Tracking User, Authority, and Password Updates

Overview: Order Administration tracks updates to users, and user classes, and external payment service settings in the User Audit table, and tracks user password changes in the Password Audit table.

User Audit table: The User Audit table tracks activity that has taken place in creating or changing user records, user classes, and user authority. The table also tracks changes to external payment services. The activities that trigger updates to the User Audit table include:

Creating, changing, or deleting a user in Work with Users (WUSR), including updates to:
- Company authority
- Menu option authority
- Secured features
- Tickler group assignment
Creating, changing, or deleting a user classes in Work with User Classes (WUCL), including updates to:
- Company authority
- Menu option authority
- Secured feature authority
- Vendor authority
Changes to user or user class authority for order hold reasons (WOHR)
Changes to user or user class authority for return disposition value codes (WRDV)
Creating, changing, copying, or deleting a secured feature (WSYS or NSEC)
Updating a user’s email address (MUEE)
Updating a user’s default menu (pressing F17 at a menu screen)
Creating or changing information at the Work with External Service screen (WASV)
Deleting an active procedure (MACX)
Creating, changing, or deleting an inbound or outbound web service user or client ID, and password or client secret in Work with Web Service Authentication (WWSA)
Generating a client, updating access, updating a client secret, or refreshing the applications displayed at the Manage External Application Access page in Modern View (MEAA)

Reporting: Use the Print User Security Audit Reports (PUSA) menu option to generate reports of the activity tracked in the User Audit and Password Audit tables. Note that not all activity tracked in the User Audit table is included in these reports.

Purging the audit tables: The PURGEUA periodic function (Program name = PFR0215) purges User Audit and Password Audit records based on date.

Use the Parameter field for the periodic function to specify the number of days old a User Audit or Password Audit record must be to be eligible for purge. If the Parameter is blank or 0, records must be 365 days old to be eligible for purge.

In this topic:

User Audit Table Updates

The updates to the User Audit table, based on updates to users, user classes, and secured features, are described below. See the Fields Used by Updated Table (User Audit) for a listing of the fields updated in the User Audit table for each updated source table.

