action element

Edit online

Reference information about the action element.

Description

The action that is performed.

Values

String

  • For the AUDIT_AUTHN event type, the following strings are suggested values:
    authentication
    An authentication operation. Multiple authentications can occur as part of a single login.
    credsRefresh
    Refresh of a credential. For example, in the case of Kerberos.
    login
    A login operation.
    reauthentication
    Reauthentication operation.
    stepUp
    Step-up authentication.
    tokenIssue
    Used when the Trust Service issues a token on behalf of an identity.
    tokenReceipt
    Used when an incoming security token is validated by the Trust Service.
    switchUser
    A switch user operation.
  • For the AUDIT_AUTHN_CREDS_MODIFY event type, the following strings are suggested values:
    credsCombine
    Caller is adding a user to a credential chain.
    credsModify
    Caller is creating a modified copy of existing user credentials.
    getCreds
    Caller is getting credentials based on user information.
    getCredsFromPAC
    Resolve credentials from transferable object (privilege attribute certificate [PAC]).
    getEntitlements
    Add to credentials by using an entitlements service.
    getPAC
    Convert credentials to a transferable object (privilege attribute certificate [PAC]).
  • For the AUDIT_AUTHN_TERMINATE event type, the following strings are suggested values:
    logout
    A logout operation.
    switchUserTerminate
    Used when the switch user session is ended.
  • For the AUDIT_DATA_SYNC event type, the following strings are suggested values:
    reconcile
    Reconcile accounts. For example, the Identity Manager server might send a request to the remote provisioning resource to synchronize account data into the Identity Manager repository.
    unsolicitedNotification
    Notify of operations. For example, the remote provisioning resource might send a notification to the Identity Manager server to notify changes on the account data.
  • For the AUDIT_MGMT_CONFIG, AUDIT_MGMT_POLICY, AUDIT_MGMT_REGISTRY, and AUDIT_MGMT_RESOURCE event types, the following strings are suggested values:
    associate
    Associate entities. For example, the user who is associated with groups, group associated with users, and policy associated with objects.
    challengeResponse
    Change the challenge and response configurations.
    changePolicyEnforcementAction
    Change the policy enforcement action of the management object. The following list shows the allowable actions:
    • Correct
    • Suspend
    • Mark
    • Non-Compliant
    checkAccess
    An authorization decision was made.
    create
    Create a management object.
    delegate
    Delegate authorities the user has to another user for a specified amount of time.
    delete
    Delete a management object. For example, delete a file from the Trusted Computing Base.
    disable
    Disable an account for login activity.
    disassociate
    Disassociate entities. For example, disassociate a user from groups, disassociate a group from users, and disassociate a policy from objects.
    enable
    Enable an account for login activity.
    markTrusted
    Mark as trusted. For example, mark a file as trusted in the Trusted Computing Base.
    markUntrusted
    Mark as untrusted. For example, mark a file as untrusted in the Trusted Computing Base.
    modify
    Modify a management object.
    passthru
    Indicates that request is passed to another server.
    passwordChange
    Indicates a password change operation initiated by the administrator.
    passwordPickup
    Pick up password for account.
    register
    To register. For example, register a daemon with the kernel.
    restore
    To restore. For example, to restore a suspended user or account.
    retire
    To retire. For example, a federation is retired when it is no longer used. This information is archived for future reference.
    retrieve
    A credential was retrieved.
    show
    Show a management object.
    suspend
    To suspend. For example, suspend a partner in a federation.
    transfer
    Transfer a user between different organization containers.
    validate
    To validate. For example, verify a security token that represents a user.

  • For the AUDIT_MGMT_PROVISIONING event type, the following strings are suggested values:

    add
    Provision a new account on the target resource identified by provisioningTargetInfo.
    adopt
    Adopt an orphan account identified by provisioningTargetInfo.
    changePassword
    Change password for an account identified by provisioningTargetInfo.
    delete
    Delete an account identified by provisioningTargetInfo.
    modify
    Modify an existing account identified by provisioningTargetInfo.
    passwordPickup
    Pick up password for an account identified by provisioningTargetInfo.
    restore
    Restore a suspended account identified by provisioningTargetInfo.
    suspend
    Suspend an existing account identified by provisioningTargetInfo.
  • For the AUDIT_RESOURCE_ACCESS event type, the following strings are suggested values:
    fileExec
    A program execution occurred.
    fileTrace
    A file access occurred.
    httpRequest
    A request was made to access a resource by using HTTP.
  • For the AUDIT_RUNTIME event type, the following strings are suggested values:
    auditLevelChange
    An audit or warning level change request is sent to the server.
    auditStart
    Auditing started for a server component.
    auditStop
    Auditing stopped for a server component.
    contactRestored
    Restored contact. For example, the server regained contact with the Verify Identity Access user registry.
    heartbeatDown
    Heartbeat information that a server or API is down.
    heartbeatUp
    Heartbeat information that a server or API is up.
    lostContact
    Lost contact. For example, the server currently has no contact with the Verify Identity Access user registry.
    monitor
    A process was adopted in to the set of monitored processes.
    start
    A server successfully started.
    statistic
    Statistical information for a server for capacity planning purposes.
    stop
    A server successfully stopped.
  • For the AUDIT_RUNTIME_KEY event type, the following strings are suggested values:
    keyRetire
    The key is retired.
    keyCRLInvalidated
    The CRL in the key is not valid.
    keyCertExpired
    The certificate in the key expired.
    keySetInvalid
    The key is set as not valid.
    keyCertExpirationCheck
    The expiration of the certificate is checked.
  • For the AUDIT_WORKFLOW event type, the following strings are suggested values:
    assign
    A work item is assigned and routed to a user.
    complete
    A work item is completed by the user.
    defer
    More time is given for the completion of the work item.
    delegate
    A work item is being delegated to another user.
    escalate
    A work item is being escalated as a result of timeout.
    lock
    A work item is being locked by a user. After a work item is locked, no other potential work item owner can perform the operation on the work item.
    unlock
    A work item is unlocked by a user.

XPath

CommonBaseEvent/extendedDataElements[@name='action']/values