Changes to Consent Service resources are tracked by one of two types of audit logs. For examples of configuring either type of log, see the <server-root>/resource/consent-service-cfg.dsconfig script bundled with the server, or see Logging. This example uses the Consent Trace Logger. It represents Consent Service change events using the same field names used by the Consent API.

| Log publisher | Log publisher type | Description |
|---|---|---|
| Consent Trace Logger | file-based-trace | Records Consent Service events at the Consent API level. Change events are recorded using messages of type audit. |
| Consent LDAP Audit Logger | file-based-audit | Records data changes at the LDAP level. In combination with a Request Criteria configuration object, an LDAP audit logger can be configured to record changes to Consent Service resources only. |

Trace logger keys for auditing

Trace logger audit messages consist of a timestamp, the message type (CONSENT AUDIT), and a set of key/value pairs. A subset of important keys is described in the following table.

Note: The keys used in trace log audit messages vary depending on the type of resource.

| Trace logger key | Description |
|---|---|
| requestID | A server-specific HTTP request ID. This value can be correlated with messages produced by other loggers. |
| resourceType | The type of Consent Service resource that was changed. Possible values are definition, localization, or consent. |
| changeType | The type of change recorded by this message. Possible values are create, update, or delete. |
| attrsAdded | A comma-delimited list of the attributes that were added to the resource. |
| attrsUpdated | A comma-delimited list of the attributes that were modified on the resource. |
| attrsDeleted | A comma-delimited list of the attributes that were removed from the resource. |
| requestDN | The DN of the requester, which is available only when the resource type is consent. |
| definitionID | The consent definition ID. If the resource type is definition, this identifies the definition that was changed. If the resource type is localization, this identifies the parent definition. If the resource type is consent, this identifies the consent record's related definition. |
| locale | The locale. If the resource type is localization, this identifies the localization (in combination with the definition ID). If the resource type is consent, this identifies the related localization (combined with the definition ID). |
| consentID | The consent record ID, available only when the resource type is consent. |
| subject | The subject value, available only when the resource type is consent. |
| subjectDN | The subject's mapped LDAP DN, available only when the resource type is consent. |
| actor | The actor value, available only when the resource type is consent. |
| actorDN | The actor's mapped LDAP DN, available only when the resource type is consent. |
| audience | The audience value, available only when the resource type is consent. |
| status | The consent status. Possible values are pending, accepted, denied, revoked, and restricted. Only available when the resource type is consent. |
| previousStatus | The previous consent status, if applicable. Only available when the resource type is consent. |
| msg | A multiline value that includes the complete body of the changed resource. If the action is an update or a delete, the resource's body before the change will be included. |

Perform an audit

Consent resource changes for particular entities (such as a specific user, or a specific consent definition) can be audited by searching the trace log using a combination of one of the message keys and the desired value. For example, if an individual's LDAP DN is known, then the subjectDN key can be used to construct a text search for any audit log messages containing that DN. Any matching log messages would constitute a history of that individual's consent activity.
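The search described above, as an added example that is not part of the product or its documentation: it parses multiline CONSENT AUDIT messages and builds one subject's consent history, flagging changes requested by someone other than the subject. The function names are hypothetical. It assumes the key/value header sits on one physical line with msg as the last key, and it compares DNs with a simplified normalization (case and spacing only), because a plain text search would miss the ou=people / ou=People difference visible in the sample records.

```python
import re

# Constructed sample modelled on this page's records (header on one line,
# msg body on the following lines); the user.1 record is invented for contrast.
SAMPLE_LOG = '''[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people,dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subjectDN="uid=user.0,ou=People,dc=example,dc=com" status="accepted" changeType="create" resourceType="consent" msg="
New Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted'}"
[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people,dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subjectDN="uid=user.0,ou=People,dc=example,dc=com" status="revoked" previousStatus="accepted" attrsUpdated="status" changeType="update" resourceType="consent" msg="
Previous Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted'}
Updated Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked'}"
[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subjectDN="uid=user.0,ou=People,dc=example,dc=com" status="revoked" previousStatus="revoked" changeType="delete" resourceType="consent" msg="
Deleted Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked'}"
[22/May/2018:18:09:11.002 -0500] CONSENT AUDIT requestID=64 requestDN="uid=user.1,ou=people,dc=example,dc=com" consentID="00000000-0000-0000-0000-000000000001" subjectDN="uid=user.1,ou=People,dc=example,dc=com" status="pending" changeType="create" resourceType="consent" msg="
New Consent Record:
    {'id':'00000000-0000-0000-0000-000000000001','status':'pending'}"
'''

HEADER = re.compile(r'^\[([^\]]+)\] CONSENT AUDIT ', re.M)
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def norm_dn(dn):
    # Simplified DN comparison (assumption): ignore case and spaces around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_records(text):
    # A record runs from one timestamped header to the next; msg spans lines.
    heads = list(HEADER.finditer(text))
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        fields, _, msg = text[h.end():end].partition(' msg="')
        rec = {m[1]: m[2] if m[2] is not None else m[3] for m in PAIR.finditer(fields)}
        rec["timestamp"] = h[1]
        rec["msg"] = msg.rstrip().rstrip('"').strip()
        yield rec

def consent_history(text, subject_dn):
    want, out = norm_dn(subject_dn), []
    for r in parse_records(text):
        if r.get("resourceType") == "consent" and norm_dn(r.get("subjectDN", "")) == want:
            out.append({"when": r["timestamp"], "change": r.get("changeType"),
                        "status": (r.get("previousStatus"), r.get("status")),
                        "by_other": norm_dn(r.get("requestDN", "")) != want})
    return out

if __name__ == "__main__":
    for event in consent_history(SAMPLE_LOG, "uid=user.0,ou=People,dc=example,dc=com"):
        print(event)
```
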

Example new consent record

The following is a sample record. This audit log message provides important values in a parseable key/value format, but also includes the entirety of the new consent record.

[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people,
  dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,
  ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" 
  definitionID="cats" locale="en-US" status="accepted" attrsAdded="actor,audience,createdDate,dataText,subject,
  purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg="
New Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,
  ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':
  'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your 
  cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion',
  'createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}"

Example updated consent record

This example shows the complete consent record before and after it was updated. With the attrsUpdated, status, and previousStatus keys, one can determine that the status changed from accepted to revoked.

[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people,
   dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,
   ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" 
   audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted" 
   attrsUpdated="status" changeType="update" resourceType="consent" msg="
Previous Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,
  ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com',
  'audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect 
  data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your 
  feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}
Updated Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':
  'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,
  dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':
  'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and 
  delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}"

Example deleted consent record

This example shows that a consent record has been deleted, and the complete representation of the consent record prior to its deletion is provided.

[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" 
   consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,
   dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" 
   definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience,
   createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="delete" 
   resourceType="consent" msg="
Deleted Consent Record:
    {'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':
   'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,
   dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','currentVersion':
   '1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food 
   flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z',
   'updatedDate':'2018-05-22T23:05:08.655Z'}"