Audit Settings File

The audit settings file is an XML file that you create by exporting audit settings. The file has the following schema:

  <Audit enabled="" auditlevel="" datasource="">
    <AuditEvent name="" enabled="" auditlevel="">
      <AuditProfile objecttype="" auditlevel="">
        <AuditProfileAttribute name="" auditlevel="" />
      </AuditProfile>
      <EventState name="" severity=""/>
    </AuditEvent>
  </Audit>

The schema contains the following elements, each described in its own section below: Audit, AuditEvent, AuditProfile, AuditProfileAttribute, and EventState.
Audit Element
Audit elements define general audit settings. The Audit element contains one or more AuditEvent elements.
An Audit element includes the following parameters:
  • enabled -- Determines the status of auditing in the current environment. The valid values are as follows:
    • true -- Auditing is enabled for this environment.
    • false -- There is no auditing for this environment.
    Use lowercase letters when you specify true or false.
  • auditlevel -- Indicates the type of information that is recorded for attributes involved in the task or event.
    The audit level that you specify for the Audit element applies to all attributes unless a different audit level is defined in an AuditEvent, AuditProfile, or AuditProfileAttribute element. Audit levels set in those elements override the audit level defined in the Audit element. AuditLevel Values lists the valid values.
  • datasource -- The JNDI name of the data source configured in the application server that points to the audit database. Specify one of the following:
    JBoss or WildFly: java:/iam/im/jdbc/auditDbDataSource
    WebLogic and WebSphere: iam/im/jdbc/auditDbDataSource
AuditLevel Values
The valid values for auditlevel are as follows:
  • NONE -- No attribute information is recorded.
  • OLD -- For modification events, Identity Manager records the value of an attribute before the modification event occurs. Identity Manager audits the attribute whether or not the value is directly affected by the event.
    For other types of events, such as CreateUserEvent, no information is recorded.
  • OLDCHANGED -- For modification events, Identity Manager records the value for an attribute before the modification event only when the value changes to a new value.
    For other types of events, such as CreateUserEvent, no information is recorded.
  • NEW -- For modification events, Identity Manager records the value of an attribute after the modification event occurs. Identity Manager audits the attribute whether or not the value is directly affected by the event.
    For other types of events, Identity Manager records existing values.
  • NEWCHANGED -- For modification events, Identity Manager records the value for an attribute after the modification event only when the value changes to a new value.
    For example, during a ModifyUserEvent event, the title of a user changes from Assistant Manager to Manager. Identity Manager audits the value Manager, but does not audit the user's name and address, which did not change.
  • BOTH -- For modification events, Identity Manager records the value of an attribute before and after a modification event, whether or not that value is affected by the modification event.
  • BOTHCHANGED -- For modification events, Identity Manager records the old and new value for an attribute after the modification event only when the value changes to a new value.
Modify and save the audit settings file for the changes to take effect.
AuditEvent Element
AuditEvent elements specify the events to audit. For a list of Identity Manager events per task, use View Task in the User Console.
The AuditEvent element contains one or more AuditProfile elements, each of which can contain AuditProfileAttribute elements, and one or more EventState elements.
The AuditEvent element includes the following parameters:
  • name -- Defines the name of the event to audit.
    To audit or exclude an attribute for all events, specify ALL for the event name. For example, to prevent passwords from being audited, regardless of the event, specify the following code:
      <AuditEvent name="ALL" auditlevel="">
        <AuditProfile objecttype="User" auditlevel="">
          <AuditProfileAttribute name="%PASSWORD%" auditlevel="NONE"/>
        </AuditProfile>
      </AuditEvent>
  • enabled -- Determines whether the event is audited. The valid values are as follows:
    • true -- Identity Manager audits this event.
    • false -- Identity Manager does not audit this event.
    Use lowercase letters when you specify true or false.
  • auditlevel -- Indicates the type of information that is recorded for an attribute in the audit event. AuditLevel Values lists the valid values.
    Settings in the AuditProfile and AuditProfileAttribute elements take precedence over the setting in the AuditEvent element.
AuditProfile Element
AuditProfile elements indicate the type of objects involved in the events to audit. For example, if you enable auditing for the PARENTORG object in a CreateUserEvent event, Identity Manager logs information about the organization of the created user.
The AuditProfile element can contain multiple AuditProfileAttribute elements.
The AuditProfile element includes the following parameters:
  • objecttype -- Defines the type of object for which to record audit information. Object types are as follows:
    • ACCESS ROLE
    • ACCESS TASK
    • ADMINISTRATIVE ROLE
    • ADMINISTRATIVE TASK
    • GROUP
    • ORGANIZATION
    • PARENTORG
    • RELATIONSHIP -- Describes container relationships, where one object includes one or more other objects. Examples of container relationships include nested groups, group and role membership, and hierarchical organizations. In the RELATIONSHIP object, both the parent object and the objects contained in the parent object are represented.
    • USER
    • NONE
  • auditlevel -- Indicates the type of information that is recorded for an attribute in the profile of an object.
    The audit level that you specify for the AuditProfile element applies to all attributes in the profile of an object unless a different audit level is defined in an AuditProfileAttribute element. Audit levels set in AuditProfileAttribute elements override the audit level defined in the AuditProfile element.
    AuditLevel Values lists the valid values.
AuditProfileAttribute Element
AuditProfileAttribute elements indicate the attributes that Identity Manager audits. The attributes apply to the object specified in the AuditProfile element.
If no audit profile attributes are specified, all the attributes for the object specified in the AuditProfile element are logged.
The AuditProfileAttribute element includes the following parameters:
  • name -- Defines the name of the attribute to audit.
    Specify a profile attribute for the object in the corresponding AuditProfile element. For example, if the AuditProfile element specifies the Organization object, specify the name of an organization attribute as the value for the name parameter.
    Make sure that you define the profile attribute in the directory configuration file for the Identity Manager directory.
  • auditlevel -- Indicates the type of information that is recorded for the attribute.
    AuditLevel Values lists the valid values.
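The four elements above form a precedence chain (AuditProfileAttribute over AuditProfile over AuditEvent over Audit), and each AuditLevel value then decides which side of a change is written to the audit database. The following script is an added example, not Identity Manager product code or part of this documentation: it parses a constructed settings file with the element names from the schema above, resolves the effective level for each attribute of an event, and applies the AuditLevel rules to an old/new attribute pair. The page does not state exactly how an AuditEvent name="ALL" entry interacts with an entry for a named event, what a disabled event records, or how the levels other than NEW behave for non-modification events; the choices made for those cases are assumptions and are marked in the code.

```python
# Added example, not Identity Manager product code. Element and attribute
# names follow the schema on this page; the handling of ALL versus a named
# event, of enabled="false", and of non-modification events for levels other
# than NEW are assumptions (see comments).
import xml.etree.ElementTree as ET

# Constructed sample file, not an export from a real environment.
SAMPLE_XML = """<Audit enabled="true" auditlevel="NEW"
       datasource="java:/iam/im/jdbc/auditDbDataSource">
  <AuditEvent name="ALL" enabled="true" auditlevel="">
    <AuditProfile objecttype="User" auditlevel="">
      <AuditProfileAttribute name="%PASSWORD%" auditlevel="NONE"/>
    </AuditProfile>
  </AuditEvent>
  <AuditEvent name="ModifyUserEvent" enabled="true" auditlevel="NEWCHANGED">
    <AuditProfile objecttype="USER" auditlevel="BOTHCHANGED">
      <AuditProfileAttribute name="title" auditlevel="BOTH"/>
    </AuditProfile>
  </AuditEvent>
</Audit>"""


def parse_settings(xml_text):
    """Parse an exported file and return its <Audit> root element."""
    root = ET.fromstring(xml_text)
    if root.tag != "Audit":
        raise ValueError(f"expected <Audit> root, got <{root.tag}>")
    return root


def _level(elem):
    """Explicit auditlevel of an element, or None when it inherits."""
    return (elem.get("auditlevel") or "").strip().upper() or None


def effective_level(root, event, objecttype, attribute):
    """Most specific auditlevel for `attribute` of `objecttype` in `event`
    (page: AuditProfileAttribute > AuditProfile > AuditEvent > Audit).
    Assumed: an entry under name="ALL" applies to every event and loses only
    to the named event's entry at the same depth; enabled="false" on the
    named event records nothing; NONE when no level is set anywhere."""
    best_score, best = -1, "NONE"
    if _level(root):
        best_score, best = 0, _level(root)
    for ev in root.findall("AuditEvent"):
        name = ev.get("name", "")
        if name not in ("ALL", event):
            continue
        if name == event and ev.get("enabled", "").strip().lower() == "false":
            return "NONE"
        bonus = 1 if name == event else 0   # named event beats ALL at equal depth
        found = [(2 + bonus, _level(ev))]
        for prof in ev.findall("AuditProfile"):
            # Case-insensitive: the page writes both objecttype="User" and USER.
            if (prof.get("objecttype") or "").upper() != objecttype.upper():
                continue
            found.append((4 + bonus, _level(prof)))
            for attr in prof.findall("AuditProfileAttribute"):
                if attr.get("name") == attribute:
                    found.append((6 + bonus, _level(attr)))
        for score, lvl in found:
            if lvl and score > best_score:
                best_score, best = score, lvl
    return best


def recorded_values(level, modification, old, new):
    """Apply one AuditLevel to one attribute: (old, new) with None on the
    side not recorded, or None when nothing is recorded. For non-modification
    events OLD/OLDCHANGED record nothing and NEW records the existing value;
    assumed: the other levels carrying a new value behave like NEW there."""
    if level == "NONE":
        return None
    if not modification:
        return None if level.startswith("OLD") else (None, new)
    if level.endswith("CHANGED") and old == new:
        return None                          # *CHANGED skips unchanged attributes
    if level.startswith("OLD"):
        return (old, None)
    if level.startswith("NEW"):
        return (None, new)
    return (old, new)                        # BOTH, BOTHCHANGED


def audit_record(root, event, objecttype, old, new):
    """What the audit database receives for one event, as {attribute: (old,
    new)}. Each attribute is resolved on its own, so attribute overrides such
    as %PASSWORD% under ALL apply. Pass old=None for creation events."""
    record = {}
    for attr in sorted(set(new) | set(old or {})):
        level = effective_level(root, event, objecttype, attr)
        vals = recorded_values(level, old is not None,
                               (old or {}).get(attr), new.get(attr))
        if vals is not None:
            record[attr] = vals
    return record


if __name__ == "__main__":
    root = parse_settings(SAMPLE_XML)
    before = {"title": "Assistant Manager", "name": "Alice Example", "%PASSWORD%": "old-secret"}
    after = {"title": "Manager", "name": "Alice Example", "%PASSWORD%": "new-secret"}
    # title: BOTH (attribute override); name: BOTHCHANGED but unchanged, so
    # dropped; %PASSWORD%: NONE from the ALL event, so never written.
    print(audit_record(root, "ModifyUserEvent", "USER", before, after))
    # CreateUserEvent inherits NEW from the Audit element, still minus the password.
    print(audit_record(root, "CreateUserEvent", "USER", None, after))
```

Running the script shows the ModifyUserEvent record containing only the title (old and new value), while the CreateUserEvent record contains the existing title and name but never the password, even though the CreateUserEvent has no entry of its own: the exclusion under name="ALL" is the only thing keeping the secret out of the audit database, which is why that entry is worth verifying in every exported file.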
The following table shows the valid attributes for Identity Manager object types.

Valid Attributes for Identity Manager Object Types

ACCESS ROLE
  • name -- User-visible name for the role.
  • description -- An optional comment about the purpose of the role.
  • members -- The users who can use the role.
  • administrators -- The users who can assign role members or administrators.
  • owners -- The users who can modify the role.
  • enabled -- Indicates whether the role is enabled.
  • assignable -- Indicates whether the role can be assigned by an administrator.
  • tasks -- The access tasks that are associated with the role.
ACCESS TASK
  • name -- User-visible name for the task.
  • description -- An optional comment about the purpose of the task.
  • application -- The application that is associated with the task.
  • tag -- The unique identifier for the task.
  • reserved1, reserved2, reserved3, reserved4 -- The values of the reserved fields for the task.
ADMINISTRATIVE ROLE
  • name -- User-visible name for the role.
  • description -- An optional comment about the purpose of the role.
  • members -- The users who can use the role.
  • administrators -- The users who can assign role members or administrators.
  • owners -- The users who can modify the role.
  • enabled -- Indicates whether the role is enabled.
  • assignable -- Indicates whether the role can be assigned by an administrator.
  • tasks -- The tasks that are associated with the role.
ADMINISTRATIVE TASK
  • name -- User-visible name for the task.
  • description -- An optional comment about the purpose of the task.
  • tag -- The unique identifier for the task.
  • category -- The category in the Identity Manager user interface where the task appears.
  • primary_object -- The object on which the task operates.
  • action -- The operation that is performed on the object.
  • hidden -- Indicates whether the task is hidden, that is, does not appear in menus.
  • public -- Indicates whether the task is available to users who have not logged in to Identity Manager.
  • auditing -- Indicates whether the task enables the recording of auditing information.
  • external -- Indicates whether the task is an external task.
  • url -- The URL to which Identity Manager redirects the user when an external task executes.
  • workflow -- Indicates whether the Identity Manager events associated with the task trigger workflow.
  • webservice -- Indicates whether Web Services Description Language (WSDL) output can be generated for the task from the Identity Manager Management Console.
GROUP
  Any valid attribute that is defined for the GROUP object in the directory configuration file (directory.xml).
ORGANIZATION
  Any valid attribute that is defined for the Organization object in the directory configuration file (directory.xml).
PARENTORG
RELATIONSHIP
  • %CONTAINER% -- Unique identifier of the parent object. For example, if the RELATIONSHIP object describes role membership, the container is the role.
  • %CONTAINER_NAME% -- User-visible name of the parent object (for example, the parent group).
  • %ITEM% -- Unique identifier of the object that is contained in the parent object. For example, if the RELATIONSHIP object describes role membership, the items are the role members.
  • %ITEM_NAME% -- User-visible name of the contained object (for example, the nested group).
USER
  Any valid attribute that is defined for the USER object in the directory configuration file (directory.xml).
NONE
  No attributes.

The following points apply to the preceding table:
  • enabled, assignable, auditing, workflow, hidden, webservice, and public are logged as true or false.
  • When auditing tasks for roles, the user-visible name is logged.
  • The database stores member, administrator, and owner policies in compiled XML format. This format is different from the user interface, where each policy appears as an expression.
EventState Element
EventState elements indicate when to record information about events. Identity Manager can log information at several points, or states, during an event's life cycle.
The EventState element includes the following parameters:
  • name -- Defines the name of the event state to audit. The event states that you can specify are:
    • AUDIT -- Records special events that exist only to audit information. These events only go to the AUDIT state and do not execute.
    • BEGIN -- Audits the set of attributes that are populated from the user interface and from custom handlers, including business logic task handlers, logical attribute handlers, and attribute validation implementations. This state also audits attributes populated by TEWS.
    • PRE -- Audits attributes that are affected by event listeners that execute during the BEGIN state.
    • APPROVED -- Audits changes to attributes during the approval process.
    • REJECTED -- Records status information when an event under workflow control is rejected.
      Note: After an event is rejected, it proceeds to the CANCELLED state.
    • EXECUTE -- Records information when an event executes.
    • POST -- Audits any changes that an event listener makes to an attribute in the POST state.
    • INVALID -- Records status information when Identity Manager encounters an invalid event.
    • PENDING -- Records status information when an event is in a pending state.
    • COMPLETE -- Records status information when an event completes.
    • CANCELLED -- Records status information when an event is canceled.
    Specify the value of the name parameter using capital letters only.
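Several rules on this page are easy to get wrong by hand in an exported file and are not obviously reported back: enabled must be lowercase true or false, the datasource name differs by application server, the event state names must be capitals, and the %PASSWORD% exclusion under name="ALL" is what keeps credentials out of the audit database. The following checker is an added example, not Identity Manager product code or part of this documentation; it validates a settings file against exactly those rules before the file is put back. The element and attribute names come from the schema on this page; the server argument that selects the expected JNDI name, and the choice of %PASSWORD% as the one attribute that must be excluded for every event, are assumptions.

```python
# Added example, not Identity Manager product code: lint an exported audit
# settings file against the rules stated on this page. Assumptions: `server`
# selects the expected datasource JNDI name; SENSITIVE lists attributes that
# must be set to NONE under AuditEvent name="ALL".
import xml.etree.ElementTree as ET

AUDIT_LEVELS = {"NONE", "OLD", "OLDCHANGED", "NEW", "NEWCHANGED", "BOTH", "BOTHCHANGED"}
OBJECT_TYPES = {"ACCESS ROLE", "ACCESS TASK", "ADMINISTRATIVE ROLE",
                "ADMINISTRATIVE TASK", "GROUP", "ORGANIZATION", "PARENTORG",
                "RELATIONSHIP", "USER", "NONE"}
EVENT_STATES = {"AUDIT", "BEGIN", "PRE", "APPROVED", "REJECTED", "EXECUTE",
                "POST", "INVALID", "PENDING", "COMPLETE", "CANCELLED"}
DATASOURCE = {"jboss": "java:/iam/im/jdbc/auditDbDataSource",
              "wildfly": "java:/iam/im/jdbc/auditDbDataSource",
              "weblogic": "iam/im/jdbc/auditDbDataSource",
              "websphere": "iam/im/jdbc/auditDbDataSource"}
SENSITIVE = {"%PASSWORD%"}   # assumption: never to be audited, for any event


def lint_audit_settings(xml_text, server="jboss"):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "Audit":
        return [f"root element is <{root.tag}>, expected <Audit>"]

    def check_bool(elem, label):
        val = elem.get("enabled")
        if val is not None and val not in ("true", "false"):   # lowercase only
            problems.append(f"{label}: enabled={val!r} must be lowercase true or false")

    def check_level(elem, label):
        val = elem.get("auditlevel", "")
        if val and val not in AUDIT_LEVELS:      # empty string means "inherit"
            problems.append(f"{label}: auditlevel={val!r} is not a valid AuditLevel")

    check_bool(root, "Audit")
    check_level(root, "Audit")
    expected = DATASOURCE[server.lower()]
    if root.get("datasource") != expected:
        problems.append(f"Audit: datasource={root.get('datasource')!r}, "
                        f"expected {expected!r} for {server}")

    globally_excluded = set()
    for ev in root.findall("AuditEvent"):
        ev_label = f"AuditEvent {ev.get('name')!r}"
        check_bool(ev, ev_label)
        check_level(ev, ev_label)
        for prof in ev.findall("AuditProfile"):
            otype = prof.get("objecttype", "")
            p_label = f"{ev_label}/AuditProfile {otype!r}"
            if otype.upper() not in OBJECT_TYPES:   # page uses "User" and USER
                problems.append(f"{p_label}: unknown objecttype")
            check_level(prof, p_label)
            for attr in prof.findall("AuditProfileAttribute"):
                a_name, a_level = attr.get("name"), attr.get("auditlevel")
                a_label = f"{p_label}/{a_name!r}"
                check_level(attr, a_label)
                if a_name in SENSITIVE:
                    if a_level == "NONE" and ev.get("name") == "ALL":
                        globally_excluded.add(a_name)
                    elif a_level != "NONE":
                        problems.append(f"{a_label}: sensitive attribute audited "
                                        f"at {a_level!r}, expected NONE")
        for state in ev.findall("EventState"):
            name = state.get("name", "")
            if name not in EVENT_STATES:             # capital letters only
                problems.append(f"{ev_label}/EventState {name!r}: not a valid state")
    for name in sorted(SENSITIVE - globally_excluded):
        problems.append(f'no AuditEvent name="ALL" entry sets {name} to NONE')
    return problems


# Constructed samples, not exports from a real environment.
BAD_XML = """<Audit enabled="True" auditlevel="NEW" datasource="iam/im/jdbc/auditDbDataSource">
  <AuditEvent name="ModifyUserEvent" enabled="true" auditlevel="BOTH">
    <AuditProfile objecttype="USER" auditlevel="">
      <AuditProfileAttribute name="%PASSWORD%" auditlevel="BOTH"/>
    </AuditProfile>
    <EventState name="complete" severity=""/>
  </AuditEvent>
</Audit>"""

GOOD_XML = """<Audit enabled="true" auditlevel="NONE" datasource="java:/iam/im/jdbc/auditDbDataSource">
  <AuditEvent name="ALL" enabled="true" auditlevel="">
    <AuditProfile objecttype="User" auditlevel="">
      <AuditProfileAttribute name="%PASSWORD%" auditlevel="NONE"/>
    </AuditProfile>
  </AuditEvent>
  <AuditEvent name="ModifyUserEvent" enabled="true" auditlevel="BOTHCHANGED">
    <AuditProfile objecttype="USER" auditlevel=""/>
    <EventState name="COMPLETE" severity=""/>
  </AuditEvent>
</Audit>"""

if __name__ == "__main__":
    for p in lint_audit_settings(BAD_XML, server="jboss"):
        print("BAD:", p)
    print("GOOD:", lint_audit_settings(GOOD_XML) or "no problems")
```

The checker deliberately passes an AuditEvent with no enabled attribute, because the page's own name="ALL" example omits it; the `severity` attribute of EventState is accepted as-is, since this page does not define its values.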