
Policy Evaluation audit enhancement for end to end tracking


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.1.1
    • Fix Version/s: None
    • Component/s: audit logging
    • Labels:
    • Target Version/s:
    • Support Ticket IDs:


      Currently the REST call for policies, and also the PLL, does not record much information. For example, here is what is recorded in the access.csv audit log when a policy evaluation is made:



      "593214e9-ce2c-4fd7-9539-401dd2b01ab8-173","2017-08-05T10:59:26.216Z","AM-ACCESS-OUTCOME","593214e9-ce2c-4fd7-9539-401dd2b01ab8-171","id=webagent-6800,ou=agent,dc=openam,dc=forgerock,dc=org","[""837e50f62ea20a7701""]","xxx.28.1.xxx","8080","xxx.28.1.xxx","38490","PLL","REQUEST_GET_RESOURCE_RESULTS",,"false","POST","http://xxx.forgerock.com:8080/openam/policyservice","{}","{""accept"":[""text/xml""],""host"":[""xxx.forgerock.com:8080""],""user-agent"":[""OpenAM Web Agent/4.1.0-11""]}","{}",,"SUCCESSFUL",,,"5","MILLISECONDS","Policy","/" 


      Now consider that the REST call is submitted with claims, subjects (to test) and also the application name; none of these are logged.

             {
                "subject": {
                   "ssoToken": "$SUBJECT"
                },
                "resources": ["<testurl>"],
                "application": "iPlanetAMWebAgentService"
             }

      It helps to have some of this data auditable (note this applies too to transactional authorization, where a TxnId is passed in). We should have the possibility to
      log fields such as the resources, the application, and some canonicalization of the "ssoToken" or claims (so it can be used for correlation), if this is possible.
      In fact the above is needed to make sure that the trackingId, and this policy evaluation as a whole, can lead back to the agent asking for this decision.


      • To provide a full audit of who accessed the policy decision (or which subject this policy was evaluated on) on which application. I know it is probably not possible to provide the PolicyRule/Set, but if this was possible that would be good.
      • The main aim is to provide end-to-end traceability from web agents, or any agents.
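      The gap described above can be made concrete with a small script. This is an added example, not code from the issue or from OpenAM: it parses the access.csv line quoted earlier, shows that the request.detail column carries none of the fields needed for end-to-end tracing, and builds the detail the issue asks for (resources, application, and a correlation id derived from the ssoToken rather than the token itself, so a bearer credential never lands in the log). The column names are an assumption reconstructed from the AM access audit schema, the request body and token value are constructed samples, and the helper names (parse_access_record, policy_audit_detail, and so on) are hypothetical.

```python
import csv
import hashlib
import io
import json

# Column names for the access.csv topic, reconstructed from the AM access
# audit schema as an ASSUMPTION; check them against the header row of your
# own access.csv before relying on the positions.
ACCESS_COLUMNS = [
    "_id", "timestamp", "eventName", "transactionId", "userId", "trackingIds",
    "server.ip", "server.port", "client.ip", "client.port",
    "request.protocol", "request.operation", "request.detail",
    "http.request.secure", "http.request.method", "http.request.path",
    "http.request.queryParameters", "http.request.headers",
    "http.request.cookies", "http.response.headers",
    "response.status", "response.statusCode", "response.detail",
    "response.elapsedTime", "response.elapsedTimeUnits", "component", "realm",
]

# The access.csv line quoted in the issue (copied verbatim, trailing space dropped).
SAMPLE_LINE = (
    '"593214e9-ce2c-4fd7-9539-401dd2b01ab8-173","2017-08-05T10:59:26.216Z",'
    '"AM-ACCESS-OUTCOME","593214e9-ce2c-4fd7-9539-401dd2b01ab8-171",'
    '"id=webagent-6800,ou=agent,dc=openam,dc=forgerock,dc=org",'
    '"[""837e50f62ea20a7701""]","xxx.28.1.xxx","8080","xxx.28.1.xxx","38490",'
    '"PLL","REQUEST_GET_RESOURCE_RESULTS",,"false","POST",'
    '"http://xxx.forgerock.com:8080/openam/policyservice","{}",'
    '"{""accept"":[""text/xml""],""host"":[""xxx.forgerock.com:8080""],'
    '""user-agent"":[""OpenAM Web Agent/4.1.0-11""]}","{}",,"SUCCESSFUL",,,'
    '"5","MILLISECONDS","Policy","/"'
)

# A policy-evaluation request body shaped like the one in the issue
# (constructed sample; the token is a placeholder, not a real session id).
SAMPLE_REQUEST = {
    "subject": {"ssoToken": "PLACEHOLDER-SSO-TOKEN"},
    "resources": ["http://app.example.com:8080/protected/index.html"],
    "application": "iPlanetAMWebAgentService",
}

# Fields the issue wants in every policy-evaluation access record.
TRACE_FIELDS = ("resources", "application", "subjectRef")


def parse_access_record(line):
    """Parse one access.csv line into a dict keyed by the assumed column names."""
    fields = next(csv.reader(io.StringIO(line)))
    if len(fields) != len(ACCESS_COLUMNS):
        raise ValueError("expected %d columns, got %d" % (len(ACCESS_COLUMNS), len(fields)))
    record = dict(zip(ACCESS_COLUMNS, fields))
    # JSON-valued columns arrive as strings; decode the ones used below.
    for key in ("trackingIds", "http.request.headers"):
        record[key] = json.loads(record[key]) if record[key] else None
    return record


def token_correlation_id(sso_token):
    """Canonicalize a session token for audit use: a truncated SHA-256 digest
    lets records for the same session be correlated without writing the
    token itself (a bearer credential) into the log."""
    return hashlib.sha256(sso_token.encode("utf-8")).hexdigest()[:16]


def policy_audit_detail(request_body):
    """Build the request.detail the issue asks for: resources, application
    and a token-derived correlation id; the raw ssoToken is never included."""
    subject = request_body.get("subject", {})
    detail = {
        "resources": list(request_body.get("resources", [])),
        "application": request_body.get("application"),
    }
    if "ssoToken" in subject:
        detail["subjectRef"] = token_correlation_id(subject["ssoToken"])
    return detail


def missing_trace_fields(record):
    """Return which end-to-end tracing fields an access record lacks."""
    raw = record.get("request.detail") or ""
    detail = json.loads(raw) if raw else {}
    return [f for f in TRACE_FIELDS if f not in detail]


def enrich_record(record, request_body):
    """Attach the policy request detail to a parsed access record."""
    enriched = dict(record)
    enriched["request.detail"] = json.dumps(policy_audit_detail(request_body))
    return enriched


if __name__ == "__main__":
    rec = parse_access_record(SAMPLE_LINE)
    print("operation:", rec["request.operation"], "| agent:", rec["userId"])
    print("missing today:", missing_trace_fields(rec))
    enriched = enrich_record(rec, SAMPLE_REQUEST)
    print("missing after enrichment:", missing_trace_fields(enriched))
    print("request.detail:", enriched["request.detail"])
```

      Run as-is, the script reports that the quoted record is missing all three tracing fields, then shows the same record with a populated request.detail. The hash-based subjectRef is the defensive reading of the issue's "canonicalization of the ssoToken": it correlates every decision for one session across agents without the audit log becoming a store of live credentials.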





            • Assignee:
              chee-weng.chea C-Weng C