Audit Events — IAM Events
This page describes the audit events generated by the Identity and Access Management (IAM) component of Industrial Edge Management. They cover authentication, user management, and configuration changes.
Event ID Pattern Conventions
IAM audit events use hierarchical eventID (routing key) patterns to identify each action.
Admin Events Pattern
Admin events are generated when administrators make changes to the IAM configuration.
iem.iam.admin.<ResourceTypeGroup>.[ResourceTypeSubGroup].<OperationType>.<result>
| Element | Required | Description | Examples |
|---|---|---|---|
| ResourceTypeGroup | Yes | Main resource category | user, group, client, realm |
| ResourceTypeSubGroup | No | Sub-resource type (only when applicable) | role_mapping, session, membership |
| OperationType | Yes | The operation performed | create, update, delete, action |
| result | Yes | Operation outcome | success, failure |
Note: The ResourceTypeSubGroup segment is optional and only included when the IAM ResourceType has a hierarchical structure (e.g., REALM_ROLE_MAPPING → realm.role_mapping, GROUP_MEMBERSHIP → group.membership). For simple resource types like USER, GROUP, or CLIENT, no ResourceTypeSubGroup is used.
Examples:
- With ResourceTypeSubGroup: iem.iam.admin.realm.role_mapping.create.success — Role mapping created in realm
- Without ResourceTypeSubGroup: iem.iam.admin.user.create.success — User account created
User Events Pattern
User events are generated when end users interact with the IAM (login, password changes, profile updates, etc.).
iem.iam.user.<eventtype_lowercase>.<result>
Rule: Events ending with _ERROR in IAM are mapped to .failure; all others are mapped to .success
Examples:
- iem.iam.user.login.success — User login succeeded
- iem.iam.user.login.failure — User login failed
- iem.iam.user.update_credential.success — User changed password
Unknown / Fallback Events
In some cases, the IAM component may encounter events where the resource type, operation type, or event type is empty or unrecognized. These are handled using fallback event IDs to ensure all actions are still recorded.
All fallback events are assigned the SE_OBJECT_OPERATION security event.
Admin Events — Fallback Patterns
| Condition | Example eventID |
|---|---|
| Both resource type and operation type are unknown | iem.iam.admin.unknown.unknown.success |
| Resource type is unknown, operation type is known | iem.iam.admin.unknown.create.success |
| Resource type is known, operation type is unknown | iem.iam.admin.user.unknown.success |
User Events — Fallback Pattern
| Condition | Example eventID |
|---|---|
| Event type is empty or unrecognized | iem.iam.user.unknown.success / iem.iam.user.unknown.failure |