PingIDM

Monitor specific activity log changes

For the activity log only, you can name fields whose changes you consider important enough to record explicitly in each log entry, so that reviewers can see at a glance which properties an operation touched.

Fields to watch

The watchedFields property (in conf/audit.json) lets you define a list of properties to monitor for changes. When a monitored property changes, IDM records it in the activity log under changedFields. Field names in changedFields are JSON pointers with a leading slash. For example: /mail and /telephoneNumber. Only the names of the changed properties are recorded in changedFields, not their previous or new values.

watchedFields defaults to [] (empty, no fields watched). To watch specific fields, list their names as values of the property:

"watchedFields": [ "email", "address" ]

To watch changes to all fields without listing them individually, use the wildcard "*":

"watchedFields": [ "*" ]

To enable wildcard field watching, update the eventTopics.activity block in conf/audit.json:

"eventTopics": {
  "activity": {
    "filter": {
      "actions": ["create", "update", "delete", "patch", "action"]
    },
    "passwordFields": ["password"],
    "watchedFields": ["*"]
  }
}

The following example shows an activity log entry when watchedFields is ["*"] and a single update changes telephoneNumber, description, accountStatus, and password:

{
  "_id": "68ed96ce-48ea-4b82-adc0-6585eae3acb0-1318",
  "timestamp": "2024-02-28T17:48:32.417Z",
  "eventName": "activity",
  "transactionId": "68ed96ce-48ea-4b82-adc0-6585eae3acb0-1242",
  "userId": "openidm-admin",
  "runAs": "openidm-admin",
  "objectId": "managed/user/ricksutter",
  "operation": "UPDATE",
  "changedFields": [
    "/telephoneNumber",
    "/description",
    "/accountStatus",
    "/password"
  ],
  "revision": "d9e0929b-46b8-4fcf-8606-f0870a63e082-102",
  "status": "SUCCESS",
  "message": "update",
  "passwordChanged": true
}

To configure watched fields in the admin UI, select Configure > System Preferences > Audit. Scroll down to Event Topics, and click the pencil icon next to the activity event.

Password fields to watch

You can set a list of passwordFields that functions much like the watchedFields property. Changes to these properties are logged in the activity log under changedFields. In addition, when a password property changes, the boolean passwordChanged flag is set to true in the activity log entry; the password value itself is not written to the log, as the example entry above shows (only /password and the flag appear). Any property you do not list here is treated as an ordinary field, so a change to it never sets passwordChanged; list every password-type property your managed object schema defines. Specify the properties as a JSON array of property names in the passwordFields parameter. For example:

"passwordFields" : [ "password", "userPassword" ]
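The watchedFields and passwordFields settings above only decide what gets written; the value comes from consuming the entries. The following script is an added example (not PingIDM's own code) that reads activity-log lines in the JSON Lines form shown on this page and flags entries that touch sensitive fields or set a password on an account other than the actor's own. It relies only on the fields visible in the page's example entry (objectId, userId, runAs, changedFields as leading-slash JSON pointers, passwordChanged, status). The SENSITIVE_FIELDS set, the /authzRoles pointer, the managed/user/<id> heuristic for the subject, and the sample log lines are assumptions constructed for the example.

```python
"""Flag high-risk changes in PingIDM activity-log entries.

Added example for this page, not PingIDM's own code. It reads activity-log
lines in the JSON Lines form shown on the page and uses only the fields that
appear there. The sensitive-field list and the log lines are constructed
assumptions, not real IDM output.
"""
from __future__ import annotations

import json
from typing import Optional

# Assumed set of fields whose change should be reviewed. /password and
# /accountStatus appear in the page's example entry; /authzRoles is an
# assumption about a typical managed user schema.
SENSITIVE_FIELDS = {"/password", "/accountStatus", "/authzRoles"}

# Constructed sample log lines (not real IDM output). A non-activity line and
# blank lines are included to show that the parser skips them.
SAMPLE_LOG = """
{"_id": "a-1", "timestamp": "2024-02-28T17:48:32.417Z", "eventName": "activity", "transactionId": "t-1", "userId": "openidm-admin", "runAs": "openidm-admin", "objectId": "managed/user/ricksutter", "operation": "UPDATE", "changedFields": ["/telephoneNumber", "/description", "/accountStatus", "/password"], "revision": "r-1", "status": "SUCCESS", "message": "update", "passwordChanged": true}
{"_id": "a-2", "timestamp": "2024-02-28T17:50:01.000Z", "eventName": "activity", "transactionId": "t-2", "userId": "bjensen", "runAs": "bjensen", "objectId": "managed/user/bjensen", "operation": "PATCH", "changedFields": ["/telephoneNumber"], "revision": "r-2", "status": "SUCCESS", "message": "patch", "passwordChanged": false}
{"_id": "a-3", "timestamp": "2024-02-28T17:51:12.000Z", "eventName": "activity", "transactionId": "t-3", "userId": "scarter", "runAs": "scarter", "objectId": "managed/user/scarter", "operation": "PATCH", "changedFields": ["/password"], "revision": "r-3", "status": "SUCCESS", "message": "patch", "passwordChanged": true}
{"_id": "a-4", "timestamp": "2024-02-28T17:52:40.000Z", "eventName": "activity", "transactionId": "t-4", "userId": "openidm-admin", "runAs": "openidm-admin", "objectId": "managed/user/bjensen", "operation": "PATCH", "changedFields": ["/accountStatus"], "revision": "r-4", "status": "FAILURE", "message": "patch", "passwordChanged": false}
{"_id": "x-1", "timestamp": "2024-02-28T17:53:00.000Z", "eventName": "access", "transactionId": "t-5"}
"""


def parse_activity_log(text: str) -> list[dict]:
    """Parse JSON Lines and keep only entries from the activity topic."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("eventName") == "activity":
            entries.append(entry)
    return entries


def subject_of(entry: dict) -> Optional[str]:
    """Return the managed user id from an objectId of the form managed/user/<id>.

    The prefix is an assumption about how managed users are addressed; other
    object types yield None and are not treated as self-service changes.
    """
    object_id = entry.get("objectId", "")
    prefix = "managed/user/"
    if object_id.startswith(prefix):
        return object_id[len(prefix):]
    return None


def classify(entry: dict) -> list[str]:
    """Return the review reasons for one entry (empty list if none)."""
    reasons = []
    # Tolerate entries without changedFields rather than failing on them.
    changed = set(entry.get("changedFields", []))
    for field in sorted(changed & SENSITIVE_FIELDS):
        reasons.append(f"sensitive-field:{field}")
    # A password set by someone other than the account owner is a reset or
    # takeover; runAs is the effective identity, userId the authenticated one.
    if entry.get("passwordChanged"):
        actor = entry.get("runAs") or entry.get("userId")
        if actor != subject_of(entry):
            reasons.append(f"password-set-by-other:{actor}")
    # Failed attempts against sensitive fields are worth seeing as well.
    if reasons and entry.get("status") != "SUCCESS":
        reasons.append("status:" + str(entry.get("status")))
    return reasons


def find_alerts(text: str) -> dict[str, list[str]]:
    """Map each flagged entry's _id to its review reasons."""
    alerts = {}
    for entry in parse_activity_log(text):
        reasons = classify(entry)
        if reasons:
            alerts[entry["_id"]] = reasons
    return alerts


if __name__ == "__main__":
    for entry_id, reasons in find_alerts(SAMPLE_LOG).items():
        print(entry_id, ", ".join(reasons))
```

Run against the constructed lines, the script flags a-1 (admin changed accountStatus and set a password on ricksutter), a-3 (self-service password change, reported only because /password is in the sensitive set) and a-4 (a failed accountStatus change), while a-2 and the non-activity line are ignored. Because changedFields carries names rather than values, a detector like this can tell you which properties changed and who changed them, but not what they changed to; point it at the JSON audit handler's activity output with watchedFields set to include every field in SENSITIVE_FIELDS, or with ["*"].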

To configure password fields in the admin UI, select Configure > System Preferences > Audit. Scroll down to Event Topics, and click the pencil icon next to the activity event.