5.7 Data Item or Resource Element Content Access Events

Resource content-access events are related to access of any data files protected by an authentication domain. This could be file system files, database records, Web pages etc. While instrumenting applications, consider securing access to the resources. Resource access can be a high-bandwidth process. Therefore, only security-relevant events should be reported. Such instrumentation should be configurable at the application level by the application administrator, thus must be policy driven. This implies that such applications add additional infrastructure and user interface to allow administrators to manage the resource-access events that has to be audited, and determine the unimportant events within the security context.

Table 5-7 Data Item or Resource Element Content Access Events Taxonomy

Event Name

Event Identifier

Corresponding eDir Event

Description

Use

Create Data Item Association

0.0.6.0

DSE_ADD_VALUE

Create association with a data item

This event is reported when rights are granted by an identity to a specific data item – when a trust relationship is established between an identity and a data item.

Terminate Data Item Association

0.0.6.1

DSE_DELETE_ATTRIBUTE

DSE_DELETE_VALUE

Terminate association with a data item

This event is reported when rights are revoked from an identity to a specific data item – when a trust relationship is revoked between an identity and a data item.

Modify Data Item Association

0.0.6.3

DSE_BKLINK_OPERATOR

DSE_BKLINK_SEV

DSE_CHANGE_OBJ_SECURITY

DSE_CHANGE_PROP_SECURITY

DSE_CHANGE_SECURITY_EQUALS

Modify context of association with data item

This event is reported when rights are modified on the previously established relationship between an identity and specific data item.

5.7.1 Examples for Data Item and Resource Element Management Events

The following sections include examples for data item and resource element management events.

Create Data Item Association

Click Create Data Item Association to generate an event when rights are granted by an identity to a specific data item, as shown in the following example:

Jan 08 10:20:18 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=SLES11-SP2-164,O=mycom","Id" : "32833"},"Entity" : {"SysAddr" : "100.1.2.164:39570"}},"Target" : {"Data" : {"Attribute Name" : "Local Received Up To","Attribute Value" : "2918332558536081408","ClassName" : "Tree Root","Syntax" : "9"}},"Action" : {"Event" : {"Id" : "0.0.0.0","Name" : "CREATE_DATA_ITEM_ASSOCIATION","CorrelationID" : "eDirectory#21#bf97ffb6-91d0-4019-6988-b6ff97bfd091","SubEvent" : "DSE_ADD_VALUE"},"Time" : {"Offset" : 1389847818},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}} 

Terminate Data Item Association

Click Terminate Data Item Association to generate an event when rights are revoked from an identity to a specific data item, as shown in the following example:

Jan 08 10:20:18 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Name" : "CN=SLES11-SP2-164,O=mycom","Id" : "32833"},"Entity" : {"SysAddr" : "100.1.2.164:39570"}},"Target" : {"Data" : {"Attribute Name" : "syncPanePoint","ClassName" : "Tree Root","Syntax" : "9"}},"Action" : {"Event" : {"Id" : "0.0.6.1","Name" : "TERMINATE_DATA_ITEM_ASSOCIATION","CorrelationID" : "eDirectory#21#bf97ffb6-91d0-4019-6988-b6ff97bfd091","SubEvent" : "DSE_DELETE_ATTRIBUTE"},"Time" : {"Offset" : 1389847818},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}