Audit logs

Audit logs are a record of all actions taken in Oblique. They’re enabled by default and can’t be disabled. Audit logs are stored for 13 months.

Caution

Audit logs are only a record of actions performed in Oblique. Automated changes, such as expirations or attribute-based group membership changes, don’t appear in these logs. These do appear in the access change timeline.

Actions taken in or through an integration

When an action is taken outside Oblique through an integration, the audit event records the integration it was taken in, and if applicable, the user that took the action:

• Changes made in another system are synced to Oblique with the integration as the author. For example, a change to an Okta integration such as importing a new user or updating user attribute lists the Okta integration as the author.
• Changes made to Oblique through an integration are synced to Oblique with the user as the author and the integration as the client. For example, when a reviewer approves or closes a request from Slack, they are listed as the author, and the Slack integration as the client.

Events

Target	Action	Description
User	CREATE	A user was imported.
Team	CREATE	A team group was created.
Team	DELETE	A team group was deleted.
TeamProfile	UPDATE	The team group’s description was updated.
TeamMember	CREATE	A user was added to the team group.
TeamMember	DELETE	A user was removed from the team group.
TeamOwner	CREATE	A user or group was added as an owner of the team group.
TeamOwner	DELETE	An owner was removed from the team group.
Group	CREATE	An attribute-based group or reporting group was created.
Group	DELETE	An attribute-based group or reporting group was deleted.
GroupOwner	CREATE	A user or group was added as an owner of an attribute-based group or reporting group.
GroupOwner	DELETE	An owner was removed from an attribute-based group or reporting group.
Resource	CREATE	A resource was imported or created.
Resource	UPDATE	The resource’s management mode was changed.
Entitlement	CREATE	An entitlement was added, including by assigning a role.
Entitlement	UPDATE	An entitlement was edited, including by editing a role assignment.
Entitlement	DELETE	An entitlement was revoked, including by revoking a role.
Listing	CREATE	A listing was created.
Listing	UPDATE	A listing’s name, description, or visibility was edited.
Listing	DELETE	A listing was deleted.
ListingRole	CREATE	A role was added to a listing.
ListingRole	UPDATE	A listing’s name, description or role mapping was edited.
ListingRole	DELETE	A role was removed from a listing.
ListingOwner	CREATE	An owner was added to a listing.
ListingOwner	DELETE	An owner was removed from a listing.
ListingRolePolicy	CREATE	An auto-approval policy was created.
ListingRolePolicy	DELETE	An auto-approval policy was deleted.
Request	CREATE	A request was created.
Request	UPDATE	A request’s state, reviewers, or auto-apply settings changed.
RequestEvent	CREATE	A request’s state, reviewers, or auto-apply settings changed.
Integration	CREATE	An integration was added.
Integration	UPDATE	An integration’s settings were updated, including allowing resource creation or approvals from Slack.
ServiceAccount	CREATE	An API key was created.
ServiceAccount	DELETE	An API key was revoked.
Admin	CREATE	An admin was added.
Admin	DELETE	An admin was removed.
Owner	UPDATE	The organization owner was changed.

View logs

You must be an admin to view audit logs.

Navigate to the Logs page.

The system displays the most recent logs by default, including information about the actor, action, and target. Select Show diff to view more details, including a one-line summary of the action and a diff of the values for the affected target.

Filter logs

Select Filter to narrow the events shown. You can filter by:

• Time: today, yesterday, last 7 days, or last 30 days. By default, the last 30 days of logs are shown.
• Author: the user, service account, or integration that performed the action
• Action: Create, Update, Delete, or Unknown
• Targets: a specific user, group, team, listing, resource, integration, or service account affected by the event
• Target type: the type of object affected by the event, such as entitlement, request, integration, resource, service account, team member, or user attribute