Chat now with support
Chat with Support

Enterprise Single Sign-On 9.0.2 - One Identity Enterprise Access Management Console Administration Guide

Preface Overview Authenticating to EAM Console and Managing Protection Modes Searching the Directory Tree Managing administrators Managing Security Profiles
Managing time slices Managing Password Format Control Policies Managing User Security Profiles Managing Access Point Security Profiles Managing Application Security Profiles Defining Security Profiles Default Values Managing User and Access Point Security Profiles Priorities
Managing directory objects
Managing applications Managing users Managing access points Managing representative objects Managing clusters of access points Selecting a domain controller
Importing/Exporting security profiles and directory objects Managing smart cards Managing SA server devices Managing RFID tokens Managing biometrics Managing Mobile Devices Enabling the public key authentication method Managing Emergency Accesses Managing audit events Managing reports Customizing configuration files Creating scripts Basic syntax of regular expressions Listing audit events and error codes Correspondence between profiles and administration rights Report Models and Parameters List Custom Group Files Format

Managing audit events

Architecture overview

The following picture shows the streams of audit events within EAM.

Audit events are created on users’ workstations and stored locally in audit cache files. Events are then collected (on a regular basis) by an EAM Controller that provides the EAM audit Services. The server stores the collected audit events in a local audit database.

The audit servers should then be configured to upload collected events into a central audit SQL database.

Administrators get the audit events stored in the central audit database using EAM Console.

Audit cache mechanism

All the audit events are registered in a centralized SQL database, managed by the EAM Controllers.

An audit cache mechanism is located on:

  • The client workstations enabling the storage of the audit events if the workstation is disconnected from the network.
  • The EAM Controllers enabling the storage of the audit events if the server is disconnected from the SQL database.

The EAM Controller compiles all the events related to user authentication and administration actions in all LDAP domains. It provides a consistent overview of the history of the accesses to all your applications.

NOTE:By administration actions, we mean any operation that modifies the directory content: creation, modification, deletion and renaming of any directory object.

If the audit cache file is deleted, EAM sends an audit event to the User Access Controller. The event indicates the name of the workstation and when the file deletion was detected.

EAM audit controllers

The EAM audit servers:

  • Ensure the stream of audit events by detecting the audit cache file deletion.
  • Make sure an EAM Controller is always available to EAM administrators.
  • Do not generate audit events that are not relevant to your customer’s security policy. The administrator can apply an audit filter to an access point profile, a user profile, an administration role or an application.

In this section:

Displaying audit events


Depending on your needs, you can display audit events in different ways:

  • Globally, using the Audit panel, to display the whole EAM audit events.
  • Contextually, using the Directory panel (Events tab of a selected object), to display only the audit events associated directly or indirectly with the selected object.

    For example, let us consider an application object: the Events tab of this object displays any administration action directly associated with this object (as the modification of an option or of the administrator's list for example), but also any event linked to the creation of accounts associated with this application.

    The following procedure focuses on how to display globally audit events. For more details on how to display the audit records of a specific object, see Section Displaying Password Generation Policy Event Logs and Section Managing directory objects.

Before starting

To perform the task described in this section, you must have the following administration role:

  • In classic administration mode: "Auditor".
  • In advanced administration mode, your role must contain the following administration right: "Audit: Visualization".

    NOTE: For more information on administration roles, see Section Managing administrators.
  • By default, the displayed audit events are those corresponding to the EAM category. If you want to display all Identity & Access Manager audit events, set the following registry key (DWORD) to 1: FrameWork\Audit\ShowIAMCategories (REG_DWORD)


  1. In the Audit panel, select the time range corresponding to the events you want to display, and click Apply.

    NOTE: By default, the audit report displays all the audit events of the last two days.
    • All the audit events corresponding to the time range selected are displayed.
  2. If your auditor role is restricted to one or more audit populations, select the population you want to display in the drop-down list, or select the Select all populations check box.

    NOTE: For more information on audit population, see Section Defining an audit population.
  3. To filter the displayed list, click the Advanced Filter button.
    • The Audit base filter window appears (for more details on how to build a filter, see Section Applying an audit filter).
  4. To display more details about an event, double-click the corresponding line.

Defining an audit population


An audit population is a group, a directory or an organizational unit that you want to explicitly mark for audit, so that audit events on the objects (users or access points) that are members of the group, directory or organizational unit can be displayed.

When you audit a group/directory/organization without having defined it as an audit population, the only displayed events are the one related to the group/directory/organization; the events related to its members are not available.

Once the audit population is defined, you can:


  1. In the tree structure of the Directory panel, select the group, organization or directory you want to mark as audit population.
  2. Click the Events tab.
    • The tab appears
  3. In the Audit Population area:
    1. Select the Mark events with label check box.
    2. Type a label for the population (or keep the default label).
    3. Click Set.
    • The group/organization/directory is marked for audit with the chosen label.

      NOTE: To gather several groups/organizations/directories in the same audit population, use the same label for all of them.

Managing and assigning audit filters

In this section:

Related Documents