Role Assignment Audit Report for OCI (Gen 2) Environments
Users with a Service Administrator role can use this API to generate a Role Assignment Audit Report of users with their pre-defined and application roles on OCI (Gen 2) Environments. This allows you to automate reporting on users role and application role assignments. The report shows all the changes made to the predefined role and application role assignments within the provided time frame. This report can be generated for the previous 90 days from the current date. You can download the report using the Download REST API.
This is an asynchronous job and uses the job status URI to determine if the operation is complete.
The presence of status -1 in the response indicates that the generation of the report is in progress. Use the job status URI to determine whether the generation of the report is complete. Any non-zero status except -1 indicates failure of generating the report.
The default retention period for audit data is 30 days; however, you can extend the retention period up to a maximum of 90 days from the Identity Console. If you want a longer duration of audit data, download a Role Assignment Audit Report and archive it.
This API is version v1.
Required Roles
Service Administrator or any EPM Cloud user assigned to the Identity Domain Administrator role. This command is applicable to OCI environments only.
Table 11-77 Role Assignment Audit Report for OCI (Gen 2) Environments
| Task | Request | REST Resource |
|---|---|---|
| Role Assignment Audit Report | POST |
|
| Role Assignment Audit Report Status | GET |
|
REST Resource
POST /interop/rest/security/{api_version}/roleassignmentauditreport
Note:
Before using the REST resources, you must understand how to access the REST resources and other important concepts. See Implementation Best Practices for EPM Cloud REST APIs. Using this REST API requires prerequisites. See Prerequisites.
The following table summarizes the request parameters.
Table 11-78 Parameters
| Name | Description | Type | Required | Default |
|---|---|---|---|---|
api_version |
Specific API version | Path | Yes | None |
from_date |
The start date for the report (in YYYY-MM-DD format) | Form | Yes | None |
to_date |
The end date for the report (in YYYY-MM-DD format) | Form | Yes | None |
filename |
CSV file where the report is to be populated, such as roleAssignmentAuditReport.csv | Form | Yes | None |
Response
Supported Media Types:
application/json
Sample Role Assignment Audit report
Information on deleted users who were previously assigned to predefined roles in the environment is listed with the display name (first and last name) of the user in the User Name column. In such cases, the Role column indicates the predefined role that the user had before the user's account was deleted. This change does not apply to application roles, if any, that were assigned to the deleted user; such assignments are shown with the User Login Name of the user. For an example, see the information in the red box in the following illustration.
````-
Table 11-79 Parameters
| Parameters | Description |
|---|---|
details |
In case of errors, details are published with the error string |
status |
See Migration Status Codes |
links |
Detailed information about the link |
href |
Links to API call |
action |
The HTTP call type |
rel |
Can be self and/or Job Status.
If set to Job Status, you can use the
href to get the status
|
data |
Parameters as key value pairs passed in the request |
Examples of Response Body
The following show examples of the response body in JSON format.
Response 1 example when job is in progress:
{
"links": [
{
"rel": "self",
"href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/roleassignmentauditreport",
"data": {
"jobType": "GENERATE_ROLE_ASSIGNMENT_AUDIT_REPORT",
"to_date": "<toDate>",
"filename": "<filename>",
"from_date": "<fromDate>"
},
"action": "POST"
},
{
"rel": "Job Status",
"href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/jobs/3023387588778806",
"data": null,
"action": "GET"
}
],
"details": null,
"status": -1,
"items": null
}
Response 2 example when job completes with errors:
{
"links": [
{
"data": {
"jobType": "GENERATE_ROLE_ASSIGNMENT_AUDIT_REPORT",
"from_date": " ",
"to_date": " ",
"filename": " "
},
"action": "POST",
"href": "https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/{api_version}/roleassignmentauditreport",
"rel": "self"
}
],
"status": 1,
"details": "EPMCSS-20678: Failed to generate Role Assignment Audit Report. Invalid or insufficient parameters specified. Provide all required parameters for the REST API. ",
"items": null
}
Response 3 example when job completes without errors:
{
"links": [
{
"data": null,
"action": "GET",
"href": " https://<SERVICE_NAME>-<TENANT_NAME>.<SERVICE_TYPE>.<dcX>.oraclecloud.com/interop/rest/security/<api_version>/jobs/<jobID>",
"rel": "self"
}
],
"status": 0,
"details": null,
"items": null
}
Example 11-37 Java Sample Code
Prerequisites: json.jar
Common Functions: See CSS Common Helper Functions for Java
public void generateRoleAssignmentAuditReport(String fromDate, String toDate,String fileName) {
try {
String url = this.serverUrl + "/interop/rest/security/" + apiVersion + "/roleassignmentauditreport";
Map<String, String> reqHeaders = new HashMap<String, String>();
reqHeaders.put("Authorization", "Basic " + DatatypeConverter
.printBase64Binary((this.userName + ":" + this.password).getBytes(Charset.defaultCharset())));
Map<String, String> reqParams = new HashMap<String, String>();
reqParams.put("from_date", fromDate);
reqParams.put("to_date", toDate);
reqParams.put("filename", fileName);
Map<String, String> restResult = CSSRESTHelper.callRestApi(new HashMap(), url, reqHeaders, reqParams,
"POST");
String jobStatus = CSSRESTHelper.getCSSRESTJobCompletionStatus(restResult, reqHeaders);
System.out.println(jobStatus);
} catch (Exception e) {
e.printStackTrace();
}
}
Example 11-38 Shell Script Sample code
Prerequisites: jq (http://stedolan.github.io/jq/download/linux64/jq)
Common Functions: See CSS Common Helper Functions for cURL
funcGenerateRoleAssignmentAuditReport() {
url="$SERVER_URL/interop/rest/security/$API_VERSION/roleassignmentauditreport"
params="from_date=$1&to_date=$2&filename=$3"
header="Content-Type: application/x-www-form-urlencoded;charset=UTF-8"
cssRESTAPI="generateRoleAssignmentAuditReport"
statusMessage=$(funcCSSRESTHelper "POST" "$url" "$header" "$USERNAME" "$PASSWORD" "$params" "$cssRESTAPI")
echo $statusMessage
}
Example 11-39 Groovy Sample Code
Common Functions: See CSS Common Helper Functions for Groovy
def generateRoleAssignmentAuditReport(from_date,to_date,fileName) {
String scenario = "Generating Role assignment audit report in " + fileName;
String params = "jobtype=GENERATE_ROLE_ASSIGNMENT_AUDIT_REPORT&from_date="+from_date+"&to_date="+to_date+"&filename="+ fileName;
def url = null;
def response = null;
try {
url = new URL(serverUrl + "/interop/rest/security/" + apiVersion + "/roleassignmentauditreport");
} catch (MalformedURLException e) {
println "Please enter a valid URL"
System.exit(0);
}
response = executeRequest(url, "POST", params, "application/x-www-form-urlencoded");
if (response != null) {
getJobStatus(getUrlFromResponse(scenario, response, "Job Status"), "GET");
}
}