This documentation supports the 22.1 version of BMC Helix Single Sign-On, which is available only to BMC Helix customers (SaaS). To view an earlier version, select the version from the Product version menu.

Reviewing audit records

As a BMC Helix Single Sign-On administrator, you can review the audit records for all events performed from administrator and end-user accounts.


Before you begin

For a selected tenant, enable auditing of records for administrators or end users in the BMC Helix SSO Admin Console. For information about how to enable auditing, see Configuring-settings-for-BMC-Helix-SSO-administrators.

To view the audit records

  1. Log in to the BMC Helix SSO Admin Console as an administrator.
  2. Click the Audit tab.


By default, the Audit tab shows all logged administrator, end-user actions, or actions of both for the last day. You can filter audit data by a certain date. 

Audit.png


The following types of events are recorded on the Audit Events page for administrator actions:

Audit events for administrator actions

Audit event

Audit description

ADMIN_LOGIN_SUCCESS

An administrator has successfully logged in to the BMC Helix SSO Admin Console.

ADMIN_LOGOUT

An administrator has logged out from the BMC Helix SSO Admin Console.

ADMIN_USER_CREATED

An administrator user was created.

ADMIN_USER_DELETED

An administrator user was deleted.

ADMIN_USER_PWD_CHANGED

A password of an administrator user was changed.

ADMIN_USER_UPDATED

An administrator user was updated.

AUDIT_DISABLED

Auditing of administrator actions is disabled.

AUDIT_ENABLED

Auditing of administrator is enabled.

LAUNCHPAD_CREATED

A launchpad application was added to the Digital Service Management page.

LAUNCHPAD_DELETED

A launchpad application was deleted from the Digital Service Management page.

LAUNCHPAD_UPDATED

A launchpad application was updated on the Digital Service Management page.

LOCAL_GROUP_CREATED

A local group was created.

LOCAL_GROUP_DELETED

A local group was deleted.

LOCAL_GROUP_UPDATED

A local group was updated.

LOCAL_USER_ADDED_TO_GROUP

A local user was added to a group.

LOCAL_USER_CREATED

A local user was created.

LOCAL_USER_DELETED

A local user was deleted.

LOCAL_USER_PWD_CHANGED

A password for a local user was changed.

LOCAL_USER_REMOVED_FROM_GROUP

A local user was removed from a group.

LOCAL_USER_UPDATED

A local user was updated.

LOCAL_USER_UNLOCKED_BY_ADMIN

A local user was unlocked by the BMC Helix SSO administrator.

LOCAL_USER_UNLOCKED_BY_SYSTEM

A local user was unlocked automatically after the lockout interval expires.

OAUTH_CLIENT_CREATED

An OAuth client was created.

OAUTH_CLIENT_DELETED

An OAuth client was deleted.

OAUTH_CLIENT_UPDATED

An OAuth client was updated.

OAUTH_TOKEN_DELETED

An OAuth token was deleted.

OPENID_JWK_CREATED

An OpenID JWK was created.

OPENID_JWK_DELETED

An OpenID JWK was deleted.

RSSO_CONFIG_CHANGED

This event is generated when an administrator makes the following changes in the BMC Helix SSO Admin Console:

  • Changes to the configuration of the BMC Helix SSO server, on the General tab.
  • Changes to the realms configuration, on the Realms tab.
  • Changes to the local users configuration on the Local User tab.

CONFIG_EXPORTED

Server configuration was exported.

CONFIG_IMPORTED

Server configuration was imported.

TENANT_CREATED

A tenant was created.

TENANT_DELETED

A tenant was deleted.

TENANT_UPDATED

A tenant was updated.

USER_SESSION_DELETED

An end-user session was deleted.

LOCAL_USER_REG_PENDING_DELETED

A nonconfirmed user was deleted.

LOCAL_USER_REG_PENDING

A request to create a local user by the end user.

LOCAL_USER_REG_COMPLETED

Local user registration is completed.

LOCAL_USER_REG_REQUEST_EXPIRED

A request to create a local user was expired and cleaned up.

The following types of events are recorded on the Audit Events page for end-user actions:

Audit events for end-user actions

Audit event

Audit description

END_USER_AUDIT_ENABLED

Auditing of end-user actions is enabled.

END_USER_AUDIT_DISABLED

Auditing of end-user actions is disabled.

ADMIN_LOGIN_FAILED

An administrator has failed to log in to the BMC Helix SSO Admin Console.

USER_LOGIN_FAILED

An end user has failed to log in.

SESSION_QUOTA_LIMIT_REACHED

A session quota limit was reached.

USER_LOGGED_IN

An end user has successfully logged in.

USER_LOGGED_OUT

An end user has successfully logged out.

SESSION_EXPIRED

An end-user session expired.

REAUTHENTICATION

An end user confirmed an operation by providing their credentials again.

AGENT_REGISTERED

A new agent was registered.

AGENT_UNREGISTERED

An agent was removed by the application server and the BMC Helix SSO listener.

REQUEST_AUTH_CODE

An authorization code was requested.

USER_WENT_THROUGH_CONSENT_PAGE

An end user went through the OAuth consent page.

REQUESTS_NEW_OAUTH_TOKEN_WITH_AUTH_CODE

An OAuth client requested a new access or refresh token with a code. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user.

REQUESTS_NEW_OAUTH_TOKEN_WITH_REFRESH_TOKEN

An OAuth client requested a new access or refresh token with a refresh token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user.

REQUESTS_NEW_OAUTH_TOKEN_WITH_JWT

An application used the JWT grant type to request an access or refresh token for the particular end user. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user.

ACCESS_TOKEN_REVOKED

An OAuth client revoked an access token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user.

REFRESH_TOKEN_REVOKED

The OAuth client revoked a refresh token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user.

AUTH_CODE_EXPIRED

An authorization code expired.

OAUTH_TOKEN_EXPIRED

An OAuth token expired. You must clean up the outdated OAuth token.

TOKEN_INFO_REQUESTED

An application used an end-user token to get information about the token.

TOKEN_USER_GROUPS_REQUESTED

An application used an end-user token to get information about the users groups.

USER_LOGGED_IN_NATIVE_APP

A user logged in using an identity provider from the chain configuration by using a native application.

LOCAL_USER_CHANGED_OWN_PWD 

A local user changed password per forced password reset.

LOCAL_USER_LOCKED

A local user was locked after unsuccessful login attempts.

LOCAL_USER_UNLOCKED

A local user was unlocked by the BMC Helix SSO administrator or automatically.

REQUEST_NEW_OAUTH_INTERNAL_TO_EXTERNAL_EXCHANGE_TOKEN

The OAuth client requests an internal to external token by using the token exchange grant type.

To view the audit records for a session

To view actions that are related to one session in BMC Helix SSO, perform the following steps:

Important

Viewing audit records for one session is available only to actions that were created in BMC Helix SSO version 21.02.

  1. On the Audit page, click the Chain_icon.png icon next to the action.
  2. To return to the list of all sections, click Back to list .

Important

Audit is enabled separately for every tenant, but records related to tenants management are recorded only in the SaaS tenant.

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*