
Auditing scope

Only events that meet the criteria listed below are considered for auditing.

The IBM® Security Verify Directory Integrator audit capability records only what users do; it does not record Server events in general. There is a difference between a user being authorized to perform a task (stop an AL) and the task actually being performed (the AL is terminated). Being authorized is an authorization event; the performing of a legitimate action, such as stopping an AL, is a Server event. When a user instructs an AL to stop and the AL terminates, an authorization event is paired with a Server event. At other times a Server event occurs by itself, as when an AL completes naturally.

Only events that involve direct user interaction are audited. This limits the default audit points to authentication and authorization events inside the Server API. Almost every method exposed by the Server API is protected by its own piece of authorization code. The Audit component does not try to send notifications for all authorization events, but selects a reasonable subset of authorization-guarded Server API methods. The principle behind the selection is to audit all events that:

  • Delete logs or tombstones
  • Start or stop IBM® Security Verify Directory Integrator entities such as configs, ALs, and the Server
  • Replace a configuration: replace the config instance configuration or the check-in configuration
  • Allow the user to change vital IBM® Security Verify Directory Integrator data: set external property, post a message in the System Queue, call custom Java™ code inside the IBM® Security Verify Directory Integrator JVM