisioned By ID">XELSYSADM</Attribute>
    </ResourceInstance>
  </ResourceProfile>
</UserProfileSnapshot>
```
Changes to the snapshot are stored in XML format. This XML information describes all changes that affect user profile attributes for a given transaction and the reason those changes were made.
The topmost element in this XML representation is Changes. Each change made during a particular transaction is described in a Change element, and a Changes element may contain multiple Change elements. The following are attributes of the Change element:

- reason: This attribute holds the reason for the change in the user profile data.
- reasonKey: This attribute holds the key of the entity or the process that brought about the change in the user profile data.
- where: This attribute holds the location of the change, expressed as a path into the UserProfileSnapshot XML (for example, /UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74'] in Example 3-2).
- action: This attribute specifies whether the change is an insert, an update, or a delete. The values are insert, update, and delete, respectively.
- order: This attribute specifies the order of the Change element in the delta when there is more than one Change element.
Table 3-1 lists all possible values of the reason and reasonKey attributes.

Table 3-1 Values of the reason and reasonKey Attributes for User Profile Auditing

reason Attribute Value | reasonKey Attribute Value | Description |
---|---|---|
 | Key of the reconciliation event | Change carried out through reconciliation |
 | Key of the access policy | Change carried out through a change in access policy |
 | Key of the request | Change carried out through a request |
 | Key of the user who performs direct provisioning | Change carried out through direct provisioning |
 | Key of the user who manually performs the change | Change carried out manually by a user |
 | Key of the Auto Group Membership rule | Change carried out because of an update to the Auto Group Membership rule |
 | Key of the adapter | Change carried out when an adapter was run |
 | Key of the user who performs the action that uses the API | Change carried out through an API |
 | Key of the user who performs the action that carries out the data object change | Change carried out at the data object level |
 | Key of the user who performs the offline processing action | Change carried out during offline processing |
 | Key of the event handler | Change carried out by the event handler |
 | Key of the attestation request | Change carried out through attestation |
 |  | Change that is not covered by any of the reason attribute values listed in this table |
Example 3-2 is the XML representation of changes to a sample user profile snapshot.

Example 3-2 XML Representation of Changes to a Sample User Profile Snapshot

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1"
          where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']">
    <Attribute name="Users-Object Instance For User.Creation Date">
      <OldValue/>
      <NewValue>2007-01-05 17:22:37.597</NewValue>
    </Attribute>
    <Attribute name="Objects.Object Status.Status">
      <OldValue key=""/>
      <NewValue key="35">Ready</NewValue>
    </Attribute>
    <Attribute name="Objects.Name">
      <OldValue key=""/>
      <NewValue key="5">Res1</NewValue>
    </Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By Method">
      <OldValue/>
      <NewValue>Direct Provision</NewValue>
    </Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By Login">
      <OldValue key=""/>
      <NewValue key="1">XELSYSADM</NewValue>
    </Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By ID">
      <OldValue/>
      <NewValue>XELSYSADM</NewValue>
    </Attribute>
  </Change>
  <Change action="update" order="2" reason="Manual" reasonKey="1"
          where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']">
    <Attribute name="Objects.Object Status.Status">
      <OldValue key="35">Ready</OldValue>
      <NewValue key="33">Provisioning</NewValue>
    </Attribute>
  </Change>
</Changes>
```
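The following added example (this editor's code, not part of the Oracle documentation) ties the snapshot format of Example 3-1 and the delta format of Example 3-2 together: it parses a snapshot, resolves each Change's where path against it, applies the changes in order, and refuses any delta whose OldValue does not match what the snapshot holds. The constructed snapshot is the shape of Example 3-1 before ResourceInstance 74 existed, and the Changes XML is Example 3-2 abridged to three of its attributes; the insert, update and delete semantics follow the text above, while treating a delete that lists no attributes as removal of the whole element is an assumption of this example.

```python
# Added example, not Oracle code: replay the Changes delta of Example 3-2 against a
# snapshot shaped like Example 3-1, refusing any Change whose OldValue disagrees with
# the snapshot.  Assumes the semantics the text gives (insert/update/delete, applied
# in @order, located by @where); whole-element removal for a delete that lists no
# attributes is an assumption of this example.
import xml.etree.ElementTree as ET

# Constructed: Example 3-1 as it looked before ResourceInstance 74 existed.
SNAPSHOT_XML = """<UserProfileSnapshot key="202" version="1.0">
  <UserInfo><Attribute name="Users.User ID">TESTING02USER9</Attribute></UserInfo>
  <ResourceProfile>
    <ResourceInstance key="57"><Attribute key="6" name="Objects.Name">Res2</Attribute></ResourceInstance>
  </ResourceProfile>
</UserProfileSnapshot>"""

# Example 3-2 from the page, abridged to three of the six inserted attributes.
WHERE_74 = "/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key='74']"
CHANGES_XML = f"""<Changes>
  <Change action="insert" order="1" reason="Manual" reasonKey="1" where="{WHERE_74}">
    <Attribute name="Objects.Object Status.Status"><OldValue key=""/><NewValue key="35">Ready</NewValue></Attribute>
    <Attribute name="Objects.Name"><OldValue key=""/><NewValue key="5">Res1</NewValue></Attribute>
    <Attribute name="Users-Object Instance For User.Provisioned By Method"><OldValue/><NewValue>Direct Provision</NewValue></Attribute>
  </Change>
  <Change action="update" order="2" reason="Manual" reasonKey="1" where="{WHERE_74}">
    <Attribute name="Objects.Object Status.Status"><OldValue key="35">Ready</OldValue><NewValue key="33">Provisioning</NewValue></Attribute>
  </Change>
</Changes>"""


def _value(elem):
    """(key, text) of an Attribute/OldValue/NewValue element; empty strings when absent."""
    return ("", "") if elem is None else (elem.get("key") or "", (elem.text or "").strip())


def _attr(elem, name):
    return next((a for a in elem.findall("Attribute") if a.get("name") == name), None)


def resolve_where(root, where):
    """Resolve an absolute @where path: (parent, target or None, tag, key) of its last step."""
    steps = where.strip("/").split("/")
    if steps[0] != root.tag or len(steps) < 2:
        raise ValueError(f"@where must name a descendant of {root.tag}: {where}")
    parent = root
    for step in steps[1:-1]:
        parent = parent.find(step)  # ElementTree accepts tag[@key='v'] predicates
        if parent is None:
            raise ValueError(f"path step {step!r} not found: {where}")
    tag, _, key = steps[-1].partition("[@key='")
    return parent, parent.find(steps[-1]), tag, key.rstrip("']") or None


def apply_change(root, change):
    """Apply one Change in place; raise ValueError if the delta and the snapshot disagree."""
    action, where = change.get("action"), change.get("where")
    if action not in ("insert", "update", "delete"):
        raise ValueError(f"unknown action {action!r}")
    parent, target, tag, key = resolve_where(root, where)
    attrs = change.findall("Attribute")
    if target is None:
        if action != "insert":
            raise ValueError(f"{action} targets a missing element: {where}")
        target = ET.SubElement(parent, tag)
        if key is not None:
            target.set("key", key)
    if action == "delete" and not attrs:
        parent.remove(target)  # assumption: no attributes listed means the whole element goes
        return
    for a in attrs:
        name = a.get("name")
        current = _attr(target, name)
        # The recorded OldValue must equal what the snapshot holds, or the delta is not trustworthy.
        if _value(current) != _value(a.find("OldValue")):
            raise ValueError(f"OldValue mismatch for {name!r} at {where}: snapshot has {_value(current)!r}")
        if action == "delete":
            if current is not None:
                target.remove(current)
            continue
        if current is None:
            current = ET.SubElement(target, "Attribute", name=name)
        new_key, new_text = _value(a.find("NewValue"))
        current.text = new_text
        if new_key:
            current.set("key", new_key)
        else:
            current.attrib.pop("key", None)


def replay(snapshot_xml, changes_xml):
    """Return the snapshot produced by applying every Change in @order."""
    root = ET.fromstring(snapshot_xml)
    changes = ET.fromstring(changes_xml).findall("Change")
    for change in sorted(changes, key=lambda c: int(c.get("order"))):
        apply_change(root, change)
    return root


def instance_attributes(root, key):
    """{name: (key, value)} for one ResourceInstance, or None if it is absent."""
    inst = root.find(f"ResourceProfile/ResourceInstance[@key='{key}']")
    return None if inst is None else {a.get("name"): _value(a) for a in inst.findall("Attribute")}


# What Example 3-1 records for ResourceInstance 74 once both changes are applied.
EXPECTED_INSTANCE_74 = {
    "Objects.Object Status.Status": ("33", "Provisioning"),
    "Objects.Name": ("5", "Res1"),
    "Users-Object Instance For User.Provisioned By Method": ("", "Direct Provision"),
}
```

Calling replay(SNAPSHOT_XML, CHANGES_XML) and reading back instance 74 with instance_attributes reproduces the values Example 3-1 records for it (status key 33, Provisioning), which is the consistency check worth running over the UPA table: the deltas of each row, replayed over the previous row's snapshot, should yield the row's own snapshot. A delta whose OldValue was edited after the fact fails the replay with ValueError instead of silently rewriting history.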
Information in this XML form is first stored in the UPA table and then stored in normalized form in the UPA_USR, UPA_FIELDS, UPA_RESOURCE, UPA_GRP_MEMBERSHIP, UPA_UD_FORMS, and UPA_UD_FORMFIELDS tables. Normalizing this data across multiple tables facilitates the retrieval of information for reporting purposes.
When Oracle Identity Manager takes a snapshot of a user profile, it stores the snapshot in the UPA table. The structure of the UPA table is described in Table 3-2.

Table 3-2 Definition of the UPA Table

Column | Data Type | Description |
---|---|---|
 | NUMBER (19,0) | Key for the audit record |
 | NUMBER (19,0) | Key for the user whose snapshot is recorded in this entry |
 | TIMESTAMP (6) | Date and time at which the snapshot entry became effective |
 | TIMESTAMP (6) | Date and time at which the snapshot entry was no longer effective; in other words, the date and time at which the next snapshot entry was created. For the entry representing the latest user profile, the To Date column value is set to |
 | CLOB | XML representation of the snapshot |
 | CLOB | XML representation of old and new values corresponding to a change made to the snapshot |
 | VARCHAR2 (4000) | User ID of the user responsible for the change, and the API used to carry out the change |
 | CLOB | Can be used by customers to store a digital signature for the snapshot (for nonrepudiation purposes) |
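The last column of Table 3-2 is left to the customer. The following added example (this editor's code, not Oracle's, with column names that are assumptions of the example rather than names taken from the page) shows one way to fill it: each row's value covers the user key, the effective-from timestamp, the snapshot and delta XML byte for byte, and the previous row's value, so that editing a snapshot, swapping a delta, or deleting a row in the middle of a user's history is detected. It uses HMAC-SHA256 from the standard library, which needs a shared key and therefore gives integrity rather than non-repudiation; for the non-repudiation the page mentions, sign the same canonical bytes with a private key (RSA or ECDSA) and store that signature instead, and keep the key outside the database the audit engine writes to.

```python
# Added example, not Oracle code: tamper evidence for UPA rows via the customer
# signature column of Table 3-2.  Column names (usr_key, eff_from_date, snapshot,
# deltas, signature) are assumptions.  HMAC needs a shared key, so this gives
# integrity, not non-repudiation; swap sign_row for an asymmetric signature over
# the same canonical bytes when non-repudiation is the goal.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain link for the first row of a user's history (assumption)


def canonical_bytes(row, prev_signature):
    """Unambiguous encoding of the protected fields.  The XML CLOBs are covered
    byte-exact rather than re-serialised, so even whitespace edits are detected."""
    payload = {
        "usr_key": row["usr_key"],
        "eff_from_date": row["eff_from_date"],
        "snapshot": row["snapshot"],
        "deltas": row["deltas"],
        "prev": prev_signature,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_row(key, row, prev_signature):
    return hmac.new(key, canonical_bytes(row, prev_signature), hashlib.sha256).hexdigest()


def sign_chain(key, rows):
    """Fill in the signature column for one user's rows, ordered by eff_from_date."""
    prev = GENESIS
    for row in rows:
        row["signature"] = sign_row(key, row, prev)
        prev = row["signature"]
    return rows


def verify_chain(key, rows):
    """Index of the first row whose signature or chain link fails, or -1 if all verify."""
    prev = GENESIS
    for i, row in enumerate(rows):
        expected = sign_row(key, row, prev)
        if not hmac.compare_digest(expected, row.get("signature", "")):
            return i
        prev = row["signature"]
    return -1


def sample_rows():
    """Constructed rows for user 202: an initial snapshot, then the insert of Example 3-2."""
    snap1 = '<UserProfileSnapshot key="202" version="1.0"><UserInfo/><ResourceProfile/></UserProfileSnapshot>'
    snap2 = ('<UserProfileSnapshot key="202" version="1.0"><UserInfo/><ResourceProfile>'
             '<ResourceInstance key="74"/></ResourceProfile></UserProfileSnapshot>')
    delta2 = ('<Changes><Change action="insert" order="1" reason="Manual" reasonKey="1" '
              'where="/UserProfileSnapshot/ResourceProfile/ResourceInstance[@key=\'74\']"/></Changes>')
    return [
        {"usr_key": 202, "eff_from_date": "2007-01-05 17:11:56.868", "snapshot": snap1, "deltas": ""},
        {"usr_key": 202, "eff_from_date": "2007-01-05 17:22:37.597", "snapshot": snap2, "deltas": delta2},
        {"usr_key": 202, "eff_from_date": "2007-01-06 09:00:00.000", "snapshot": snap2, "deltas": ""},
    ]


KEY = b"demo-key-keep-it-in-an-HSM-or-KMS-not-in-the-database"  # constructed demo key


def demo():
    """Sign a chain, then show that editing a snapshot and deleting a row are both caught."""
    rows = sign_chain(KEY, sample_rows())
    assert verify_chain(KEY, rows) == -1
    rows[1]["snapshot"] = rows[1]["snapshot"].replace('key="74"', 'key="75"')
    assert verify_chain(KEY, rows) == 1          # edited row fails its own signature
    rows = sign_chain(KEY, sample_rows())
    del rows[1]                                   # silently drop the middle row
    assert verify_chain(KEY, rows) == 1          # the next row's chain link now dangles
    return True
```

Run verify_chain per user over rows ordered by the effective-from timestamp; a non-negative result is the first row to investigate. The chain catches deletion and reordering only because each row commits to its predecessor, which a per-row signature alone would not.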
When any data element in a user profile changes, Oracle Identity Manager creates a snapshot. The following events trigger the creation of a user profile snapshot:

- Modification of any kind to the user record (for example, through reconciliation and direct provisioning)
- Group membership change for the user
- Changes in the policies that apply to the user
- Provisioning a resource to the user
- Deprovisioning of a resource for the user
- Any provisioning-related event for a provisioned resource:
  - Resource status change
  - Addition of provisioning tasks to the provisioning process
  - Updates to provisioning tasks in the provisioning process (for example, status changes and escalations)
  - Creation of or updates to Process Form data
  - Creation of or updates to Object Form data
The user profile auditor has an internal post-processor that normalizes the snapshot XML into the reporting tables: UPA_USR, UPA_FIELDS, UPA_GRP_MEMBERSHIP, UPA_RESOURCE, UPA_UD_FORMS, and UPA_UD_FORMFIELDS. These tables are used by the reporting module to generate the appropriate reports.
User profile audits use the following tables in the database:

The UPA table is the main table and stores all the snapshots and changes made to the user profiles. The audit engine reads data from the UPA table and normalizes it across the following reporting tables:

- UPA_FIELDS: This table stores user profile information in a vertical format (one row per field). It holds more information than the UPA_USR table; for instance, UD fields and other fields that are not available in UPA_USR are stored here.
- UPA_GRP_MEMBERSHIP: This table contains group membership for all the users in the system, including when a user was added to and removed from a group.
- UPA_RESOURCE: This table records the provisioned resources and the changes in status of each resource. It does not include any form table information.
- UPA_UD_FORMS: Along with the UPA_UD_FORMFIELDS table, this table contains information about changes to the resource and process forms. It records which form tables were changed; the actual field changes are stored in the UPA_UD_FORMFIELDS table.
- UPA_UD_FORMFIELDS: This table stores the names of the form fields that were changed and the old and new values of those fields. Whenever a form field changes, a new row is inserted in this table to reflect the change.

Note: The UPA_UD_FORMS and UPA_UD_FORMFIELDS tables are populated only if the XL.EnableExceptionReports system configuration property is set to TRUE. For more information about this property, see "Exception Reports".