IBM_SECURITY_WORKFLOW events

Edit online

This event type is generated by the authentication service when an authenticator or authenticator method action takes place.

The following table lists the elements that can be shown in the output of an IBM_SECURITY_WORKFLOW event. All elements are included in the output, unless indicated otherwise.
Element Description
action Specifies the operation that is performed. Potential values include:

'getAuthenticators'

'getAuthenticator'

'updateAuthenticator'

'deleteAuthenticator'

'createAuthenticator'

'getAuthMethods'

'getAuthMethod'

'updateAuthMethod'

'deleteAuthMethod'

'createAuthMethod'

The XPath is:
CommonBaseEvent/extendedDataElements
[@name='action']/values
userInfo.appUserName Optionally specifies information about the user who owns the data or the user that is performing the action.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='userInfo']/children
[@name='appUserName']/values
userInfo.registryUserName The authentication service does not utilize this element and appears in the IBM_SECURITY_WORKFLOW event as ‘Not Available’.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='userInfo']/children
[@name='registryUserName']/values
workItemInfo.id Specifies the ID of the work item, that is the source of the event. Potential values include:

'getAuthenticators'

'getAuthenticator'

'updateAuthenticator'

'deleteAuthenticator'

'createAuthenticator'

'getAuthMethods'

'getAuthMethod'

'updateAuthMethod'

'deleteAuthMethod'

'createAuthMethod'

The XPath is:
CommonBaseEvent/extendedDataElements
[@name='workItemInfo']/children
[@name='id']/values
workItemInfo.type Specifies the type of the work item, that is the action that was performed. Potential values include: ‘authenticator', ‘authenticatorMethod
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='workItemInfo']/children
[@name='type']/values
authenticators.authenticator.id Optionally specifies the ID of an authenticator.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='id']/values
authenticators.authenticator.oauthGrant Optionally specifies the OAuth grant of an authenticator.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='oauthGrant']/values
authenticators.authenticator.enabled Optionally specifies whether the authenticator is enabled or disabled.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='enabled']/values
authenticators.authenticator.deviceName Optionally specifies the device name of an authenticator.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='deviceName']/values
authenticators.authenticator.deviceType Optionally specifies the device type of an authenticator.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='deviceType']/values
authenticators.authenticator.osVersion

Optionally specifies the OS version of an authenticator.

The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='osVersion']/values
authenticators.authenticator.applicationId Optionally specifies the application ID of an authenticator.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='applicationId']/values
authenticators.authenticator.authMethods.authMethod.id

or

authMethods.authMethod.id

 Optionally specifies the ID of an authenticator method.
The XPath is:
CommonBaseEvent/extendedDataElements
[@name='authenticators']/children
[@name='authenticator']/children
[@name='authMethods']/children
[@name='authMethod']/children
[@name='id']/values

Or

CommonBaseEvent/extendedDataElements 
[@name='authMethods']/children
[@name='authMethod']/children
[@name='id']/values
authenticators.authenticator.authMethods.authMethod.type

or

authMethods.authMethod.type

 Optionally specifies the type of an authenticator method. Usually ‘fingerprint’ or ‘user_presence’.
The XPath is:
CommonBaseEvent/extendedDataElements 
[@name='authenticators']/children
[@name='authenticator']/children
[@name='authMethods']/children
[@name='authMethod']/children
[@name='type']/values

Or

CommonBaseEvent/extendedDataElements 
[@name='authMethods']/children
[@name='authMethod']/children
[@name='type']/values
authenticators.authenticator.authMethods.authMethod.algorithm

or

authMethods.authMethod.algorithm

 Optionally specifies the algorithm of an authenticator method.
The XPath is:
CommonBaseEvent/extendedDataElements 
[@name='authenticators']/children
[@name='authenticator']/children
[@name='authMethods']/children
[@name='authMethod']/children
[@name='algorithm']/values

Or

CommonBaseEvent/extendedDataElements 
[@name='authMethods']/children
[@name='authMethod']/children
[@name='algorithm']/values
authenticators.authenticator.authMethods.authMethod.enabled

or

authMethods.authMethod.enabled

 Optionally specifies whether the authenticator method is enabled or disabled.
The XPath is:
CommonBaseEvent/extendedDataElements 
[@name='authenticators']/children
[@name='authenticator']/children
[@name='authMethods']/children
[@name='authMethod']/children
[@name='enabled']/values

