Currently OpenFGA logs every API call. These logs can be used to track permission changes (calls to the Write endpoint) and permission checks (calls to the Check/ListObjects/ListUsers endpoints).
OpenFGA knows the identity of the application making API calls (using a shared key or client credentials), but it does not know which user initiated the action.
We'll be adding a parameter to the /write endpoint to capture the user who initiated the action and adding it to a log. This will allow you to identify who initiated an authorization change.
We’d like your feedback on whether this would be useful for your audit processes, or if you would prefer to keep an audit log on your application's side.
We are also exploring different ways to keep the log:
- OpenFGA currently has a changelog with all Write/Delete operations. We can add the user identifier to each changelog entry, and you would use the /changes API to retrieve the audit log. In this scenario we would not log additional fields like the user IP address.
- OpenFGA currently emits logs for each API call. We can add the user identifier to those logs, and additional fields if needed like IP address. Write calls that have multiple tuples will be logged once.
- We can create a specific audit log for the Write operations. We can add additional fields if needed. We can use the User Access Management class from the OCSF schema to log write/delete operations. If a single Write call includes multiple tuples, we’ll log an entry for each one.
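For readers weighing the second and third options (or an application-side log), here is an added example, not OpenFGA project code, that builds both record shapes from one Write request body: a single record per call, and one OCSF-style User Access Management record per tuple. The request body follows the OpenFGA Write API (`writes`/`deletes` each holding `tuple_keys`). The field names `initiated_by`, `client_id` and `source_ip` are assumptions for illustration, and so are the OCSF class/activity identifiers and field choices (check them against the OCSF version you target). The sample request is constructed.

```python
"""Audit record shapes for OpenFGA Write calls (added example, not OpenFGA code).

Builds (a) one record per Write call and (b) one OCSF-style User Access
Management record per tuple, from the same request body. Field names
initiated_by / client_id / source_ip are illustrative assumptions.
"""
from datetime import datetime, timezone

# OCSF "User Access Management" class and its activity ids, as I read the
# schema (assumption: verify against the OCSF version you log to).
OCSF_CLASS_UID_USER_ACCESS = 3005
OCSF_ACTIVITY_ASSIGN = 1  # "Assign Privileges": a tuple was written
OCSF_ACTIVITY_REVOKE = 2  # "Revoke Privileges": a tuple was deleted

# Constructed sample Write request: two grants and one revocation.
SAMPLE_WRITE_REQUEST = {
    "authorization_model_id": "01HXXXXXXXXXXXXXXXXXXXXXXX",  # placeholder id
    "writes": {"tuple_keys": [
        {"user": "user:anne", "relation": "viewer", "object": "document:2021-budget"},
        {"user": "user:anne", "relation": "editor", "object": "document:2021-budget"},
    ]},
    "deletes": {"tuple_keys": [
        {"user": "user:bob", "relation": "viewer", "object": "document:2021-budget"},
    ]},
}


def _tuple_keys(body, section):
    """Return the tuple_keys list under body['writes'] or body['deletes']."""
    return (body.get(section) or {}).get("tuple_keys") or []


def _require_initiator(initiated_by):
    # The API client identity (shared key / client credentials) only says
    # which application called Write; without the initiating user the
    # change cannot be attributed to a person, so refuse to log it silently.
    if not initiated_by:
        raise ValueError("initiated_by is required for an attributable audit record")


def per_call_record(body, client_id, initiated_by, source_ip=None, now=None):
    """One audit record per Write call (the 'log each API call' shape)."""
    _require_initiator(initiated_by)
    ts = now or datetime.now(timezone.utc)
    return {
        "time": ts.isoformat(),
        "endpoint": "write",
        "client_id": client_id,          # application identity known to OpenFGA
        "initiated_by": initiated_by,    # user passed in by the application
        "source_ip": source_ip,
        "authorization_model_id": body.get("authorization_model_id"),
        "writes": len(_tuple_keys(body, "writes")),
        "deletes": len(_tuple_keys(body, "deletes")),
    }


def per_tuple_ocsf_records(body, client_id, initiated_by, source_ip=None, now=None):
    """One OCSF-shaped User Access Management event per tuple written or deleted."""
    _require_initiator(initiated_by)
    ts = now or datetime.now(timezone.utc)
    events = []
    for section, activity in (("writes", OCSF_ACTIVITY_ASSIGN),
                              ("deletes", OCSF_ACTIVITY_REVOKE)):
        for tk in _tuple_keys(body, section):
            events.append({
                "class_uid": OCSF_CLASS_UID_USER_ACCESS,
                "activity_id": activity,
                "time": int(ts.timestamp() * 1000),      # OCSF uses epoch millis
                "actor": {"user": {"name": initiated_by}, "app_name": client_id},
                "src_endpoint": {"ip": source_ip},
                "user": {"name": tk["user"]},             # subject whose access changed
                "privileges": [f'{tk["relation"]} on {tk["object"]}'],
                "metadata": {"product": {"name": "OpenFGA"},
                             "authorization_model_id": body.get("authorization_model_id")},
            })
    return events


if __name__ == "__main__":
    import json
    print(json.dumps(per_call_record(SAMPLE_WRITE_REQUEST, "billing-service",
                                     "alice@example.com", "203.0.113.7"), indent=2))
    for ev in per_tuple_ocsf_records(SAMPLE_WRITE_REQUEST, "billing-service",
                                     "alice@example.com", "203.0.113.7"):
        print(json.dumps(ev))
```

The per-call shape is cheaper and keeps the IP once, but a SIEM query for "who granted `editor` on `document:2021-budget`" has to unpack the tuple list; the per-tuple OCSF shape answers that query directly at the cost of one event per tuple in a large batch.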