Auditing events for App ID
You can view, manage, and analyze user-initiated activities that are made in your IBM Cloud® App ID service instance by using the Activity Tracker service.
By integrating Activity Tracker with App ID, you can track two different types of events, administrative and runtime. Administrative events are specific to your instance of the service. Administrative events cover configuration changes such as updating your identity providers or changing the theme of your login widget. Runtime events are those activities that occur at run time by the app user. A password reset request, authentication failures, or a user logout would all fall into the runtime category.
For more information about how the service works, see the Activity Tracker docs.
Viewing administrative events
You can view, manage, and analyze configuration activity that is made in your App ID instance by using the Activity Tracker service.
Monitoring administrative activity
- Log in to your IBM Cloud account.
- From the catalog, provision an instance of the Activity Tracker service in the same account and region as your App ID instance.
- From the Observability > Activity Tracker tab, verify the information for the instance that you created.
- Click View Open Dashboard and make sure you're on the Everything dashboard. Any events that meet the qualifications for your Activity Tracker payment plan are visible. You can filter your results by tags, sources, apps, or levels. You can also search for specific events or jump to a specific timeframe.
List of administrative events
Check out the following table for a list of the events that are sent to Activity Tracker.
Some action names were changed as part of an alignment to new guidelines. Learn more.
| Action | Description | GUI action |
|---|---|---|
appid.recent-activity.read |
View recent activity. | Can be found in the Activity Log box on the Overview tab. |
appid.idp-config.read |
View the identity provider configuration. | Can be found in the Manage authentication > Identity Providers tab. |
appid.idp-config.update |
Update the identity provider configuration. | Can be updated in the Manage authentication > Identity Providers tab. |
appid.tokens-config.read |
View the token expiration configuration. | Can be found in the Manage authentication > Authentication Settings tab. |
appid.tokens-config.update |
Update the token expiration configuration. | Can be found in the Manage authentication > Authentication Settings tab. |
appid.redirect-uris.read |
View the current redirect URI configuration. | Can be found in the Manage authentication > Authentication Settings tab. |
appid.redirect-uris.update |
Update the redirect URI configuration. | Can be updated in the Manage authentication > Identity Providers tab. |
appid.is-profiles-active.read |
View the user profile storage configuration. | Can be found in the Profiles and roles > User Profiles tab. |
appid.is-profiles-active.update |
Update your user profile storage configuration. | Can be found in the Profiles and roles > User Profiles tab. |
appid.users.read |
Search user profiles. | Can be found in the Profiles and roles > User Profiles tab. |
appid.users.create |
Create pre-registered user profile. | Can be found in the Profiles and roles > User Profiles tab. |
appid.users.get |
Export user profiles. | Must be done through the API. |
appid.refresh-token.revoke |
Revoke all the refresh tokens that are issued for the user. | Must be done through the API. |
appid.users.import |
Import user profiles. | Must be done through the API. |
appid.user-profile.read |
View a user profile. | Can be found in the Profiles and roles > User Profiles tab. |
appid.user-profile.update |
Update a user profile. | Can be found in the Profiles and roles > User Profiles tab. |
appid.user-profile.bulkdelete |
Delete a list of user profiles. | Can be found in the Profiles and roles > User Profiles tab. |
appid.user-roles.read |
View the user roles. | Can be found in the Profiles and roles > User Profiles tab. |
appid.user-roles.update |
Update the user roles. | Can be found in the Profiles and roles > User Profiles tab. |
appid.roles.read |
View the roles list. | Can be found in the Profiles and roles > Roles tab. |
appid.roles.create |
Create a role. | Can be found in the Profiles and roles > Roles tab. |
appid.role.read |
View the role. | Can be found in the Profiles and roles > Roles tab. |
appid.role.update |
Update the role. | Can be found in the Profiles and roles > Roles tab. |
appid.applications.read |