Field	Attributes	Description
Common Fields		The following fields are populated for all records in the User Audit table.
Change date	Numeric, 7 positions (CYY/MM/DD format)	The date when the change occurred. Always populated.
Change time	Numeric, 6 positions (HHMMSS format)	The time when the change occurred. Always populated.
B/A	Alphanumeric, 1 position	Indicates whether the record reflects: A = The record after the activity. B = The record before the activity. Change: A change to an existing record creates both an A and a B audit record. Addition: Creation of a new record creates just an A audit record. Deletion: Deletion of an existing record creates just a B audit record. Always populated.
Action	Alphanumeric, 1 position	The type of action that took place: A = add C = change D = delete E = edit access (used when you add or delete access through the Manage External Application Access option in Modern View (MEAA)) R = refresh (used when you select the Refresh option at the Manage External Application Access page in Modern View (MEAA)) S = regenerate secret (used when you regenerate a client secret through the Manage External Application Access option in Modern View (MEAA)) Always populated. Note: Creating a new user results in audit records for the User and Users tables, as well as the User Extended table if you specify an email address. Additional table updates take place as you work with different types of user authorization, such as assigning authority to a company and then setting that company as the user’s default.
Updated table	Alphanumeric, 25 positions	The table updated by the activity. See the Fields Used by Updated Table (User Audit) for a listing, including the activities that create each type of audit record and the included fields. All fields populated: All fields that are populated in the updated table are populated in the audit record. For example, a user record includes a default company and a default output queue. If you make any change to the user record, the default company and default output queue are included in the before and after records, even if these settings have not changed. However, the User Authority Change Report includes fields only if they have been updated. Also, the report does not include all types of updates. Certain activities update multiple tables: For example, deleting a user also deletes the User Extended record, the Auth User Company record, and other dependent records. Always populated.
Updated by user	Alphanumeric, 10 positions	The ID of the user who performed the activity. Always populated.
Updated by user name	Alphanumeric, 30 positions	The name of the user who performed the activity at the time of the update. From the User record. Always populated.
Authority changed	Alphanumeric, 10 positions	The record affected by the activity. Possible authority entries: a user ID when the user is created, changed, or deleted, or when an external payment service is changed a user class when the user class is created, changed, or deleted a secured feature code when the company-level secured feature is created, changed, or deleted Always populated except for records created when the updated table is Webservice Users, Webserviceout, and INT Cloud App Client.
Auth type	Alphanumeric, 1 position	The authority type affected by the activity. Possible types: U = user ID (this code is also used for external auth service updates) C = user class F = secured feature Always populated except for records created when the updated table is Webservice Users, Webserviceout, and INT Cloud App Client.
Name/ description	Alphanumeric, 30 positions	The name of the user, user class, or secured feature related to the activity. Always populated except for records created when the updated table is Webservice Users, Webserviceout, and INT Cloud App Client. User name: Populated with a user name by a change related to the user, when the Updated Table is User, Users, User Extended, Auth User Company, Auth User Feature, Auth User Menu Option, User Field Authority, or User Tickler Group. In the case of an External Payment Service update, this is the user who performs the update. From: the User name set up through the User Control screen available through Advance Commands if the activity updates the Users table, even if the update took place through the Work with Users option. Fields in the Users table but also accessible through the Work with Users option include: Advanced commands All jobs authority Status Rank the Name set up through Work with Users for any other activity related to the user. User class: Populated with the user class name by a change related to the user class, when the Updated Table is User Class, Auth User Class Company, Auth User Class Feature, Auth User Class Option, User Class Field Auth, or User Class Vend Auth. In this case, the Name/description is the same as the User class description. Secured feature: Populated with the secured feature description, when the Updated Table is Secured Feature. In this case, the Name/description is the same as the Secured feature description.
Before/after changes	Alphanumeric, 512 positions	Lists the settings of any changed fields: Before record: Lists the affected field settings before the activity. After record: Lists the affected field settings after the activity. Example: You changed the default company for a user from 12: After: Default Company: 3 Before: Default Company: 12 This information is listed on the User Authority Change Report or on the generated spreadsheet file if the information’s length exceeds the available space on the report. A Before record is not created as the result of a Refresh in Manage External Application Access (MEAA). Instead, there is just an After record, such as After: IDCS Refresh Applications job is executed by: FIRST.LAST. Note that the user name may be truncated.
