Changes to Consent Service resources can be tracked by either of two types of audit log. For examples of configuring either type, see the <server-root>/resource/consent-service-cfg.dsconfig script bundled with the server, or the Logging section. The examples on this page use the Consent Trace Logger, which records Consent Service change events using the same field names as the Consent API.
Log publisher | Log publisher type | Description |
---|---|---|
Consent Trace Logger | file-based-trace | Records Consent Service events at the Consent API level. Change events are recorded using messages of type audit. |
Consent LDAP Audit Logger | file-based-audit | Records data changes at the LDAP level. In combination with a Request Criteria configuration object, an LDAP audit logger can be configured to record changes to Consent Service resources only. |
Trace logger keys for auditing
Trace logger audit messages consist of a timestamp, the message type (CONSENT AUDIT), and a set of key/value pairs. The most important keys are described in the following table.
Trace logger key | Description |
---|---|
requestID | A server-specific HTTP request ID. This value can be correlated with messages produced by other loggers. |
resourceType | The type of Consent Service resource that was changed. Possible values are definition, localization, or consent. |
changeType | The type of change recorded by this message. Possible values are create, update, or delete. |
attrsAdded | A comma-delimited list of the attributes that were added to the resource. |
attrsUpdated | A comma-delimited list of the attributes that were modified on the resource. |
attrsDeleted | A comma-delimited list of the attributes that were removed from the resource. |
requestDN | The DN of the requester, which is available only when the resource type is consent. |
definitionID | The consent definition ID. If the resource type is definition, this identifies the definition that was changed. If the resource type is localization, this identifies the parent definition. If the resource type is consent, this identifies the consent record's related definition. |
locale | The locale. If the resource type is localization, this identifies the localization (in combination with the definition ID). If the resource type is consent, this identifies the related localization (combined with the definition ID). |
consentID | The consent record ID, available only when the resource type is consent. |
subject | The subject value, available only when the resource type is consent. |
subjectDN | The subject's mapped LDAP DN, available only when the resource type is consent. |
actor | The actor value, available only when the resource type is consent. |
actorDN | The actor's mapped LDAP DN, available only when the resource type is consent. |
audience | The audience value, available only when the resource type is consent. |
status | The consent status. Possible values are pending, accepted, denied, revoked, and restricted. Only available when the resource type is consent. |
previousStatus | The previous consent status, if applicable. Only available when the resource type is consent. |
msg | A multiline value containing the complete body of the changed resource. For an update, the body is included both before and after the change; for a delete, the body as it was before deletion is included. |
Perform an audit
Consent resource changes for a particular entity (such as a specific user or a specific consent definition) can be audited by searching the trace log for a combination of one of the message keys and the desired value. For example, if an individual's LDAP DN is known, search for audit messages whose subjectDN key contains that DN; the matching messages form a history of that individual's consent activity. Note that the same DN can be logged with different casing (the examples below record ou=people in requestDN and ou=People in subjectDN for the same entry), so a text search should be case-insensitive or match on a normalized form of the DN.
Example new consent record
The following is a sample record. This audit log message provides the important values in a parseable key/value format and also includes the entire new consent record.
[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people,
dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,
ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1"
definitionID="cats" locale="en-US" status="accepted" attrsAdded="actor,audience,createdDate,dataText,subject,
purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg="
New Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,
ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':
'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your
cats','purposeText':'To recommend cat food flavors that will satisfy and delight your feline companion',
'createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}"
Example updated consent record
This example shows the complete consent record before and after it was updated. With the attrsUpdated, status, and previousStatus keys, one can determine that the status changed from accepted to revoked.
[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people,
dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,
ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com"
audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted"
attrsUpdated="status" changeType="update" resourceType="consent" msg="
Previous Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,
ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com',
'audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect
data about your cats','purposeText':'To recommend cat food flavors that will satisfy and delight your
feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}
Updated Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':
'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,
dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':
'Collect data about your cats','purposeText':'To recommend cat food flavors that will satisfy and
delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}"
Example deleted consent record
This example shows the deletion of a consent record; the complete representation of the record prior to its deletion is provided. Note that the requester here (requestDN) is the administrative account cn=directory manager rather than the subject, which is the kind of detail an audit should surface.
[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager"
consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,
dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1"
definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience,
createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="delete"
resourceType="consent" msg="
Deleted Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':
'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,
dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','currentVersion':
'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food
flavors that will satisfy and delight your feline companion','createdDate':'2018-05-22T23:02:42.553Z',
'updatedDate':'2018-05-22T23:05:08.655Z'}"
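The search described under Perform an audit, carried out programmatically over messages shaped like the three records above, as an added example that is not part of this documentation or of the server's own code: a small Python parser for CONSENT AUDIT messages that builds a per-subject consent history and cross-checks the attrsAdded, attrsUpdated and attrsDeleted lists against the record bodies carried in msg. The sample log is constructed from the page's examples (wrapped lines joined back into single lines, purposeText shortened, and a second subject, user.1, added); the record bodies are parsed as Python literals because the page renders them with single-quoted keys; backslash-escaped quotes in values and the simplified DN normalization are assumptions, not documented behaviour.

```python
"""Parse CONSENT AUDIT messages from a Consent Trace Logger file and build a
per-subject consent history.

Added example; not part of the product documentation or the server's code.
The message layout (bracketed timestamp, "CONSENT AUDIT", key="value" pairs,
and a multiline msg whose record bodies use single-quoted keys) follows the
examples on the page. SAMPLE_LOG is constructed from those examples plus a
second subject (user.1); it was not captured from a server.
"""
import ast
import re
from datetime import datetime
from typing import Dict, List, Set

SAMPLE_LOG = """\
[22/May/2018:18:02:42.584 -0500] CONSENT AUDIT requestID=57 requestDN="uid=user.0,ou=people,dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="accepted" attrsAdded="actor,audience,createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg="
New Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}"
[22/May/2018:18:03:10.000 -0500] CONSENT AUDIT requestID=58 requestDN="uid=user.1,ou=people,dc=example,dc=com" consentID="0f3c9a1e-1111-4c2b-9d7e-2b6f4e5a7c90" subject="user.1" subjectDN="uid=user.1,ou=People,dc=example,dc=com" actor="user.1" actorDN="uid=user.1,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="denied" attrsAdded="actor,audience,createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="create" resourceType="consent" msg="
New Consent Record:
{'id':'0f3c9a1e-1111-4c2b-9d7e-2b6f4e5a7c90','status':'denied','subject':'user.1','subjectDN':'uid=user.1,ou=People,dc=example,dc=com','actor':'user.1','actorDN':'uid=user.1,ou=People,dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors','createdDate':'2018-05-22T23:03:10.000Z','updatedDate':'2018-05-22T23:03:10.000Z'}"
[22/May/2018:18:05:08.660 -0500] CONSENT AUDIT requestID=59 requestDN="uid=user.0,ou=people,dc=example,dc=com" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="accepted" attrsUpdated="status" changeType="update" resourceType="consent" msg="
Previous Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'accepted','subject':'user.0','subjectDN':'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:02:42.553Z'}
Updated Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}"
[22/May/2018:18:06:35.071 -0500] CONSENT AUDIT requestID=61 requestDN="cn=directory manager" consentID="6cff325b-e092-4094-b7f9-5a30864b0d24" subject="user.0" subjectDN="uid=user.0,ou=People,dc=example,dc=com" actor="user.0" actorDN="uid=user.0,ou=People,dc=example,dc=com" audience="client1" definitionID="cats" locale="en-US" status="revoked" previousStatus="revoked" attrsDeleted="actor,audience,createdDate,dataText,subject,purposeText,definition,id,updatedDate,actorDN,status,subjectDN" changeType="delete" resourceType="consent" msg="
Deleted Consent Record:
{'id':'6cff325b-e092-4094-b7f9-5a30864b0d24','status':'revoked','subject':'user.0','subjectDN':'uid=user.0,ou=People,dc=example,dc=com','actor':'user.0','actorDN':'uid=user.0,ou=People,dc=example,dc=com','audience':'client1','definition':{'id':'cats','version':'1.0','currentVersion':'1.0','locale':'en-US'},'dataText':'Collect data about your cats','purposeText':'To recommend cat food flavors','createdDate':'2018-05-22T23:02:42.553Z','updatedDate':'2018-05-22T23:05:08.655Z'}"
"""

# A message starts at a line beginning "[timestamp] CONSENT AUDIT " and runs
# until the next such line, because msg values span several lines.
RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] CONSENT AUDIT (?P<kv>.*?)(?=^\[[^\]]+\] |\Z)",
    re.MULTILINE | re.DOTALL,
)
# key="quoted value" (backslash-escaped quotes are an assumption) or key=bare.
KV_RE = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per CONSENT AUDIT message, keyed by the trace-log keys."""
    records: List[Dict[str, object]] = []
    for m in RECORD_RE.finditer(text):
        rec: Dict[str, object] = {
            "timestamp": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        }
        for key, quoted, bare in KV_RE.findall(m["kv"]):
            rec[key] = bare if bare else quoted.replace('\\"', '"')
        records.append(rec)
    return records


def parse_bodies(msg: str) -> Dict[str, dict]:
    """Split a msg value into its labelled resource bodies.

    The page renders bodies as {'key':'value',...}, which is a valid Python
    literal (json.loads would reject the single quotes), so ast.literal_eval
    is used; it evaluates no code. Assumption: real output has the same shape.
    """
    bodies: Dict[str, dict] = {}
    label = None
    for line in msg.splitlines():
        line = line.strip()
        if line.endswith(":"):
            label = line[:-1]
        elif line.startswith("{") and label:
            bodies[label] = ast.literal_eval(line)
    return bodies


def normalize_dn(dn: str) -> str:
    """Lower-case and trim each RDN so ou=people and ou=People compare equal.
    Simplification: no handling of RFC 4514 escapes or multi-valued RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def consent_history(records, subject_dn: str):
    """Chronological (requestID, changeType, previousStatus, status) tuples for
    every consent-resource change whose subjectDN matches subject_dn."""
    target = normalize_dn(subject_dn)
    history = []
    for r in sorted(records, key=lambda r: r["timestamp"]):
        if r.get("resourceType") != "consent":
            continue
        if normalize_dn(str(r.get("subjectDN", ""))) != target:
            continue
        history.append((r["requestID"], r["changeType"], r.get("previousStatus"), r.get("status")))
    return history


def changed_attrs(record) -> Set[str]:
    """Top-level attributes whose value differs between the before and after
    bodies in msg (before is empty for a create, after is empty for a delete)."""
    bodies = parse_bodies(str(record["msg"]))
    before = bodies.get("Previous Consent Record") or bodies.get("Deleted Consent Record") or {}
    after = bodies.get("Updated Consent Record") or bodies.get("New Consent Record") or {}
    return {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}


def unlisted_changes(record) -> Set[str]:
    """Attributes that changed in the body but are missing from the message's
    attrsAdded/attrsUpdated/attrsDeleted list (a consistency check)."""
    listed: Set[str] = set()
    for key in ("attrsAdded", "attrsUpdated", "attrsDeleted"):
        listed |= set(filter(None, str(record.get(key, "")).split(",")))
    return changed_attrs(record) - listed


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    for entry in consent_history(recs, "uid=user.0,ou=people,dc=example,dc=com"):
        print(entry)
```

Run against the constructed sample, the history for user.0 is create, then update (accepted to revoked), then delete, while user.1's single denied record is excluded even though it shares the definition and audience. The consistency check reports updatedDate for the update message: in that message, as in the page's own update example, only status is listed in attrsUpdated although updatedDate also changed between the previous and updated bodies, so a reviewer comparing bodies should expect that difference rather than treat it as tampering. The history lookup normalizes DNs before comparing because the examples log the same entry as ou=people in requestDN and ou=People in subjectDN.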