
Audit Logs #68

Description

@aaguiarz

Currently OpenFGA logs every API call. These logs can be used to track permission changes (calls to the Write endpoint) and permission checks (calls to the Check/ListObjects/ListUsers endpoints).

OpenFGA knows the identity of the application making API calls (using a shared key or client credentials), but it does not know which user initiated the action.

We'll be adding a parameter to the /write endpoint to capture the user who initiated the action and adding it to a log. This will allow you to identify who initiated an authorization change.

We’d like your feedback on whether this would be useful for your audit processes, or if you would prefer to keep an audit log on your application's side.

We are also exploring different ways to keep the log:

  • OpenFGA currently has a changelog with all Write/Delete operations. We can add the user identifier to each changelog entry, and you would use the /changes API to retrieve the audit log. In this scenario we would not log additional fields like the user IP address.

  • OpenFGA currently emits logs for each API call. We can add the user identifier to those logs, and additional fields if needed like IP address. Write calls that have multiple tuples will be logged once.

  • We can create a specific audit log for the Write operations. We can add additional fields if needed. We can use the User Access Management class from the OCSF schema to log write/delete operations. If a single Write call includes multiple tuples, we’ll log an entry for each one.
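The application-side alternative the issue mentions, as an added example (not OpenFGA's code and not part of @aaguiarz's post): the application records the authenticated end user, the client credential and the source IP for every tuple in a Write call, emits one OCSF-style User Access Management event per tuple (writes as assign, deletes as revoke, including failed calls), and later reconciles the store's /changes feed against those events to find tuples that were changed without going through the audited path. The Write body shape, the /changes entry shape, and the OCSF numeric ids (class_uid 3005, activity 1/2, status 1/2) are stated as assumptions to check against the versions you run; the function names, the store id, the tuples and the identities are constructed for the example.

```python
"""Application-side audit log for OpenFGA Write calls (added example, not
OpenFGA's own code). Assumptions, to be checked against your versions:
  * Write body: {"writes": {"tuple_keys": [...]}, "deletes": {"tuple_keys": [...]}}
  * /changes entry: {"tuple_key": {...}, "operation": "TUPLE_OPERATION_WRITE"
    or "TUPLE_OPERATION_DELETE", ...}
  * OCSF User Access Management class_uid 3005, activity_id 1 = Assign
    Privileges / 2 = Revoke Privileges, status_id 1 = Success / 2 = Failure.
All tuples, identities, IPs and the store id below are constructed sample data.
"""
from __future__ import annotations

from datetime import datetime, timezone
from typing import Any, Callable

OCSF_USER_ACCESS_MANAGEMENT = 3005
ASSIGN_PRIVILEGES, REVOKE_PRIVILEGES = 1, 2
STATUS_SUCCESS, STATUS_FAILURE = 1, 2

# Write-body section -> (changelog operation name, OCSF activity)
OPERATION_BY_SECTION = {
    "writes": ("TUPLE_OPERATION_WRITE", ASSIGN_PRIVILEGES),
    "deletes": ("TUPLE_OPERATION_DELETE", REVOKE_PRIVILEGES),
}


def audit_events(store_id: str, body: dict[str, Any], initiator: str,
                 client_id: str, source_ip: str, status_id: int,
                 now: datetime | None = None) -> list[dict[str, Any]]:
    """One OCSF-style event per tuple in a Write request.

    OpenFGA itself only sees `client_id` (the application's credential);
    `initiator` is the end user the application authenticated, which is the
    field the issue proposes adding and which the application supplies today.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    events: list[dict[str, Any]] = []
    for section, (operation, activity) in OPERATION_BY_SECTION.items():
        for tk in body.get(section, {}).get("tuple_keys", []):
            events.append({
                "class_uid": OCSF_USER_ACCESS_MANAGEMENT,
                "activity_id": activity,
                "status_id": status_id,
                "time": ts,
                "actor": {"user": {"name": initiator}, "app_name": client_id},
                "src_endpoint": {"ip": source_ip},
                # Grantee, relation and object, in OpenFGA's own terms.
                "user": {"name": tk["user"]},
                "privileges": [tk["relation"]],
                "resource": {"name": tk["object"], "uid": store_id},
                "unmapped": {"openfga_operation": operation},
            })
    return events


def audited_write(send: Callable[[dict[str, Any]], None], store_id: str,
                  body: dict[str, Any], initiator: str, client_id: str,
                  source_ip: str, sink: list[dict[str, Any]]) -> bool:
    """Perform the Write through `send` and record the outcome per tuple.

    `send` is whatever issues POST /stores/{store_id}/write (SDK or HTTP
    client); it is injected so the example runs offline. Rejected calls are
    logged with status Failure rather than silently dropped.
    """
    try:
        send(body)
        status = STATUS_SUCCESS
    except Exception:
        status = STATUS_FAILURE
    sink.extend(audit_events(store_id, body, initiator, client_id, source_ip, status))
    return status == STATUS_SUCCESS


def unattributed_changes(changes: list[dict[str, Any]],
                         events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Changelog entries with no successful application-side event.

    Anything returned reached the store without passing through the audited
    path (e.g. a direct call with the shared API key), so its initiator is
    unknown; that is the gap the changelog alone cannot close.
    """
    seen = {(e["user"]["name"], e["privileges"][0], e["resource"]["name"],
             e["unmapped"]["openfga_operation"])
            for e in events if e["status_id"] == STATUS_SUCCESS}
    return [c for c in changes
            if (c["tuple_key"]["user"], c["tuple_key"]["relation"],
                c["tuple_key"]["object"], c["operation"]) not in seen]


# Constructed request: grant two relations, revoke one.
SAMPLE_BODY = {
    "writes": {"tuple_keys": [
        {"user": "user:anne", "relation": "editor", "object": "document:roadmap"},
        {"user": "user:bob", "relation": "viewer", "object": "document:roadmap"},
    ]},
    "deletes": {"tuple_keys": [
        {"user": "user:carol", "relation": "editor", "object": "document:roadmap"},
    ]},
}


def demo() -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
    sink: list[dict[str, Any]] = []
    audited_write(lambda body: None, "01HSTORE", SAMPLE_BODY, initiator="user:admin",
                  client_id="app-backend", source_ip="203.0.113.7", sink=sink)
    # Constructed /changes page: the three tuples above plus one out-of-band write.
    changes = [{"tuple_key": tk, "operation": "TUPLE_OPERATION_WRITE"}
               for tk in SAMPLE_BODY["writes"]["tuple_keys"]]
    changes.append({"tuple_key": SAMPLE_BODY["deletes"]["tuple_keys"][0],
                    "operation": "TUPLE_OPERATION_DELETE"})
    changes.append({"tuple_key": {"user": "user:mallory", "relation": "owner",
                                  "object": "document:roadmap"},
                    "operation": "TUPLE_OPERATION_WRITE"})
    return sink, unattributed_changes(changes, sink)


if __name__ == "__main__":
    import json
    events, orphans = demo()
    print(json.dumps(events, indent=2))
    print("changes without a known initiator:", json.dumps(orphans, indent=2))
```

Logging one event per tuple, as the third option in the issue proposes, is what makes the reconciliation possible: a single entry per Write call could not be matched against the per-tuple changelog. Whichever side keeps the log, the changelog should still be compared against it periodically, because the shared key or client credentials can write tuples without any end-user context.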

Metadata

Status: Backlog. No assignees, labels, milestone, or linked branches or pull requests.