SOLVED

User changes in aem

Level 4

Hi Team,

I am using AEM 6.5.

I am trying to know when a particular user's permissions changed.

I mean whenever any activity happened on user admin, I need to know who did it and what he added or deleted.

Is it possible to trace such permissions?

Just like logs, can we trace users' behaviour as well?

Please revert.

 

 

 

9 Replies

Employee Advisor

Hi @kiranc13433869!

Please check the following documentation:

As far as I understand your requirement, this should exactly do what you need.

 

Update:

I double checked and can confirm the behavior differs from the documentation as you described it in your update. I'll check internally and have raised a ticket for it with our documentation team (CQDOC-18142).

After checking it seems that you need to raise the log level to "DEBUG" and add another entry to the "Logger" section of the OSGI configuration:

com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet

This will at least give you some basic logging on permission management, such as:

*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/dam for test
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/dam, [759448319_, 759448319

I'll try to get the documentation fixed for this feature and will update this thread if there is additional information about it.

 

Thanks for raising this issue!

Hope that helps!

Hi @murukus,

Thanks for the info.

This is a good option, but it only mentions when a user is created or deleted, or a new group is added.

What I am looking for:

If user permissions changed, like read, modify, create, delete, read ACL, edit ACL and replicate.

If any of these activities are added to a user or group, or removed. Those are the logs I am looking for.

Can you help me with this?

Hi,

I followed all the steps and it is giving the same response which is shared in the link, i.e. about user creation, group adding or deleting, password change etc.

Even though it is specified in the document, it is not updating permission issues.

Employee Advisor

Hi @kiranc13433869!

Please double check on the documentation. It does exactly what you mentioned:

"[...] auditing CRUD (Create, Read, Update, Delete) actions on permissions and group assignments of users. [...] Permission changes of an existing user or group"

 

Hope that helps!

Hi,

I followed all the steps and it is giving the same response which is shared in the link, i.e. about user creation, group adding or deleting, password change etc.

Even though it is specified in the document, it is not updating permission issues.

Employee Advisor

Hi @kiranc13433869!

I double checked and can confirm the behavior that differs from the documentation as you described it. I'll check internally and raise a ticket for it with our documentation team.

After checking it seems that you need to raise the log level to "DEBUG" and add another entry to the "Logger" section of the OSGI configuration:

com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet

This will at least give you some basic logging on permission management, such as:

*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/dam for test
*DEBUG* [127.0.0.1 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/dam, [759448319_, 759448319

I'll try to get the documentation fixed for this feature and will update this thread if there is additional information about it.

 

Thanks for raising this issue!

Hope that helps!

Employee

Hello,

I am not sure why it is not tracked in my logs. I have updated the log level to debug and also added the class that is mentioned below: 
com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet
com.adobe.granite.security.user.internal.servlets.AuthorizableServlet
com.adobe.granite.security.user.internal.audit

but still I do not see any user/group level permission change tracking.

Correct answer by
Level 4

Hi @markus_bulla_adobe 

I tried the below step as well, where I changed permissions for a user, and it is still not showing in my local.

Employee

Hi @kiranc13433869 ,

I tried adding the loggers [0] at debug level and modified the user permissions via the Touch UI. I was able to observe the ACL changes in the logs. Please see the details below [1].

[0]
com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet
com.adobe.granite.security.user.internal.servlets.AuthorizableServlet
com.adobe.granite.security.user.internal.audit

[1]

23.09.2024 16:17:00.085 *DEBUG* [10.172.141.36 [1727088420083] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /conf/global/settings for testuser
23.09.2024 16:19:17.515 *DEBUG* [10.172.141.36 [1727088557514] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/community for testuser
23.09.2024 16:19:32.178 *DEBUG* [10.172.141.36 [1727088572177] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin removing policy for /content/community, [2091452248_, 2091452248
23.09.2024 16:29:38.295 *DEBUG* [10.172.141.36 [1727089178293] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/community for testuser
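
The PoliciesServlet DEBUG lines quoted in this thread can be turned into audit records that answer the original question (who changed permissions, on which path, for which principal). The following is an added example, not part of the original posts and not Adobe code; the sample log lines are constructed in the two shapes quoted above (with and without a timestamp), and the function names are hypothetical.

```python
import re

# Constructed sample lines, modelled on the message shapes quoted in the thread.
# IPs, users and paths are made up for this example.
SAMPLE_LOG = """\
01.02.2025 09:15:00.100 *DEBUG* [192.0.2.10 [1738401300099] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/site-a for alice
01.02.2025 09:15:02.000 *INFO* [192.0.2.10 [1738401302000] GET /content/site-a.html HTTP/1.1] com.example.Unrelated something else
*DEBUG* [192.0.2.11 POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet bob removing policy for /content/site-a, [123_, 123
01.02.2025 09:20:00.000 *DEBUG* [192.0.2.10 [1738401600000] POST /bin/policies HTTP/1.1] com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet admin adds policy on /content/dam for editors
"""

LOGGER = "com.adobe.granite.security.permissions.internal.servlets.PoliciesServlet"
LINE_RE = re.compile(
    r"^(?:(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"   # optional timestamp
    r"\*DEBUG\* \[(?P<ip>\S+) (?:\[\d+\] )?POST /bin/policies [^\]]*\] "
    + re.escape(LOGGER) + r" (?P<actor>\S+) "
    r"(?:adds policy on (?P<add_path>.+?) for (?P<principal>.+)"
    r"|removing policy for (?P<rm_path>[^,]+),.*)$"
)


def parse_policy_events(text):
    """Return one dict per ACL add/remove message found in the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a PoliciesServlet permission message
        added = m.group("add_path") is not None
        events.append({
            "time": m.group("ts"),        # None when the line has no timestamp
            "source_ip": m.group("ip"),
            "actor": m.group("actor"),    # user who made the change
            "action": "add" if added else "remove",
            "path": m.group("add_path") if added else m.group("rm_path"),
            "principal": m.group("principal"),  # None: removal lines do not name it
        })
    return events


def changes_for_path(events, path):
    """List (time, actor, action, principal) for every change on one path."""
    return [(e["time"], e["actor"], e["action"], e["principal"])
            for e in events if e["path"] == path]


if __name__ == "__main__":
    for event in parse_policy_events(SAMPLE_LOG):
        print(event)
```

Because these messages are only written at DEBUG level for this logger, the records exist only for the period in which the logger was enabled, and a removal has to be paired with the earlier add on the same path to see which principal it affected.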