User management logging

Hi team,

About user management introduced in Daml v2.0, is there any audit log showing which user has been accessing the Ledger API and when?

Many thanks.

kc

To my knowledge there is no dedicated user access audit log.

However, we often log applicationId (as part of the logging context), which will contain the userId if user-based authorization is used.
For example, see applicationId: "e6c6460c-6b8a-467c-8c6a-d8e40b1a8cef-alice-user" in the log line below:

07:31:21.402 [sandbox-akka.actor.default-dispatcher-9] INFO c.d.p.a.s.ApiSubmissionService - Submitting transaction , context: {participantId: "sandbox-participant", commands: {readAs: , deduplicationPeriod: {duration: "PT30M"}, submittedAt: "2022-04-08T07:29:30.897957Z", ledgerId: "sandbox-server", applicationId: "e6c6460c-6b8a-467c-8c6a-d8e40b1a8cef-alice-user", submissionId: "13e315fc-d66b-42a3-b54b-f94481722c92", actAs: ["alice-party"], commandId: "-86b3682a-bdf5-4f00-a064-2294aba213ae", workflowId: "workflowId"}}

Also, we are logging all changes to persisted user state, at info level. For example:

07:36:51.113 [daml.index.db.threadpool.connection.api-server-0] INFO c.d.p.u.PersistentUserManagementStore - Granted 1 user rights to user 79c64b59-0a4e-4565-acac-37f5377d7257-alice-user: CanActAs(b8f75500-b76a-44aa-a996-8f474d1ec48e) , context: {participantId: "sandbox-participant", submissionId: "3d431421-7858-4330-a481-fae1d65f25ec"}


Thanks @pbatko. I just did a quick test on sandbox and it seems it comes back with “alice” instead of the whole UUID in front of it, and the rights granting is also well logged.

It doesn’t show up though if the command is created with daml-script (where applicationId becomes daml-script) and navigator. I see the applicationId correctly when I use JSON-API for testing.

Have a nice weekend.

cheers,
kc

In my example, the user id is the entire string e6c6460c-6b8a-467c-8c6a-d8e40b1a8cef-alice-user. I got it from a test that generated such a user name. Sorry for the confusion.

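Added example (not part of the thread and not Daml project code): a small Python parser that turns the two log formats quoted above into audit records of who submitted commands and which rights were granted. It assumes the line layout shown in the thread and treats `daml-script` as a non-user applicationId, per the observation above; the sample lines and all function names are constructed for illustration.

```python
import re

# Constructed sample lines, shortened from the two log formats quoted in the thread.
SAMPLE_LOG = """\
07:31:21.402 [sandbox-akka.actor.default-dispatcher-9] INFO c.d.p.a.s.ApiSubmissionService - Submitting transaction , context: {participantId: "sandbox-participant", commands: {submittedAt: "2022-04-08T07:29:30.897957Z", applicationId: "alice", actAs: ["alice-party"], commandId: "cmd-1"}}
07:32:02.010 [sandbox-akka.actor.default-dispatcher-4] INFO c.d.p.a.s.ApiSubmissionService - Submitting transaction , context: {participantId: "sandbox-participant", commands: {submittedAt: "2022-04-08T07:31:58.100000Z", applicationId: "daml-script", actAs: ["bob-party"], commandId: "cmd-2"}}
07:36:51.113 [daml.index.db.threadpool.connection.api-server-0] INFO c.d.p.u.PersistentUserManagementStore - Granted 1 user rights to user alice: CanActAs(alice-party) , context: {participantId: "sandbox-participant", submissionId: "sub-1"}
"""

QUOTES = '"\u201c\u201d'  # straight or typographic quotes (web copies may convert them)
Q, NOT_Q = f"[{QUOTES}]", f"[^{QUOTES}]"
HEAD = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) \[[^\]]+\] \w+ (\S+) - (.*)$")
APP_ID = re.compile(f"applicationId: {Q}({NOT_Q}*){Q}")
ACT_AS = re.compile(r"actAs: \[([^\]]*)\]")
PARTY = re.compile(f"{Q}({NOT_Q}+){Q}")
GRANT = re.compile(r"Granted \d+ user rights to user (\S+): (.*?) , context:")

def audit_events(log_text, non_user_app_ids=frozenset({"daml-script"})):
    """Return submit/grant audit records; user is None when it cannot be attributed."""
    events = []
    for line in log_text.splitlines():
        head = HEAD.match(line)
        if not head:
            continue
        ts, logger, msg = head.groups()
        if logger.endswith("ApiSubmissionService") and msg.startswith("Submitting transaction"):
            app = APP_ID.search(msg)
            app_id = app.group(1) if app else None
            act = ACT_AS.search(msg)
            # Assumption: applicationId equals the user id only under user-based authorization.
            user = None if app_id is None or app_id in non_user_app_ids else app_id
            events.append({"time": ts, "event": "submit", "user": user,
                           "application_id": app_id,
                           "act_as": PARTY.findall(act.group(1)) if act else []})
        elif logger.endswith("PersistentUserManagementStore"):
            grant = GRANT.search(msg)
            if grant:
                events.append({"time": ts, "event": "grant",
                               "user": grant.group(1), "rights": grant.group(2)})
    return events

if __name__ == "__main__":
    for event in audit_events(SAMPLE_LOG):
        print(event)
```

Submissions whose `user` is `None` still carry `act_as`, so they can be reviewed by party even when no user id was logged.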