Audit configuration is composed of one or more publishers and several predefined groups.
An audit group defines a subset of all audit events based on object types, actions, and action results. Each publisher is assigned one or more audit groups. By default, the repository publisher is assigned to all audit groups.
An audit publisher delivers audit events to a particular audit destination. The default repository publisher writes audit records into the repository. Each audit publisher may have implementation-specific options, and may have a text formatter assigned; text formatters provide a textual representation of audit events.
The Audit Configuration (#ID#Configuration:AuditConfiguration) object is defined in the sample/auditconfig.xml file. This configuration object has an extension that is a generic object.
At the top level, this configuration object has the following attributes:
The filterConfiguration attribute lists event groups, which are used to enable one or more events to pass through the event filter. Each group listed in the filterConfiguration attribute contains the attributes listed in Table 10–2.
Table 10–2 filterConfiguration Attributes
Example 10–5 illustrates the default Resource Management group.
```xml
<Object name='Resource Management'>
  <Attribute name='enabled' value='true'/>
  <Attribute name='displayName' value='UI_RESOURCE_MGMT_GROUP_DISPLAYNAME'/>
  <Attribute name='enabledEvents'>
    <List>
      <Object>
        <Attribute name='objectType' value='Resource'/>
        <Attribute name='actions' value='ALL'/>
        <Attribute name='results' value='ALL'/>
      </Object>
      <Object>
        <Attribute name='objectType' value='ResourceObject'/>
        <Attribute name='actions' value='ALL'/>
        <Attribute name='results' value='ALL'/>
      </Object>
    </List>
  </Attribute>
</Object>
```
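As an added illustration (not code from the page or the product), the following Python evaluates an audit event against filterConfiguration groups written in the object syntax of Example 10–5: a group must be enabled, and one of its enabledEvents entries must match the event's objectType, action and result, with ALL as the wildcard. The second and third groups, and the nested List-of-String form for actions and results, are constructed assumptions; the page itself only shows value='ALL'.

```python
import xml.etree.ElementTree as ET

# Constructed filterConfiguration in the sample/auditconfig.xml object syntax. The
# first group is the default Resource Management group from Example 10-5; the other
# two are constructed. A nested <List> of <String> for actions/results is an
# assumption: the page itself only shows value='ALL'.
FILTER_CONFIG = """<List>
 <Object name='Resource Management'><Attribute name='enabled' value='true'/>
  <Attribute name='enabledEvents'><List>
   <Object><Attribute name='objectType' value='Resource'/>
    <Attribute name='actions' value='ALL'/><Attribute name='results' value='ALL'/></Object>
   <Object><Attribute name='objectType' value='ResourceObject'/>
    <Attribute name='actions' value='ALL'/><Attribute name='results' value='ALL'/></Object>
  </List></Attribute></Object>
 <Object name='Role Failures'><Attribute name='enabled' value='true'/>
  <Attribute name='enabledEvents'><List>
   <Object><Attribute name='objectType' value='Role'/>
    <Attribute name='actions'><List><String>Delete</String><String>Modify</String></List></Attribute>
    <Attribute name='results'><List><String>Failure</String></List></Attribute></Object>
  </List></Attribute></Object>
 <Object name='Task Management'><Attribute name='enabled' value='false'/>
  <Attribute name='enabledEvents'><List>
   <Object><Attribute name='objectType' value='TaskInstance'/>
    <Attribute name='actions' value='ALL'/><Attribute name='results' value='ALL'/></Object>
  </List></Attribute></Object>
</List>"""

def _values(obj, name):
    """An Attribute's value(s) as a set; 'ALL' is the wildcard the page shows."""
    node = obj.find(f"Attribute[@name='{name}']")
    if node is None:
        return set()
    if node.get("value") is not None:
        return {node.get("value")}
    return {s.text for s in node.iterfind("List/String")}

def matching_groups(config_xml, object_type, action, result):
    """Enabled groups with an enabledEvents entry passing the event; [] means filtered out."""
    wanted = {"objectType": object_type, "actions": action, "results": result}
    hits = []
    for grp in ET.fromstring(config_xml).iterfind("Object"):
        if _values(grp, "enabled") != {"true"}:
            continue  # a disabled group passes nothing, whatever it lists
        for ev in grp.iterfind("Attribute[@name='enabledEvents']/List/Object"):
            if all("ALL" in _values(ev, k) or v in _values(ev, k) for k, v in wanted.items()):
                hits.append(grp.get("name"))
                break  # one matching entry is enough for this group
    return hits
```

An event that no enabled group passes never reaches a publisher, so a disabled group or a narrowed actions list is also the first place to look when expected audit records are missing.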
Identity Manager provides default audit event groups. These groups, and the events they enable, are described in the following sections:
You can configure audit event groups from the Audit Configuration page of the Identity Manager Administrator interface (Configure > Audit). See Configuring Audit Groups and Audit Events for instructions.
You can also configure successful or failed events for each group from the Audit Configuration page. The interface does not support adding or modifying the enabled events of a group, but you can do this from the Identity Manager debug pages (see The Identity Manager Debug Page).
Not every action that you can choose for an audit event group results in a log record. Also, selecting the “All Actions” option does not mean that all listed actions are available or possible for all audit event groups.
The Account Management group is enabled by default.

Table 10–3 Default Account Management Event Groups

| Type | Actions |
|---|---|
| Encryption Key | All Actions |
| Identity System Account | All Actions |
| Resource Account | Approve, Create, Delete, Disable, Enable, Modify, Reject, Rename, Unlock |
| Workflow Case | End Activity, End Process, End Workflow, Start Activity, Start Process, Start Workflow |
| User | Approve, Create, Delete, Disable, Enable, Modify, Reject, Rename |
The Changes Outside Identity Manager group is disabled by default.

Table 10–4 Changes Outside Identity Manager Event Groups and Events

| Type | Actions |
|---|---|
| ResourceAccount | NativeChange |
The Compliance Management group is enabled by default.

Table 10–5 Default Compliance Management Group Events

| Type | Actions |
|---|---|
| Audit Policy | All Actions |
| AccessScan | All Actions |
| ComplianceViolation | All Actions |
| Data Exporter | All Actions |
| UserEntitlement | Attestor Approved, Attestor Rejected, Remediation Requested, Rescan Requested, Terminate |
| Access Review Workflow | All Actions |
| Remediation Workflow | All Actions |
The Configuration Management group is enabled by default.

Table 10–6 Default Configuration Management Event Groups

| Type | Actions |
|---|---|
| Configuration | All Actions |
| UserForm | All Actions |
| Rule | All Actions |
| EmailTemplate | All Actions |
| LoginConfig | All Actions |
| Policy | All Actions |
| XmlData | Import |
| Log | All Actions |
The Event Management group is enabled by default.

Table 10–7 Default Event Management Event Groups

| Type | Actions |
|---|---|
| | Notify |
| TestNotification | Notify |
The Identity Manager Logins/Logoffs group is enabled by default.

Table 10–8 Default Identity Manager Logins/Logoffs Event Groups

| Type | Actions |
|---|---|
| User | Credentials Expired, Lock, Login, Logout, Unlock, Username Recovery |
The Password Management group is enabled by default.

Table 10–9 Default Password Management Event Groups and Events

| Type | Actions |
|---|---|
| Resource Account | Change Password, Reset Password |
The Resource Management group is enabled by default.

Table 10–10 Default Resource Management Event Groups and Events

| Type | Actions |
|---|---|
| Resource | All Actions |
| Resource Object | All Actions |
| ResourceForm | All Actions |
| ResourceAction | All Actions |
| AttrParse | All Actions |
| Workflow Case | End Activity, End Process, End Workflow, Start Activity, Start Process, Start Workflow |
The Role Management group is disabled by default.

Table 10–11 Default Role Management Event Groups and Events

| Type | Actions |
|---|---|
| Role | All Actions |
The Security Management group is enabled by default.

Table 10–12 Default Security Management Event Groups and Events

| Type | Actions |
|---|---|
| Capability | All Actions |
| EncryptionKey | All Actions |
| Organization | All Actions |
| Admin Role | All Actions |
The Service Provider group is enabled by default.

Table 10–13 Service Provider Event Groups and Events

| Type | Actions |
|---|---|
| Directory User | Challenge Response, Create, Delete, Modify, Post-Operation Callout, Pre-Operation Callout, Update Authentication Answers, Username Recovery |
The Task Management group is disabled by default.

Table 10–14 Task Management Event Groups and Events

| Type | Actions |
|---|---|
| TaskInstance | All Actions |
| TaskDefinition | All Actions |
| TaskSchedule | All Actions |
| TaskResult | All Actions |
| ProvisioningTask | All Actions |
Each new Type that you add to the com.waveset.object.Type class can be audited. A new Type must be assigned a unique two-character database key, which is stored in the database. All new Types are added to the various audit reporting interfaces. For a new Type to be logged to the database without being filtered, it must be added to an audit event group's enabledEvents attribute (as described for the enabledEvents attribute above).
There may be situations in which you want to audit something that does not have an associated com.waveset.object.Type, or where you want to represent an existing type with more granularity.
For example, the WSUser object stores all of the user’s account information in the repository. Instead of marking each event as a USER type, the auditing process splits the WSUser object into two different audit types (Resource Account and Identity Manager Account). Splitting the object in this way makes it easier to find specific account information in the audit log.
Add extended audit types by adding to the extendedObjects attribute. Each extended object must have the attributes listed in the following table.
Table 10–15 Extended Object Attributes

| Attribute | Type | Description |
|---|---|---|
| name | String | The name of the type, which is used when constructing AuditEvents and during event filtering. |
| displayName | String | A message catalog key that represents the name of the type. |
| logDbKey | String | Two-character database key to use when storing this object in the Log table. See Audit Log Database Mappings for reserved values. |
| supportedActions | List | Actions supported by the object type. This attribute is used when creating audit queries from the user interface. If this value is null, all actions are displayed as possible values to be queried for this object type. |
| mapsToType | String | (Optional) The name of the com.waveset.object.Type that maps to this type, if applicable. This attribute is used when attempting to resolve an object's organizational membership if it is not already specified on the event. |
| organizationalMembership | List | (Optional) A default list of organization IDs where events of this type should be placed, if they do not already have assigned organizational membership. |
All customer-specific keys should start with the # symbol to prevent duplicate keys when new internal keys are added.
Example 10–6 illustrates the extended-type Identity Manager Account.
```xml
<Object name='LighthouseAccount'>
  <Attribute name='displayName' value='LG_LIGHTHOUSE_ACCOUNT'/>
  <Attribute name='logDbKey' value='LA'/>
  <Attribute name='mapsToType' value='User'/>
  <Attribute name='supportedActions'>
    <List>
      <String>Disable</String>
      <String>Enable</String>
      <String>Create</String>
      <String>Modify</String>
      <String>Delete</String>
      <String>Rename</String>
    </List>
  </Attribute>
</Object>
```
Audit actions typically map to com.waveset.security.Right objects. When adding new Right objects, you must specify a unique two-character logDbKey, which will be stored in the database. You may encounter situations where there is no right to correspond to a particular action that must be audited. You can extend actions by adding them to the list of objects in the extendedActions attribute.
Each extendedActions object must include the attributes listed in Table 10–16.
Table 10–16 extendedAction Attributes

| Attribute | Type | Description |
|---|---|---|
| name | String | The name of the action, which is used when constructing AuditEvents and during event filtering. |
| displayName | String | A message catalog key that represents the name of the action. |
| logDbKey | String | Two-character database key to use when storing this action in the Log table. See Audit Log Database Mappings for reserved values. |
All customer-specific keys should start with the # symbol to prevent duplicate keys when new internal keys are added.
The following example illustrates adding an action for Logout.

```xml
<Object name='Logout'>
  <Attribute name='displayName' value='LG_LOGOUT'/>
  <Attribute name='logDbKey' value='LO'/>
</Object>
```
In addition to extending audit types and actions, you can add results. By default, there are two results: Success and Failure. You can extend results by adding them to the list of objects in the extendedResults attribute.
Each extendedResults object must include the attributes described in Table 10–17.
Table 10–17 extendedResults Attributes

| Attribute | Type | Description |
|---|---|---|
| name | String | The name of the result, which is used when setting the status on AuditEvents and during event filtering. |
| displayName | String | A message catalog key that represents the name of a result. |
| logDbKey | String | One-character database key to use when storing this result in the Log table. See the section titled Database Keys for reserved values. |
All customer-specific keys should use the range 0–9 to prevent duplicate keys when new internal keys are added.
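The logDbKey conventions for extended types, actions and results above (two-character keys starting with # for types and actions, one-character keys in 0–9 for results, and no collision with a key the product already uses or with another entry) can be checked before a customised auditconfig.xml is imported. This Python checker is an added example, not part of the page or the product; the reserved-key set is a placeholder standing in for the Audit Log Database Mappings list, and the customer entries are constructed.

```python
import xml.etree.ElementTree as ET

# Per extension list: required logDbKey length, and the page's convention for a
# customer-specific key (types/actions start with '#', results use 0-9).
RULES = {
    "extendedObjects": (2, lambda k: k.startswith("#")),
    "extendedActions": (2, lambda k: k.startswith("#")),
    "extendedResults": (1, lambda k: k.isdigit()),
}
# Keys the product already uses. Placeholder: the authoritative list is the "Audit Log
# Database Mappings" section, which this page does not reproduce. LA and LO are the
# shipped keys from the LighthouseAccount and Logout examples above.
RESERVED = {"extendedObjects": {"LA"}, "extendedActions": {"LO"}, "extendedResults": set()}

# Constructed customer additions in the auditconfig.xml object syntax (extension object only).
CUSTOMER_XML = """<Object>
 <Attribute name='extendedObjects'><List>
  <Object name='Badge'><Attribute name='logDbKey' value='LA'/></Object>
 </List></Attribute>
 <Attribute name='extendedActions'><List>
  <Object name='Escalate'><Attribute name='logDbKey' value='#E'/></Object>
  <Object name='Archive'><Attribute name='logDbKey' value='#ARC'/></Object>
  <Object name='Purge'><Attribute name='logDbKey' value='#E'/></Object>
 </List></Attribute>
 <Attribute name='extendedResults'><List>
  <Object name='Pending'><Attribute name='logDbKey' value='7'/></Object>
  <Object name='Skipped'><Attribute name='logDbKey' value='X'/></Object>
 </List></Attribute>
</Object>"""

def check_extension_keys(config_xml, reserved=RESERVED):
    """Return (section, object name, problem) for every violation of the rules above."""
    root, problems = ET.fromstring(config_xml), []
    for section, (length, is_customer) in RULES.items():
        used = {}  # logDbKey -> first object in this section that claimed it
        for obj in root.iterfind(f"Attribute[@name='{section}']/List/Object"):
            name, node = obj.get("name"), obj.find("Attribute[@name='logDbKey']")
            key = node.get("value") if node is not None else ""
            if len(key) != length:
                problems.append((section, name, f"logDbKey must be exactly {length} character(s)"))
                continue
            if key in reserved.get(section, ()):
                problems.append((section, name, f"logDbKey {key!r} is already used by the product"))
            elif not is_customer(key):
                problems.append((section, name, f"logDbKey {key!r} is outside the customer range"))
            if key in used:
                problems.append((section, name, f"logDbKey {key!r} duplicates {used[key]}"))
            used.setdefault(key, name)
    return problems
```

A duplicated or reserved key means two different types, actions or results are written to the Log table under the same key, so audit queries and reports can no longer tell them apart.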
Each item in the publishers list is a generic object. Each publisher object has the following attributes.
Table 10–18 publishers Attributes

| Attribute | Type | Description |
|---|---|---|
| class | String | The name of the publisher class. |
| displayName | String | A message catalog key that represents the name of the publisher. |
| description | String | A description of the publisher. |
| filters | List | A list of audit groups assigned to this publisher. |
| formatter | String | The name of the text formatter (if any). |
| options | List | A list of publisher options. These options are publisher specific; each item in the list is a map representation of PublisherOption. See sample/auditconfig.xml for examples. |