IAM Operations That Can Be Recorded by CTS

Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).

Table 1 IAM operations that can be recorded by CTS

| Operation | Resource Type | Trace Name |
|---|---|---|
| Login | user | login |
| Login failure | user | loginfailed |
| Logout | user | logout |
| Changing the password at first login (by an IAM user) | user | changePassword |
| QR code login | user | scanQRCodeLogin |
| QR code login failure | user | scanQRCodeLoginFailed |
| OIDC login | user | oidcLoginSuccess |
| OIDC login failure | user | oidcLoginFailed |
| SSO login | user | iamUserSsoLoginSuccess |
| SSO login failure | user | iamUserSsoLoginFailed |
| Creating a user | user | createUser |
| Modifying a user | user | updateUser |
| Deleting a user | user | deleteUser |
| Creating an access key (AK/SK) | user | createCredential |
| Deleting an access key (AK/SK) | user | deleteCredential |
| Changing the password | user | updateUserPwd |
| Successful login using cached information as a federated user | user | federationLoginNoPwdSuccess |
| Login failed using cached information as a federated user | user | federationLoginNoPwdFailed |
| TSI login | user | tsiLogin |
| Creating a user group | userGroup | createGroup |
| Updating a user group | userGroup | updateGroup |
| Deleting a user group | userGroup | deleteGroup |
| Adding a user to a user group | userGroup | addUserToGroup |
| Removing a user from a user group | userGroup | removeUserFromGroup |
| Unbinding a virtual MFA device | MFA | UnBindMFA |
| Binding a virtual MFA device | MFA | BindMFA |
| Creating a project | project | createProject |
| Deleting a project | project | deleteProject |
| Modifying project information | project | updateProject |
| Granting permissions to an agency based on project information | roleAgencyProject | assignRoleToAgencyOnProject |
| Canceling permissions of an agency based on project information | roleAgencyProject | unassignRoleToAgencyOnProject |
| Creating an agency | agency | createAgency |
| Modifying an agency | agency | updateAgency |
| Deleting an agency | agency | deleteAgency |
| Switching an agency | agency | switchRole |
| Registering an identity provider | identityProvider | createIdentityProvider |
| Updating an identity provider | identityProvider | updateIdentityProvider |
| Deleting an identity provider | identityProvider | deleteIdentityProvider |
| Updating the login authentication policy | SecurityPolicy | modifySecurityPolicy |
| Updating the password policy | SecurityPolicy | modifySecurityPolicy |
| Updating the ACL | SecurityPolicy | modifySecurityPolicy |
| Granting permissions to an agency for all projects | agency | updateAgencyInheritedGrants |
| Removing permissions of an agency in all projects | agency | deleteAgencyInheritedGrants |
| Granting permissions to an agency for global services | agency | updateAgencyGrants |
| Removing permissions of an agency for global services | agency | deleteAgencyGrants |
| Granting permissions to a user group | assignment | createAssignment |
| Removing permissions from a user group | assignment | deleteAssignment |
| Registering a protocol for federated login | identityProvider | createProtocol |
| Updating a protocol for federated login | identityProvider | updateProtocol |
| Deleting a protocol for federated login | identityProvider | deleteProtocol |
| Modifying the login protection configuration of an IAM user | user | modifyLoginProtect |
| Importing a metadata file | identityProvider | metadataConfiguration |
| Creating a virtual MFA device | MFA | createMFA |
| Deleting a virtual MFA device | MFA | deleteMFA |
| Creating an OpenID Connect identity provider | identityProvider | createOIDCConfiguration |
| Modifying an OpenID Connect identity provider | identityProvider | updateOIDCConfiguration |
| Changing the email address or mobile number | user | updateMobileAndEmail |
| Updating user group permissions | group | updateGroupAssignsByRole |
| Updating agency permissions | agency | updateAgencyAssignsByRole |
| Creating a custom policy | Policy | createRole |
| Updating a custom policy | Policy | updateRole |
| Deleting a custom policy | Policy | deleteRole |
| Granting permissions to an agency based on domain information | roleAgencyDomain | assignRoleToAgencyOnDomain |
| Canceling permissions of an agency based on domain information | roleAgencyDomain | unassignRoleToAgencyOnDomain |
| Successful initial login as a federated user | user | tenantLoginBySamlSuccess |
| Registering a mapping | mapping | createMapping |
| Updating a mapping | mapping | updateMapping |
| Deleting a mapping | mapping | deleteMapping |
| Registering a protocol | protocol | createProtocol |
| Updating a protocol | protocol | updateProtocol |
| Changing the mobile number using an email | user | changeMobileByEmail |
| Changing the password using an email | user | updateUserPwdByEmail |
| Modifying agency permissions on the console | agency | updateagenciesRolesByConsole |