Overview
When a Delegated Admin makes a change to a user, the “sapi” logs do not show which user initiated the PATCH. This article explains how to determine which Delegated Admin made the change.
Applies To
- Delegated Admin Extension
- User Updates
Cause
Only the Tenant Dashboard currently logs which user made changes to the tenant.
Calls to the Management API do not log the user ID involved, and calling these endpoints is typically done machine-to-machine (M2M), so there is no context of a user.
Solution
Although the Auth0 Dashboard tenant logs do not record which Delegated Admin user performed an operation, the Delegated Admin Extension supports hooks, which can be used for this purpose.
The Access Hook fires when an admin user takes an action. Its ctx object contains the details of both the admin user (ctx.request.user) and the user the operation targets (ctx.payload.user).
The following sample hook logs every action taken by a Delegated Admin user.
function(ctx, callback) {
  var request = require('request');
  // ctx.request.user is the Delegated Admin; ctx.payload.user is the user being acted on
  var msg = {
    "Admin_ID": ctx.request.user.user_id,
    "User_ID": ctx.payload.user.user_id,
    "Action": ctx.payload.action
  };
  request({
    url: 'https://log-service-api-domain',
    method: 'POST',
    json: {"body": msg}
  }, function(error, response, body) {
    if (error) {
      ctx.log('Failed to send audit log: ' + error.message);
    } else {
      ctx.log(body);
    }
    // Call back only after the request has completed so the log is actually delivered
    return callback();
  });
}
It is possible to customize the logic to send logs only for certain events. The following sample sends a log only when a user is deleted.
function(ctx, callback) {
  if (ctx.payload.action === 'delete:user') {
    var request = require('request');
    var msg = {
      "Admin_ID": ctx.request.user.user_id,
      "User_ID": ctx.payload.user.user_id,
      "Action": ctx.payload.action
    };
    request({
      url: 'https://log-service-api-domain',
      method: 'POST',
      json: {"body": msg}
    }, function(error, response, body) {
      if (error) {
        ctx.log('Failed to send audit log: ' + error.message);
      } else {
        ctx.log(body);
      }
      // Allow the action only once the log request has completed
      return callback();
    });
  } else {
    // Not a deletion: nothing to log, allow immediately
    return callback();
  }
}
These samples can be used as a starting point; however, make sure the external API calls that transfer the logs are properly secured with an authentication token.
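As an added example that is not from the original article or from the Auth0 extension itself, the following generalizes the two samples above into a factory that audits only a configurable set of actions, attaches a bearer token to the outbound request, and allows the action only once delivery has finished. The log-service URL, the bearer-token scheme and the token value are assumptions; the sender is injected so the hook can be exercised offline with a constructed ctx, and in the extension you would pass the request module itself.

```javascript
// Added example, not the article's or the extension's own code. sendFn(options, cb)
// has the signature of the `request` module, so in the extension pass require('request').
function makeAccessHook(opts) {
  var actions = new Set(opts.actions);   // actions to audit, e.g. ['delete:user']
  return function (ctx, callback) {
    var action = ctx.payload && ctx.payload.action;
    if (!actions.has(action)) return callback();   // not audited: allow immediately
    var msg = {
      Admin_ID: ctx.request.user.user_id,                     // the Delegated Admin
      User_ID: ctx.payload.user && ctx.payload.user.user_id,  // the target user
      Action: action,
      Timestamp: new Date().toISOString()
    };
    opts.sendFn({
      url: opts.url,                                       // assumed log-service URL
      method: 'POST',
      headers: { Authorization: 'Bearer ' + opts.token },  // assumed auth scheme
      json: { body: msg }
    }, function (error) {
      if (error) ctx.log('audit delivery failed: ' + error.message);
      // Audit only: allow the action whether or not delivery succeeded, but only after it finished
      return callback();
    });
  };
}

// Constructed offline run: a fake sender records what would be POSTed and
// calls back synchronously so the outcome can be inspected directly.
function runSample() {
  var sent = [];
  var hook = makeAccessHook({
    actions: ['delete:user', 'block:user'],
    url: 'https://log-service-api-domain',
    token: 'TOKEN_PLACEHOLDER',
    sendFn: function (options, cb) { sent.push(options); cb(null, { statusCode: 202 }, 'ok'); }
  });
  function ctxFor(action) {
    return {
      request: { user: { user_id: 'auth0|admin-constructed' } },
      payload: { action: action, user: { user_id: 'auth0|target-constructed' } },
      log: function () {}
    };
  }
  var allowed = 0;
  hook(ctxFor('read:user'), function () { allowed++; });    // filtered out, nothing sent
  hook(ctxFor('delete:user'), function () { allowed++; });  // audited and sent
  return { allowed: allowed, sent: sent };
}
```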