Auditing

Applies To: Windows Server 2003 with SP1

Authorization Manager provides two types of auditing.

  • Authorization Manager runtime auditing

  • Authorization Manager policy store change auditing

Authorization Manager runtime auditing

Authorization Manager runtime auditing generates audit events for:

  • Application initialization

  • Client context initialization and deletion

  • Every call to AccessCheck, producing both success (access granted) and failure (access denied) audits

Runtime auditing can be configured at the store level or at the application level. It is enabled through the GenerateAudits property of the IAzAuthorizationStore interface (for the whole store) or of the IAzApplication interface (for a single application). The setting itself is persisted in the Authorization Manager policy store, so it survives restarts and applies to every process that opens that store.

Two conditions must hold before runtime audits are actually written. First, the system that is running Authorization Manager must have auditing enabled (the Audit object access policy). Second, the security context that calls the Authorization Manager interfaces must hold SeAuditPrivilege (SE_AUDIT_NAME, displayed as Generate security audits), which by default is granted only to the LocalSystem, Local Service and Network Service accounts. If either condition is not met, the checks still run but no audits are produced. An application that must not run without an audit trail can fail closed instead: passing the AZ_AZSTORE_FLAG_AUDIT_IS_CRITICAL flag to IAzAuthorizationStore::Initialize causes Initialize to fail unless the calling process holds SeAuditPrivilege.
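The following PowerShell script is an added example, not code from the original page or from Authorization Manager itself. It checks the caller for SeAuditPrivilege, opens an XML policy store with AZ_AZSTORE_FLAG_AUDIT_IS_CRITICAL so that a missing privilege is a hard failure, turns on GenerateAudits at both the store and application level, and then performs one audited AccessCheck. The store path C:\AzMan\Store.xml, the application name ExpenseApp, the object name and the operation ID 1 are assumptions for illustration; the store is assumed to already exist and to define that application and operation.

```powershell
# Added example (not from the original page): enable Authorization Manager runtime
# auditing on an XML policy store and require it to be present at runtime.
# Assumptions: the store lives at C:\AzMan\Store.xml (hypothetical path), it already
# contains an application named "ExpenseApp" with an operation whose ID is 1
# (hypothetical names), and the script runs elevated on a machine where the
# "Audit object access" audit policy is enabled.

$storeUrl = 'msxml://C:\AzMan\Store.xml'
$appName  = 'ExpenseApp'

# AZ_AZSTORE_FLAG_AUDIT_IS_CRITICAL (0x8) makes IAzAuthorizationStore::Initialize fail
# unless the caller holds SeAuditPrivilege, so a misconfigured service cannot silently
# run without producing audits.
$AZ_AZSTORE_FLAG_AUDIT_IS_CRITICAL = 0x8

# Pre-flight check: SeAuditPrivilege is granted by default to LocalSystem, Local Service
# and Network Service, but not to ordinary interactive users.
$privs = & whoami.exe /priv
if (-not ($privs | Select-String -SimpleMatch 'SeAuditPrivilege')) {
    throw 'Caller lacks SeAuditPrivilege; Initialize with AUDIT_IS_CRITICAL would fail.'
}

$store = New-Object -ComObject 'AzRoles.AzAuthorizationStore'
$store.Initialize($AZ_AZSTORE_FLAG_AUDIT_IS_CRITICAL, $storeUrl, $null)

# Step 1 (policy-store change, persisted): turn on runtime auditing at the store level,
# then at the application level. Each Submit writes the change into the policy store.
$store.GenerateAudits = $true
$store.Submit(0, $null)

$app = $store.OpenApplication($appName, $null)
$app.GenerateAudits = $true
$app.Submit(0, $null)

# Step 2 (runtime, audited): from here on every client context creation/deletion and
# every AccessCheck is audited. A token handle of 0 means "use the caller's own token".
$ctx = $app.InitializeClientContextFromToken(0, $null)

$scopes     = [object[]]@('')   # '' selects the application scope (no named scope)
$operations = [object[]]@(1)    # operation IDs as defined in the store (assumed: 1)
$results = $ctx.AccessCheck('ExpenseReport-42', $scopes, $operations,
                            $null, $null, $null, $null, $null)

# AccessCheck returns one Win32 error code per requested operation; 0 means granted.
for ($i = 0; $i -lt $operations.Count; $i++) {
    $verdict = if ($results[$i] -eq 0) { 'ALLOWED' } else { "DENIED (error $($results[$i]))" }
    Write-Output ('Operation {0}: {1}' -f $operations[$i], $verdict)
}

# Releasing the client context is what generates the "client context deleted" audit.
[void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($ctx)
```

Run it under an account that holds SeAuditPrivilege (for example as a scheduled task running as Network Service) and watch the Security log: you should see one application-initialization audit, one client-context-creation audit, one AccessCheck audit per operation, and one client-context-deletion audit. If the privilege check passes but nothing appears, the Audit object access policy is the usual culprit, and that is exactly the silent failure the AUDIT_IS_CRITICAL flag does not cover, because the flag only tests the privilege.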

Authorization Manager policy store change auditing

Authorization Manager policy store change auditing generates audits when the authorization policy itself is modified, for example when a role assignment, operation or the GenerateAudits setting is changed. How this is done depends on where the store lives. Active Directory supports auditing of directory objects, so changes to an Active Directory-based store are audited through the standard Active Directory system auditing, and because each store, application and scope is a separate directory object, the auditing settings can be configured at the store, application and scope levels independently. An XML store is a single file, so changes to it can only be audited as a whole, by placing audit entries in the system access control list (SACL) of the XML file; this requires the file to reside on an NTFS volume and, as with runtime auditing, the Audit object access policy to be enabled.
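The following PowerShell script is an added example, not code from the original page or from Authorization Manager itself. It puts an audit entry in the SACL of an XML policy store file so that every successful or failed attempt to modify, delete or re-permission the store is recorded in the Security log. The path C:\AzMan\Store.xml is an assumption for illustration; the script assumes the file is on an NTFS volume, that it runs as an administrator (writing a SACL needs SeSecurityPrivilege) and that the Audit object access policy is enabled.

```powershell
# Added example (not from the original page): audit changes to an XML policy store
# as a whole by placing an audit ACE (SACL entry) on the store file.
# Assumptions: the store is C:\AzMan\Store.xml (hypothetical path), the volume is NTFS,
# the script runs as an administrator (writing a SACL needs SeSecurityPrivilege), and
# the "Audit object access" audit policy is enabled so the SACL actually produces events.

$storePath = 'C:\AzMan\Store.xml'

# Audit successful and failed attempts by anyone to modify, delete, re-permission or
# take ownership of the file. Reads are deliberately not audited: the store is read on
# every AccessCheck and auditing reads would flood the Security log.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)

# Get-Acl only retrieves the SACL when -Audit is given; without it the audit rules
# would be silently dropped on Set-Acl.
$acl = Get-Acl -Path $storePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $storePath -AclObject $acl

# Verify: list the audit rules now present on the file (explicit and inherited).
(Get-Acl -Path $storePath -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

The resulting events identify the account and the file that changed, but not which application or scope inside the store was edited; that granularity is only available with an Active Directory store, where the SACL can be set on the individual store, application and scope objects.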