Categories
OCI Logging for OAC Enhancement on Catalog Permissions updates
Use Case:
The Audit logs available via OCI Logging enables administrators to identify the changes to catalog objects, specifically permissions.
For example, When changing the permissions on some Shared Folders with Sub-Folders, whether for testing purposes or by user error, The only way to revert the changes is by restoring the snapshot to the earlier state. This might cause overwrites or missing objects if no recent snapshots.
In order to be aware of the exact permission changes on the catalog objects, it will be helpful if the logs capture the changes so it can be manually applied instead of going for a full snapshot restore.
Available Troubleshooting Options:
OCI Logging is the option by which administrators can determine that there has been updates in the catalog permissions via the log entry - "category": "catalog".
Currently the Audit log corresponding to the permission change includes below entries:
"logContent": {
"data": {
"additionalDetails": {
"path": "/shared/<FolderPath>/<ReportName>",
"type": "analysis"
},
"category": "catalog",
"message": "Analysis (Test) permissions updated."
However, the log entry does not include the previous grants/permissions or the specifics on the permissions changes.
Idea To Enable Self-Service Troubleshooting:
It would be helpful if the OCI audit log captures the exact roles/permission changes, captured within the Additional Information tags or included in the message column itself.
For example:
"category": "catalog", "message": "Analysis (Test) permissions updated for Role (BIConsumer) from <Read,Execute,Run Publisher Reports> to <Read>."