Access Control - Tracking User Actions (v2.0 and up)
Access Control includes the AuditTrail database table. The AuditTrail database table presents an audit log that can be used to track access control user actions. This table resides in the new CxDB schema under 'accesscontrol': [CxDB].[accesscontrol].[AuditTrail].
A typical use case for using the audit log is if a user is suddenly denied access and cannot log in, you can look at the audit log to see who disabled the user and when. Another use case is if a user transfers from one team to another for an unknown reason, you can see who transferred the user and when.
The following user actions are audited in the AuditTrail database table:
Type | Action |
|---|---|
UserCreated | User-created |
UserUpdated | User updated (update doesn't include 'roles added or removed') |
UserDeleted | User deleted |
SuccessfulLogin | Successful login |
FailedLogin | Failed login |
TeamMemberAdded | Team member added |
TeamMemberDeleted | Team member deleted |
UserRolesUpdated | User roles updated (update includes 'roles added,' 'roles removed,' or 'roles added and removed') |
WindowsDomainDeleted | Windows domain deleted |
WindowsDomainUpdated | Windows domain updated |
WindowsDomainCreated | Windows domain created |
LdapServerDeleted | LDAP Server deleted |
LdapServerUpdated | LDAP Server updated |
LdapServerCreated | LDAP Server created |
SamlServiceProviderUpdated | Saml Service Provider updated |
SamlIdentityProviderCreated | Saml Identity Provider created |
SamlIdentityProviderUpdated | Saml Identity Provider updated |
SamlIdentityProviderDeleted | Saml Identity Provider deleted |
RoleCreated | Role created (creation includes 'with permissions' or 'without permissions') |
RoleUpdated | Role updated (update includes 'no permissions added or removed,' 'permissions removed,' or 'permissions added') |
RoleDeleted | Role deleted |
TenantDeleted | Tenant deleted |
The following information for each user action is listed in the AuditTrail database table:
Field | Description |
|---|---|
Id | The event Id |
UserId | The user ID of the one who acted. NOTE: If the UserId is NULL, it means that the system performed the action automatically. |
UserName | The user name of the one who acted. NOTE: In case the UserId is NULL, the UserName is System, except in case of FailedLogin (UserName doesn’t exist), whereas the UserName is the one provided by the user. |
Type | The type of user action performed (see the 'User Actions Type' table above). |
Details | Details will differ per user action type. Example 1: For a FailedLogin action, the failed user will be contained in the 'UserName,' and the Authentication Provider type will be in the 'Details.' Example 2: For a TeamMemberAdded action, the user name & team name are contained in the 'Details.' |
Timestamp | Time/date of the user action. |
OriginIpAddress | The user’s IP address is logged for every action. NOTE: This can be especially useful for a FailedLogin – to understand how it occurred and where it came from. |