Auditing from Mapping Rules

Data that is used in JavaScript mapping rules can be written to the audit log with IDMappingExtUtils.logAuditEvent().

Data that is used in making an access control decision can be audited from JavaScript mapping rules. Use the IDMappingExtUtils.logAuditEvent(username, message, success) function to capture that data and make it available in the audit logs. As the examples below show, the first argument is written to the Username and appUserName fields, the second to the Message field (and, on a failure, also to outcome/failureReason), and the boolean third argument selects the outcome: true records SUCCESSFUL with majorStatus 0, false records UNSUCCESSFUL with majorStatus 1. Both strings appear in the log as given, so never pass secrets such as passwords, OTP values or tokens in them, and be aware that any client-supplied values you include (for example a device name, as in Scenario 2) are logged as-is; consumers of the audit log should treat the Message field as untrusted text.

Scenario 1: User completed password reset (USC_PasswordReset_Success)

// Record a successful password reset for `username`. The message is written
// verbatim to the Message field of the audit record; the trailing `true`
// marks the event outcome as SUCCESSFUL (majorStatus 0).
var resetMessage = "Successfully completed password reset";
IDMappingExtUtils.logAuditEvent(username, resetMessage, true);
produces the following audit log entry:
<CommonBaseEvent creationTime="2018-09-04T00:23:05.239Z" extensionName="IBM_SECURITY_AUTHN" globalInstanceId="FIMa1f61b1801651c11a034fb3858d13" sequenceNumber="0" version="1.1">
	<contextDataElements name="Security Event Factory" type="eventTrailId">
		<contextId>FIM_a1f61b17016516b19127fb3858d13aff+667021443</contextId>
	</contextDataElements>
	<extendedDataElements name="EventName" type="string">
		<values>JavaScriptEvent</values>
	</extendedDataElements>
	<extendedDataElements name="Username" type="string">
		<values>testuser</values>
	</extendedDataElements>
	<extendedDataElements name="Outcome" type="string">
		<values>SUCCESSFUL</values>
	</extendedDataElements>
	<extendedDataElements name="Message" type="string">
		<values>Successfully completed password reset</values>
	</extendedDataElements>
	<extendedDataElements name="progName" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="authnProvider" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="partner" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="trustRelationship" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="userInfoList" type="noValue">
		<children name="userInfo" type="noValue">
			<children name="registryUserName" type="string">
				<values>Not Available</values>
			</children>
			<children name="appUserName" type="string">
				<values>testuser</values>
			</children>
		</children>
	</extendedDataElements>
	<extendedDataElements name="authnType" type="string">
		<values>authenticationService</values>
	</extendedDataElements>
	<extendedDataElements name="action" type="string">
		<values>validate</values>
	</extendedDataElements>
	<extendedDataElements name="tokenType" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="authnScope" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="outcome" type="noValue">
		<children name="result" type="string">
			<values>SUCCESSFUL</values>
		</children>
		<children name="majorStatus" type="int">
			<values>0</values>
		</children>
	</extendedDataElements>
	<sourceComponentId application="IBM Security Access Manager" component="Authentication and Federated Identity" componentIdType="ProductName" executionEnvironment="Linux[amd64]#3.10.0-693.21.1.el7_1.iss8_1.4.x86_64" location="localhost" locationType="FQHostname" subComponent="com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils" threadId="Default Executor-thread-44" componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
	<situation categoryName="ReportSituation">
		<situationType
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="SECURITY"/>
		</situation>
	</CommonBaseEvent>

Scenario 2: OAuth flow is used to enroll Mobile Multi-Factor Authentication (*PostTokenGeneration)

// Audit the MMFA enrollment. The device attributes are serialised as JSON
// into the Message field of the audit record, in the property order below.
// NOTE(review): deviceName/deviceType/osVersion presumably originate from the
// enrolling client and are logged as given — confirm, and do not add any
// secret material (tokens, OTP values) to this object.
var auditData = {};
auditData.status = "registering MMFA";
auditData.deviceName = device_name;
auditData.deviceType = device_type;
auditData.osVersion = os_version;
// `displayName` becomes the Username/appUserName of the record; make sure it
// holds the authenticated user's identifier and not a placeholder string.
IDMappingExtUtils.logAuditEvent(displayName, JSON.stringify(auditData), true);
produces the following audit log entry. Note that in this sample the Username and appUserName fields contain the literal text displayName; confirm that the variable you pass as the first argument holds the authenticated user's identifier rather than a placeholder, otherwise the enrollment cannot be attributed to a user from the record:
<CommonBaseEvent creationTime="2018-09-04T00:23:05.241Z" extensionName="IBM_SECURITY_AUTHN" globalInstanceId="FIMa1f61b1901651d24b0adfb3858d13" sequenceNumber="1" version="1.1">
	<contextDataElements name="Security Event Factory" type="eventTrailId">
		<contextId>FIM_a1f61b17016516b19127fb3858d13aff+667021443</contextId>
	</contextDataElements>
	<extendedDataElements name="EventName" type="string">
		<values>JavaScriptEvent</values>
	</extendedDataElements>
	<extendedDataElements name="Username" type="string">
		<values>displayName</values>
	</extendedDataElements>
	<extendedDataElements name="Outcome" type="string">
		<values>SUCCESSFUL</values>
	</extendedDataElements>
	<extendedDataElements name="Message" type="string">
		<values>{"status":"registering MMFA","deviceName":"Jasmine's iPhone","deviceType":"iPhone","osVersion":"11"}</values>
	</extendedDataElements>
	<extendedDataElements name="progName" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="authnProvider" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="partner" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="trustRelationship" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="userInfoList" type="noValue">
		<children name="userInfo" type="noValue">
			<children name="registryUserName" type="string">
				<values>Not Available</values>
			</children>
			<children name="appUserName" type="string">
				<values>displayName</values>
			</children>
		</children>
	</extendedDataElements>
	<extendedDataElements name="authnType" type="string">
		<values>authenticationService</values>
	</extendedDataElements>
	<extendedDataElements name="action" type="string">
		<values>validate</values>
	</extendedDataElements>
	<extendedDataElements name="tokenType" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="authnScope" type="string">
		<values>Not Available</values>
	</extendedDataElements>
	<extendedDataElements name="outcome" type="noValue">
		<children name="result" type="string">
			<values>SUCCESSFUL</values>
		</children>
		<children name="majorStatus" type="int">
			<values>0</values>
		</children>
	</extendedDataElements>
	<sourceComponentId application="IBM Security Access Manager" component="Authentication and Federated Identity" componentIdType="ProductName" executionEnvironment="Linux[amd64]#3.10.0-693.21.1.el7_1.iss8_1.4.x86_64" location="localhost" locationType="FQHostname" subComponent="com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils" threadId="Default Executor-thread-44" componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
	<situation categoryName="ReportSituation">
		<situationType
			xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="SECURITY"/>
		</situation>
	</CommonBaseEvent>