Additional Fields		Each remaining field in the User Audit table is populated only if the corresponding source table includes the same field, and it is populated in the source table. For example, only the User table includes the CTI user type field, so this field can be populated in the User Audit table only for an audit record of a User record that has a CTI user type specified.
Company	Numeric, 3 positions	The Company related to the update. Populated for the following tables by: User: Changing or deleting a user if a Default company was assigned. Not populated by adding a user, because you first need to assign company authority for a user before setting the default company. Auth User Company: Changing a user’s company authority, or deleting a user who had company authority. When you delete a user with authority to multiple companies, a separate audit record is created for each authorized company. Auth User Feature: Adding or changing secured feature authority for a user. User Class: Adding, deleting, or changing the default company for a user class. Auth User Class Company: Adding or deleting company authority for a user class. Auth User Class Feature: Adding, changing, or deleting secured feature authority for a user class. Auth User Class Vendor Auth: Deleting authority to a vendor for a user class. Secure Feature: Creating, changing, or deleting a secured feature at the company level. User Field Authority: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user. User Class Field Auth: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user class. External Auth Service: Updating any settings at the Work with External Authorization Service screen. Updates that are not specific to a company, such as creating or updating web service users, have the company set to 0.
The following fields are populated only for User table updates, not for web service user updates.
CTI user	Alphanumeric, 1 position	The CTI user setting for the created, changed, or deleted user. Possible settings: Y = CTI user N = User does not have fast path authority Populated only for User table updates.
CTI user type	Alphanumeric, 1 position	The CTI user type setting for the created, changed, or deleted user. Optional field. Possible types: 1 = Receive inbound only 2 = Initiate outbound only 3 = Inbound and outbound Populated only for User table updates.
CTI default screen	Alphanumeric, 1 position	The CTI default screen setting for the created, changed, or deleted user. Optional field. Possible settings: 1 = Always display CTI screen 2 = Display CTI screen with call Populated only for User table updates.
CTI default phone ext	Alphanumeric, 4 positions	The CTI telephone extension setting for the created, changed, or deleted user. Optional field. Populated only for User table updates.
User class	Alphanumeric, 10 positions	Populated for the following tables by: User: Creating, updating, or deleting a user with a User class assigned. Optional field. User Class: Creating, updating, or deleting a user class. Auth User Class Company: Changing the company authority for a user class, or deleting a user class. Auth User Class Feature: Deleting or changing the feature authority for a user class. Auth User Class Option: Changing user class menu option authority, or deleting a user class. User Class Vendor Auth: Deleting vendor authority for a user class. User Class Field Auth: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user class.
User class description	Alphanumeric, 30 positions	The Description of the created, changed, or deleted user class. Populated only for User Class table updates.
Default authority	Alphanumeric, 8 positions	Possible settings are: ALLOW EXCLUDE *DISPLAY (menu option authority only) Populated for the following tables by: User: Creating, changing, or deleting a user. User Field Authority: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user. Auth User Feature: Adding or changing secured feature authority for a user. Auth User Menu Option: Adding, changing, or deleting menu option authority for a user. User Class Field Authority: Adding, changing, or deleting authority to a hold reason code or a return disposition value for a user class. Auth User Class Option: Adding, changing, or deleting menu option authority for a user class. Auth User Class Feature: Adding or changing secured feature authority for a user class. Secure Feature: Changing the default authority for a secured feature at the company level.
Log use	Alphanumeric, 1 position	The Log use setting for the created, changed, or deleted user. Optional field. Possible settings: Y = Log use N or blank = Do not log use Populated only for User table updates.
Security adm	Alphanumeric, 1 position	The Security administrator setting for the created, changed, or deleted user. Optional field. Possible settings: Y = Security administrator N or blank = Not a security administrator Populated only for User table updates.
Allow fast path	Alphanumeric, 1 position	The Fast path setting for the created, changed, or deleted user. Optional field. Possible settings: Y = User has fast path authority N or blank = User does not have fast path authority Populated only for User table updates.
Output queue	Alphanumeric, 10 positions	The default Output queue for the created, changed, or deleted user. Optional field. Populated only for User table updates.
Menu	Alphanumeric, 10 positions	The Default menu setting for the created, changed, or deleted user. Optional field. Populated only for User or User Class table updates.
Language	Alphanumeric, 3 positions	The Language for the created, changed, or deleted user. Optional field. Populated only for User table updates.
E-mail address	Alphanumeric, 50 positions	The user’s Email address. Populated only for User Extended table updates.
Secured feature	Alphanumeric, 3 positions	The code identifying the secured feature. Populated for the following tables by: Auth User Feature: Adding or changing secured feature authority for a user. Auth User Class Feature: Adding or changing secured feature authority for a user class. Secured Feature: Adding, changing, or deleting a secured feature at the company level.
