AnsweredAssumed Answered

Audit Events viewing rights

Question asked by PhBrand on Mar 15, 2017
Latest reply on Apr 24, 2017 by Stephen_Hughes

Hi,

We have a problem trying to segregate viewing access to Audit Events.

We have more than 15 organizations entitled to use Policy Manager as per developing APIs.

 

Each organizations have a dedicated role, one of which being: "Message Audit Records: in security zone "<organization_name>_zone". Each organization have their own root folder "<organization_name>_folder", with a security zone option "<organization_name>_zone" applied on it. Each organization have multiple developers.

 

Let's say we have a user "user1" with role "org1_role" creating an API "org1_api" within folder or sub-folder of "org1_folder". He can see only its own audit events for "org1_api". Fine.

 

Now if "user1" is also entitled to develop for "org2", thus getting an additional role '"org2_role", he can't see audit events generated by an API in security zone "org2_zone".

 

More than this, if "user3" is a co-worker of "user1" thus for only role also "org1", he can't see events created by his co-worker "user1".

 

This seems to be due to internal role "Manage org1_api service" being automagically applied to the API creator, "user1".

 

If we add this very same induced role to "user3", then it works.

 

Are we doing this completly wrong ?

 

What we want: multiple users within the same organization (same role) only see their APIs in audit events.

Outcomes