Audit Policy Examples

Policy on the audit::/ realm grants permission to view the audit log in the web console.

Audit permission

The following system policy defines the sole read permission available for the audit::/ realm.

audit::/ {
  if (permit == all) {
    permit read
  }
}

Auditor permission grant

The following policy permits a named user to read audit logs:

audit::/ {
  if (auth_server@apcera.me->name == "some-name") {
    permit read
  }
}

Typically you grant audit permission to auditors, operations, and administrators, for example:

audit::/ {
  if (auth_server@apcera.me->name == "auditor-name") {
    permit read
  }
}

Auditor role

The following policy creates an auditor role and assigns a named auditor to that role.

audit::/ {
  if (auth_server@apcera.me->name == "auditor-name") {
    role auditor
  }
}

The following policy grants the auditor role all permissions on the audit::/ realm:

on audit::/ {
  if (role == auditor) {
    permit all
  }
}

Since there is only one permission available for the audit::/ realm, the following policy block accomplishes the same thing:

on audit::/ {
  if (role == auditor) {
    permit read
  }
}

Limited audit log capabilities

You can use a designated namespace to limit what a user can view in the audit log. To do this, you specify a namespace that is more specific than the root namespace for the audit::/ realm.

For example:

audit::/sandbox/user {
  if (auth_server@apcera.me->name == "user") {
    permit read
  }
}

Or, the following templated version:

audit::/sandbox/[group] {
  if (LDAP->group == [group]) {
    permit read
  }
}

With either of the above policies in place, the user can see audit log data only for their own sandboxed namespace, not for the root namespace or for any other namespace.
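As an added illustration (not part of the original documentation and not Apcera's policy engine), the following Python models how the policies above scope what a user may read; the prefix-matching semantics, the templated-group expansion and the sample user attributes are assumptions:

```python
"""Constructed model of how the audit::/ policies above scope what a user can read.

Assumption (a simplified model, not Apcera's policy engine): a block on
audit::/<ns> applies to audit events in <ns> and every namespace below it, and a
user may read an event only if at least one applicable block permits read.
"""
from typing import Callable, Optional

# A policy resolves, for a given user, the namespace it covers (None = not
# applicable to this user) and the set of permissions it grants there.
Policy = tuple[Callable[[dict], Optional[str]], frozenset]


def covers(policy_ns: str, event_ns: str) -> bool:
    """audit::/a covers /a and /a/..., but not /ab; audit::/ covers everything."""
    if policy_ns == "/":
        return True
    return event_ns == policy_ns or event_ns.startswith(policy_ns.rstrip("/") + "/")


def can_read_audit(policies: list, user: dict, event_ns: str) -> bool:
    """True if some policy applicable to this user permits read on event_ns."""
    for resolve_ns, permits in policies:
        ns = resolve_ns(user)
        if ns is not None and covers(ns, event_ns) and "read" in permits:
            return True
    return False


# Constructed policies mirroring the page (user names and groups are sample values):
POLICIES: list = [
    # audit::/sandbox/user { if (auth_server@apcera.me->name == "user") { permit read } }
    (lambda u: "/sandbox/user" if u.get("name") == "user" else None, frozenset({"read"})),
    # audit::/sandbox/[group] { if (LDAP->group == [group]) { permit read } }
    (lambda u: f"/sandbox/{u['ldap_group']}" if "ldap_group" in u else None, frozenset({"read"})),
    # on audit::/ { if (role == auditor) { permit read } }
    (lambda u: "/" if "auditor" in u.get("roles", ()) else None, frozenset({"read"})),
]

if __name__ == "__main__":
    sandboxed = {"name": "user"}
    for ns in ("/", "/sandbox/user", "/sandbox/user/app", "/sandbox/other", "/sandbox/userx"):
        print(f"{ns:20} -> {can_read_audit(POLICIES, sandboxed, ns)}")
```

Running it shows why the sandboxed user sees an empty Audit Log tab at the root namespace: only /sandbox/user and namespaces below it resolve to a permitted read.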

Note that with this configuration, when the user first clicks on the Audit Log tab in the web console, a message will state that there is no data to display. To view the audit log data for that user:

1) In the console, click Jobs from the navigation pane.

2) Expand the drop-down list, and select the namespace for which you are permitted to read the audit log (e.g. /sandbox/user).


3) Click Audit to see the audit log specific to the namespace.