Secured feature desc	Alphanumeric, 40 positions	The description of the secured feature. Populated only for Secured Feature updates.
Tickler grp ID	Alphanumeric, 10 positions	The code identifying the tickler group added to or deleted from the user. Populated only for User Tickler Group updates for a user.
Vendor#	Numeric, 7 positions	The vendor whose authority was changed for the user class. Populated only for User Class/Vendor Auth updates.
CPG program	Alphanumeric, 10 positions	Not currently implemented.
Hold reason	Alphanumeric, 2 positions	The code identifying a: hold reason code if the User field auth type is HR, or return disposition value if the User field auth type is RD Populated for the following tables by: User Field Authority: Creating, changing, or deleting user authority to a hold reason code or a return disposition value. User Class Field Authority: Creating, changing, or deleting user class authority a hold reason code or a return disposition value.
User field auth type	Alphanumeric, 2 positions	The code identifying the type of user field changed. Possible values: HR = hold reason code RD = return disposition value Populated for the following tables by: User Field Authority: Creating, changing, or deleting user authority to a hold reason code or a return disposition value. User Class Field Authority: Creating, changing, or deleting user class authority a hold reason code or a return disposition value.
Menu option	Alphanumeric, 4 positions	The Fast path identifying a menu option. Populated for the following tables by: Auth User Menu Option: Adding, changing, or deleting menu option authority for a user. Auth User Class Option: Adding, changing, or deleting menu option authority for a user class.
UDF seq#	Numeric, 5 positions	Not currently implemented.
Use LDAP	Alphanumeric, 1 position	Indicates if the user is flagged for LDAP authentication. This setting is always set to N since LDAP authentication is not currently implemented. Populated only for User table updates.
Domain	Alphanumeric, 10 positions	The domain to use for LDAP authentication. Populated only for User table updates. Not currently implemented.
LDAP name	Alphanumeric, 50 positions	The user name that matches the network user ID for network authentication. Used only for LDAP authentication, which is not currently implemented. Populated only for User table updates.
Locale	Alphanumeric, 2 positions	The two-position code identifying the user’s locale. Possible locales: de = German en = English es = Spanish fr = French it = Italian
Date Format	Alphanumeric, 3 positions	The three-position code identifying the date format for the user. Possible date formats: DMY = DDMMYY format MDY = MMDDYY format YMD = YYMMDD format Note: The current date format at the time of the change is included in the Before and After entries for each user change.
Rank	Numeric, 1 position	The user’s authority rank. Set to: `1` = the user can see and edit all other users through the User Control option (admin-level user authority). If the All jobs flag is selected, the user also has access to other users’ documents and forms at the Document Management and Form Management screens. Note: Assign this authority only to those users whose responsibilities require it. any value from `2` to `9` = the user can use the User Control screen only to change his or her own password if IDCS or OCI IAM is not in use, and has access to the documents and forms of other users (through the My Docs and My Forms options) only if those users share the same rank assignment and the All jobs flag is selected. For example, a user assigned to rank 5 has access to the forms of other users who are also assigned to rank 5. Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands.
Advanced command	Alphanumeric, 1 position	Set to: Y = user should has authority to the Advanced Commands option through My Docs, My Forms, or My Jobs N = the user does not have authority to the Advanced Commands option through My Docs, My Forms, or My Jobs Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands.
Password expired	Alphanumeric, 10 positions	Indicates when the password for a user expires when IDCS or OCI IAM is not enabled. Valid values are: *NO = the password does not expire; for security reasons, this setting is not recommended. expiration date in MM/DD/YYYY format = If the expiration date is on or earlier than the current date, then the next time the user logs in Order Administration advances directly to the Password Expired screen. The user will need to change the password before it is possible to advance to another screen. Populated only for Users table updates through either the Work with Users option or the User Control screen available through Advanced Commands.
All jobs authority	Alphanumeric, 1 position	Indicates the user’s authority to other users’ submitted jobs: Y = the user can see and has authority to all other users’ jobs. Note: Assign this authority only to those users whose responsibilities require it. If this flag is selected and the User rank is: 1: the user has access to all other users’ documents and forms. 2 through 9: the user has access to the documents and forms of other users of the same rank. N = the user can see and has authority only to the jobs, documents, and forms associated with the user’s own user ID. Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands.
Status	Alphanumeric, 10 positions	Indicates if the user has access to Order Administration. Possible settings: ENABLED = the user can use Order Administration. DISABLED = the user cannot use Order Administration. Populated only for Users table updates made either through the Work with Users option, or the User Control screen available through Advanced Commands.
Job Name	Alphanumeric, 200 positions	The code identifying the job whose active procedure was deleted. Used only when the updated table is Active Procedure.
Job Number	Numeric, 19 positions	The number identifying the active procedure that was deleted. Used only when the updated table is Active Procedure.

