
Architecture: Auditing

Auditing

Auditing is the process of chronologically recording all activities of a system so that the records can serve as evidence in the future.

Auditing OpenPermis

OpenPermis provides an interface for registering your own audit service. This audit service has a veto right and can deny an access that would otherwise be granted by the OpenPermis PDP. For example, the audit service might deny all requests if it cannot record the access decisions because its backend database is down.

Note

OpenPermis currently does not provide any secure auditing services itself! The decision to provide only an interface for auditing was made on purpose, so that you can integrate the same auditing service that you use for the rest of your application.

Usage

The simple example shows how to integrate an audit service.

The following steps are needed to integrate an auditing service:

  1. Provide an implementation of the org.openpermis.audit.VetoableAccessDecisionListener interface:

    public interface VetoableAccessDecisionListener {
    			
        /**
         * This method gets called when an access decision has been reached.
         * @param request the request parameters for the access decision.
         * @param decision the calculated access decision.
         * @throws AccessDecisionVetoException if the recipient wishes to veto the access decision.
         */
        public void vetoableAccessDecision (
            AccessDecisionRequest request, AccessDecision decision
        )
            throws AccessDecisionVetoException;
        
        /**
         * This method gets called if the PDP fails to determine an access decision.
         * @param request the request parameters for the access decision.
         * @param exception the exception that caused the failure in the PDP.
         */
        public void accessDecisionFailure (
            AccessDecisionRequest request, PolicyDecisionException exception
        );
    }

    Adapter

    To guard against future changes to the interface, you should extend org.openpermis.audit.VetoableAccessDecisionAdapter. It provides an empty implementation of the above interface.

  2. Create an org.openpermis.audit.AuditPolicyDecisionPoint with your vetoable access decision listener.
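
A fail-closed listener for step 1, matching the "backend database is down" case described above. This is an added example, not OpenPermis code: `AuditSink` is a hypothetical backend interface, the OpenPermis types are replaced by stand-ins so the file compiles alone, and the two-argument `AccessDecisionVetoException` constructor is an assumption.

```java
import java.io.IOException;

public class FailClosedAuditListener implements VetoableAccessDecisionListener {
    private final AuditSink sink;
    public FailClosedAuditListener(AuditSink sink) { this.sink = sink; }

    @Override
    public void vetoableAccessDecision(AccessDecisionRequest request, AccessDecision decision)
            throws AccessDecisionVetoException {
        try {
            sink.append("decision request=" + request + " decision=" + decision);
        } catch (IOException e) {
            // No record, no access: veto rather than let an unaudited decision through.
            throw new AccessDecisionVetoException("audit record could not be written", e);
        }
    }

    @Override
    public void accessDecisionFailure(AccessDecisionRequest request, PolicyDecisionException exception) {
        try {
            sink.append("pdp-failure request=" + request + " cause=" + exception);
        } catch (IOException e) {
            // This callback cannot veto; report the gap instead of hiding it.
            System.err.println("audit sink unavailable during PDP failure: " + e);
        }
    }

    public static void main(String[] args) { // constructed demo: the audit backend is down
        AuditSink down = record -> { throw new IOException("audit database unreachable"); };
        try {
            new FailClosedAuditListener(down)
                .vetoableAccessDecision(new AccessDecisionRequest(), new AccessDecision());
        } catch (AccessDecisionVetoException e) { System.out.println("vetoed: " + e.getMessage()); }
    }
}

// Hypothetical audit backend (database, syslog, ...); not an OpenPermis type.
interface AuditSink { void append(String record) throws IOException; }
// Stand-ins for the OpenPermis types named on this page, declared only so this
// file compiles alone; the real classes' constructors and members may differ.
class AccessDecisionRequest {}
class AccessDecision {}
class PolicyDecisionException extends Exception {}
class AccessDecisionVetoException extends Exception { AccessDecisionVetoException(String m, Throwable c) { super(m, c); } }
interface VetoableAccessDecisionListener {
    void vetoableAccessDecision(AccessDecisionRequest request, AccessDecision decision)
        throws AccessDecisionVetoException;
    void accessDecisionFailure(AccessDecisionRequest request, PolicyDecisionException exception);
}
```

In a real integration, drop the stand-ins, use the OpenPermis types of the same names, and log the specific request fields your audit policy requires instead of relying on `toString()`.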