Reviewing audit records
As a BMC Helix Single Sign-On administrator, you can review the audit records for all events performed from administrator and end-user accounts.
Before you begin
For a selected tenant, enable auditing of records for administrators or end users in the BMC Helix SSO Admin Console. For information about how to enable auditing, see Configuring-settings-for-BMC-Helix-SSO-administrators.
To view an audit record and its remote IP address and login resource details
- Log in to the BMC Helix SSO Admin Console as an administrator.
- Click the Audit tab.
On the Audit Events page, click search
to view audit events for the default time period, or enter search criteria in the field search or Filter by date/time to view specific audit events.
The Audit Events page displays the events for administrator and end-user actions.By default, the Audit tab shows all logged administrator, end-user actions, or actions of both for the previous day, but you can filter audit data for certain time periods.
For more information about the types of audit records displayed, see Types of audit events.
- To view the audit records for a session:
From the Action menu, click Select related records
.- Click Back to list to return to the list of audit records.
- To view details of the remoteAddr attribute of the HTTP request and the login resource details in the audit record:
From the Action menu, click Details
.
The Audit record details window displays details of the following:Details displayed
Description
remoteAddr attribute
The remote IP address of the HTTP request, which can be used to verify the source IP address in the audit record.
Important: The source details of the client IP address are not available for automatic scheduled jobs because client IP address values are not available for such requests.
actionBy
The login resource details, which provide details about the login resource for the following audit records:
- ADMIN_LOGIN_SUCCESS
- ADMIN_LOGOUT
- ADMIN_LOGOUT_DUE_TO_PASSWORD_CHANGE
- ADMIN_LOGIN_FAILED
The audit record displays one of the following values based on the resource that logged in successfully:
- UI—If an administrator logged in by using a browser.
- REST—If an administrator logged in by using Rest API.
For example, if an administrator successfully logged in to BMC Helix SSO server user interface, the following details are added to the audit record:
"actionBy":"UI"- Click OK to return to the list of audit records.
Types of audit events
Audit event | Audit description |
|---|---|
ADMIN_LOGIN_SUCCESS | An administrator has successfully logged in to the BMC Helix SSO Admin Console. |
ADMIN_LOGOUT | An administrator has logged out from the BMC Helix SSO Admin Console. |
ADMIN_USER_CREATED | An administrator user was created. |
ADMIN_USER_DELETED | An administrator user was deleted. |
ADMIN_USER_PWD_CHANGED | A password of an administrator user was changed. |
ADMIN_USER_UPDATED | An administrator user was updated. |
AUDIT_DISABLED | Auditing of administrator actions is disabled. |
AUDIT_ENABLED | Auditing of administrator is enabled. |
LAUNCHPAD_CREATED | A launchpad application was added to the Digital Service Management page. |
LAUNCHPAD_DELETED | A launchpad application was deleted from the Digital Service Management page. |
LAUNCHPAD_UPDATED | A launchpad application was updated on the Digital Service Management page. |
LOCAL_GROUP_CREATED | A local group was created. |
LOCAL_GROUP_DELETED | A local group was deleted. |
LOCAL_GROUP_UPDATED | A local group was updated. |
LOCAL_USER_ADDED_TO_GROUP | A local user was added to a group. |
LOCAL_USER_CREATED | A local user was created. |
LOCAL_USER_DELETED | A local user was deleted. |
LOCAL_USER_PWD_CHANGED | A password for a local user was changed. |
LOCAL_USER_REMOVED_FROM_GROUP | A local user was removed from a group. |
LOCAL_USER_UPDATED | A local user was updated. |
LOCAL_USER_UNLOCKED_BY_ADMIN | A local user was unlocked by the BMC Helix SSO administrator. |
LOCAL_USER_UNLOCKED_BY_SYSTEM | A local user was unlocked automatically after the lockout interval expired. |