View the applications list. | Can be found in the Applications tab. |
appid.applications.create |
Create an application. | Can be found in the Applications tab. |
appid.application.read |
View the application. | Can be found in the Applications tab. |
appid.application.update |
Update the application. | Can be found in the Applications tab. |
appid.application-scopes.read |
View the application scopes. | Can be found in the Applications tab. |
appid.application-scopes.update |
Update the application scopes. | Can be found in the Applications tab. |
appid.theme-text.read |
View the theme texts of the login widget. | Can be found in the Login Customization tab. |
appid.theme-text.update |
Update the theme texts of the login widget footnote. | Can be updated in the Login Customization tab. |
appid.theme-color.read |
View the theme color of the login widget header. | Can be found in the Login Customization tab. |
appid.theme-color.update |
Update the theme color of the login widget header. | Can be Updated in the Login Customization tab. |
appid.media.read |
View the image that is shown in the login widget. | Can be found in the Login Customization tab. |
appid.media.update |
Update the image that is shown in the login widget. | Can be updated in the Login Customization tab. |
appid.ui-configuration.read |
View the login widget UI configuration, which includes header color and image. | Can be found in the Login Customization tab. |
appid.ui-languages.read |
View a list of supported languages. | Must be viewed from the API. |
appid.ui-languages.update |
Update your supported languages. | Must be updated through the API. |
appid.saml-metadata.read |
View the App ID SAML metadata. | Can be found in the Identity Providers > SAML 2.0 Federation tab. |
ppid.cloud-directory-user.read |
View a Cloud Directory user. | Can be found in the Cloud Directory > Users > View user details tab. |
appid.cloud-directory-user.update |
Update a Cloud Directory User. | Can be updated in the Users tab. |
appid.cloud-directory-user.delete |
Delete a Cloud Directory user. | Must be deleted through the API. |
appid.user.delete |
Delete a Cloud Directory user and profile. | Must be deleted through the API. |
appid.cloud-directory-users.read |
View a list of your Cloud Directory users. | Can be found in the Cloud Directory > Users tab. |
appid.cloud-directory-user.update |
Update your list of Cloud Directory users. | Can be updated in the Cloud Directory > Users tab. |
appid.cloud-directory-user.delete |
Delete a list of Cloud Directory users. | Must be deleted through the API. |
appid.users.bulkdelete |
Delete a list of Cloud Directory users and profiles. | Must be deleted through the API. |
appid.cloud-directory-users.get |
Export Cloud Directory users. | Must be done through the API. |
appid.cloud-directory-users.import |
Import Cloud Directory users. | Must be done through the API. |
appid.cloud-directory-user-sso.set-off |
Invalidate all SSO sessions of the user. | Must be done through the API. |
appid.email-dispatcher.read |
View the email dispatcher configurations. | Can be found in the Cloud Directory > Email Templates tab. |
appid.email-dispatcher.update |
Update the email dispatcher configurations. | Can be found in the Cloud Directory > Email Templates tab. |
appid.email-dispatcher-test.send |
Test the email dispatcher. | Can be found in the Cloud Directory > Email Templates tab. |
appid.email-settings-test.send |
Test the email settings configurations. | Can be found in the Cloud Directory > Email Templates tab. |
appid.email-template.read |
View an email template. | Can be found in the Cloud Directory > Email Templates tab. |
appid.email-template.update |
Update an email template. | Can be found in the Cloud Directory > Email Templates tab. |
appid.email-template.delete |
Delete an email template to reset to the default. | Can be found in the Cloud Directory > Email Templates tab. |
appid.sender-details.read |
View the sender details. | Can be found in the Cloud Directory > Email Templates tab. |
appid.sender-details.update |
Update the sender details. | Can be found in the Cloud Directory > Email Templates tab. |
appid.resend-notification.send |
Resend user notifications. | Must be done through the API. |
appid.self-forgot-password.start |
Starts the forgot password process. | Can be found in the Cloud Directory > Email Templates tab. |
appid.forgot-password-result.read |
View the forgot password confirmation result. | Must be done through the API. |
appid.self-sign-up.start |
