# help
h
Hey Cerbos 👋 If I'm reading your docs correctly, your audit feature could give us a history of decisions made by the Cerbos engine. In simple terms, if we use Cerbos to restrict the action 'Edit Customer' to just 'Customer Service Agents', can we retrieve a list of instances that a specific CSA edited a customer?
o
Hi @Harry Pike, the information you've described is available in the Cerbos audit logs, and it's possible to retrieve and filter this information from your application to fit your specific needs, specifically by using the `Admin API`: https://docs.cerbos.dev/cerbos/latest/api/admin_api.html#_audit_logs
h
Thank you for the response. It's not listed, but can you filter by principal?
o
I'm afraid not. If you want additional querying capabilities for audit logs, we recommend using the file backend and ingesting the logs into a log indexer.
h
Alright, thanks. Does the original request get saved? E.g. could we see the values that the CSA edited?
o
Yes, you could. Principal, Resource and Actions are all saved as a part of an audit log entry (decision log). (It looks like this in `cerbosctl decisions` (ref), which uses the Admin API behind the scenes.)
Here is an example response for `GET /admin/auditlog/list/_KIND_DECISION_`:
```json
{
  "callId": "01GQPJQJ66STBED5B35VJ8X4RA",
  "timestamp": "2023-01-26T08:22:27.803937Z",
  "peer": {
    "address": "127.0.0.1:61619",
    "userAgent": "...",
    "forwardedFor": "127.0.0.1"
  },
  "checkResources": {
    "inputs": [
      {
        "requestId": "1",
        "resource": {
          "kind": "student-management",
          "policyVersion": "default",
          "id": "XX125"
        },
        "principal": {
          "id": "john",
          "policyVersion": "default",
          "roles": [
            "user"
          ]
        },
        "actions": [
          "read",
          "delete"
        ]
      }
    ],
    "outputs": [
      {
        "requestId": "1",
        "resourceId": "XX125",
        "actions": {
          "delete": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          },
          "read": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          }
        }
      }
    ]
  }
}
```
h
Okay, brilliant. Forgive my simple-minded approach, but it seems that if the principal changed a customer's name, we could see the new name within the inputs > resource section. Is that right? We'd see the information that they updated?
o
Correct, you would.