Almost from the beginning, the Akamai Identity Cloud Console has provided a way to track, and to audit, changes to user profiles. For example, suppose Maria Fuentes – who used to get marketing and promotional materials for people who live in the Portland, OR area – has suddenly started getting marketing and promotional materials for people who live in the Seattle, WA area. By checking Maria’s profile change audit data, you can see that, on May 29th, an agent mistakenly changed her address (city, state, and zip code) to one in the Seattle area.
As this example shows, the ability to monitor audit logs for user profile changes is a very useful tool.
At the same time, however, the Console has evolved to be more than just a repository for user profiles: the Console is also used for everything from managing properties (API clients) and applications to restoring and promoting flows. It’s definitely useful to know who has made an update to a user profile; however, it’s equally useful to know who has created a new API client, deleted a flow, or assigned a new role to a Console agent.
And now, thanks to the addition of Console Audit Logs, you can do just that. With Audit Logs, you can still monitor changes to your user profiles. However, you can also monitor such things as:
- Creating and deleting API clients
- Updating API client permissions
- Accessing and resetting client secrets
- Updating global settings and API client settings
- Sending password reset and verification emails
- Searching and exporting user profiles
- Inviting, removing, or changing a Console user's access to an application
- Managing flows
In other words, you can now audit pretty much anything that an agent does in the Identity Cloud Console.
Important. Agent actions are audited only if the agent performs them in the Console itself. If an agent uses the Console to change an application setting or to reset a client secret, those actions are recorded in the audit logs. However, if an agent uses the Configuration APIs to change an application setting or to reset a client secret, those actions are not recorded in the Console audit logs. That’s because the Configuration APIs use API client credentials for authentication, and those credentials cannot be tied back to an individual user.
This documentation details the following Audit Log topics:
- Audit Logs Terminology
- Accessing the Console Audit Logs
- Searching/Filtering the Console Audit Logs
- Viewing Audit Log Search Results
- Appendix A: Console Audit Log Activity Reference