Audit logs

Audit logs are a record of all actions taken in Oblique. They’re enabled by default and can’t be disabled. Audit logs are stored for 13 months.

Caution

Audit logs are only a record of actions performed in Oblique. Automated changes, such as expirations or attribute-based group membership changes, don’t appear in these logs. These do appear in the access change timeline.

Actions taken in an integration

When an action is taken outside Oblique through an integration, the audit event records the integration it was taken in as the author. For example, a change to an Okta integration such as importing a new user or updating user attribute lists the Okta integration as the author.

Actions taken through a client

When an action is taken in Oblique using a client, in addition to recording the user that took the action as the author, the audit log records the client that was used:

• When a reviewer approves or closes a request from Slack, the Slack integration is recorded as the client.
• When a user makes a change through the MCP server, the MCP server is recorded as the client.
• When an admin makes a change using Terraform, the Terraform provider is recorded as the client.

Events

Target	Action	Description
User	CREATE	A user was imported.
Team	CREATE	A team group was created.
Team	DELETE	A team group was deleted.
TeamProfile	UPDATE	The team group’s description was updated.
TeamMember	CREATE	A user was added to the team group.
TeamMember	DELETE	A user was removed from the team group.
TeamOwner	CREATE	A user or group was added as an owner of the team group.
TeamOwner	DELETE	An owner was removed from the team group.
Group	CREATE	An attribute-based group or reporting group was created.
Group	DELETE	An attribute-based group or reporting group was deleted.
GroupOwner	CREATE	A user or group was added as an owner of an attribute-based group or reporting group.
GroupOwner	DELETE	An owner was removed from an attribute-based group or reporting group.
Resource	CREATE	A resource was imported or created.
Resource	UPDATE	The resource’s management mode was changed.
Entitlement	CREATE	An entitlement was added, including by assigning a role.
Entitlement	UPDATE	An entitlement was edited, including by editing a role assignment.
Entitlement	DELETE	An entitlement was revoked, including by revoking a role.
Listing	CREATE	A listing was created.
Listing	UPDATE	A listing’s name, description, or visibility was edited.
Listing	DELETE	A listing was deleted.
ListingRole	CREATE	A role was added to a listing.
ListingRole	UPDATE	A listing’s name, description or role mapping was edited.
ListingRole	DELETE	A role was removed from a listing.
ListingOwner	CREATE	An owner was added to a listing.
ListingOwner	DELETE	An owner was removed from a listing.
ListingRolePolicy	CREATE	An auto-approval policy was created.
ListingRolePolicy	DELETE	An auto-approval policy was deleted.
Request	CREATE	A request was created.
Request	UPDATE	A request’s state, reviewers, or auto-apply settings changed.
RequestEvent	CREATE	A request’s state, reviewers, or auto-apply settings changed.
Integration	CREATE	An integration was added.
Integration	UPDATE	An integration’s settings were updated, including allowing resource creation or approvals from Slack.
ServiceAccount	CREATE	An API key was created.
ServiceAccount	DELETE	An API key was revoked.
Admin	CREATE	An admin was added.
Admin	DELETE	An admin was removed.
Owner	UPDATE	The organization owner was changed.

Note

Connecting or disconnecting an MCP client to Oblique’s MCP server isn’t recorded in Oblique audit logs. Because authentication uses OAuth 2.0 through your identity provider, those events should be avialable in your identity provider’s logs.

View logs

You must be an admin to view audit logs.

Navigate to the Logs page.

The system displays the most recent logs by default, including information about the actor, action, and target. Select Show diff to view more details, including a one-line summary of the action and a diff of the values for the affected target.

View authentication logs

Oblique’s audit logs are a record of all actions taken in Oblique or synced to Oblique, including authorization changes. Oblique does not track when a user authenticates, fails to authenticate, or otherwise uses their access.

For Okta resources, you can see authentication events in Okta’s admin system log. From an Okta resource’s detail page, select More in the header, then View logs in Okta. Okta opens with the system log filtered to that resource.

Filter logs

Select Filter to narrow the events shown. You can filter by:

• Time: today, yesterday, last 7 days, or last 30 days. By default, the last 30 days of logs are shown.
• Author: the user, service account, or integration that performed the action
• Client: where the action was performed from, such as the web app, an MCP client, or an integration
• Action: Create, Update, or Delete
• Targets: a specific user, group, team, listing, resource, integration, or service account affected by the event
• Target type: the type of object affected by the event, such as entitlement, request, integration, resource, service account, team member, or user attribute