Object-level auditing records attempts to access any object in the security system. The objects that can be audited are known collectively as AssetTypes; the actions that can be performed on those objects are called AccessTypes.
When auditing is enabled, each audit record can contain the following information:
Session primary key
Domain primary key
Caller ID
Caller DN
Time
Action
Action decision (permit or deny)
Object type
Object DN (not logged if the object is a domain or if the action is Create)
Domains do not have a DN, so for a domain the domain name is logged instead.
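The record layout above is enough to build simple detection logic over an audit trail. The following is an added example, not code from the product or its documentation: it parses constructed sample records (the page names the fields but not a storage format, so the tab-separated layout, the object-type names such as Asset, Group and Domain, and the sample DNs are assumptions), resolves object identity while honouring the two caveats (no object DN for Create actions, domain name instead of DN for domains), flags callers who accumulate several deny decisions in a short window, and lists the lock events that appear in the trail.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample. The page names the audited fields but not a storage
# format; this tab-separated layout and the object-type names are assumptions.
# Columns: session_pk, domain_pk, caller_id, caller_dn, time, action,
#          decision, object_type, object_dn (empty when nothing is logged)
SAMPLE_AUDIT = """\
1001\t1\t42\tcn=alice,o=acme\t2024-05-01T10:00:01\tSYSTEM.Login\tpermit\tSession\t
1001\t1\t42\tcn=alice,o=acme\t2024-05-01T10:00:05\tREAD\tdeny\tAsset\tcn=payroll,o=acme
1001\t1\t42\tcn=alice,o=acme\t2024-05-01T10:00:06\tREAD\tdeny\tAsset\tcn=payroll,o=acme
1001\t1\t42\tcn=alice,o=acme\t2024-05-01T10:00:07\tUPDATE\tdeny\tAsset\tcn=payroll,o=acme
1001\t1\t42\tcn=alice,o=acme\t2024-05-01T10:00:08\tSYSTEM.AuthorizationLock\tpermit\tSubject\tcn=alice,o=acme
1002\t1\t7\tcn=bob,o=acme\t2024-05-01T10:01:00\tSYSTEM.Create\tpermit\tGroup\t
1002\t1\t7\tcn=bob,o=acme\t2024-05-01T10:01:30\tUPDATE\tpermit\tDomain\tacme
"""

LOCK_ACTIONS = ("SYSTEM.AuthorizationLock", "SYSTEM.LoginLock")


@dataclass(frozen=True)
class AuditRecord:
    session_pk: int
    domain_pk: int
    caller_id: int
    caller_dn: str
    time: datetime
    action: str
    decision: str              # "permit" or "deny"
    object_type: str
    object_dn: Optional[str]   # None when the record carries no object DN

    def object_ref(self) -> Optional[str]:
        """Identity of the audited object. Create actions log no object DN,
        and a domain has no DN, so for domains the field holds the domain name."""
        if self.action == "SYSTEM.Create":
            return None
        if self.object_type == "Domain":
            return f"domain:{self.object_dn}"
        return self.object_dn


def parse_record(line: str) -> AuditRecord:
    fields = line.split("\t")
    if len(fields) != 9:
        raise ValueError(f"expected 9 fields, got {len(fields)}: {line!r}")
    (session_pk, domain_pk, caller_id, caller_dn, time,
     action, decision, object_type, object_dn) = fields
    if decision not in ("permit", "deny"):
        raise ValueError(f"unexpected decision {decision!r}")
    return AuditRecord(int(session_pk), int(domain_pk), int(caller_id),
                       caller_dn, datetime.fromisoformat(time), action,
                       decision, object_type, object_dn or None)


def parse_audit(text: str) -> List[AuditRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def deny_bursts(records: List[AuditRecord], threshold: int = 3,
                window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Callers with `threshold` deny decisions inside a span no longer than `window`.
    Returns (caller_dn, first_deny_iso, last_deny_iso) per flagged caller, using the
    earliest qualifying span. The threshold here is a local analyst choice; the
    server's own lock threshold is configured separately."""
    denies: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        if r.decision == "deny":
            denies[r.caller_dn].append(r.time)
    flagged = []
    for caller, times in sorted(denies.items()):
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append((caller, times[i].isoformat(),
                                times[i + threshold - 1].isoformat()))
                break
    return flagged


def lock_events(records: List[AuditRecord]) -> List[Tuple[str, str, str]]:
    """(caller_dn, time_iso, action) for every lock event in the trail."""
    return [(r.caller_dn, r.time.isoformat(), r.action)
            for r in records if r.action in LOCK_ACTIONS]


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for hit in deny_bursts(recs):
        print("deny burst:", hit)
    for ev in lock_events(recs):
        print("lock event:", ev)
```

Running the module prints one deny burst for alice (three denies within two seconds, followed in the trail by the SYSTEM.AuthorizationLock event) and no hit for bob, whose Create and domain records resolve to no DN and to the domain name respectively.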
The following tables list, for each AssetType, the AccessTypes and the interface methods that trigger an auditable event.
| AccessType | Interface method |
|---|---|
| DELETE | AccessTypeManagement.remove |
| SYSTEM.Create | AccessTypeManagementHome.create |
| UPDATE | AccessTypeManagement.set* methods, all |
| AccessType | Interface method |
|---|---|
| SYSTEM.AuthorizationLock | PortalSession.checkAccess, PortalSession.checkAuthorization, PortalSession.isAuthorized, SubjectManagement.lockAccount. In addition, any SMAPI interface method that checks access can trigger this event if a user attempts, a specified number of times, to perform an action for which he or she does not have permission. To define the authorization lock parameters, see "Configuring lock manager properties for a security domain". |
| SYSTEM.AuthorizationUnlock | SubjectManagement.unlockAccount |
| SYSTEM.LoginLock | SubjectManagement.lockAccount. In addition, a specified number of failed authentication attempts, either by calling PortalSession.authenticate or by implicit authentication to EAServer. For information about implicit authentication, see "Implicit role mapping". |
| SYSTEM.LoginUnlock | SubjectManagement.unlockAccount |
| AccessType | Interface method |
|---|---|
| DELETE | delete |
| READ | getData |
| SYSTEM.Authorization | PortalSession.checkAccess, PortalSession.checkAuthorization, PortalSession.isAuthorized. In addition, any SMAPI interface method that checks access permissions, such as the create, remove* and set* methods. |
| SYSTEM.Create | create |
| SYSTEM.GrantAccess | grantAccess |
| SYSTEM.RemoveAssetACE | removeAssetAccessCtrlInfo |
| SYSTEM.RemoveRoleACE | removeAccessCtrlInfoForRole |
| SYSTEM.RevokeAccess | revokeAccess |
| SYSTEM.SetRoleProxyAuthInfoPriorities | setRoleProxyAuthInfoPriorities |
| UPDATE | setData |
| UPDATE | setDescription |
| UPDATE | setDN |
| UPDATE | setInfo |
| UPDATE | setName |
| UPDATE | setType |
| UPDATE | setOrganization |
| AccessType | Interface method |
|---|---|
| DELETE | AssetTypeManagement.remove |
| SYSTEM.Create | AssetTypeManagementHome.create |
| UPDATE | AssetTypeManagement.set* methods, all |
| AccessType | SMAPI method |
|---|---|
| DELETE | delete |
| SYSTEM.Create | create |
| SYSTEM.SetDefaultRules | setDefaultRules |
| UPDATE | removeRules |
| UPDATE | setDescription |
| UPDATE | setInfo |
| UPDATE | setName |
| UPDATE | setPolicy |
| UPDATE | setRules |
| AccessType | SMAPI method |
|---|---|
| DELETE | delete |
| SYSTEM.AddMember | addMember |
| SYSTEM.Create | create |
| SYSTEM.RemoveMember | removeMember |
| UPDATE | setDescription |
| UPDATE | setDN |
| UPDATE | setInfo |
| UPDATE | setName |
| UPDATE | setOrganization |
| AccessType | SMAPI method |
|---|---|
| DELETE | delete |
| SYSTEM.Create | create |
| UPDATE | setDescription |
| UPDATE | setDN |
| UPDATE | setInfo |
| UPDATE | setName |
| UPDATE | setParentOrganization |
| UPDATE | setSecurityDomain |
| AccessType | SMAPI method |
|---|---|
| DELETE | delete (asset-level) |
| DELETE | delete (role-level) |
| DELETE | delete (subject-level) |
| READ | getInfo |
| READ | getPassword |
| READ | getUrl |
| READ | getUsername |
| SYSTEM.Create | create (asset-level) |
| SYSTEM.Create | create (role-level) |
| SYSTEM.Create | create (subject-level) |
| UPDATE | setInfo |
| UPDATE | setPassword |
| UPDATE | setUrl |
| UPDATE | setUsername |
| AccessType | SMAPI method |
|---|---|
| DELETE | delete |
| SYSTEM.AddRoleInheritance | addInheritanceRelationship |
| SYSTEM.Create | create |
| SYSTEM.GrantRole | grantToGroup |
| SYSTEM.GrantRole | grantToSubject |
| SYSTEM.RemoveRoleInheritance | removeInheritanceRelationship |
| SYSTEM.RevokeRole | revokeFromGroup |
| SYSTEM.RevokeRole | revokeFromSubject |
| UPDATE | setDescription |
| UPDATE | setDN |
| UPDATE | setInfo |
| UPDATE | setName |
| UPDATE | setOrganization |
| AccessType | Interface method |
|---|---|
| SYSTEM.Login | PortalSession.authenticate. In addition, attempts to authenticate implicitly to EAServer; see "Implicit role mapping". |
| SYSTEM.Logout | PortalSession.disconnect, PortalSession.remove. In addition, this event is triggered when a portal session expires. |
| AccessType | Interface method |
|---|---|
| DELETE | delete |
| SYSTEM.Create | create |
| SYSTEM.DeleteCertificate | removeCertificate |
| SYSTEM.LockAccount | lockAccount |
| SYSTEM.RegisterCertificate | registerCertificate |
| SYSTEM.UnlockAccount | unlockAccount |
| UPDATE | resetLastLoginDate |
| UPDATE | setAccountDisabled |
| UPDATE | setDescription |
| UPDATE | setDN |
| UPDATE | setEmail |
| UPDATE | setExemptFromInactivityExpiration |
| UPDATE | setExemptFromPasswordExpiration |
| UPDATE | setExpirationDate |
| UPDATE | setExtraInfo |
| UPDATE | setFirstName |
| UPDATE | setInfo |
| UPDATE | setLastName |
| UPDATE | setName |
| UPDATE | setOrganization |
| UPDATE | setPassword |
| UPDATE | setPhone |
| UPDATE | setTemporaryPassword |