Modify Audit Settings File

CA Identity Manager Configuration Guide › Auditing › How to Configure and Generate Audit Data Report › Modify Audit Settings File

Modify Audit Settings File

Configure audit settings in the audit settings file to define the type of information that CA Identity Manager must audit. You can configure an audit settings file to perform the following tasks:

Audit some or all of the admin tasks generated events.
Record event information at specific states, such as when an event completes or is canceled.
Log information about attributes that are involved in an event. For example, you can log attributes that change during a ModifyUserEvent event.
Set the audit level for attribute logging.

The audit settings file is an XML file that you create by exporting audit settings. The file has the following schema:

<Audit enabled="" auditlevel="" datasource="">
  <AuditEvent name="" enabled="" auditlevel="">
    <AuditProfile objecttype="" auditlevel="">
      <AuditProfileAttribute name="" auditlevel="" />
    </AuditProfile>
    <EventState name="" severity=""/>
  </AuditEvent>
</Audit>

For more information about the Audit elements and schema, see the comments in the Audit Settings file.

The AuditProfileAttribute elements indicate the attributes that CA Identity Manager audits. The attributes apply to the object specified in the AuditProfile element.

Note: If there are no audit profile attributes specified, all the attributes for the object that are specified in the AuditProfile element are logged.

The following table shows the valid attributes for CA Identity Manager object types:

Valid Attributes for CA Identity Manager Object Types

Object Type	Valid Attributes
ACCESS ROLE	name—User-visible name for the role description—An optional comment about the purpose of the role. members—The users who can use the role. administrators—The users who can assign role member or administrators. owners—The users who can modify the role. enabled—Indicates whether the role is enabled or not. assignable—Indicates whether the role assignable by an administrator or not. tasks—The access tasks that are associated with the role.
ACCESS TASK	name—User-visible name for the task description—An optional comment about the purpose of the task application—The application that is associated with the task. tag—The unique identifier for the task reserved1, reserved2, reserved3, reserved4—The values of the reserved fields for the task
ADMINISTRATIVE ROLE	name—User-visible name for the role description—An optional comment about the purpose of the role members—The users who can use the role. administrators—The users who can assign role member or administrators. owners—The users who can modify the role. enabled—Indicates whether the role is enabled or not. assignable—Indicates whether the role assignable by an administrator or not. tasks—The tasks that are associated with the role.
ADMINISTRATIVE TASK	name—User-visible name for the task description—An optional comment about the purpose of the task tag—The unique identifier for the task category—The category in the CA Identity Manager user interface where the task appears primary_object—The object on which the task operates action—The operation that is performed on the object. hidden—Indicates whether the task does not appear in menus. public—Indicates whether the task is available to users who have not logged in to CA Identity Manager. auditing—Indicates whether the task enables the recording of auditing information. external—Indicates whether the task is an external task. url—The URL where CA Identity Manager redirects the user when an external task executes. workflow—Indicates whether the CA Identity Manager events associated with the task trigger workflow webservice—Indicates whether the task is one for which Web Services Description Language (WSDL) output can be generated from the CA Identity Manager Management Console.
GROUP	Any valid attribute that is defined for the GROUP object in the directory configuration file (directory.xml).
ORGANIZATION	Any valid attribute that is defined for the Organization object in the directory configuration file (directory.xml).
PARENTORG
RELATIONSHIP	%CONTAINER%—Unique identifier of the parent object. For example, if the RELATIONSHIP object describes role membership, the container would be the role. %CONTAINER_NAME%—User-visible name of the parent group %ITEM%—Unique identifier of the object that is contained in the parent object. For example, if the RELATIONSHIP object describes role membership, the items would be the role members. %ITEM_NAME%—User-visible name for the nested group
USER	Any valid attribute that is defined for the USER object in the directory configuration file (directory.xml)
NONE	No attributes

Note: The following points apply to the preceding table:

Enabled, assignable, auditable, workflow, hidden, webservice, and public are logged as true or false.
When auditing tasks for roles, the user visible name is logged.
The database stores member, administrator, and owner policies in compiled XML format. This format is different from the user interface where each policy appears as an expression.

Follow these steps:

Log in to the Management Console, select the environment, Advanced Settings, and click Auditing.
Click Export.
The system exports the current audit settings to an audit settings XML file.
Modify the audit settings in the XML file that you exported in the previous step. Do the following tasks:
1. Set the value for Audit enabled ="true" and provide the JNDI Name value of "iam_im_<auditdb>.xml" for the element Data source.
2. Specify the following JNDI name:
```
java:/auditDbDataSource
```
  Note: The datasource is located in the following location:
```
iam/im/jdbc/auditDbDataSource
```
3. Add, modify, or delete elements in the file.
4. Modify the level of information that is recorded for each event.
Repeat steps 1 and 2. Click Import and upload the modified audit settings XML file.
Restart the environment.

The Audit settings file is now updated.