When you call the Audit Log API to return specific data on your user activity in Pigment, it returns audit events. The audit event is a JSON with standard fields and a payload containing details that vary depending on the event type. This article describes audit event structures, and provides details on the event types that occur in your Pigment Workspace.
All audit events returned by the Audit Logs API has a standard structure. You can read more details about this in the article Calling the Audit Log API. The following is a list of event types returned by the Audit Logs API.
User Event Types
Audit Log Event Type
Description
Earliest Possible Start Date
Sample Payload
UserInvited
User invited into the organization.
If the user is invited into the organization, and SAML SSO is configured, then you can interpret this event to mean that the user is activated.
This event only appears if the user performs an action using the reset password email.
If the password is reset administratively, this event won’t appear. An example of this would be when a user can’t receive password reset emails, and is provided with a temporary password.
A Group was assigned to a Role in an Application or removed from a Role in an Application from the Groups page, or the Application Role was changed.
When an Application Role is removed from a Group, the payload will only contain the group and application fields - no record of the removed Application Role will be logged.
No corresponding deleted view event is available when a Block is deleted.
2024-01-01
{ "entity": { "id": "ABC123", "name": "My View", "application": { "id": "ABC123", "name": "My App" }, "entityType": "View" } }
Temporary Views in Pigment
Certain actions in Pigment can result in events from temporary Views being logged. For example, this can happen when you use the Formula Playground, or create a draft View, which is not saved, and then share the View URL with another Member in the Application.
You can identify these from the name of the View from within the entity. It has a suffix containing a random ID. In the example below, the suffix is 111aa1a1:
Using the Formula Playground in Pigment can result in the audit trail logging Metric events on temporary metrics. You can identify these from the name of the Metric from within the entity . It has a prefix Formula Playground. For example:
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
2024-01-01
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
APIKeyRevoked
An API key was deleted.
This applies for all API key types.
The type field specifies the key type:
SecurityAudit - Audit Logs API key
Import - Import API key
Export - Export API key
UserProvisioning - SCIM Provisioning
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
2024-01-01
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
APIKeyRenamed
An API key was renamed.
This applies for all API key types.
The type field specifies the key type:
SecurityAudit - Audit Logs API key
Import - Import API key
Export - Export API key
UserProvisioning - SCIM Provisioning
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
2024-01-01
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
APIKeyRenewed
An API key expiration date was updated.
This applies for all API key types.
The type field specifies the key type:
SecurityAudit - Audit Logs API key
Import - Import API key
Export - Export API key
UserProvisioning - SCIM Provisioning
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
2024-01-01
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
Data Export Event Type
Audit Log Event Type
Description
Earliest Possible Start Date
Sample Payload
DataExported
Data exported from any Pigment block using the Pigment Export API will be logged in this event.
If data is exported through the Pigment UI, only Dimension and Transaction Lists have this event.
2024-01-01
{ "entity": { "id": "ABC123", "name": "My Dimension", "application": { "id": "ABC123", "name": "My App" }, "entityType": "Dimension" } }
The value for allowResetAccessRightsForSharedBlocksDependencies is equal to true when the setting to allow the use of RESETACCESSRIGHTS on Shared Blocks is activated.
The value for disableAccessRightsInheritanceForBlocksInApp is equal to true when the setting to remove inheritance throughout the entire application is activated.
When a data access rights rule is created, this event is logged.
Details available in the payload: settings contains the following parameters:
read: The value will be true if either the Read option or Read and Write option is selected
write: The value will be true if either the Write option only or Read and Write option is selected
applyRule: The value will be true if the rule is created to “apply”, false if the rule created is set to “do not apply”
accessRightsMetric contains details (name, id, application) about the access rights type metric that is created for the configuration.
ruleAppliesTo contains details about the selected options for where the rule is set in the application. Depending on the settings for the rule, the following information will be logged:
all: The value will be true if the rule is set for All Metrics and List Properties in the application.
singleMetric :
This parameter will be logged if the rule is set for Specific Metric(s)
The specific Metric details will be logged in this parameter (metric id, name)
There will be a single event per metric where the rule is added
metricsUsingSpecificDimensions :
This parameter will be logged if the rule is set for All Metrics using specific Dimension(s)
The dimension details will be logged (dimension id, name)
listProperty:
This parameter will be logged if the rule is set on a list property through either the Specific List Properties or List Items Values options
There will be a single event per list property where the rule is added.
This parameter will contain the details of the dimension or transaction list where the rule is set
This parameter will contain details of the property on which the rule is set (propertyId, propertyName)
If a dimension is mapped to a property on the list, this parameter will contain details of the mapped dimension (id and name), as well as the details of the property which the dimension is mapped to (mappedToId and mappedToName)
When a data access rights rule is deleted, this event is logged.
Details available in the payload: settings contains the following parameters:
read: The value will be true if either the Read option or Read and Write option is selected
write: The value will be true if either the Write option only or Read and Write option is selected
applyRule: The value will be true if the rule is created to “apply”, false if the rule created is set to “do not apply”
accessRightsMetric contains details (name, id, application) about the access rights type metric that is created for the configuration.
ruleAppliesTo contains details about the selected options for where the rule is set in the application. Depending on the settings for the rule, the following information will be logged:
all: The value will be true if the rule is set for All Metrics and List Properties in the application.
singleMetric :
This parameter will be logged if the rule is set for Specific Metric(s)
The specific Metric details will be logged in this parameter (metric id, name)
There will be a single event per metric where the rule is added
metricsUsingSpecificDimensions :
This parameter will be logged if the rule is set for All Metrics using specific Dimension(s)
The dimension details will be logged (dimension id, name)
listProperty:
This parameter will be logged if the rule is set on a list property through either the Specific List Properties or List Items Values options
There will be a single event per list property where the rule is added.
This parameter will contain the details of the dimension or transaction list where the rule is set
This parameter will contain details of the property on which the rule is set (propertyId, propertyName)
If a dimension is mapped to a property on the list, this parameter will contain details of the mapped dimension (id and name), as well as the details of the property which the dimension is mapped to (mappedToId and mappedToName)
