Activity reporting provides a useful audit trail for actions that change role-based access control (RBAC) entities, such as users, directory groups, and user roles.
Local users
These events are displayed in the console on the Activity tab for the affected user.
| Event | Description | Example |
|---|---|---|
| Creation | A new local user is created. An initial value for each metadata field is reported. | Created with login set to "jean". |
| Metadata | Any change to the login, display name, or email keys. | Display name set to "Jean Jackson". |
| Role membership | A user is added to or removed from a role. The display name and user ID of the affected user are displayed. | User Jean Jackson (973c0cee-5ed3-11e4-aa15-123b93f75cba) added to role Operators. |
| Authentication | A user logs in. The display name and user ID of the affected user are displayed. | User Jean Jackson (973c0cee-5ed3-11e4-aa15-123b93f75cba) logged in. |
| Password reset token | A token is generated for a user to use when resetting their password. The display name and user ID of the affected user are shown. | A password reset token was generated for user Jean Jackson (973c0cee-5ed3-11e4-aa15-123b93f75cba). |
| Password changed | A user successfully changes their password with a token. | Password reset for user Jean Jackson (973c0cee-5ed3-11e4-aa15-123b93f75cba). |
| Revocation | A user is revoked or reinstated. | User revoked. |
Remote users
These events are displayed in the console on the Activity tab for the affected user.
| Event | Description | Example |
|---|---|---|
| Role membership | A user is added to or removed from a role. These events are also shown on the page for the role. The display name and user ID of the affected user are displayed. | User Kalo Hill (76483e62-5ed4-11e4-aa15-123b93f75cba) added to role Viewers. |
| Revocation | A user is revoked or reinstated. | User revoked. |
Directory groups
These events are displayed in the console on the Activity tab for the affected group.
| Event | Description | Example |
|---|---|---|
| Importation | A directory group is imported. The initial value for each metadata field is reported (these cannot be updated using the RBAC UI). | Created with display name set to "Engineers". |
| Role membership | A group is added to or removed from a role. These events are also shown on the page for the role. The group's display name and ID are provided. | Group Engineers (7dee3acc-5ed4-11e4-aa15-123b93f75cba) added to role Operators. |
Roles
These events are displayed in the console on the Activity tab for the affected role.
| Event | Description | Example |
|---|---|---|
| Metadata | A role's display name or description changes. | Description set to "Sysadmins with full privileges for node groups." |
| Members | A group is added to or removed from a role. The display name and ID of the user or group are provided. These events are also displayed on the page for the affected user or group. | User Kalo Hill (76483e62-5ed4-11e4-aa15-123b93f75cba) removed from role Operators. |
| Permissions | A permission is added to or removed from a role. | Permission users:edit:76483e62-5ed4-11e4-aa15-123b93f75cba added to role Operators. |
| Delete | A role has been removed. | The Delete event is recorded and available only through the activity service API, not the Activity tab. |
Orchestration
These events are displayed in the console on the Activity tab for the affected node.
| Event | Description | Example |
|---|---|---|
| Agent runs | Puppet runs as part of an orchestration job. This includes runs started from the orchestrator or the PE console. | Request Puppet agent run on node.example.com via orchestrator job 12. |
| Task runs | Tasks run as orchestration jobs set up in the console or on the command line. | Request echo task on neptune.example.com via orchestrator job 9,607 |
Authentication tokens
These events are displayed in the console on the Activity tab on the affected user's page.
| Event | Description | Example |
|---|---|---|
| Creation | A new token is generated. These events are exposed in the console on the Activity tab for the user who owns the token. | Amari Perez (c84bae61-f668-4a18-9a4a-5e33a97b716c) generated an authentication token. |
| Direct revocation | A successful token revocation request. These events are exposed in the console on the Activity tab for the user performing the revocation. | Administrator (42bf351c-f9ec-40af-84ad-e976fec7f4bd) revoked an authentication token belonging to Amari Perez (c84bae61-f668-4a18-9a4a-5e33a97b716c), issued at 2016-02-17T21:53:23.000Z and expiring at 2016-02-17T21:58:23.000Z. |
| Revocation by username | All tokens for a username are revoked. These events are exposed in the console on the Activity tab for the user performing the revocation. | Administrator (42bf351c-f9ec-40af-84ad-e976fec7f4bd) revoked all authentication tokens belonging to Amari Perez (c84bae61-f668-4a18-9a4a-5e33a97b716c). |
Directory service settings
These events are not exposed in the console. The activity service API must be used to see these events.
| Event | Description | Example |
|---|---|---|
| Update settings (except password) | A setting is changed in the directory service settings. | User rdn set to "ou=users". |
| Update directory service password | The directory service password is changed. | Password updated. |
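
For audit review, the message strings in the Example columns above can be classified so that access-changing events stand out from routine ones. The following Python is an added example, not part of the product or its documentation: the patterns are derived only from the example messages on this page (real wording may differ), and the function names and the choice of which events to flag are assumptions.

```python
import re

# In this page's examples the ID follows the display name, in parentheses.
UUID = r"\(([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\)"

# (label, flag for review?, pattern). The flag column is an assumed review policy.
RULES = [
    ("role_membership", True,
     re.compile(rf"^(User|Group) (.+?) {UUID} (added to|removed from) role (.+?)\.$")),
    ("permission", True,
     re.compile(r"^Permission (\S+) (added to|removed from) role (.+?)\.$")),
    ("token_revoked", True,
     re.compile(rf"^(.+?) {UUID} revoked (?:an|all) authentication tokens? "
                rf"belonging to (.+?) {UUID}")),
    ("password_reset_token", True,
     re.compile(rf"^A password reset token was generated for user (.+?) {UUID}\.$")),
    ("token_created", False,
     re.compile(rf"^(.+?) {UUID} generated an authentication token\.$")),
    ("login", False,
     re.compile(rf"^User (.+?) {UUID} logged in\.$")),
]

def classify(message):
    """Return (label, flagged, captured fields); unknown messages are not flagged."""
    text = " ".join(message.split())  # rejoin messages wrapped across lines
    for label, flagged, pattern in RULES:
        match = pattern.match(text)
        if match:
            return label, flagged, match.groups()
    return "unknown", False, ()

def privileged_events(messages):
    """Keep only the events that change access or credentials."""
    return [(label, fields)
            for label, flagged, fields in map(classify, messages) if flagged]

# Constructed sample: messages copied from the Example columns on this page.
SAMPLE = [
    "User Jean Jackson (973c0cee-5ed3-11e4-aa15-123b93f75cba) added to role Operators.",
    "User Jean Jackson (973c0cee-5ed3-11e4-aa15-123b93f75cba) logged in.",
    "Permission users:edit:76483e62-5ed4-11e4-aa15-123b93f75cba added to role Operators.",
    "Administrator (42bf351c-f9ec-40af-84ad-e976fec7f4bd) revoked all authentication "
    "tokens belonging to Amari Perez (c84bae61-f668-4a18-9a4a-5e33a97b716c).",
    'Display name set to "Jean Jackson".',
]

if __name__ == "__main__":
    for label, fields in privileged_events(SAMPLE):
        print(label, fields)
```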