Starts the sign-up process. | Can be found in the Cloud Directory > Settings tab. |
appid.sign-up-result.read |
View the sign-up result confirmation. | Must be done through the API. |
appid.action_url.read |
View the custom URL that is called when an action is performed. | Can be found in the Cloud Directory > Email Templates tab. |
appid.action-url.update |
Update the custom URL that is called when an action is performed. | Can be found in the Cloud Directory > Email Templates tab. |
appid.password-regex.read |
View the password regex. | Can be found in the Cloud Directory > Password Policies tab. |
appid.password-regex.update |
Update the password regex. | Can be found in the Cloud Directory > Password Policies tab. |
appid.advanced-password-management.read |
View the advanced password policy configurations. | Can be found in the Cloud Directory > Password policies tab. |
appid.advanced-password-management.update |
Update the advanced password policy configurations. | Can be found in the Cloud Directory > Password Policies tab. |
appid.user-password.update |
Set a new password for the Cloud Directory user. | Must be done through the API. |
appid.capture-runtime-activity.read |
View runtime activity toggle. | Can be viewed in the Manage Authentication> Authentication Settings tab. |
appid.capture-runtime-activity.update |
Toggle runtime activity monitoring. | Can be updated in the Manage Authentication> Authentication Settings tab. |
appid.mfa.read |
View your MFA configurations. | Can be found in the Cloud Directory > Multi-factor Authentication tab. |
appid.mfa.update |
Update your MFA configurations. | Can be found in the Cloud Directory > Multi-factor Authentication tab. |
appid.mfa-channels.read |
View your MFA channels. | Can be found in the Cloud Directory > Multi-factor Authentication tab. |
appid.mfa-channel.read |
View your MFA channels configurations. | Can be found in the Cloud Directory > Multi-factor Authentication tab. |
appid.mfa-channel.update |
Update your channels. | Can be found in the Cloud Directory > Multi-factor Authentication tab. |
appid.sms-dispatcher-test.send |
Test the SMS dispatcher configurations. | Can be found in the Cloud Directory > Multi-factor Authentication > SMS Provider tab. |
appid.mfa-extension-premfa.read |
View your pre-MFA extension configuration. | Must be done through the API. |
appid.mfa-extension-premfa.update |
Update your pre-MFA extension configuration. | Must be done through the API. |
appid.mfa-extension-postmfa.read |
View your post MFA extension configuration. | Must be done through the API. |
appid.mfa-extension-postmfa.update |
Update your post MFA extension configuration. | Must be done through the API. |
appid.is-mfa-extension-active.update |
Update the status of your registered extension. | Must be done through the API. |
appid.mfa-extension-test.send |
Test your registered extension configuration. | Must be done through the API. |
ppid.sso.read |
View your SSO configuration. | Can be found in the Identity Providers > Cloud Directory > Single Sign-On tab. |
appid.sso.update |
Update your SSO configuration. | Can be found in the Identity Providers > Cloud Directory > Single Sign-On tab. |
appid.rate-limit.read |
View your rate limit configurations. | Must be done through the API. |
appid.rate-limit.update |
Update your rate limit configurations. | Must be done through the API. |
Viewing runtime events
With Activity Tracker, you can review runtime activity that is made by an app user, such as logins, password resets, and authentications.
The reported events are per account, but the data rate and retention period of the collected runtime events have limitations. Increasing the limits might require an upgrade of the Activity Tracker service. For more information about the service limits, see the Activity Tracker docs.
Monitoring runtime activity
- Log in to your IBM Cloud account.
- From the catalog, provision an instance of the Activity Tracker service in the same account as your App ID instance.
- In the App ID dashboard, click Manage authentication > Authentication settings.
- Scroll to the Runtime Activity panel and toggle the switch to enable tracking of runtime authentication activity. A message displays that notifies you that the feature is enabled and that you are charged differently. For more information, see How does App ID calculate pricing.
- From the Observability > Activity Tracker tab in the console navigation, verify the information for the instance that you created.
