SCIM Runtime Auditing

Edit online

The SCIM Runtime Audit component is managed differently from other audit components. This is primarily due to its frequent usage and the sensitive nature of some of the data it handles.

Table 1. Names and description of SCIM runtime audit event fields
Name Inclusion Description
schema-name Optional The SCIM schema that is generating the event.
input-json-string Optional A string representation of the JSON data that was passed to the SCIM method. Ensure that private fields are masked.
output-json-string Optional A string representation of the JSON data returned from the SCIM method. For search requests, this field contains only a summary of the response. Ensure that private fields are masked.
target Required The relative URL including the query string that was called.
EventName Required SCIMEvent. Indicates that the audit event was for a SCIM runtime event.
Username Required The name of the user that invoked the SCIM method.
Outcome Required Indicates the success of the SCIM method. Valid values are SUCCESSFUL or FAILURE.
Message Required Indicates the SCIM method that was called.
The fields in the input-json-string and output-json-string are masked based upon the following:
  1. If the SCIM schema marks the attributes as either never returned or write only.
  2. If the advanced configuration parameter audit.maskAttributes includes the field. For more information, see Advanced configuration properties.
  3. If the SCIM operation is patch with path the value will always be masked.
  4. If the field is one of the following mandatory masked fields:
    • urn:ietf:params:scim:schemas:extension:isam:1.0:User.password
    • urn:ietf:params:scim:schemas:core:2.0:User.password
    • urn:ietf:params:scim:schemas:core:2.0:User.passwordNoPolicy
    • urn:ietf:params:scim:schemas:extension:isam:1.0:Password.currentPassword
    • urn:ietf:params:scim:schemas:extension:isam:1.0:Password.newPassword
    • urn:ietf:params:scim:schemas:extension:isam:1.0:UserKnowledgeQuestions.questions.answer
      Note: All of these fields are added to the advanced configuration parameter audit.maskAttributes by default but will still be masked even if they are removed from that list.

Enabling auditing for SCIM runtime events may impact performance due to the high frequency of SCIM calls. To help mitigate this, you can use an advanced tuning parameter to disable auditing for selected SCIM actions. GET operations are disabled by default but can be re-enabled if required. For more information, see Advanced configuration properties.