IBM_SECURITY_RTSS_AUDIT_AUTHZ events

This event type identifies the authorization decision events for runtime security services. Runtime security services generates an authorization decision event record if both of the following conditions occur:

In addition to the base Common Base Event content, runtime security services authorization decision records contain authorization-specific properties. These authorization-specific properties are defined in the Common Base Event Extensions for Security Events specification with the ExtendedDataElement.

The following table lists the event properties that are included in the output of an IBM_SECURITY_RTSS_AUDIT_AUTHZ event record. All elements are included in the output, unless indicated otherwise.

Element Description and values
accessDecision Present when the result is SUCCESSFUL

This property specifies the decision of the authorization call.

Possible element values include:

  • Permit
  • Deny
  • NotApplicable
  • Indeterminate

If a Permit decision is returned with obligations, then a ConditionalPermit decision is recorded in the event.

accessDecisionReason Present when accessDecision is DENY

This property provides more information about the denial of the access decision.

action Not always in output.

This property specifies the action that caused the authorization event.

outcome Specifies the outcome of the action for which the security event is being generated.

This ExtendedDataElement element does not have a value declaration.

This container element uses the children of the outcomeType element type.

outcome.failureReason Not always in output.

This property provides more information about the outcome.

outcome.majorStatus Major status code.
outcome.minorStatus Not always in output.

This property specifies the minor status code.

outcome.result Specifies the overall status of the event. This element is also used for filtering.

The value is UNSUCCESSFUL if an error condition occurs that prevents standard processing, and SUCCESSFUL when no error condition prevents standard processing.

permissionInfo Provides information about access permissions.

This ExtendedDataElement element has no value declaration.

This container element uses the children of the PermissionInfoType element type.

permissionInfo.checked Specifies permissions that are checked during the authorization call.
permissionInfo.denied Not always in output.

This property specifies the permissions that are denied among the permissions that are requested.

permissionInfo.granted Not always in output.

This property specifies permissions that are granted.

policyInfo Not always in output.

This property provides information about policies that are attached to the resource or the container of a resource.

This ExtendedDataElement element does not have a value declaration.

This container element uses the children of the PolicyInfoType element type.

policyInfo.attributes Not always in output.

This property specifies attributes associated with a policy.

policyInfo.description Not always in output.

This property provides a description of the policy.

policyInfo.name Not always in output.

This property specifies the name of the policy.

policyInfo.type Not always in output.

This property specifies the type of the policy.

registryInfo Not always in output.

This property provides information about the registry that is involved in the authentication.

This ExtendedDataElement element does not have a value declaration.

This container element uses the children of the RegistryInfoType element type.

registryInfo.serverLocation Not always in output.

This property specifies where the registry server is located.

resourceInfo Provides information about the resource that is accessed.

This ExtendedDataElement element has no value declaration.

This container element uses the children of the resourceInfoType element type.

resourceInfo.attributes Attributes for the resource.
resourceInfo.nameInApp Not always in output.

This property specifies the name of the resource in the context of the application.

resourceInfo.nameInPolicy Name of the resource as it is referred to in the policy that applies to the resource.
resourceInfo.type Type of the resource.
userInfo Provides information about each user in the delegation chain.

This ExtendedDataElement element has no value declaration.

This container element uses the children of the UserInfoType element type.

userInfo.appUserName Present when the accessing subject is authenticated.

This property specifies the name of a user within an application.

userInfo.attributes Not always in output.

This property provides more user information.

userInfo.callerList Not always in output.

This property specifies a list of names representing the identities of a user.

userInfo.location Not always in output.

This property specifies the location of the user.

userInfo.locationType Not always in output.

This property specifies the type of location.

userInfo.realm Not always in output.

This property specifies the registry partition to which the user belongs.

userInfo.registryUserName Not always in output.

This property specifies the name of the user in the registry.

userInfo.sessionId Not always in output.

This property specifies the ID for the session that belongs to the user.

userInfo.uniqueId Not always in output.

This property specifies the unique identifier that belongs to the user within an application.

creationTime Date and time when the event was issued.

For example: 2008-09-11T19:18:04.140Z

The letter Z in the example indicates the UTC format. All time stamps are issued in UTC format. There is no provision for specifying local time.

contextDataElement Specifies the ContextDataElement type, which defines the contexts that each event references.

This element contains data that assists with problem diagnostic procedures by correlating messages or events generated during the execution of a unit of work.

contextDataElement.type Data type of the contextValue property.
contextDataElement.name Name of the application that created the contextDataElement.
contextDataElement.contextValue Value of the context regarding the implementation of the context.
extensionName Name of the event class the extensionName event represents.

The extensionName event indicates more elements that are expected to be present within the event.

The value for runtime security services is the following value: IBM_SECURITY_RTSS_AUDIT_AUTHZ

globalInstanceId Primary identifier for the event.

This property must be globally unique and can be used as the primary key for the event.

For example: f5e6bcc5-d1e8-4638-8f84-3ba29ca950b2

msg Provides the text that accompanies the event.

This element is typically the resolved message string in human readable format that is rendered for a specific locale.

The following example uses runtime security services data: Subject cn=wasadmin,c=us requests access to the http://localhost:9081/rtss/test/jaxws/echo/EchoService protected resource.

situation Situation that caused the event to be reported.
situation.categoryName Category type of the situation that caused the event to be reported.
situation.situationType Type of situation that caused the event to be reported.
situation.reportCategory Category of the reported situation.

This element is used when its value is STATUS.

situation.reasoningScope Defines whether this situation has either of the following impacts:

  • Internal-only impact.
  • Potential external impact.

This element is used if the element value is either of the following values:

  • INTERNAL
  • EXTERNAL

sourceComponentId Identifies the component that is impacted by the event.

This element has no value declaration.

This container element uses the children of the ComponentIdType element type.

sourceComponentId.application Name of the application.

The value of this element is: IBM runtime security services

sourceComponentId.component Logical identity of a component.
sourceComponentId.componentIdType Format and meaning of the component that is identified by this componentIdentification.

For example: ProductName

sourceComponentId.componentType Specifies a well-defined name used to characterize all of the instances that belong to this component.
sourceComponentId.location Physical address that corresponds to the location of a component.

For example: Host name, IP address, or MAC address.

sourceComponentId.locationType Present if available.

This property specifies the format and meaning of the value in the location property. For runtime security services, the value is set to Not available if the meaning of the location element value is not determined.

The following is sample runtime security services data: ipAddress.

sourceComponentId.processId Not always in output.

This property identifies the process ID of the running component or subcomponent that generated the event.

sourceComponentId.subComponent Not always in output.

This property specifies a further distinction for the logical component property of the event.

version String that identifies the version of the event.

The element value is 2.0.
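As an added example (not part of the IBM documentation), the following Python flattens one such record into the dotted element names of the table above and triages it on outcome.result and accessDecision. The sample event is constructed, and its Common Base Event XML layout (extendedDataElements with children and values) is an assumption, not something this page specifies.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): one IBM_SECURITY_RTSS_AUDIT_AUTHZ
# record in the Common Base Event XML serialization. The attribute and child
# layout is an assumption; only the element names come from the reference table.
SAMPLE_EVENT = """<CommonBaseEvent creationTime="2008-09-11T19:18:04.140Z"
  extensionName="IBM_SECURITY_RTSS_AUDIT_AUTHZ"
  globalInstanceId="f5e6bcc5-d1e8-4638-8f84-3ba29ca950b2" version="2.0"
  msg="Subject cn=wasadmin,c=us requests access to the protected resource.">
  <extendedDataElements name="accessDecision" type="string"><values>Deny</values></extendedDataElements>
  <extendedDataElements name="outcome" type="noValue">
    <children name="result" type="string"><values>SUCCESSFUL</values></children>
  </extendedDataElements>
  <extendedDataElements name="userInfo" type="noValue">
    <children name="appUserName" type="string"><values>cn=wasadmin,c=us</values></children>
  </extendedDataElements>
  <extendedDataElements name="resourceInfo" type="noValue">
    <children name="nameInApp" type="string"><values>http://localhost:9081/rtss/test/jaxws/echo/EchoService</values></children>
  </extendedDataElements>
  <extendedDataElements name="policyInfo" type="noValue">
    <children name="name" type="string"><values>constructed-policy</values></children>
  </extendedDataElements>
</CommonBaseEvent>"""


def parse_authz_event(xml_text):
    """Flatten the record into the dotted names used by the table above."""
    root = ET.fromstring(xml_text)
    if root.get("extensionName") != "IBM_SECURITY_RTSS_AUDIT_AUTHZ":
        raise ValueError("not a runtime security services authorization event")
    fields = {k: root.get(k) for k in ("creationTime", "globalInstanceId", "msg", "version")}
    for ede in root.findall("extendedDataElements"):
        name = ede.get("name")
        if ede.get("type") != "noValue":            # leaf element carrying a value
            fields[name] = ede.findtext("values")
        for child in ede.findall("children"):      # container: outcome, userInfo, ...
            fields[f"{name}.{child.get('name')}"] = child.findtext("values")
    return fields


def triage(fields):
    """Check outcome.result first: accessDecision is only present when it is SUCCESSFUL."""
    if fields.get("outcome.result") != "SUCCESSFUL":
        return "error"
    decision = fields.get("accessDecision")
    if decision == "Deny":
        return "deny"
    if decision in ("NotApplicable", "Indeterminate"):
        return "review"      # no policy matched or evaluation failed: check policy coverage
    return "permit"          # Permit, or ConditionalPermit (Permit with obligations)
```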