- Click Open Dashboard. When the dashboard loads, you see an overall view of all the activity in your account. You can use the search operators to filter your results by tags, sources, apps, or levels. You can also search for specific events or jump to a specific timeframe.
- From the All Apps drop-down, select the instance of App ID that you want to track events for.
List of runtime events
Check out the following table for a list of the runtime events that are sent to Activity Tracker.
Be sure that you turned on Runtime Activity to see these events.
| Description | Action | Outcome | reason. reasonCode |
target.id |
target.name |
target.typeURI |
|---|---|---|---|---|---|---|
| Cloud Directory authentication success | appid.user.authenticate |
success |
200 |
[appid user CRN] |
cloud_directory:[GUID] |
appid/user |
| Cloud Directory authentication failure | appid.user.authenticate |
failure |
401 |
[appid user CRN] |
cloud_directory:[GUID] |
appid/user |
| Facebook authentication success | appid.user.authenticate |
success |
200 |
[appid user CRN] |
facebook:[GUID] |
appid/user |
| Facebook authentication failure | appid.user.authenticate |
failure |
401 |
crn:unknown |
facebook:unknown |
appid/user |
| Google authentication success | appid.user.authenticate |
success |
200 |
[appid user CRN] |
google:[GUID] |
appid/user |
| Google authentication failure | appid.user.authenticate |
failure |
401 |
crn:unknown |
google:unknown |
appid/user |
| SAML authentication success | appid.user.authenticate |
success |
200 |
[appid user CRN] |
SAML:[GUID] |
appid/user |
| SAML authentication failure | appid.user.authenticate |
failure |
401 |
crn:unknown |
SAML:unknown |
appid/user |
| Client Credentials authentication success | appid.application.authenticate |
success |
200 |
[appid application CRN] |
client_credentials:client_id |
appid/application |
| Client Credentials authentication failure | appid.application.authenticate |
failure |
401 |
crn:undefined |
client_credentials:undefined |
appid/application |
| Cloud Directory sign up | appid.cloud-dir-user.create |
success |
200 |
[appid user CRN] |
cloud_directory:[GUID] |
appid/cloud_dir/user |
| Cloud Directory signup failure | appid.cloud-dir-user.create |
failure |
400 |
crn:unknown |
cloud_directory:unknown |
appid/cloud_dir/user |
| Cloud Directory signup confirmation | appid.cloud-dir-user.allow |
success |
200 |
[appid user CRN] |
cloud_directory:[GUID] |
appid/cloud_dir/user |
| Cloud Directory signup confirmation failure | appid.cloud-dir-user.allow |
failure |
400 |
crn:unknown |
cloud_directory:unknown |
appid/cloud_dir/user |
| Cloud Directory reset or renew password | appid.cloud-dir-user-credentials.renew |
success |
200 |
[appid user CRN] |
cloud_directory:[GUID] |
appid/cloud_dir/user |
| Cloud Directory reset or renew password failure | appid.cloud-dir-user-credentials.renew |
failure |
400 |
crn:unknown |
cloud_directory:unknown |
appid/cloud_dir/user |
| Cloud Directory change password | appid.cloud-dir-user-credentials.update |
success |
200 |
[appid user CRN] |
cloud_directory:[GUID] |
appid/cloud_dir/user |
| Cloud Directory change password failure | appid.cloud-dir-user-credentials.update |
failure |
400 |
crn:unknown |
cloud_directory:unknown |
|
| Revoke user tokens | appid.user-tokens.revoke |
success |
200 |
appid user CRN |
idp:[GUID] |
appid/user |
| Revoke user tokens failure | appid.user-tokens.revoke |
failure |
400 |
appid user CRN |
idp:[GUID] |
appid/user |
| Cloud Directory user SSO logout | appid.cloud-dir-user.set-off |
success |
200 |
appid user CRN |
idp:[GUID] |
appid/user |
| View user profile attributes | appid.user-profile-attributes.read |
success |
200 |
crn:profiles:[User-ID] |
profiles:[User-ID] |
appid-user-profiles/attributes |
| Update user profile attribute | appid.user-profile-attributes.update |
success |
200 |
crn:profiles:[User-ID] |
profiles:[User-ID] |
appid-user-profiles/attribute/[Attribute-name] |
| Delete user profile attribute | appid.user-profile-attributes.delete |
success |
200 |
crn:profiles:[User-ID] |
profiles:[User-ID] |
appid-user-profiles/attribute/[Attribute-name] |
Analyzing runtime events
A user that generates a runtime event is identified as a GUID rather than by name or email. As the account owner, you can use the GUID to identify a specific user and then you can search to see all the events that the user triggered.
