AccessAuditLog

Comprehensive audit trail of all access control decisions and security events in the system, providing forensic evidence for security investigations, compliance reporting, and behavioral analysis. This entity records every authorization attempt, successful or failed, with its full context: who tried to access what, when, from where, why it was allowed or denied, and which policies were evaluated. Unlike a general activity log, it is limited to access control events: permission checks, authentication, role changes, policy evaluations and violations, and privilege escalations.

Each entry carries the decision path (evaluatedPolicies, evaluatedRoles, evaluatedPermissions, decisionPath) showing which rules, roles, and permissions were checked, so it is possible to reconstruct exactly why access was granted or denied. That makes the log the primary source for debugging permission problems ('Why can't user X access resource Y?'), investigating breaches ('Who accessed sensitive data last month?'), and proving compliance ('Show all access to patient records'). Entries also carry risk indicators (riskScore, riskFactors) such as unusual access patterns, privilege escalation, or access from a new location; these drive real-time alerting on high-risk events (alertsTriggered) and provide training data for models that detect anomalous behavior.

Two practical caveats. Most structured fields (userContext, resourceContext, evaluatedPolicies, riskFactors, alertsTriggered, complianceFlags) are stored as JSON-encoded strings rather than nested objects, so consumers must parse them before querying and producers must serialize them consistently. And the entity itself has no integrity field (no hash chain or signature), so the immutability that gives the log its evidentiary weight has to be enforced by the storage layer, for example an append-only store to which the application can write but not update or delete. Retention policies (retentionDate) keep entries as long as regulations require while controlling storage cost.

30 properties
Schema

Properties

Property | Type | Mode | Required

Fields described as JSON below are stored as JSON-encoded strings, not nested objects; metadata is the only structured field stored as a native object.

auditId | uuid | stored | Required
    Unique identifier for this audit entry.

timestamp | DateTime | stored | Required
    Exact time of the access attempt (the examples use ISO 8601 with a UTC 'Z' suffix).

eventType | string | enum | Required
    Category of access event.
    Values: permission_check, authentication, authorization, role_change, policy_evaluation, privilege_escalation, access_denied, access_granted, suspicious_activity

userId | uuid | stored | Required
    User who attempted access.

userContext | string | stored | Optional
    JSON context about the user at the time of access (roles, groups, MFA state, clearance).
    Example: "{\"roles\":[\"engineer\"],\"groups\":[\"backend_team\"],\"clearance_level\":2}"

resourceType | string | stored | Optional
    Type of resource accessed.
    Example: "database"

resourceId | string | stored | Optional
    Identifier of the specific resource.
    Example: "db_customers_prod"

resourceContext | string | stored | Optional
    JSON context about the resource (classification, owner, encryption).
    Example: "{\"classification\":\"sensitive\",\"owner\":\"finance_dept\",\"encryption\":\"AES256\"}"

action | string | stored | Required
    Action attempted on the resource.
    Example: "write"

decision | string | enum | Required
    Access control decision.
    Values: allow, deny, partial, conditional, error

decisionReason | string | stored | Optional
    Human-readable explanation of why the decision was made.
    Example: "Denied: User lacks required permission 'database.write'"

evaluatedPolicies | string | stored | Optional
    JSON array of the policies that were checked, each with its result (and, in the examples, a reason on failure).
    Example: "[{\"policy\":\"data_classification\",\"result\":\"pass\"},{\"policy\":\"time_restriction\",\"result\":\"fail\"}]"

evaluatedRoles | string | stored | Optional
    JSON array of roles that were evaluated.
    Example: "[\"engineer\",\"employee\"]"

evaluatedPermissions | string | stored | Optional
    JSON array of permissions that were checked.
    Example: "[\"database.read\",\"database.write\"]"

decisionPath | string | stored | Optional
    Complete evaluation path showing how the decision was reached (free text in the examples).

riskScore | integer | stored | Optional
    Calculated risk level of this access, from 0 (lowest) to 100 (highest).

riskFactors | string | stored | Optional
    JSON array of detected risk indicators.
    Example: "[\"after_hours\",\"new_location\",\"sensitive_data\"]"

ipAddress | string | stored | Optional
    Source IP address of the access attempt.

userAgent | string | stored | Optional
    Browser or application that made the request.

location | string | stored | Optional
    Geographic location of the access (a free-text string in the examples).

deviceId | string | stored | Optional
    Device identifier, if known.

sessionId | string | stored | Optional
    Session during which the access occurred.

requestId | string | stored | Optional
    Unique request identifier, for correlating this entry with application logs.

responseTime | integer | stored | Optional
    Milliseconds taken to reach the decision.

dataAccessed | string | stored | Optional
    Description of the data that was accessed.

dataVolume | integer | stored | Optional
    Amount of data accessed, in bytes.

alertsTriggered | string | stored | Optional
    JSON array of alerts generated by this event (type, severity and message in the examples).

complianceFlags | string | stored | Optional
    JSON object of compliance-related markers.
    Example: "{\"gdpr\":true,\"hipaa\":false,\"pci\":true}"

retentionDate | DateTime | stored | Optional
    Earliest time this entry may be deleted under its retention policy.

metadata | object | stored | Optional
    Additional audit context; stored as a native object rather than a JSON string.
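A validator that encodes the property table, written for this page as an added example; it is not code from the page or from any library the page describes. It assumes records are Python dicts decoded from the JSON form shown under Examples. Besides required fields, enums, the 0-100 riskScore range and the JSON-string fields, it adds two cross-field checks the schema implies but does not state (retentionDate must not precede timestamp; access_denied cannot carry decision allow, nor access_granted deny). The record at the bottom is constructed here for the test and is not a real event.

```python
"""Validator for AccessAuditLog records (added example, not page code)."""
import json
import uuid
from datetime import datetime

REQUIRED = ("auditId", "timestamp", "eventType", "userId", "action", "decision")
EVENT_TYPES = {
    "permission_check", "authentication", "authorization", "role_change",
    "policy_evaluation", "privilege_escalation", "access_denied",
    "access_granted", "suspicious_activity",
}
DECISIONS = {"allow", "deny", "partial", "conditional", "error"}
# Fields stored as JSON text inside a string, mapped to the container their
# example on the page decodes to.
JSON_STRING_FIELDS = {
    "userContext": dict, "resourceContext": dict, "evaluatedPolicies": list,
    "evaluatedRoles": list, "evaluatedPermissions": list, "riskFactors": list,
    "alertsTriggered": list, "complianceFlags": dict,
}


def _parse_ts(value):
    # Python < 3.11 does not accept a trailing 'Z' in fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def validate(record):
    """Return (errors, warnings); a record is accepted only when errors is empty."""
    errors, warnings = [], []
    for name in REQUIRED:
        if record.get(name) in (None, ""):
            errors.append(f"missing required field {name}")
    stamps = {}
    for name in ("timestamp", "retentionDate"):
        if name in record:
            try:
                stamps[name] = _parse_ts(record[name])
            except (AttributeError, ValueError):
                errors.append(f"{name} is not an ISO 8601 timestamp")
    if len(stamps) == 2 and stamps["retentionDate"] < stamps["timestamp"]:
        errors.append("retentionDate precedes timestamp")
    if "eventType" in record and record["eventType"] not in EVENT_TYPES:
        errors.append(f"unknown eventType {record['eventType']!r}")
    if "decision" in record and record["decision"] not in DECISIONS:
        errors.append(f"unknown decision {record['decision']!r}")
    score = record.get("riskScore")
    if score is not None and not (isinstance(score, int) and 0 <= score <= 100):
        errors.append("riskScore must be an integer in 0-100")
    for name in ("responseTime", "dataVolume"):
        value = record.get(name)
        if value is not None and not (isinstance(value, int) and value >= 0):
            errors.append(f"{name} must be a non-negative integer")
    for name, container in JSON_STRING_FIELDS.items():
        raw = record.get(name)
        if raw is None:
            continue
        if not isinstance(raw, str):
            errors.append(f"{name} must be a JSON-encoded string")
            continue
        try:
            decoded = json.loads(raw)
        except ValueError:
            errors.append(f"{name} is not valid JSON")
            continue
        if not isinstance(decoded, container):
            errors.append(f"{name} must decode to a JSON {container.__name__}")
    if record.get("metadata") is not None and not isinstance(record["metadata"], dict):
        errors.append("metadata must be an object")
    # The page's own examples use prefixed ids such as "audit_abc123" for the
    # uuid-typed fields, so a non-UUID form is reported as a warning, not an error.
    for name in ("auditId", "userId"):
        if isinstance(record.get(name), str) and not _is_uuid(record[name]):
            warnings.append(f"{name} is declared uuid but is not in RFC 4122 form")
    et, decision = record.get("eventType"), record.get("decision")
    if (et == "access_denied" and decision == "allow") or \
       (et == "access_granted" and decision == "deny"):
        errors.append(f"eventType {et} contradicts decision {decision}")
    return errors, warnings


# Constructed record (not a real event) in the shape of the page's examples.
SAMPLE_OK = {
    "@type": "AccessAuditLog",
    "auditId": "audit_sample_001",
    "timestamp": "2024-03-15T14:30:45.123Z",
    "eventType": "access_granted",
    "userId": "user_sample",
    "userContext": "{\"roles\":[\"engineer\"],\"mfa_verified\":true}",
    "resourceType": "database",
    "resourceId": "db_customers_prod",
    "action": "read",
    "decision": "allow",
    "evaluatedPolicies": "[{\"policy\":\"mfa_required\",\"result\":\"pass\"}]",
    "riskScore": 12,
    "riskFactors": "[]",
    "retentionDate": "2031-03-15T14:30:45.123Z",
    "metadata": {"anomaly_detected": False},
}
```

Run validate() on every record at ingest time and reject on errors; the warnings list is where to surface the uuid-format mismatch until producers are changed to emit real UUIDs.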

Examples

Example 1

{
  "@type": "AccessAuditLog",
  "auditId": "audit_abc123",
  "timestamp": "2024-03-15T14:30:45.123Z",
  "eventType": "access_denied",
  "userId": "user_john_doe",
  "userContext": "{\"roles\":[\"developer\"],\"groups\":[\"engineering\"],\"mfa_verified\":false}",
  "resourceType": "database",
  "resourceId": "db_financial_prod",
  "resourceContext": "{\"classification\":\"highly_sensitive\",\"contains_pii\":true}",
  "action": "delete",
  "decision": "deny",
  "decisionReason": "Multiple policy violations: Missing required MFA, insufficient permissions for delete operation on financial data",
  "evaluatedPolicies": "[{\"policy\":\"mfa_required_sensitive\",\"result\":\"fail\",\"reason\":\"MFA not verified\"},{\"policy\":\"financial_data_protection\",\"result\":\"fail\",\"reason\":\"Role lacks financial permissions\"}]",
  "evaluatedRoles": "[\"developer\",\"employee\"]",
  "evaluatedPermissions": "[\"database.read\",\"database.write\"]",
  "decisionPath": "Check MFA -> FAIL -> Deny; Check Permissions -> Missing 'financial.delete' -> Deny",
  "riskScore": 85,
  "riskFactors": "[\"sensitive_data_access\",\"destructive_operation\",\"missing_mfa\",\"permission_elevation_attempt\"]",
  "ipAddress": "203.0.113.42",
  "userAgent": "Mozilla/5.0 (X11; Linux x86_64)",
  "location": "Mumbai, India",
  "sessionId": "sess_xyz789",
  "requestId": "req_2024031514304512",
  "responseTime": 47,
  "alertsTriggered": "[{\"type\":\"security_team\",\"severity\":\"high\",\"message\":\"Unauthorized financial data access attempt\"}]",
  "complianceFlags": "{\"sox\":true,\"pci\":true}",
  "retentionDate": "2031-03-15T14:30:45.123Z",
  "metadata": {
    "threat_score": 8,
    "anomaly_detected": true
  }
}

Example 2

{
  "@type": "AccessAuditLog",
  "auditId": "audit_def456",
  "timestamp": "2024-03-15T09:15:00.000Z",
  "eventType": "access_granted",
  "userId": "user_admin",
  "userContext": "{\"roles\":[\"admin\",\"security_officer\"],\"groups\":[\"security_team\"],\"mfa_verified\":true}",
  "resourceType": "audit_logs",
  "resourceId": "security_audit_export",
  "resourceContext": "{\"classification\":\"internal\",\"purpose\":\"compliance_report\"}",
  "action": "export",
  "decision": "allow",
  "decisionReason": "All policies satisfied: Valid admin role, MFA verified, within allowed time window",
  "evaluatedPolicies": "[{\"policy\":\"admin_access\",\"result\":\"pass\"},{\"policy\":\"mfa_required\",\"result\":\"pass\"},{\"policy\":\"business_hours\",\"result\":\"pass\"}]",
  "evaluatedRoles": "[\"admin\",\"security_officer\"]",
  "evaluatedPermissions": "[\"audit.read\",\"audit.export\",\"compliance.report\"]",
  "riskScore": 15,
  "riskFactors": "[\"bulk_export\",\"audit_data\"]",
  "ipAddress": "10.0.0.50",
  "userAgent": "SecurityAuditTool/2.1",
  "location": "Corporate Office, New York",
  "deviceId": "device_corp_laptop_001",
  "sessionId": "sess_admin_abc",
  "responseTime": 23,
  "dataVolume": 52428800,
  "complianceFlags": "{\"sox\":true,\"quarterly_audit\":true}",
  "retentionDate": "2031-03-15T09:15:00.000Z",
  "metadata": {
    "export_format": "csv",
    "report_period": "Q1-2024"
  }
}
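The entity description poses three questions this log exists to answer: why a request was denied, who accessed sensitive data in a given period, and which events warrant an alert. The following is an added example, not code from the page, that answers them over records in the shape of Example 1 and Example 2. The records, the month-window helper and the alerting rule (riskScore of 70 or more, or any escalation-type event or MFA-related risk factor regardless of score) are assumptions made here for illustration; the classification values treated as sensitive are taken from the page's examples plus "restricted".

```python
"""Queries over AccessAuditLog records (added example, not page code)."""
import json
from datetime import datetime, timezone

SENSITIVE = {"sensitive", "highly_sensitive", "restricted"}  # assumed labels


def jfield(record, name, default):
    """Decode one of the JSON-encoded string fields; absent or malformed -> default."""
    raw = record.get(name)
    if raw is None:
        return default
    try:
        return json.loads(raw)
    except ValueError:
        return default


def ts(record):
    """timestamp as an aware datetime (Python < 3.11 rejects a trailing 'Z')."""
    return datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))


def month_window(year, month):
    """[start, end) of one calendar month in UTC, for 'last month' questions."""
    start = datetime(year, month, 1, tzinfo=timezone.utc)
    end = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=timezone.utc)
    return start, end


def explain_denial(record):
    """Failed policies behind a deny, as (policy, reason) pairs, in evaluation order."""
    if record.get("decision") != "deny":
        return []
    return [(p.get("policy"), p.get("reason", "no reason recorded"))
            for p in jfield(record, "evaluatedPolicies", [])
            if p.get("result") == "fail"]


def sensitive_access(records, start, end):
    """Allowed accesses to sensitive resources with start <= timestamp < end, newest first."""
    hits = [r for r in records
            if r.get("decision") == "allow"
            and jfield(r, "resourceContext", {}).get("classification") in SENSITIVE
            and start <= ts(r) < end]
    return sorted(hits, key=ts, reverse=True)


def needs_alert(record, threshold=70):
    """Assumed alerting rule: escalation-type events and MFA-related factors always alert,
    everything else alerts on riskScore >= threshold."""
    if record.get("eventType") in {"privilege_escalation", "suspicious_activity"}:
        return True
    if set(jfield(record, "riskFactors", [])) & {"permission_elevation_attempt", "missing_mfa"}:
        return True
    return (record.get("riskScore") or 0) >= threshold


# Constructed records (not real events); only the fields the queries use are filled in.
RECORDS = [
    {"auditId": "a1", "timestamp": "2024-03-03T10:00:00Z", "eventType": "access_granted",
     "userId": "u_alice", "resourceId": "db_customers_prod", "action": "read",
     "decision": "allow", "resourceContext": "{\"classification\":\"sensitive\"}",
     "riskScore": 20, "riskFactors": "[]"},
    {"auditId": "a2", "timestamp": "2024-03-20T02:10:00Z", "eventType": "access_granted",
     "userId": "u_bob", "resourceId": "db_financial_prod", "action": "export",
     "decision": "allow", "resourceContext": "{\"classification\":\"highly_sensitive\"}",
     "riskScore": 75, "riskFactors": "[\"after_hours\",\"bulk_export\"]"},
    {"auditId": "a3", "timestamp": "2024-03-21T09:00:00Z", "eventType": "access_denied",
     "userId": "u_carol", "resourceId": "db_financial_prod", "action": "delete",
     "decision": "deny", "decisionReason": "Denied: MFA not verified",
     "evaluatedPolicies": "[{\"policy\":\"mfa_required_sensitive\",\"result\":\"fail\","
                          "\"reason\":\"MFA not verified\"},"
                          "{\"policy\":\"business_hours\",\"result\":\"pass\"}]",
     "resourceContext": "{\"classification\":\"highly_sensitive\"}",
     "riskScore": 40, "riskFactors": "[\"missing_mfa\"]"},
    {"auditId": "a4", "timestamp": "2024-04-02T12:00:00Z", "eventType": "access_granted",
     "userId": "u_alice", "resourceId": "wiki", "action": "read", "decision": "allow",
     "resourceContext": "{\"classification\":\"internal\"}", "riskScore": 5},
]
```

Two design points worth noting. The sensitivity filter reads classification from resourceContext because that is where the page's examples put it; a deployment that classifies by resourceType or resourceId would key on those instead. And needs_alert treats riskScore as one signal rather than the only one, because a low score on an entry whose riskFactors already name an MFA gap or an elevation attempt is exactly the case a threshold-only rule misses.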