Timestamp

Includes time zone (UTC)

Severity

Path = Low

Info = Medium

Warning = High

Error = Very High

Actor

The logged in user or <systemuser> if no user was logged in (optional).

Event

Consists of a category (such as USER, LOGIN, ACL) and an action (such as CREATE, DELETE).

ObjectType

The type of object involved in the event, for example, USER, USERACCOUNT, ROLE, GROUP, PRINCIPIAL or NONE

ObjectID

Unique ID of the object. Only the object IDs of users, groups, UME roles, and user accounts can be displayed. For all other objects, only a hash value is available.

ObjectName

Human readable description of the object (optional). Only the object names of users, groups, UME roles, and user accounts can be displayed. Object names of other objects are not available.

Details

Additional information as a comma-separated list of key=value pairs.

Event

Severity

Object ID

Details

Principal modification

User creation

Medium

The new user

Company ID

Low

The new user

All user attributes

User account creation

High

The new user account

Assigned user ID

Group creation

High

The new group

Assigned users and groups

Role creation

High

The new role

Assigned users and groups

Assigned actions

User modification

Medium

The modified user

If user was assigned to a company: Company ID

Low

The modified user

All changed user attributes

User account modification

High

The modified user account

Password was changed (Forced to change / Success / Failed: Reason)

User was locked (reason).

User was unlocked

Certificate was modified

Possible reasons for a locked user are:

·        [1]: User was locked due to too many incorrect logon attempts.

·        [2]: User was locked by an administrator.

Group modification

High

The modified group

If group members were modified: Added or removed users and groups

Role modification

High

The modified role

If role members were modified: Added or removed users and groups

If actions were modified: Added or removed actions

User deletion

Medium

The deleted user

(no details)

User account deletion

High

The deleted user account

Assigned user ID

Group deletion

High

The deleted group

(no details)

Role deletion

High

The deleted role

(no details)

User mapping 

User mapping creation

Medium

The mapped user

System alias

Remote user ID

Type of system (SAP_R3, SAP_BW, or SAP_CRM)

User mapping modification

Medium

The mapped user

System alias

Remote user ID

User mapping deletion

Medium

The mapped user    

System alias

Remote user ID

User mapping usage

Medium

The mapped user

System alias

Remote user ID

Login/Logoff         

Successful user logon

Medium

The used user account

User ID

Logon method/ Authentication scheme

IP address

Failed user logon

High

The used user account

User ID

Logon method/ Authentication scheme

IP address

Reason why logon failed (wrong password, user locked, …)

User logoff

Medium

The used user account

(no details)

Permission (checking)      

ACL creation

High

The object for which the ACL was created

Owner

ACL modification

High

The object whose ACL was modified

Added or removed owners

Added or removed ACEs (access control entries): (Principle, Permission)

Changed object ID

ACL deletion

High

The object to which the ACL was assigned  

(no details)

Access violation or access denied

Very high

The object the user wanted to access (if available)

Permission the user would have needed to access the object

Access granted

Low

The object the user accessed (if available)

Permission that was needed to access the object