OPENAM-11513

Policy Evaluation audit enhancement for end to end tracking

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 14.1.1
    • Fix Version/s: None
    • Component/s: audit logging

      Description

      Currently the REST call for policies, and also the PLL, does not record a lot of information. For example, here is what is recorded in the access.csv audit log when a policy evaluation is made:

      "593214e9-ce2c-4fd7-9539-401dd2b01ab8-192","2017-08-05T11:17:20.855Z","AM-ACCESS-OUTCOME","593214e9-ce2c-4fd7-9539-401dd2b01ab8-190","id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","[""f28f1ca4f2e5cd8b01""]","172.28.1.228","8080","172.28.1.228","38508","CREST","ACTION","{""action"":""evaluate""}","false","POST","http://xxx.forgerock.com:8080/openam/json/policies","{""_action"":[""evaluate""]}","{""accept"":[""*/*""],""Accept-API-Version"":[""protocol=1.0""],""host"":[""xxx.forgerock.com:8080""],""user-agent"":[""curl/7.29.0""]}","{}",,"SUCCESSFUL",,"[{""advices"":{},""ttl"":9223372036854775807,""resource"":""http://xxxx.forgerock.com:6800/secured/"",""actions"":{},""attributes"":{}}]","24","MILLISECONDS","Policy","/"

      or

      "593214e9-ce2c-4fd7-9539-401dd2b01ab8-173","2017-08-05T10:59:26.216Z","AM-ACCESS-OUTCOME","593214e9-ce2c-4fd7-9539-401dd2b01ab8-171","id=webagent-6800,ou=agent,dc=openam,dc=forgerock,dc=org","[""837e50f62ea20a7701""]","xxx.28.1.xxx","8080","xxx.28.1.xxx","38490","PLL","REQUEST_GET_RESOURCE_RESULTS",,"false","POST","http://xxx.forgerock.com:8080/openam/policyservice","{}","{""accept"":[""text/xml""],""host"":[""xxx.forgerock.com:8080""],""user-agent"":[""OpenAM Web Agent/4.1.0-11""]}","{}",,"SUCCESSFUL",,,"5","MILLISECONDS","Policy","/"

      Now, consider that the REST call is submitted with claims, subjects (to test) and also the Application name; these are not logged.

      {
          "subject": {
              "ssoToken": "$SUBJECT"
          },
          "resources": ["<testurl>"],
          "application": "iPlanetAMWebAgentService"
      }

      It helps to have some of the data auditable (note this applies too for the transactional authorization where a TxnId is passed in). We somehow should have the possibility to
      log these, like resources, application, some canonicalization of the "ssoToken" or claims (to somehow use it for correlation), if this is possible.

      In fact, the above is needed to make sure that the trackingId, and also this policy evaluation, can lead back to the agent asking for this decision.

      WHY:

      • To provide a full audit of who accessed the policy decision (or what this policy is evaluated on, for which subject) on which Application. I know it is probably not possible to provide PolicyRule/Set, but if this was possible that would be good.
      • The main aim is to provide end-to-end traceability (say from web agents) or any agents.
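As an added illustration of the gap this issue describes (example code, not part of the issue and not OpenAM's own code): the script below parses the two access.csv rows quoted above, maps them onto column names assumed from the AM 14 access audit schema (the 27-column order is an assumption, not stated in the issue), and reports which of the requested attributes (subject, resources, application) are absent from request.detail. The only resource that can be recovered today comes from response.detail, and only for the CREST call. The token_correlation_id helper is a hypothetical canonicalization (truncated SHA-256) of the kind the issue asks for, so a subject token can be correlated across records without writing the raw token to the log.

```python
import csv
import hashlib
import json

# Column order assumed from the OpenAM 14 access audit schema (27 columns).
# This header is not part of the issue text and may differ between versions.
ACCESS_CSV_HEADER = [
    "_id", "timestamp", "eventName", "transactionId", "userId", "trackingIds",
    "server.ip", "server.port", "client.ip", "client.port",
    "request.protocol", "request.operation", "request.detail",
    "http.request.secure", "http.request.method", "http.request.path",
    "http.request.queryParameters", "http.request.headers",
    "http.request.cookies", "http.response.headers",
    "response.status", "response.statusCode", "response.detail",
    "response.elapsedTime", "response.elapsedTimeUnits", "component", "realm",
]

# The two access.csv rows quoted in the issue (constructed copy, trailing
# whitespace removed; the xxx hosts and addresses are the issue's own redactions).
SAMPLE_ROWS = [
    '"593214e9-ce2c-4fd7-9539-401dd2b01ab8-192","2017-08-05T11:17:20.855Z","AM-ACCESS-OUTCOME","593214e9-ce2c-4fd7-9539-401dd2b01ab8-190","id=amadmin,ou=user,dc=openam,dc=forgerock,dc=org","[""f28f1ca4f2e5cd8b01""]","172.28.1.228","8080","172.28.1.228","38508","CREST","ACTION","{""action"":""evaluate""}","false","POST","http://xxx.forgerock.com:8080/openam/json/policies","{""_action"":[""evaluate""]}","{""accept"":[""*/*""],""Accept-API-Version"":[""protocol=1.0""],""host"":[""xxx.forgerock.com:8080""],""user-agent"":[""curl/7.29.0""]}","{}",,"SUCCESSFUL",,"[{""advices"":{},""ttl"":9223372036854775807,""resource"":""http://xxxx.forgerock.com:6800/secured/"",""actions"":{},""attributes"":{}}]","24","MILLISECONDS","Policy","/"',
    '"593214e9-ce2c-4fd7-9539-401dd2b01ab8-173","2017-08-05T10:59:26.216Z","AM-ACCESS-OUTCOME","593214e9-ce2c-4fd7-9539-401dd2b01ab8-171","id=webagent-6800,ou=agent,dc=openam,dc=forgerock,dc=org","[""837e50f62ea20a7701""]","xxx.28.1.xxx","8080","xxx.28.1.xxx","38490","PLL","REQUEST_GET_RESOURCE_RESULTS",,"false","POST","http://xxx.forgerock.com:8080/openam/policyservice","{}","{""accept"":[""text/xml""],""host"":[""xxx.forgerock.com:8080""],""user-agent"":[""OpenAM Web Agent/4.1.0-11""]}","{}",,"SUCCESSFUL",,,"5","MILLISECONDS","Policy","/"',
]

# Request attributes the issue wants in the audit trail but which the
# current request.detail column does not carry.
WANTED_REQUEST_FIELDS = ("subject", "resources", "application")


def parse_access_csv(rows):
    """Parse access.csv rows (no header line) into dicts keyed by column name.

    csv.reader handles the doubled-quote escaping used inside JSON-valued columns.
    """
    records = []
    for fields in csv.reader(rows):
        if len(fields) != len(ACCESS_CSV_HEADER):
            raise ValueError(
                f"expected {len(ACCESS_CSV_HEADER)} columns, got {len(fields)}")
        records.append(dict(zip(ACCESS_CSV_HEADER, fields)))
    return records


def load_json_field(value):
    """Decode a JSON-valued column; an empty column (as in the PLL row) decodes to {}."""
    return json.loads(value) if value else {}


def missing_request_fields(record):
    """Return the wanted policy-request attributes that request.detail does not contain."""
    detail = load_json_field(record["request.detail"])
    return [name for name in WANTED_REQUEST_FIELDS if name not in detail]


def evaluated_resources(record):
    """Resources named in response.detail, the only place a resource appears today."""
    detail = load_json_field(record["response.detail"])
    if not isinstance(detail, list):
        return []
    return [entry.get("resource") for entry in detail]


def token_correlation_id(sso_token):
    """Hypothetical canonicalization of a subject token for log correlation.

    Truncated SHA-256 is an assumed scheme: the same token always yields the
    same key, but the key cannot be turned back into the session token.
    """
    return hashlib.sha256(sso_token.encode("utf-8")).hexdigest()[:16]


if __name__ == "__main__":
    for rec in parse_access_csv(SAMPLE_ROWS):
        print(rec["request.protocol"], rec["request.operation"],
              "txn:", rec["transactionId"],
              "missing:", missing_request_fields(rec),
              "resources:", evaluated_resources(rec))
    # Constructed placeholder token, not a real session token.
    print("correlation key:", token_correlation_id("EXAMPLE-SSO-TOKEN"))
```

Run against a real access.csv, the header line must be dropped (or used to build the column map) and the column list checked against the deployed version's schema before trusting the field names.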

    People

    • Assignee: Unassigned
    • Reporter: chee-weng.chea (C-Weng C)