OAUTH_CLIENT_CREATED | An OAuth client was created. |
OAUTH_CLIENT_DELETED | An OAuth client was deleted. |
OAUTH_CLIENT_UPDATED | An OAuth client was updated. |
OAUTH_TOKEN_DELETED | An OAuth token was deleted. |
OPENID_JWK_CREATED | An OpenID JWK was created. |
OPENID_JWK_DELETED | An OpenID JWK was deleted. |
RSSO_CONFIG_CHANGED | This event is generated when an administrator makes the following changes in the BMC Helix SSO Admin Console:
|
CONFIG_EXPORTED | Server configuration was exported. |
CONFIG_IMPORTED | Server configuration was imported. |
TENANT_CREATED | A tenant was created. |
TENANT_DELETED | A tenant was deleted. |
TENANT_UPDATED | A tenant was updated. |
USER_SESSION_DELETED | An end-user session was deleted. |
LOCAL_USER_REG_PENDING_DELETED | A nonconfirmed user was deleted. |
LOCAL_USER_REG_PENDING | A request to create a local user by the end user. |
LOCAL_USER_REG_COMPLETED | Local user registration has been completed. |
LOCAL_USER_REG_REQUEST_EXPIRED | A request to create a local user was expired and cleaned up. |
SAML_TEMPLATE_CREATED | A SAML template was created. |
SAML_TEMPLATE_UPDATED | A SAML template was updated. |
Audit events for end-user actions
Audit event | Audit description |
|---|---|
AR_CTM_PEOPLE_DATA_OBTAIN_SUCCESS | Data was successfully obtained from the AR CTM:People form |
AR_CTM_PEOPLE_DATA_OBTAIN_FAILURE | Failed to obtain AR CTM:People form data |
END_USER_AUDIT_ENABLED | Auditing of end-user actions is enabled. |
END_USER_AUDIT_DISABLED | Auditing of end-user actions is disabled. |
ADMIN_LOGIN_FAILED | An administrator has failed to log in to the BMC Helix SSO Admin Console. |
USER_LOGIN_FAILED | An end user has failed to log in. |
SESSION_QUOTA_LIMIT_REACHED | A session quota limit was reached. |
USER_LOGGED_IN | An end user has successfully logged in. |
USER_LOGGED_OUT | An end user has successfully logged out. |
SESSION_EXPIRED | An end-user session expired. |
REAUTHENTICATION | An end user confirmed an operation by providing their credentials again. |
AGENT_REGISTERED | A new agent was registered. |
AGENT_UNREGISTERED | An agent was removed by the application server and the BMC Helix SSO listener. |
REQUEST_AUTH_CODE | An authorization code was requested. |
USER_WENT_THROUGH_CONSENT_PAGE | An end user went through the OAuth consent page. |
REQUESTS_NEW_OAUTH_TOKEN_WITH_AUTH_CODE | An OAuth client requested a new access or refresh token with a code. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
REQUESTS_NEW_OAUTH_TOKEN_WITH_REFRESH_TOKEN | An OAuth client requested a new access or refresh token with a refresh token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
REQUESTS_NEW_OAUTH_TOKEN_WITH_JWT | An application used the JWT grant type to request an access or refresh token for the particular end user. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
ACCESS_TOKEN_REVOKED | An OAuth client revoked an access token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
REFRESH_TOKEN_REVOKED | The OAuth client revoked a refresh token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
AUTH_CODE_EXPIRED | An authorization code expired. |
OAUTH_TOKEN_EXPIRED | An OAuth token expired. You must clean up the outdated OAuth token. |
TOKEN_INFO_REQUESTED | An application used an end-user token to get information about the token. |
TOKEN_USER_GROUPS_REQUESTED | An application used an end-user token to get information about the users groups. |
USER_LOGGED_IN_NATIVE_APP | A user logged in using an identity provider from the chain configuration by using a native application. |
LOCAL_USER_CHANGED_OWN_PWD | A local user changed password per forced password reset. |
LOCAL_USER_LOCKED | A local user was locked after unsuccessful login attempts. |
LOCAL_USER_UNLOCKED | A local user was unlocked by the BMC Helix SSO administrator or automatically. |
REQUEST_NEW_OAUTH_INTERNAL_TO_EXTERNAL_EXCHANGE_TOKEN | The OAuth client requests an internal to external token by using the token exchange grant type. |