Adobe Experience Manager Sites & More

Hi @murukus,

Thanks for info

This is good option but it is only mentioning about if user created, deleted or new group added

What I am looking for 

If user permissions changed like read modify, create, delete, read acl, edit acl and replicate

If any of these activities are added to user or group or removed. Those logs am looking for 

Can you help me with this.

Hi,

 

I followed all steps and its is giving same response which is shared in link

I.e. abt user creating, group adding or deleting, password change etc 

Even though it is specified in document, but it is not updating permission issues.

Hi @kiranc13433869!

Please double check on the documentation. It does exactly what you mentioned:

"[...] auditing CRUD (Create, Read, Update, Delete) actions on permissions and group assignments of users. [...] Permission changes of an existing user or group"

 

Hope that helps!

Hi, I followed all steps and its is giving same response which is shared in link I.e. abt user creating, group adding or deleting, password change etc  Even though it is specified in document, but it is not updating permission issues

Hi @kiranc13433869!

I double checked and can confirm the behavior that differs from the documentation as you described it. I'll check internally and raise a ticket for it with our documentation team.

After checking it seems that you need to raise the log level to "DEBUG" and add another entry to the "Logger" section of the OSGI configuration:

com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet

This will at least give you some basic logging on permission management, such as:

*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/dam for test
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/dam, [759448319_, 759448319

I'll try to get the documentation fixed for this feature and will update this thread if there is additional information about it.

 

Thanks for raising this issue!

Hope that helps!

Hello,

I am not sure why it is not tracked in my logs. I have updated the log level to debug and also added the class that is mentioned below: 
com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet
com.adobe.granite.security.user.internal.servlets.AuthorizableServlet
com.adobe.granite.security.user.internal.audit

but still I do not see any user/group level permission change tracking.

Hi @kiranc13433869 ,

I tried adding the loggers[0] at debug level and modified the user permissions via the Touch UI. I was able to observe the ACL changes in the logs. Please see the details below[1].

 

[0]com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet com.adobe.granite.security.user.internal.servlets.AuthorizableServlet com.adobe.granite.security.user.internal.audit

 

[1]

23.09.2024 16:17:00.085 *DEBUG* [10.172.141.36 [1727088420083] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /conf/global/settings for testuser
23.09.2024 16:19:17.515 *DEBUG* [10.172.141.36 [1727088557514] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/community for testuser
23.09.2024 16:19:32.178 *DEBUG* [10.172.141.36 [1727088572177] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/community, [2091452248_, 2091452248
23.09.2024 16:29:38.295 *DEBUG* [10.172.141.36 [1727089178293] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/community for testuser