# List Audit Trail `Available on Agent 2.55.0 and above.` ## Get a list of actions performed by a privileged account acting as privileged user given a period of time. > Get a list of actions performed by a privileged account acting as privileged user given a period of time. ```json {"openapi":"3.0.1","info":{"title":"Agent API","version":"25.8.1"},"servers":[{"url":"youragentURL.symphony.com/agent"}],"paths":{"/v1/audittrail/privilegeduser":{"get":{"tags":["AuditTrail"],"summary":"Get a list of actions performed by a privileged account acting as privileged user given a period of time.","description":"Get a list of actions performed by a privileged account acting as privileged user given a period of time.","parameters":[{"name":"sessionToken","in":"header","description":"Session authentication token.","required":true,"schema":{"type":"string"}},{"name":"keyManagerToken","in":"header","description":"Key Manager authentication token.","schema":{"type":"string"}},{"name":"startTimestamp","in":"query","description":"Start timestamp in unix timestamp in millseconds.","required":true,"schema":{"type":"integer","format":"int64"}},{"name":"endTimestamp","in":"query","description":"End timestamp in unix timestamp in millseconds. If not specified, it assumes to be current time.","schema":{"type":"integer","format":"int64"}},{"name":"before","in":"query","description":"Return results from an opaque “before” cursor value as presented via a response cursor.","schema":{"type":"string"}},{"name":"after","in":"query","description":"Return results from an opaque “after” cursor value as presented via a response cursor.","schema":{"type":"string"}},{"name":"limit","in":"query","description":"Max No. of violations to return. If no value is provided, 50 is the default.\nSome maximums for limit may be enforced for performance reasons.\nThe maximum supported value is 500.\n","schema":{"type":"integer"}},{"name":"initiatorId","in":"query","description":"If present, only the initiator with this initiator will be returned.","schema":{"type":"integer","format":"int64"}},{"name":"role","in":"query","description":"If present, only the audit trail initiated by s user with privileged role acting as\nprivileged user will be returned.\nPrivileged eliglible roles:\nUser Provisioning (USER_PROVISIONING),\nContent Management (CONTENT_MANAGEMENT),\nExpression Filter Policy Management (EF_POLICY_MANAGEMENT),\nSCO (SUPER_COMPLIANCE_OFFICER),\nCO (COMPLIANCE_OFFICER),\nSuper admin (SUPER_ADMINISTRATOR),\nAdmin (ADMINISTRATOR),\nL1 (L1_SUPPORT),\nL2 (L2_SUPPORT),\nScope Manager (SCOPE_MANAGEMENT)\n","schema":{"type":"string"}}],"responses":{"200":{"description":"OK","content":{"application/json":{"schema":{"$ref":"#/components/schemas/V1AuditTrailInitiatorList"}}}},"204":{"description":"No Messages.","content":{}},"400":{"description":"Client error, see response body for further details.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"401":{"description":"Unauthorized: Session tokens invalid.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"403":{"description":"Forbidden: Caller lacks necessary entitlement.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}},"500":{"description":"Server error, see response body for further details.","content":{"application/json":{"schema":{"$ref":"#/components/schemas/Error"}}}}}}}},"components":{"schemas":{"V1AuditTrailInitiatorList":{"type":"object","properties":{"items":{"type":"array","items":{"$ref":"#/components/schemas/V1AuditTrailInitiatorResponse"}},"pagination":{"$ref":"#/components/schemas/Pagination"}}},"V1AuditTrailInitiatorResponse":{"type":"object","properties":{"action":{"type":"string","description":"The audit trail action that has peformed"},"actionName":{"type":"string","description":"The audit trail action name that has peformed"},"timestamp":{"type":"string","description":"The timestamp when the action has occurred"},"initiatorId":{"type":"string","description":"The user's id that has performed the action"},"initiatorUsername":{"type":"string","description":"The username that has performed the action"},"initiatorEmailAddress":{"type":"string","description":"The user's e-mail address that has performed the action"}},"description":"Audit Trail Initiator object response.