PingDirectory

Perform an audit on consents

The Consent Service offers two types of audit logs to track changes and to perform audits on Consent Service resources.

For examples of configuring either type of log, see the <server-root>/resource/consent-service-cfg.dsconfig script bundled with the server, or see Logging.

The examples in this topic use the Consent Trace Logger, which represents Consent Service change events using the same field names used by the Consent API.

Log Publishers

| Log publisher | Log publisher type | Description |
| --- | --- | --- |
| Consent Trace Logger | file-based-trace | Records Consent Service events at the Consent API level. Change events are recorded using messages of type audit. |
| Consent LDAP Audit Logger | file-based-audit | Records data changes at the LDAP level. In combination with a Request Criteria configuration object, an LDAP audit logger can be configured to record changes to Consent Service resources only. |

Trace logger keys for auditing

Trace logger audit messages consist of a timestamp, the CONSENT AUDIT message type, and a set of key/value pairs.

The keys used in trace log audit messages vary depending on the type of resource.

The following table describes a subset of important keys.

| Trace logger key | Description |
| --- | --- |
| requestID | A server-specific HTTP request ID. This value can be correlated with messages produced by other loggers. |
| resourceType | The type of Consent Service resource that was changed. Possible values are definition, localization, or consent. |
| changeType | The type of change recorded by this message. Possible values are create, update, or delete. |
| attrsAdded | A comma-delimited list of the attributes that were added to the resource. |
| attrsUpdated | A comma-delimited list of the attributes that were modified on the resource. |
| attrsDeleted | A comma-delimited list of the attributes that were removed from the resource. |
| requestDN | The distinguished name (DN) of the requester. Available only when the resource type is consent. |
| definitionID | The consent definition ID. Its meaning depends on the resource type: for definition, it identifies the definition that was changed; for localization, it identifies the parent definition; for consent, it identifies the consent record's related definition. |
| locale | The locale. Its meaning depends on the resource type: for localization, it identifies the localization in combination with the definition ID; for consent, it identifies the related localization combined with the definition ID. |
| consentID | The consent record ID. Available only when the resource type is consent. |
| subject | The subject value. Available only when the resource type is consent. |
| subjectDN | The subject's mapped LDAP DN. Available only when the resource type is consent. |
| actor | The actor value. Available only when the resource type is consent. |
| actorDN | The actor's mapped LDAP DN. Available only when the resource type is consent. |
| audience | The audience value. Available only when the resource type is consent. |
| collaborators | The collaborators value. Available only when the resource type is consent. |
| status | The consent status. Possible values are pending, accepted, denied, revoked, and restricted. Available only when the resource type is consent. |
| previousStatus | The previous consent status, if applicable. Available only when the resource type is consent. |
| msg | A multiline value that includes the complete body of the changed resource. If the action is an update or a delete, the resource's body before the change is also included. |

Perform an audit

Consent resource changes for particular entities, such as a specific user or a specific consent definition, can be audited by searching the trace log using a combination of one of the message keys and the desired value.

For example, if an individual’s LDAP distinguished name (DN) is known, the subjectDN key can be used to construct a text search for any audit log messages containing that DN. Any matching log messages constitute a history of that individual’s consent activity.
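The search described above, carried out programmatically, as an added example that is not part of the PingDirectory documentation or product: the parser splits a trace log into CONSENT AUDIT messages, reads the key/value pairs (including the multiline msg value), and filters them by any key such as subjectDN or consentID to produce an entity's consent timeline. The log text is constructed here and shortened from the messages shown on this page; the OTHER MESSAGE line is filler of an assumed shape, included only to show that non-audit messages are skipped.

```python
import re

# Start of one trace log message: "[timestamp] MESSAGE TYPE key=value ...".
_MSG_START = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<type>[A-Z]+(?: [A-Z]+)*) ", re.M)
# key=value pairs; a quoted value may span several lines, which is how msg is written.
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample log, modelled on the CONSENT AUDIT messages on this page (values
# shortened). The OTHER MESSAGE line is constructed filler, not a real message type.
SAMPLE_LOG = """\
[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people,dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,dc=example,dc=com" definitionID="cats" locale="en-US" status="accepted" changeType="create" resourceType="consent" msg="
New Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subjectDN':'uid=user.0,ou=People,dc=example,dc=com'}"
[22/May/2018:18:03:10.000 -0500] OTHER MESSAGE requestID=58 subjectDN="uid=user.0,ou=People,dc=example,dc=com"
[22/May/2018:18:04:00.000 -0500] CONSENT AUDIT requestID=60 requestDN="uid=user.1,ou=people,dc=example,dc=com" consentID="11111111-2222-3333-4444-555555555555" subject="user.1" subjectDN="uid=user.1,ou=People,dc=example,dc=com" definitionID="cats" locale="en-US" status="denied" changeType="create" resourceType="consent" msg="
New Consent Record:
    {'id':'11111111-2222-3333-4444-555555555555','status':'denied'}"
[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people,dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,dc=example,dc=com" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted" attrsUpdated="status" changeType="update" resourceType="consent" msg="
Previous Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted'}
Updated Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked'}"
[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,dc=example,dc=com" definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" changeType="delete" resourceType="consent" msg="
Deleted Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked'}"
"""

def parse_audit_messages(log_text):
    """Return one dict per CONSENT AUDIT message, keyed by trace logger key plus 'timestamp'."""
    starts = list(_MSG_START.finditer(log_text))
    messages = []
    for i, start in enumerate(starts):
        if start.group("type") != "CONSENT AUDIT":
            continue  # other trace message types use other keys; skip them
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        fields = {"timestamp": start.group("ts")}
        for key, quoted, bare in _PAIR.findall(log_text[start.end():end]):
            fields[key] = quoted if quoted else bare  # quoted values keep embedded newlines
        messages.append(fields)
    return messages

def consent_history(log_text, key, value):
    """Audit messages whose key (e.g. subjectDN or consentID) equals value, in log order."""
    return [m for m in parse_audit_messages(log_text) if m.get(key) == value]

def summarize(history):
    """(timestamp, changeType, previousStatus, status) per message: the entity's consent timeline."""
    return [(m["timestamp"], m["changeType"], m.get("previousStatus"), m.get("status")) for m in history]
```

Searching by consentID instead of subjectDN yields the same three messages for this record; a DN that appears only in a non-audit message yields nothing.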

This example shows an audit log message that provides important values in a parseable key/value format and includes a complete new consent record.

[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people,
  dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,
  ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1"
  definitionID="cats" locale="en-US" status="accepted" attrsAdded="actor,audience,createdDate,dataText,subject,
  purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg="
New Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,
  ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':
  'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your
  cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion',
  'createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}"

This example provides a complete consent record before and after it was updated. By reviewing the attrsUpdated, status, and previousStatus keys, you can determine that the status changed from accepted to revoked.

[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people,
   dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,
   ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com"
   audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted"
   attrsUpdated="status" changeType="update" resourceType="consent" msg="
Previous Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,
  ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com',
  'audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect
  data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your
  feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}
Updated Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':
  'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,
  dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':
  'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and
  delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}"

This example shows that a consent record has been deleted and provides a complete representation of the consent record before it was deleted.

[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager"
   consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,
   dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1"
   definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience,
   createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="delete"
   resourceType="consent" msg="
Deleted Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':
   'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,
   dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','currentVersion':
   '1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food
   flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z',
   'updatedDate':'2018-05-22T23:05:08.655Z'}"