Fields Used by Updated Table (User Audit)

Fields for all audit records: All records in the User Audit table use the following fields:

Additional fields for different types of audit records: Additional fields used for the different possible updated tables are listed below:

Table	Fields	Ways to Update/Sample Report Entries
User	Authority changed Auth type Company CTI user CTI user type CTI default screen CTI default phone ext User class Default authority Log use Security adm Allow fast path Menu Language Name/ description Use LDAP Domain LDAP name Locale Date Format Note: Optional fields, such as the Output queue, CTI settings, and User class, may be blank for the audit record.	Work with Users (WUSR): Create Change Note: The User Audit table is updated only if a change is made Delete Press F17 from a menu screen to make the current menu the default Sample entries on the User Authority Change Report: Before: Menu: HOME2 After: Menu: HOME
Users	Authority changed Auth type Name/ description from Users table Rank Advanced command Password expired All jobs authority Status	Work with Users (WUSR): Create Change Note: The User Audit table is updated only if a change is made Delete The User Control screen available through Advance Commands Sample entries on the User Authority Change Report: Before: Rank: 9 After: Rank: 1
User Extended	Authority changed Auth type E-mail address Name/ description from User table	Work with Users (WUSR): Create Change ( Note: The User Audit table is updated only if a change is made Delete Update Email Address Domain (MUEE) Sample entries on the User Authority Change Report: Before: Email Address: After: Email Address: <EMAIL_ADD>
Auth User Company	Authority changed Auth type Company Name/ description from User table	WUSR: Company auth (any change) Delete Sample entry on the User Authority Change Report: After: User: USER_ID Company Authority: <CMP_NO>
Auth User Feature	Authority changed Auth type Company Note: This is the company that was active when you changed the function authority, even if the user does not have authority to the company. Default authority Secured feature Name/ description from User table	WUSR: Feature auth (any change) Delete Sample entry on the User Authority Change Report: After: User: USER_ID Feature: A01 Default Company: <CMP_NO> Default Authority: *ALLOW, where A01 identifies the secured feature, and the Default Company is the company where the feature authority was set
Auth User Menu Option	Authority changed Auth type Default authority Menu option Name/ description from User table	WUSR: Menu option auth (any change) Delete Sample entry on the User Authority Change Report: After: User: USER_ID Menu Option: DABJ Default Authority: *ALLOW
User Field Authority	Authority changed Auth type Company This is the company that was active when you changed the function authority, even if the user does not have authority to the company. Default authority Hold reason User field auth type Name/ description from User table	Work with Order Hold Reasons (WOHR): User release auth (any change) Work with Return Disposition Values (WRDV): User authority (any change) WUSR: Delete Sample entry on the User Authority Change Report: After: User: <USER_ID> Hold Reason: AT Type: HR Default Authority: *ALLOW
User Tickler Group	Authority changed Auth type Tickler grp ID Name/ description from User table	WUSR: Tickler group (assigning or deleting) Sample entry on the User Authority Change Report: After: User: <USER_ID> Tickler Group: BASIC
User Class	Authority changed Auth type Company User class Menu User class description Name/ description of the user class (same as the User class description) Note: Optional fields (the Output queue and Menu may be blank for the audit record.	Work with User Classes (WUCL): Create Change Note: The User Audit table is updated only if a change is made Delete Sample entries on the User Authority Change Report: Before: Default Company: 0 After: Default Company: 6
Auth User Class Company	Authority changed Auth type Company User class Name/ description of the user class	WUCL: Company auth (adding or removing) Sample entry on the User Authority Change Report: After: User Class: OE Company Authority: <CMP_NO>
Auth User Class Feature	Authority changed Auth type Company User class Default authority Secured feature Name/ description of the user class	WUCL: Feature auth (any change) Sample entry on the User Authority Change Report: After: User Class: CS2 Feature: A05 Default Company: <CMP_NO> Default Authority: *EXCLUDE, where A05 is the secured feature, and Company <CMP_NO> is the company where the feature was set