Or

CommonBaseEvent/extendedDataElements 
[@name='authMethods']/children
[@name='authMethod']/children
[@name='enabled']/values
authenticators.authenticator.authMethods.authMethod.keyHandle

or

authMethods.authMethod.keyHandle

 Optionally specifies the key handle of an authenticator method.
The XPath is:
CommonBaseEvent/extendedDataElements 
[@name='authenticators']/children
[@name='authenticator']/children
[@name='authMethods']/children
[@name='authMethod']/children
[@name='keyHandle]/values

Or

CommonBaseEvent/extendedDataElements 
[@name='authMethods']/children
[@name='authMethod']/children
[@name='keyHandle']/values
authenticators.authenticator.authMethods.authMethod.publicKey

or

authMethods.authMethod.publicKey

 Optionally specifies the public key of an authenticator method.
The XPath is:
CommonBaseEvent/extendedDataElements 
[@name='authenticators']/children
[@name='authenticator']/children
[@name='authMethods']/children
[@name='authMethod']/children
[@name='publicKey']/values

Or

CommonBaseEvent/extendedDataElements 
[@name='authMethods']/children
[@name='authMethod']/children
[@name='publicKey']/values

Sample of an IBM_SECURITY_WORKFLOW event

The following example shows one event generated when a list of all authenticators was requested:

<CommonBaseEvent creationTime="2020-05-20T03:04:55.136Z" extensionName="IBM_SECURITY_WORKFLOW" globalInstanceId="FIM300a846101721f3ea4caa20cec6d4" sequenceNumber="34" version="1.1">
  <extendedDataElements name="EventName" type="string">
    <values>MMFAAuditEvent</values>
  </extendedDataElements>
  <extendedDataElements name="authenticators" type="noValue">
    <children name="authenticator" type="noValue">
      <children name="id" type="string">
        <values>uuid59694905-9dd6-427f-b5a4-0b45209914d4</values>
      </children>
      <children name="oauthGrant" type="string">
        <values>uuid2fb6fa34-0172-18e2-aec0-f9773093af33</values>
      </children>
      <children name="enabled" type="boolean">
        <values>true</values>
      </children>
      <children name="deviceName" type="string">
        <values>JessicasIphone</values>
      </children>
      <children name="deviceType" type="string">
        <values>iphone</values>
      </children>
      <children name="osVersion" type="string">
        <values>10</values>
      </children>
      <children name="authMethods" type="noValue">
        <children name="authMethod" type="noValue">
          <children name="id" type="string">
            <values>uuid21b9cc7e-7dd0-4288-bf0f-2c2f98e45698</values>
          </children>
          <children name="enabled" type="boolean">
            <values>true</values>
          </children>
        </children>
        <children name="authMethod" type="noValue">
          <children name="id" type="string">
            <values>uuidea5e94e3-ae48-44b1-8859-bf2a9e0f69d3</values>
          </children>
          <children name="enabled" type="boolean">
            <values>true</values>
          </children>
        </children>
      </children>
    </children>
  </extendedDataElements>
  <extendedDataElements name="userInfo" type="noValue">
    <children name="registryUserName" type="string">
      <values>Not Available</values>
    </children>
    <children name="appUserName" type="string">
      <values>testuser</values>
    </children>
  </extendedDataElements>
  <extendedDataElements name="workItemInfo" type="noValue">
    <children name="id" type="string">
      <values>authenticator</values>
    </children>
    <children name="type" type="string">
      <values>getAuthenticators</values>
    </children>
  </extendedDataElements>
  <extendedDataElements name="action" type="string">
    <values>getAuthenticators</values>
  </extendedDataElements>
  <extendedDataElements name="outcome" type="noValue">
    <children name="result" type="string">
      <values>SUCCESSFUL</values>
    </children>
    <children name="majorStatus" type="int">
      <values>0</values>
    </children>
  </extendedDataElements>
  <sourceComponentId application="IBM® Verify Identity Access" component="Authentication and Federated Identity" componentIdType="ProductName" executionEnvironment="Linux[amd64]#3.10.0-862.14.4.el7_1.iss8_1.28.x86_64" location="dev" locationType="FQHostname" subComponent="UserAuthenticatorHandler" threadId="Default Executor-thread-1546" componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
  <situation categoryName="ReportSituation">
    <situationType
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="SECURITY"/>
    </situation>
  </CommonBaseEvent>