IAM Operations That Can Be Recorded by CTS
Table 1 lists Identity and Access Management (IAM) operations that can be recorded by Cloud Trace Service (CTS).
Operation | Resource Type | Trace Name |
---|---|---|
Login | user | login |
Login failure | user | loginfailed |
Logout | user | logout |
Changing the password at first login (by an IAM user) | user | changePassword |
QR code login | user | scanQRCodeLogin |
QR code login failure | user | scanQRCodeLoginFailed |
OIDC login | user | oidcLoginSuccess |
OIDC login failure | user | oidcLoginFailed |
SSO login | user | iamUserSsoLoginSuccess |
SSO login failure | user | iamUserSsoLoginFailed |
Creating a user | user | createUser |
Modifying a user | user | updateUser |
Deleting a user | user | deleteUser |
Creating an access key (AK/SK) | user | createCredential |
Deleting an access key (AK/SK) | user | deleteCredential |
Changing the password | user | updateUserPwd |
Successful login using cached information as a federated user | user | federationLoginNoPwdSuccess |
Failed login using cached information as a federated user | user | federationLoginNoPwdFailed |
TSI login | user | tsiLogin |
Creating a user group | userGroup | createGroup |
Updating a user group | userGroup | updateGroup |
Deleting a user group | userGroup | deleteGroup |
Adding a user to a user group | userGroup | addUserToGroup |
Removing a user from a user group | userGroup | removeUserFromGroup |
Unbinding a virtual MFA device | MFA | UnBindMFA |
Binding a virtual MFA device | MFA | BindMFA |
Creating a project | project | createProject |
Deleting a project | project | deleteProject |
Modifying project information | project | updateProject |
Granting permissions to an agency based on project information | roleAgencyProject | assignRoleToAgencyOnProject |
Canceling permissions of an agency based on project information | roleAgencyProject | unassignRoleToAgencyOnProject |
Creating an agency | agency | createAgency |
Modifying an agency | agency | updateAgency |
Deleting an agency | agency | deleteAgency |
Switching an agency | agency | switchRole |
Registering an identity provider | identityProvider | createIdentityProvider |
Updating an identity provider | identityProvider | updateIdentityProvider |
Deleting an identity provider | identityProvider | deleteIdentityProvider |
Updating the login authentication policy | SecurityPolicy | modifySecurityPolicy |
Updating the password policy | SecurityPolicy | modifySecurityPolicy |
Updating the ACL | SecurityPolicy | modifySecurityPolicy |
Granting permissions to an agency for all projects | agency | updateAgencyInheritedGrants |
Removing permissions of an agency in all projects | agency | deleteAgencyInheritedGrants |
Granting permissions to an agency for global services | agency | updateAgencyGrants |
Removing permissions of an agency for global services | agency | deleteAgencyGrants |
Granting permissions to a user group | assignment | createAssignment |
Removing permissions from a user group | assignment | deleteAssignment |
Registering a protocol for federated login | identityProvider | createProtocol |
Updating a protocol for federated login | identityProvider | updateProtocol |
Deleting a protocol for federated login | identityProvider | deleteProtocol |
Modifying the login protection configuration of an IAM user | user | modifyLoginProtect |
Importing a metadata file | identityProvider | metadataConfiguration |
Creating a virtual MFA device | MFA | createMFA |
Deleting a virtual MFA device | MFA | deleteMFA |
Creating an OpenID Connect identity provider | identityProvider | createOIDCConfiguration |
Modifying an OpenID Connect identity provider | identityProvider | updateOIDCConfiguration |
Changing the email address or mobile number | user | updateMobileAndEmail |
Updating user group permissions | group | updateGroupAssignsByRole |
Updating agency permissions | agency | updateAgencyAssignsByRole |
Creating a custom policy | Policy | createRole |
Updating a custom policy | Policy | updateRole |
Deleting a custom policy | Policy | deleteRole |
Granting permissions to an agency based on domain information | roleAgencyDomain | assignRoleToAgencyOnDomain |
Canceling permissions of an agency based on domain information | roleAgencyDomain | unassignRoleToAgencyOnDomain |
Successful initial login as a federated user | user | tenantLoginBySamlSuccess |
Registering a mapping | mapping | createMapping |
Updating a mapping | mapping | updateMapping |
Deleting a mapping | mapping | deleteMapping |
Registering a protocol | protocol | createProtocol |
Updating a protocol | protocol | updateProtocol |
Changing the mobile number using an email | user | changeMobileByEmail |
Changing the password using an email | user | updateUserPwdByEmail |
Modifying agency permissions on the console | agency | updateagenciesRolesByConsole |