Auth User Class Option	Authority changed Auth type User class Default authority Menu option Name/ description of the user class	WUCL: Menu option auth (any change) Sample entry on the User Authority Change Report: After: User Class: CS2 Menu Option: DABJ Default Authority: *ALLOW
External Auth Service	Authority changed Company Name/ description of the user who performed the update	WASV: Enter or change any information at the Work with External Authorization Service Screen The Authentication User and encrypted Authentication Password are included if they were changed. The Auth Service code is always included. Sample entry on the User Authority Change Report: After: Auth Service: EXT Url: https://server.<HOSTNAME>.com:<PORT>/CC-REST/cc/Test User: authUser Password: <ENCRYPTED_PASSWORD>
User Class Field Auth	Authority changed Auth type Company This is the company that was active when you changed the function authority, even if the user does not have authority to the company. User class Default authority Hold reason User field auth type Name/ description of the user class	Work with Order Hold Reasons (WOHR): User release auth (any change) Work with Return Disposition Values (WRDV): User authority (any change) Sample entry on the User Authority Change Report: After: User Class: CS2 Hold Reason: DH Type: HR Default Authority: *ALLOW
User Class Vend Auth	Authority changed Auth type Company User class Vendor# Name/ description of the user class	WUCL: Vendor auth (*EXCLUDE, deletion only) Sample entry on the User Authority Change Report: Before: User Class: CS2 Company: <CMP_NO> Vendor: <VENDOR_NO>
Secured Feature	Authority changed Auth type Company Default authority Secured feature Secured feature desc Name/ description of the secured feature	Work with System Values/Features (WSYS): Secured features: Create Copy Change Note: The User Audit table is updated only if a change is made Delete Process New Secure Feature Values (NSEC) Sample entries on the User Authority Change Report: Before: Default Authority: ALLOW After: Default Authority: EXCLUDE
Active Procedure	Company Job Name Job Number	Purge Active Procedures Across Users (MACX): Select Delete for an active procedure. Note: You cannot delete an active procedure that is actually running on a server. Active Procedure records are not included in the User Authority Change Report (PUSA).
INT Cloud App Client	No additional fields updated.	Manage External Application Access (MEAA) in Modern View creates records for the following Action types: A: Generate a client R: Refresh S: Regenerate a client secret Sample Before/after changes entry: IDCS Refresh Applications job is executed by: FIRST.LAST.
Webservice Users	No additional fields updated.	Work with Web Service Authentication (WWSA) creates records for the following Action types: A: Add an inbound web service user D: Delete an inbound web service user Manage External Application Access (MEAA) in Modern View creates records for the following Action types: E: Edit web service access for a client S: Regenerate a client secret Sample Before/after changes entry: After: Webservice: CWPickOut User: FIRST.LAST
Webserviceout	No additional fields updated.	Work with Web Service Authentication (WWSA) creates records for the following Action types: A: Add an outbound web service user and password, or client ID and secret C: Change authentication type, password, or client secret for an outbound web service Sample Before/after changes entry: After: Webservice: Job Notification Only Client Secret is changed

Table

Fields

Ways to Update/Sample Report Entries

User

Field	Attributes	Description
Change date	Numeric, 7 positions (CYY/MM/DD format)	The date when the change occurred.
Change time	Numeric, 6 positions (HHMMSS format)	The time when the change occurred.
User ID of password	Alphanumeric, 10 positions	The user ID whose password was updated.
User name	Alphanumeric, 30 positions	The name of the user. From the Name set up through Work with Users.
Updated by user	Alphanumeric, 10 positions	The ID of the user who performed the activity.
Updated by user name	Alphanumeric, 30 positions	The name of the user who performed the activity at the time of the update. From the User record.