# help

Harry Pike

10/19/2023, 10:12 AM
Hey Cerbos 👋 If I'm reading your docs correctly, your audit feature could give us a history of decisions made by the Cerbos engine. In simple terms, if we use Cerbos to restrict the action 'Edit Customer' to just 'Customer Service Agents', can we retrieve a list of instances that a specific CSA edited a customer?

oguzhan

10/19/2023, 10:34 AM
Hi @Harry Pike, The information you’ve described is available in the Cerbos audit logs, and it’s possible to retrieve and filter this information from your application to fit your specific needs. Specifically by using `Admin API`: https://docs.cerbos.dev/cerbos/latest/api/admin_api.html#_audit_logs

Harry Pike

10/19/2023, 10:36 AM
Thank you for the response. It's not listed, but can you filter by principal?

oguzhan

10/19/2023, 10:40 AM
I’m afraid not. If you want additional querying capabilities for audit logs, we recommend using the `file` backend and ingesting the logs into a log indexer.

Harry Pike

10/19/2023, 10:43 AM
Alright, thanks. Does the original request get saved? E.g. could we see the values that the CSA edited?

oguzhan

10/19/2023, 10:50 AM
Yes, you could. Principal, Resource and Actions are all saved as a part of an audit log `decision log` entry. (It looks like this in the `cerbosctl decisions` (ref), which uses the `Admin API` behind the scenes.)
Here is an example response for the `GET /admin/auditlog/list/_KIND_DECISION_`:

```json
{
  "callId": "01GQPJQJ66STBED5B35VJ8X4RA",
  "timestamp": "2023-01-26T08:22:27.803937Z",
  "peer": {
    "address": "127.0.0.1:61619",
    "userAgent": "...",
    "forwardedFor": "127.0.0.1"
  },
  "checkResources": {
    "inputs": [
      {
        "requestId": "1",
        "resource": {
          "kind": "student-management",
          "policyVersion": "default",
          "id": "XX125"
        },
        "principal": {
          "id": "john",
          "policyVersion": "default",
          "roles": [
            "user"
          ]
        },
        "actions": [
          "read",
          "delete"
        ]
      }
    ],
    "outputs": [
      {
        "requestId": "1",
        "resourceId": "XX125",
        "actions": {
          "delete": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          },
          "read": {
            "effect": "EFFECT_DENY",
            "policy": "NO_MATCH"
          }
        }
      }
    ]
  }
}
```

Harry Pike

10/19/2023, 10:57 AM
Okay, brilliant. Forgive my simple-minded approach, but it seems that if the principal changed a customer's name, we could see the new name within the inputs > resource section. Is that right? We'd see the information that they updated?

oguzhan

10/19/2023, 11:02 AM
Correct, you would.