IBM Enterprise Records, Version 5.1.2    

Auditing

There is a much information concerning the auditing features, event, and logs available in an IBM® Enterprise Records environment. There is also information about how to configure and use these features, events, and logs.

Also for more information about showing the audit history of an entity, see the viewing audit log entries topic. For more information about auditing, see the Help for Content Platform Engine Administration, specifically the auditing concepts topic.

For Auto Destroy, use the standard Content Platform Engine audit mechanism, specifically the delete audit event to keep the destruction history. For more information, see the audit logging concept in Content Platform Engine documentation.

Using the auditing features available for IBM Enterprise Records, you can:

Audit events

The Content Platform Engine includes a number of system events that, if configured for auditing, are automatically recorded to the audit log when the event occurs. Examples of these events include creating an object and filing an object into a folder. IBM Enterprise Records adds to the object store the custom event, RMAudit, which records IBM Enterprise Records events such as relocating or destroying an entity.

Each recorded event is stored in Content Platform Engine as an object. You can perform operations like searching, exporting, and examining properties on these recorded event objects.

RMAudit Event

When a IBM Enterprise Records data model is imported into an object store, the RMAudit event is added to the object store. In addition, the event is automatically subscribed to for the RecordCategory, RecordFolder, and Volume classes in an FPOS. You can manually configure this event for the Record class. (Note, however, that auditing is not automatically enabled for the object store.)

The RMAudit event records an audit entry whenever any of the following actions are performed on an entity:

System events

In addition to recording audit events for the above-mentioned IBM Enterprise Records actions, you can configure auditing for the following system events supplied with Content Platform Engine. The following table lists a subset of the available system events; the listed events are the events you are probably most interested in auditing for IBM Enterprise Records.

Table 1. System events and information
Event Logged when Applies to
Creation An instance of a class is created (includes declaring a record: configure the event for the Record class on the FPOS). You can audit this event for any class, including the RecordCategory, RecordFolder, Volume, and Record classes in the FPOS, and the Document class in the ROS.
Deletion An object is deleted from the object store. You can audit this event for any class.
File An object is filed in a folder (includes creating a subfolder and the automatic filing that occurs when declaring a record). You can audit this event for any Folder class (and subclass), including the RecordCategory, RecordFolder, and Volume classes in the FPOS.
GetContent The content of a content-carrying object is retrieved (for example, when a user views the content of a document). You can audit this event for any Document class (and subclass). To audit when a user sees the content of a document, enable this event on the ROS.
GetObject An object is retrieved from Content Platform Engine (which includes retrieval attempts by the IBM Enterprise Records application). You can audit this event for any class.
Query A query is performed (which includes queries the IBM Enterprise Records application performs as part of its processing). You can audit this event for any class (except VersionSeries).
Unfile An object is removed (unfiled) from a folder (includes deleting a subfolder). You can audit this event for any Folder class (and subclass), including the RecordCategory, RecordFolder, and Volume classes in the FPOS.
Update The properties of an object are changed (which includes marking a container as Vital and activating or deactivating a container). You can audit this event for any class.
UpdateSecurity The security of an object is changed. A failure is not logged when a user attempts to delete an object from the IBM Enterprise Records application. The attempt is unsuccessful because the deletion is protected by a marking (which is the case with some IBM Enterprise Records objects). You can audit this event for any class (except ReferentialContainmentRelationship and VersionSeries).

Audit log

When you enable and configure audit logging on an object store, the system generates audit log entries. These entries exist as a table in a database in the object store. To perform actions on the log, run a query for the events you want and then perform the action. Perform the action against the result set of the query, if necessary. Audit events remain in the audit log even if the audited object is deleted. For detailed information about audit logs, including information about how to delete unneeded log entries and manage the log size, see the auditing concepts topic in the Help for Content Platform Engine Administration.

The audit log stores the following information:

Some audit log entries can contain additional information, depending on the type of audit event that occurred. For example, a successful Query event logs the original query text from which the query was generated. Also the class ID of the object that was the subject of the audit event is logged.

Audit event properties

The following lists the symbolic name and a brief description of the properties available for audit events. Properties that are specific to the RMAudit event are AuditActionType, ReasonForAction, Reviewer, and RMEntityDescription.

AuditActionType For an RMAudit event, specifies the type of audit action, such as Delete, Relocate, Destroy, Transfer, Interim Transfer, Export, Review, Undeclare, Hold, or Remove Hold.

AuditLevel For an AuditConfiguration event, specifies the level of auditing (auditing disabled = 0, auditing enabled = 1).

ContainmentName For a File and Unfile event, specifies the name of the object added or removed from the container object.

Creator For all events, specifies the short name of the user who generated the event (the user who created the event object).

DateCreated For all events, contains the date and time the event was generated (the date and time the event object was created). Content Engine stores dates and times using Coordinated Universal Time (UTC).

DateLastModified For all events, contains the date and time the event was last modified (the date and time the event object was last modified).

EventStatus For all events, indicates whether the operation that generated this event was successful (0) or not (an internally used error code).

LastModifier For all events, contains the short name of the user who last modified the event object.

LifecycleOperation For a ChangeState event, specifies the lifecycle operation performed on the source object.

ModifiedProperties For a ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Custom, DemoteVersion, Freeze, Lock, PromoteVersion, RMAudit, Unlock, Update, and UpdateSecurity event, specifies a list of the symbolic names of the properties modified by the operation being audited.

ObjectType For all events, specifies a number that denotes the base type of an object. For event objects, the value is always 1180.

QueryText For a Query event, specifies the original text from which the query was generated.

ReasonForAction For an RMAudit event, specifies the reason for the action. This field is populated with the value entered by the user in the Review Comments field while completing the workflow.

Reviewer For an RMAudit event, specifies the name of the user who performed the action that generated the event (the user who started the IBM Enterprise Records workflow queue).

RMEntityDescription For an RMAudit event, specifies a description for the audited action where appropriate. For example, a Relocate action might be described as RM entity MyRecordFolder moved from source /Records Management/My File Plan/My Record Category to destination /Records Management/My File Plan/Another Record Category.

SourceClassId For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, File, Freeze, GetContent, GetObject, Lock, PromoteVersion, Query, RMAudit, Unfile, Unlock, Update, and UpdateSecurityEvent event, specifies the class ID of the object that is the subject of an audit event.

SourceObject For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, File, Freeze, Lock, PromoteVersion, RMAudit, Unfile, Unlock, Update, and UpdateSecurity event, specifies a snapshot of the object that is the source of an audit event at the time the event occurred. The object reference contained in this property represents the object in its state when the event occurred, and might be different from the current state of the object.

SourceObjectId For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, File, Freeze, GetContent, GetObject, Lock, PromoteVersion, RMAudit, Unfile, Unlock, Update, and UpdateSecurity event, specifies the ID of the object that is the subject of an audit event.

VersionSeriesId For a CancelCheckout, ChangeClass, ChangeState, Checkin, Checkout, ClassifyComplete, Creation, Custom, Deletion, DemoteVersion, Freeze, Lock, PromoteVersion, RMAudit, Unlock, Update, and UpdateSecurity event, specifies (where relevant) the ID of the version series for the source object.



Feedback

Last updated: November 2013
rm_auditing.htm

© Copyright IBM Corporation 2013