The following scenario works only for Cloud Directory users. If the user is defined by an external IdP such as Google or Facebook, only that identity provider can interpret the GUID.
Extracting user information from the GUID
An event in the Activity Tracker console contains the following fields.
| Field | Value | Description |
|---|---|---|
| initiator.id | cb967e0d-43c1-454a-968d-0efa24766846 | The tenant ID. |
| target.name | cloud_directory:34e1ea6d-cc02-4941-9462-7e9c5a40b360 | The user ID. |
To find the user information that aligns with the event GUID, use the following steps.
-
In the Credentials tab of the App ID dashboard, copy, and save the information in the
apiKeyandtenantIDfields. The tenant ID should match the ID of the event. If no credentials exist, create a set. -
Obtain an IAM token for the
apiKeyby inserting the key into the following command:curl -k -X POST \ --header "Content-Type: application/x-www-form-urlencoded" \ --header "Accept: application/json" \ --data-urlencode "grant_type=urn:ibm:params:oauth:grant-type:apikey" \ --data-urlencode "apikey=<apiKey>" \ "https://iam.cloud.ibm.com/identity/token" -
Copy the IAM token from the access_token field in the response.
-
Select a region. Learn more about the available regions.
-
Insert the IAM token, the tenant ID, and the user ID, into the following command to obtain the user information.
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <IAMToken>' \ 'https://<region>.appid.cloud.ibm.com/<tenantID>/cloud_directory/Users/<userID>'You can also run this command by using the management APIs. Your output would look similar to the following JSON object:
{ "displayName": "test test", "active": true, "userName": "test0001", "mfaContext": {}, "emails": [ { "value": "mytest@yahoo.com", "primary": true } ], "meta": { "lastLogin": "2018-12-10T16:05:36.665Z", "created": "2018-08-21T08:55:50.643Z", "location": "/v1/cb967e0d-43c1-454a-968d-0efa24766846/Users/34e1ea6d-cc02-4941-9462-7e9c5a40b360", "lastModified": "2018-12-10T16:05:36.675Z", "resourceType": "User" }, "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User" ], "name": { "givenName": "test", "familyName": "test", "formatted": "test test" }, "id": "34e1ea6d-cc02-4941-9462-7e9c5a40b360" }
Finding user-related events
You can track the events of specific Cloud Directory users in Activity Tracker by using their email. Before you can begin tracking, the email must be mapped to a Cloud Directory GUID.
-
Obtain an IAM token, a tenant ID, and a region as described in the previous section.
-
Insert the IAM token, the tenant ID, and the email into the following command to obtain the user information.
curl -X GET --header 'Accept: application/json' --header 'Authorization: Bearer <IAMToken>' 'https://<region>.appid.cloud.ibm.com/<tenantID>/users?email=<emailAddress>'The email address must be escaped. For example,
myTest%40yahoo.cominstead ofmyTest@yahoo.com.Alternatively, you can use the Management APIs. Your output would look similar to the following JSON object:
{ "users": [ { "idp": "cloud_directory", "id": "1e123399-3499-4a5c-b5a9-93843a91dc80" }, { "idp": "cloud_directory", "id": "2a7abbe5-0fce-402e-9ddf-265246b415c8" } ] } -
Search for a cloud_directory:id value in the target.name_str field in the Activity Tracker console.