Hi Team,
I am using aem 6.5
I am trying to know when perticular user's permissions changed
I mean whenever any activity happened on user admin
I need to know who did it n what he added or deleted
Is it possible to trace such permissions
Just like logs can we trace users behaviour as well?
Please revert
Solved! Go to Solution.
Topics help categorize Community content and increase your ability to discover relevant content.
Views
Replies
Total Likes
I tried below step as well where changed permissions for a user and it is still not showing in my local.
Hi @kiranc13433869!
Please check the following documentation:
As far as I understand your requirement, this should exactly do what you need.
Update:
I double checked and can confirm the behavior differs from the documentation as you described it in your update. I'll check internally and have raised a ticket for it with our documentation team (CQDOC-18142).
After checking it seems that you need to raise the log level to "DEBUG" and add another entry to the "Logger" section of the OSGI configuration:
com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet
This will at least give you some basic logging on permission management, such as:
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/dam for test
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/dam, [759448319_, 759448319
I'll try to get the documentation fixed for this feature and will update this thread if there is additional information about it.
Thanks for raising this issue!
Hope that helps!
Hi @murukus,
Thanks for info
This is good option but it is only mentioning about if user created, deleted or new group added
What I am looking for
If user permissions changed like read modify, create, delete, read acl, edit acl and replicate
If any of these activities are added to user or group or removed. Those logs am looking for
Can you help me with this.
Views
Replies
Total Likes
Hi,
I followed all steps and its is giving same response which is shared in link
I.e. abt user creating, group adding or deleting, password change etc
Even though it is specified in document, but it is not updating permission issues.
Views
Replies
Total Likes
Hi @kiranc13433869!
Please double check on the documentation. It does exactly what you mentioned:
"[...] auditing CRUD (Create, Read, Update, Delete) actions on permissions and group assignments of users. [...] Permission changes of an existing user or group"
Hope that helps!
Views
Replies
Total Likes
Views
Replies
Total Likes
Hi @kiranc13433869!
I double checked and can confirm the behavior that differs from the documentation as you described it. I'll check internally and raise a ticket for it with our documentation team.
After checking it seems that you need to raise the log level to "DEBUG" and add another entry to the "Logger" section of the OSGI configuration:
com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet
This will at least give you some basic logging on permission management, such as:
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/dam for test
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/dam, [759448319_, 759448319
I'll try to get the documentation fixed for this feature and will update this thread if there is additional information about it.
Thanks for raising this issue!
Hope that helps!
Views
Replies
Total Likes
Hello,
I am not sure why it is not tracked in my logs. I have updated the log level to debug and also added the class that is mentioned below:
com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet
com.adobe.granite.security.user.internal.servlets.AuthorizableServlet
com.adobe.granite.security.user.internal.audit
but still I do not see any user/group level permission change tracking.
Views
Replies
Total Likes
I tried below step as well where changed permissions for a user and it is still not showing in my local.
Hi @kiranc13433869 ,
I tried adding the loggers[0] at debug level and modified the user permissions via the Touch UI. I was able to observe the ACL changes in the logs. Please see the details below[1].
[0]com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet com.adobe.granite.security.user.internal.servlets.AuthorizableServlet com.adobe.granite.security.user.internal.audit
[1]
23.09.2024 16:17:00.085 *DEBUG* [10.172.141.36 [1727088420083] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /conf/global/settings for testuser 23.09.2024 16:19:17.515 *DEBUG* [10.172.141.36 [1727088557514] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/community for testuser 23.09.2024 16:19:32.178 *DEBUG* [10.172.141.36 [1727088572177] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/community, [2091452248_, 2091452248 23.09.2024 16:29:38.295 *DEBUG* [10.172.141.36 [1727089178293] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/community for testuser
Views
Replies
Total Likes