Skip to main content

Access Control - Tracking User Actions (v2.0 and up)

Access Control includes the AuditTrail database table. The AuditTrail database table presents an audit log that can be used to track access control user actions. This table resides in the new CxDB schema under 'accesscontrol': [CxDB].[accesscontrol].[AuditTrail].

6436227786.jpg

A typical use case for using the audit log is if a user is suddenly denied access and cannot log in, you can look at the audit log to see who disabled the user and when. Another use case is if a user transfers from one team to another for an unknown reason, you can see who transferred the user and when.

The following user actions are audited in the AuditTrail database table:

Type

Action

UserCreated

User-created

UserUpdated

User updated (update doesn't include 'roles added or removed')

UserDeleted

User deleted

SuccessfulLogin

Successful login

FailedLogin

Failed login

TeamMemberAdded

Team member added

TeamMemberDeleted

Team member deleted

UserRolesUpdated

User roles updated (update includes 'roles added,' 'roles removed,' or 'roles added and removed')

WindowsDomainDeleted

Windows domain deleted

WindowsDomainUpdated

Windows domain updated

WindowsDomainCreated

Windows domain created

LdapServerDeleted

LDAP Server deleted

LdapServerUpdated

LDAP Server updated

LdapServerCreated

LDAP Server created

SamlServiceProviderUpdated

Saml Service Provider updated

SamlIdentityProviderCreated

Saml Identity Provider created

SamlIdentityProviderUpdated

Saml Identity Provider updated

SamlIdentityProviderDeleted

Saml Identity Provider deleted

RoleCreated

Role created (creation includes 'with permissions' or 'without permissions')

RoleUpdated

Role updated (update includes 'no permissions added or removed,' 'permissions removed,' or 'permissions added')

RoleDeleted

Role deleted

TenantDeleted

Tenant deleted

The following information for each user action is listed in the AuditTrail database table:

Field

Description

Id

The event Id

UserId

The user ID of the one who acted.

NOTE: If the UserId is NULL, it means that the system performed the action automatically.

UserName

The user name of the one who acted.

NOTE: In case the UserId is NULL, the UserName is System, except in case of FailedLogin (UserName doesn’t exist), whereas the UserName is the one provided by the user.

Type

The type of user action performed (see the 'User Actions Type' table above).

Details

Details will differ per user action type.

Example 1: For a FailedLogin action, the failed user will be contained in the 'UserName,' and the Authentication Provider type will be in the 'Details.'

Example 2: For a TeamMemberAdded action, the user name & team name are contained in the 'Details.'

Timestamp

Time/date of the user action.

OriginIpAddress

The user’s IP address is logged for every action.

NOTE: This can be especially useful for a FailedLogin – to understand how it occurred and where it came from.