Perform an audit on consents
The Consent Service offers two types of audit logs to track changes and to perform audits on Consent Service resources.
For examples of configuring either type of log, see the <server-root>/resource/consent-service-cfg.dsconfig script bundled with the server, or see Logging.
This example uses the Consent Trace Logger, which represents Consent Service change events using the same field names used by the Consent API.
Log publisher | Log publisher type | Description |
---|---|---|
Consent Trace Logger | file-based-trace | Records Consent Service events at the Consent API level. Change events are recorded using messages of type CONSENT AUDIT. |
Consent LDAP Audit Logger | file-based-audit | Records data changes at the LDAP level. In combination with a Request Criteria configuration object, an LDAP audit logger can be configured to record changes to Consent Service resources only. |
Trace logger keys for auditing
Trace logger audit messages consist of a timestamp, the CONSENT AUDIT message type, and a set of key/value pairs. The keys used in trace log audit messages vary depending on the type of resource.
The following table describes a subset of important keys. The key names are the ones that appear in the example messages later in this topic.
Trace logger key | Description |
---|---|
requestID | A server-specific HTTP request ID. This value can be correlated with messages produced by other loggers. |
resourceType | The type of Consent Service resource that was changed. Possible values are |
changeType | The type of change recorded by this message. Possible values are |
attrsAdded | A comma-delimited list of the attributes that were added to the resource. |
attrsUpdated | A comma-delimited list of the attributes that were modified on the resource. |
attrsDeleted | A comma-delimited list of the attributes that were removed from the resource. |
requestDN | The distinguished name (DN) of the requester, which is available only when the resource type is |
definitionID | The consent definition ID. The following list identifies the possible resource types and their definitions: |
locale | The locale. The following list identifies the possible resource types and their definitions: |
consentID | The consent record ID, available only when the resource type is |
subject | The subject value, available only when the resource type is |
subjectDN | The subject’s mapped LDAP DN. This is available only when the resource type is |
actor | The actor value. This is available only when the resource type is |
actorDN | The actor’s mapped LDAP DN. This is available only when the resource type is |
audience | The audience value. This is available only when the resource type is |
collaborators | The collaborators value, available only when the resource type is |
status | The consent status. This is available only when the resource type is Possible values are |
previousStatus | The previous consent status, if applicable. This is available only when the resource type is |
msg | A multiline value that includes the complete body of the changed resource. If the action is an |
Perform an audit
Consent resource changes for particular entities, such as a specific user or a specific consent definition, can be audited by searching the trace log using a combination of one of the message keys and the desired value.
For example, if an individual’s LDAP distinguished name (DN) is known, the subjectDN key can be used to construct a text search for any audit log messages containing that DN. Any matching log messages constitute a history of that individual’s consent activity.
New consent record example
This example shows an audit log message that provides important values in a parseable key/value format and includes a complete new consent record.
```
[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people, dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0, ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="accepted" attrsAdded="actor,audience,createdDate,dataText,subject, purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg=" New Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0, ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience': 'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion', 'createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}"
```
Updated consent record example
This example provides a complete consent record before and after it was updated. By reviewing the attrsUpdated, status, and previousStatus keys, you can determine that the status changed from accepted to revoked.
```
[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people, dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0, ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted" attrsUpdated="status" changeType="update" resourceType="consent" msg=" Previous Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0, ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com', 'audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'} Updated Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN': 'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example, dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText': 'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}"
```
Deleted consent record example
This example shows that a consent record has been deleted and provides a complete representation of the consent record before it was deleted.
```
[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People, dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience, createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="delete" resourceType="consent" msg=" Deleted Consent Record: {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN': 'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People, dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','currentVersion': '1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z', 'updatedDate':'2018-05-22T23:05:08.655Z'}"
```
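The subjectDN search described under "Perform an audit", applied to the three messages above, as an added example that is not part of the original documentation or the server's own tooling: a small Python parser for the CONSENT AUDIT line format (bracketed timestamp, message type, key=value pairs with double-quoted values) that filters the trace log by subjectDN and returns that person's consent history. The sample lines are constructed from the messages above with shortened msg bodies; the fourth line, its subject user.1 and its consentID are invented to show that other subjects are filtered out.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines modeled on the messages above (msg bodies shortened); line 4 is an invented second subject.
SAMPLE_LOG = """\
[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people, dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0, ou=People,dc=example,dc=com" definitionID="cats" status="accepted" attrsAdded="actor,audience,status,subjectDN" changeType="create" resourceType="consent" msg=" New Consent Record: {'status':'accepted'}"
[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people, dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0, ou=People,dc=example,dc=com" definitionID="cats" status="revoked" previousStatus="accepted" attrsUpdated="status" changeType="update" resourceType="consent" msg=" Previous Consent Record: {'status':'accepted'} Updated Consent Record: {'status':'revoked'}"
[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People, dc=example,dc=com" definitionID="cats" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience,status,subjectDN" changeType="delete" resourceType="consent" msg=" Deleted Consent Record: {'status':'revoked'}"
[22/May/2018:18:07:00.000 -0500] CONSENT AUDIT requestID=62 requestDN="uid=user.1,ou=people,dc=example,dc=com" consentID="a1b2c3d4-0000-4000-8000-000000000001" subject="user.1" subjectDN="uid=user.1,ou=People,dc=example,dc=com" definitionID="cats" status="accepted" attrsAdded="status" changeType="create" resourceType="consent" msg=" New Consent Record: {'status':'accepted'}"
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] CONSENT AUDIT (?P<body>.*)$")
# A value is either double-quoted (the msg body uses single quotes, so no
# embedded double quotes occur) or a bare token such as requestID=57.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the timestamp and key/value pairs of one CONSENT AUDIT message,
    or None for any other line in the trace log."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {"timestamp": m.group("ts")}
    for key, quoted, bare in PAIR_RE.findall(m.group("body")):
        fields[key] = bare if bare else quoted
    return fields

def normalize_dn(dn: str) -> str:
    """Fold case and drop whitespace after commas ('ou=people' vs 'ou=People, dc=...')."""
    return re.sub(r",\s*", ",", dn).strip().lower()

def consent_history(lines: List[str], subject_dn: str) -> List[Dict[str, str]]:
    """Events for one subject DN in file order: the per-person consent history
    the text above describes, reduced to the keys an auditor reads first."""
    wanted = normalize_dn(subject_dn)
    keep = ("timestamp", "requestID", "consentID", "changeType", "status", "previousStatus")
    history = []
    for f in filter(None, map(parse_audit_line, lines)):
        if normalize_dn(f.get("subjectDN", "")) != wanted:
            continue
        ev = {k: f.get(k, "") for k in keep}
        # Whichever of attrsAdded/attrsUpdated/attrsDeleted is present names what changed.
        ev["changed"] = f.get("attrsAdded") or f.get("attrsUpdated") or f.get("attrsDeleted") or ""
        history.append(ev)
    return history

if __name__ == "__main__":
    for ev in consent_history(SAMPLE_LOG.splitlines(), "uid=user.0,ou=People,dc=example,dc=com"):
        print(ev["timestamp"], ev["changeType"], ev["previousStatus"] or "-", "->", ev["status"])
```

Because other trace message types share the same file, the parser ignores anything not tagged CONSENT AUDIT, and the DN comparison tolerates the case and spacing differences visible in the messages above.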