\nThe attributes may vary according to the action.\nThere are different types of action and each action could have specific attributes.\n"},"Pagination":{"required":["cursors"],"type":"object","properties":{"cursors":{"type":"object","properties":{"before":{"type":"string","description":"This is the opaque url-safe string that points to the start of the page of data\nthat has been returned.\n"},"after":{"type":"string","description":"This is the opaque url-safe string that points to the end of the page of data\nthat has been returned.\n"}}},"previous":{"type":"string","description":"API endpoint that will return the previous page of data. If not included, this is\nthe first page of data.\n"},"next":{"type":"string","description":"API endpoint that will return the next page of data. If not included, this is the\nlast page of data. Due to how pagination works with visibility and privacy, it is\npossible that a page may be empty but contain a 'next' paging link. Stop paging when\nthe 'next' link no longer appears.\n"}}},"Error":{"type":"object","properties":{"code":{"type":"integer","format":"int32"},"message":{"type":"string"}}}}}} ``` ### Pagination The `pagination` field will be returned (displayed) only if the response returns 50 or more items. Pagination object definition: • `before`: This is the opaque url-safe string that points to the start of the page of data that has been returned.\ • `after`: This is the opaque url-safe string that points to the end of the page of data that has been returned. ### Privileged Eligible Roles Roles for which audit trail can be exported. It retrieves the audit trail of all writing actions performed by Admin and Compliance users acting as a privileged user, via privileged account audit trail APIs. * User Provisioning (`USER_PROVISIONING`) * Content Management (`CONTENT_MANAGEMENT`) * Expression Filter Policy Management (`EF_POLICY_MANAGEMENT`) * SCO (`SUPER_COMPLIANCE_OFFICER`) * CO (`COMPLIANCE_OFFICER`) * Super admin (`SUPER_ADMINISTRATOR`) * Admin (`ADMINISTRATOR`) * L1 (`L1_SUPPORT`) * L2 (`L2_SUPPORT`) * Scope Manager (`SCOPE_MANAGEMENT`). > #### 🚧 Required Roles and Permissions > > Calling this endpoint requires a **Service Account** with the **Audit Trail Management** role.\ > See [Permissions](ref:permissions) for a list of roles and associated privileges. ### Examples of Usage ### before and after Suppose we have an initial call. It will be returned only after the response because there is no before records.\ \` ```json { "items": [ { "action": "RSA Key Added", "actionName": "rsaKeyAdded", "initiatorId": 7215545057307, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@symphony.com", "affectedId": 7215545222851, "affectedUsername": "account.test", "affectedEmailAddress": "account.test@symphony.com", "authorizationRoles": [ "SUPER_ADMINISTRATOR" ], "timestamp": 1555510357831 } ], "pagination": { "cursors": { "after": "1" }, "next": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&after=1" } n ``` `after` (next)\ `https://acme.symphony.com/agent/v1/audittrail/privilegeduser?startTimestamp=1553264312000&limit=1&after=1` ```json { "items": [ { "action": "Service Account Created", "actionName": "createServiceAccount", "initiatorId": 7215545057307, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@symphony.com", "affectedId": 7215545222851, "affectedUsername": "account.test", "affectedEmailAddress": "account.test@symphony.com", "authorizationRoles": [ "SUPER_ADMINISTRATOR" ], "timestamp": 1555510357104 } ], "pagination": { "cursors": { "before": "2", "after": "2" }, "previous": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&before=2", "next": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&after=2" } } ``` `after` (next again)\ `https://acme.symphony.com/agent/v1/audittrail/privilegeduser?startTimestamp=1553264312000&limit=1&after=2` ```json { "items": [ { "action": "Enabled EF