Access Control - Tracking User Actions (v6.0 and up)
Access Control includes the AuditTrail database table, an audit log that can be used to track access control user actions. The table resides in the CxDB database under the new accesscontrol schema: [CxDB].[accesscontrol].[AuditTrail].
A typical use case for the audit log: if a user is suddenly denied access and cannot log in, you can look at the audit log to see who disabled the user and when. Another use case: if a user is transferred from one team to another for an unknown reason, you can see who transferred the user and when.
The following user actions are audited in the AuditTrail database table:
Event Type | Action |
---|---|
UserCreated | User created |
UserUpdated | User updated (update doesn't include 'roles added or removed') |
UserDeleted | User deleted |
SuccessfulLogin | Successful login |
FailedLogin | Failed login |
TeamMemberAdded | Team member added |
TeamMemberDeleted | Team member deleted |
UserRolesUpdated | User roles updated (update includes 'roles added,' 'roles removed,' or 'roles added and removed') |
WindowsDomainDeleted | Windows domain deleted |
WindowsDomainUpdated | Windows domain updated |
WindowsDomainCreated | Windows domain created |
LdapServerDeleted | LDAP Server deleted |
LdapServerUpdated | LDAP Server updated |
LdapServerCreated | LDAP Server created |
SamlServiceProviderUpdated | SAML Service Provider updated |
SamlIdentityProviderCreated | SAML Identity Provider created |
SamlIdentityProviderUpdated | SAML Identity Provider updated |
SamlIdentityProviderDeleted | SAML Identity Provider deleted |
RoleCreated | Role created (creation includes 'with permissions' or 'without permissions') |
RoleUpdated | Role updated (update includes 'no permissions added or removed,' 'permissions removed,' or 'permissions added') |
RoleDeleted | Role deleted |
TenantDeleted | Tenant deleted |
ApiAuthExceptionEvent | An exception is thrown when an anonymous user performs a request or when the user session is invalid. |
SignOut | The user signs out. |
TeamDeleted | Team deleted |
TeamCreated | Team created |
SmtpServerCreated | SMTP Server created |
SmtpServerDeleted | SMTP Server deleted |
SmtpServerUpdated | SMTP Server updated |
TenantCreated | New tenant created |
TenantUpdated | Tenant updated |
PasswordChanged | Password changed by the admin, forgotten by the user, or updated by the user. |
The following information for each user action is listed in the AuditTrail database table:
Field | Description |
---|---|
Id | The event Id |
UserId | The user ID of the user who acted. NOTE: If UserId is NULL, the action was performed automatically by the system. |
UserName | The user name of the user who acted. NOTE: When UserId is NULL, UserName is System, except for a FailedLogin (no user record exists), where UserName is the name the user submitted. |
Type | The type of user action performed (see the user actions table above). |
Details | The details differ per user action type. Example 1: for a FailedLogin action, the user name that failed is in UserName and the Authentication Provider type is in Details. Example 2: for a TeamMemberAdded action, the user name and team name are in Details. |
Timestamp | Date and time of the user action. |
OriginIpAddress | The user's IP address, logged for every action. NOTE: This is especially useful for a FailedLogin, to understand how it occurred and where it came from. |
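The two use cases above, written as queries against the AuditTrail columns just described. This is an added example, not part of the Checkmarx documentation; it assumes the Type column stores the event-type name as text, Timestamp is a datetime column, Details is a text column that can be searched with LIKE, and the target account name (here the constructed value jdoe) is known.

```sql
-- Added example (not from the Checkmarx documentation).
-- Assumptions: Type holds the event-type name as text, Timestamp is a datetime,
-- Details is searchable text. 'jdoe' is a constructed sample account name.
DECLARE @TargetUser NVARCHAR(256) = N'jdoe';
DECLARE @Since      DATETIME2     = DATEADD(DAY, -30, SYSUTCDATETIME());

-- 1. Who changed, disabled or deleted the account, and when.
--    The acting user is in UserId/UserName (NULL UserId = the system acted);
--    the affected account is named in Details.
SELECT  a.[Timestamp],
        a.[Type],
        ActedBy = COALESCE(a.UserName, N'System'),
        a.UserId,
        a.OriginIpAddress,
        a.Details
FROM    [CxDB].[accesscontrol].[AuditTrail] AS a
WHERE   a.[Type] IN (N'UserUpdated', N'UserRolesUpdated', N'UserDeleted', N'PasswordChanged')
  AND   a.Details LIKE N'%' + @TargetUser + N'%'
  AND   a.[Timestamp] >= @Since
ORDER BY a.[Timestamp] DESC;

-- 2. Who moved the account between teams: a TeamMemberDeleted followed by a
--    TeamMemberAdded for the same account; the acting user is in UserName and
--    the team name is in Details.
SELECT  a.[Timestamp],
        a.[Type],
        ActedBy = COALESCE(a.UserName, N'System'),
        a.OriginIpAddress,
        a.Details
FROM    [CxDB].[accesscontrol].[AuditTrail] AS a
WHERE   a.[Type] IN (N'TeamMemberAdded', N'TeamMemberDeleted')
  AND   a.Details LIKE N'%' + @TargetUser + N'%'
  AND   a.[Timestamp] >= @Since
ORDER BY a.[Timestamp] ASC;

-- 3. Failed logins grouped by source address (the OriginIpAddress note above):
--    many failures from one address against several accounts is the pattern
--    worth reviewing. The threshold of 20 is a constructed starting point.
SELECT  a.OriginIpAddress,
        Attempts         = COUNT(*),
        DistinctAccounts = COUNT(DISTINCT a.UserName),
        FirstSeen        = MIN(a.[Timestamp]),
        LastSeen         = MAX(a.[Timestamp])
FROM    [CxDB].[accesscontrol].[AuditTrail] AS a
WHERE   a.[Type] = N'FailedLogin'
  AND   a.[Timestamp] >= DATEADD(HOUR, -24, SYSUTCDATETIME())
GROUP BY a.OriginIpAddress
HAVING  COUNT(*) >= 20
ORDER BY Attempts DESC;
```

Query 2 is ordered ascending so the remove/add pair reads in the order it happened; the row with the TeamMemberAdded type tells you the destination team and the account that performed the move. Query 3 is read-only reporting over the audit table and can be scheduled as a periodic check.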
Some generic events are also logged in the audit trail table:
Event Type |
---|
OidcApiResourceAddedEvent |
OidcApiResourceDeletedEvent |
OidcApiResourceUpdatedEvent |
EntityCreatedEvent |
EntityDeletedEvent |
EntityUpdatedEvent |
OidcClientAddedEvent |
OidcClientDeletedEvent |
OidcClientUpdatedEvent |
The Details column uses a new data pattern: it contains a JSON object holding the important information collected for the event. The table below describes the keys in that JSON object.
Key | Description |
---|---|
TenantId | Tenant Id. |
AuthenticationProvider | Authentication Provider content information. |
Username | This is the username of the user account that acted. |
Id | This is the ID of the user account that acted. |
Info | Generic information related to the action. Example: UserUpdate is shown when the user's status is changed and updated. |
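Reading the JSON Details column with the keys listed above. This is an added example, not from the Checkmarx documentation; it assumes SQL Server 2016 or later (for ISJSON and JSON_VALUE), that Details stores one JSON object with these keys as text, and that older rows may still hold free-text details, which is why rows that are not valid JSON are turned into NULL before JSON_VALUE sees them (JSON_VALUE raises an error on malformed JSON).

```sql
-- Added example (not from the Checkmarx documentation).
-- Assumptions: SQL Server 2016+, Details is text holding a JSON object such as
-- {"TenantId":"...","AuthenticationProvider":"...","Username":"...","Id":"...","Info":"..."}
-- (constructed shape; not copied from a real installation).

-- 1. Flatten the Details keys into columns for the last 7 days.
--    CROSS APPLY + CASE guarantees JSON_VALUE only ever receives valid JSON or NULL.
SELECT  a.Id,
        a.[Timestamp],
        a.[Type],
        ActedBy      = COALESCE(a.UserName, N'System'),
        TenantId     = JSON_VALUE(j.Doc, '$.TenantId'),
        AuthProvider = JSON_VALUE(j.Doc, '$.AuthenticationProvider'),
        TargetUser   = JSON_VALUE(j.Doc, '$.Username'),
        TargetUserId = JSON_VALUE(j.Doc, '$.Id'),
        Info         = JSON_VALUE(j.Doc, '$.Info'),
        a.OriginIpAddress
FROM    [CxDB].[accesscontrol].[AuditTrail] AS a
CROSS APPLY (SELECT CASE WHEN ISJSON(a.Details) = 1 THEN a.Details END AS Doc) AS j
WHERE   a.[Timestamp] >= DATEADD(DAY, -7, SYSUTCDATETIME())
ORDER BY a.[Timestamp] DESC;

-- 2. Failed logins per authentication provider (the provider type is in Details
--    for FailedLogin; the submitted name is in UserName, see the field table).
SELECT  AuthProvider  = JSON_VALUE(j.Doc, '$.AuthenticationProvider'),
        Attempts      = COUNT(*),
        DistinctNames = COUNT(DISTINCT a.UserName),
        DistinctIps   = COUNT(DISTINCT a.OriginIpAddress)
FROM    [CxDB].[accesscontrol].[AuditTrail] AS a
CROSS APPLY (SELECT CASE WHEN ISJSON(a.Details) = 1 THEN a.Details END AS Doc) AS j
WHERE   a.[Type] = N'FailedLogin'
  AND   a.[Timestamp] >= DATEADD(DAY, -1, SYSUTCDATETIME())
GROUP BY JSON_VALUE(j.Doc, '$.AuthenticationProvider')
ORDER BY Attempts DESC;
```

Rows whose Details is not JSON come back with NULL in the flattened columns rather than failing the whole query, so the first query can be run safely across a table that mixes pre- and post-6.0 rows. If you want the ActedBy/TargetUser distinction to be unambiguous, compare the Username key in Details (the account acted upon) with the row's UserName column (the account that acted).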