Access Control - Tracking User Actions (v2.0 and up)
Access Control provides the AuditTrail database table. The AuditTrail database table provides an audit log that can be used to track user actions. This table resides in the new CxDB schema under 'accesscontrol': [CxDB].[accesscontrol].[AuditTrail].
A typical use case example for using the audit log is if a user is suddenly denied access and can’t log in, you can look at the audit log to see who disabled the user, and when. Another use case example is if a user is moved from one team to another for an unknown reason, you can see who moved the user, and when.
The following user actions are audited in the AuditTrail database table:
Type | Action |
|---|---|
UserCreated | User created |
UserUpdated | User updated (update doesn't include 'roles added or removed') |
UserDeleted | User deleted |
SuccessfulLogin | Successful login |
FailedLogin | Failed login |
TeamMemberAdded | Team member added |
TeamMemberDeleted | Team member deleted |
UserRolesUpdated | User roles updated (update includes 'roles added', 'roles removed' or 'roles added and removed') |
WindowsDomainDeleted | Windows domain deleted |
WindowsDomainUpdated | Windows domain updated |
WindowsDomainCreated | Windows domain created |
LdapServerDeleted | Ldap Server deleted |
LdapServerUpdated | Ldap Server updated |
LdapServerUpdated | Ldap Server created |
SamlServiceProviderUpdated | Saml Service Provider updated |
SamlIdentityProviderCreated | Saml Identity Provider created |
SamlIdentityProviderUpdated | Saml Identity Provider updated |
SamlIdentityProviderDeleted | Saml Identity Provider deleted |
RoleCreated | Role created (creation includes 'with permissions' or 'without permissions') |
RoleUpdated | Role updated (update includes 'no permissions added or removed', 'permissions removed' or 'permissions added') |
RoleDeleted | Role deleted |
The following information for each user action is listed in the AuditTrail database table:
Field | Description |
|---|---|
Id | The event Id |
UserId | The user Id of the one who performed the action. NOTE: In case the UserId is NULL, it means that the action was performed automatically by the system. |
UserName | The user name of the one who performed the action. NOTE: In case the UserId is NULL, the UserName is System, except in case of FailedLogin (UserName doesn’t exist), whereas the UserName is the one provided by the user. |
Type | The type of user action that was performed (see the 'User Actions Type' table, above). |
Details | Details will differ, per user action type. Example 1: For a FailedLogin action, the failed user will be contained in the 'UserName' and the Authentication Provider type will be contained in the 'Details'. Example 2: For a TeamMemberAdded action, the user name & team name are contained in the 'Details'. |
Timestamp | Time/date of the user action. |
OriginIpAddress | The user’s IP address, which is logged for every action. NOTE: This can be especially useful for a FailedLogin – in order to understand how it occurred and where it came from. |