Enforcement", "actionName": "enabledEfEnforcement", "initiatorId": 7215545057307, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@symphony.com", "authorizationRoles": [ "EF_POLICY_MANAGEMENT" ], "timestamp": 1555505109178 } ], "pagination": { "cursors": { "before": "3", "after": "3" }, "previous": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&before=3", "next": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&after=3" } } ``` `before` (previous)\ `https://acme.symphony.com/agent/v1/audittrail/privilegeduser?startTimestamp=1553264312000&limit=1&before=3` ```json { "items": [ { "action": "Service Account Created", "actionName": "createServiceAccount", "initiatorId": 7215545057307, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@symphony.com", "affectedId": 7215545222851, "affectedUsername": "account.test", "affectedEmailAddress": "account.test@symphony.com", "authorizationRoles": [ "SUPER_ADMINISTRATOR" ], "timestamp": 1555510357104 } ], "pagination": { "cursors": { "before": "2", "after": "2" }, "previous": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&before=2", "next": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=1&after=2" } } ``` Last page (aka no more records to fetch), before the response. Note that we did not set the limit on this example, so it is using the default limit=50\ `https://acme.symphony.com/agent/v1/audittrail/privilegeduser?startTimestamp=1553264312000&after=127` ```json { "items": [ { "action": "End-user account created", "actionName": "createUser", "initiatorId": 7215545069230, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@symphony.com", "affectedId": 7215545221479, "affectedUsername": "account.test", "affectedEmailAddress": "account.test@symphony.com", "authorizationRoles": [ "SUPER_ADMINISTRATOR" ], "timestamp": 1553277265644 }, { "action": "Added Member", "actionName": "addedMember", "attribute": "admin@symphony.com", "initiatorId": 7215545069230, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@qa5.com", "affectedId": 7215545057281, "affectedUsername": "test@symphony.com", "affectedEmailAddress": "test@symphony.com", "threadId": "UX2HkxQ2B4vs5qFkqs8jFX%2F%2F%2FpZryRyXdA%3D%3D", "scope": "Internal", "authorizationRoles": [ "SUPER_COMPLIANCE_OFFICER" ], "conversationType": "Room", "timestamp": 1553273839863 } ], "pagination": { "cursors": { "before": "128" }, "previous": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&before=128" } } ``` ### initiatorId `https://acme.symphony.com/agent/v1/audittrail/privilegeduser?startTimestamp=1553264312000&limit=5&initiatorId=7215545057307` The response will return only events generated by this initiatorId ### role Returns only events generated by a particular role.\ ´ ```json { "items": [ { "action": "Profile info update", "actionName": "profileInfoUpdate", "attribute": "roles", "newValue": "[Individual,Administrator]", "oldValue": "[Individual]", "initiatorId": 7215545222842, "initiatorUsername": "bob.smith", "initiatorEmailAddress": "bob.smith@symphony.com", "affectedId": 7215545222843, "affectedUsername": "account.test", "affectedEmailAddress": "account.test@symphony.com", "authorizationRoles": [ "ADMINISTRATOR" ], "timestamp": 1555437274937 }, { "action": "Profile info update", "actionName": "profileInfoUpdate", "attribute": "roles", "newValue": "[Individual,Administrator]", "oldValue": "[Individual]", "initiatorId": 7215545222800, "initiatorUsername": "bob.smith_3", "initiatorEmailAddress": "bob.smith_3@symphony.com", "affectedId": 7215545222801, "affectedUsername": "account.test_3", "affectedEmailAddress": "account.test_3@symphony.com", "authorizationRoles": [ "ADMINISTRATOR" ], "timestamp": 1555264469483 } ], "pagination": { "cursors": { "after": "1" }, "next": "/agent/v1/audittrail/privilegeduser?&startTimestamp=1553264312000&limit=3&role=ADMINISTRATOR&after=1" } } ``` ### startTimestamp The API returns an error when the period (startTimestamp - endTimstamp) is greater than 30 days. ```json { "code": 400, "message": "\"Max of 30 days is allowed per request.\"", "details": "Max of 30 days is allowed per request." } ```