Scenario 3: OTP retry limit is reached (OTPVerify)

// Audit an exhausted OTP retry budget as an UNSUCCESSFUL event (majorStatus 1,
// with the message copied into outcome/failureReason). The empty first
// argument leaves the Username and appUserName fields blank, so this record
// cannot be tied to a user from those fields alone — pass the user identifier
// here if the OTPVerify rule has it in scope.
var failureReason = "Retry limit exceeded.";
IDMappingExtUtils.logAuditEvent("", failureReason, false);
produces the following audit log entry. Because the first argument is an empty string, the Username and appUserName fields are empty; where the rule has the user identifier available, pass it instead so that repeated OTP failures can be correlated per user for alerting and lockout decisions:
<CommonBaseEvent creationTime="2018-09-04T00:50:24.603Z" extensionName="IBM_SECURITY_AUTHN" globalInstanceId="FIMa20f1edb01651a4c8c61fb3858d13" sequenceNumber="2" version="1.1">
    <contextDataElements name="Security Event Factory" type="eventTrailId">
        <contextId>FIM_a20f1ed2016510a09325fb3858d13aff+1389200945</contextId>
    </contextDataElements>
    <extendedDataElements name="EventName" type="string">
        <values>JavaScriptEvent</values>
    </extendedDataElements>
    <extendedDataElements name="Username" type="string">
        <values></values>
    </extendedDataElements>
    <extendedDataElements name="Outcome" type="string">
        <values>UNSUCCESSFUL</values>
    </extendedDataElements>
    <extendedDataElements name="Message" type="string">
        <values>Retry limit exceeded.</values>
    </extendedDataElements>
    <extendedDataElements name="progName" type="string">
        <values>Not Available</values>
    </extendedDataElements>
    <extendedDataElements name="authnProvider" type="string">
        <values>Not Available</values>
    </extendedDataElements>
    <extendedDataElements name="partner" type="string">
        <values>Not Available</values>
    </extendedDataElements>
    <extendedDataElements name="trustRelationship" type="string">
        <values>Not Available</values>
    </extendedDataElements>
    <extendedDataElements name="userInfoList" type="noValue">
        <children name="userInfo" type="noValue">
            <children name="registryUserName" type="string">
                <values>Not Available</values>
            </children>
            <children name="appUserName" type="string">
                <values></values>
            </children>
        </children>
    </extendedDataElements>
    <extendedDataElements name="authnType" type="string">
        <values>authenticationService</values>
    </extendedDataElements>
    <extendedDataElements name="action" type="string">
        <values>validate</values>
    </extendedDataElements>
    <extendedDataElements name="tokenType" type="string">
        <values>Not Available</values>
    </extendedDataElements>
    <extendedDataElements name="authnScope" type="string">
        <values>Not Available</values>
    </extendedDataElements>
    <extendedDataElements name="outcome" type="noValue">
        <children name="result" type="string">
            <values>UNSUCCESSFUL</values>
        </children>
        <children name="failureReason" type="string">
            <values>Retry limit exceeded.</values>
        </children>
        <children name="majorStatus" type="int">
            <values>1</values>
        </children>
    </extendedDataElements>
    <sourceComponentId application="IBM Security Access Manager" component="Authentication and Federated Identity" componentIdType="ProductName" executionEnvironment="Linux[amd64]#3.10.0-693.21.1.el7_1.iss8_1.4.x86_64" location="localhost" locationType="FQHostname" subComponent="com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils" threadId="Default Executor-thread-692" componentType="http://www.ibm.com/namespaces/autonomic/Tivoli_componentTypes"/>
    <situation categoryName="ReportSituation">
        <situationType
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ReportSituation" reasoningScope="INTERNAL" reportCategory="SECURITY"/>
        </situation>
    </CommonBaseEvent>