Access Audit Logs (Audit Log Service in SAP BTP, Cloud Foundry)

Access the audit logs for changes in personal data and for successful and failed authentications of Identity Authentication tenants, on the SAP infrastructure as well as on the AWS and Azure infrastructures, in the Audit Log Service in SAP BTP, Cloud Foundry.

You have a subaccount in your global account in SAP BTP, Cloud Foundry. For more information, see Create a Subaccount.

Context

Note:

The content in this document applies to tenants on the SAP infrastructure as well as to tenants on the AWS and Azure infrastructures.

Tip:

If your tenant is on the SAP infrastructure, the Audit and Change Logs tile in the administration console for SAP Cloud Identity Services shows the Cloud Foundry, NEO, and Change Logs configuration options. If your tenant is on the AWS or Azure infrastructure, it shows the Audit Logs and Change Logs configuration options.

The audit log entries in the Audit Log Service in SAP BTP, Cloud Foundry are retained for 90 days.

To view the audit logs, follow the procedures below.

Add the entitlement for the Audit Log Viewer Service to your subaccount:

  1. In the SAP BTP cockpit, navigate to the corresponding subaccount. For more information, see Navigate in the Cockpit.

  2. In the navigation area on the left, choose Entitlements, then choose Edit > Add Service Plans.

  3. From the dialog, search for and select Audit Log Viewer Service, select the free (Application) checkbox, and then choose Add 1 service plan.

  4. Save your changes.

Subscribe to the Audit Log Viewer Service:

  1. In the SAP BTP cockpit, navigate to the corresponding subaccount. For more information, see Navigate in the Cockpit.

  2. Navigate to Services > Service Marketplace, and select Audit Log Viewer Service.

  3. Choose Create.

    In the New Instance or Subscription dialog box, Audit Log Viewer Service for Service, and free for Plan are already preselected.

  4. Choose Create and close the information message.

Create a role collection that grants access to the audit logs and assign it to the user:

  1. In the SAP BTP cockpit, navigate to the corresponding subaccount. For more information, see Navigate in the Cockpit.

  2. Choose Security > Roles Collections in the navigation area.

  3. Choose Create.

  4. Enter a name for the new role collection in the Create Role Collection popup and choose Create.

    The new role appears in the Role Collections list.

  5. Select the newly created role collection from the list.

  6. Choose the Edit button.

  7. Under the Roles tab, expand the Role Name list and select the auditlog viewer and auditlog-management roles.

    If the roles don't exist, create them. For more information, see Configure Application Roles and Assign Roles to Users.

  8. Choose Add.

  9. Navigate back to the subaccount and choose Security > Users and assign the role collection to the user.

Remember:

You can have only one audit log configuration in the administration console for SAP Cloud Identity Services. If you want to add a new configuration, you must remove the existing one first, and then follow the steps below to add the new one.

Configure the Audit Log Service in the administration console:

  1. Sign in to the administration console for SAP Cloud Identity Services.

  2. Choose the Audit and Change Logs tile.

  3. Choose the Audit Logs tab.

  4. You have the following options:

    • If your tenant is on the SAP infrastructure, choose the Cloud Foundry tab.
    • If your tenant is on the AWS, Azure infrastructure, choose the Audit Logs tab.

  5. Choose +Add.

  6. Fill in the required information in the pop up and save your changes.

    | Configuration | Notes |
    |---|---|
    | Tenant ID | Required. The tenant ID of your Cloud Foundry account. |
    | Region | SAP BTP, Cloud Foundry region. You can choose a region from the options in the dropdown. For more information, see the mapping table. |
    | Subdomain | Optional. If you provide it, a link to the Audit Log Viewer is added in the Audit Service Configuration, and you can access the audit logs directly from the administration console. |

    Note:

    The subaccount region must map to your Identity Authentication region. Otherwise you'll get an error when you try to access the audit logs directly from the administration console.

    Identity Authentication - Cloud Foundry Regions Mapping

    | Identity Authentication Region | Identity Authentication Infrastructure | Cloud Foundry Technical Name | Cloud Foundry Name | Default |
    |---|---|---|---|---|
    | North America (Canada Central) / Canada (Toronto) | azure-canadacentral | cf-ca10 | Canada (Montreal) | Yes |
    | US West / West US 2 | azure-westus2 | cf-us20 | US West (WA) | Yes |
    | US West / West US 2 | azure-westus2 | cf-us21 | US East (VA) | No |
    | US West / West US 2 | azure-westus2 | cf-us10 | US East (VA) | No |
    | US West / West US 2 | azure-westus2 | cf-us30 | US Central (IA) | No |
    | US West / East US | azure-eastus | cf-us20 | US West (WA) | Yes |
    | Singapore | aws-ap-southeast-1 | cf-ap11 | Singapore | Yes |
    | Singapore | aws-ap-southeast-1 | cf-ap21 | Singapore | No |
    | South Korea / South Korea (Seoul) | aws-ap-northeast-2 | cf-ap12 | South Korea (Seoul) | Yes |
    | Europe / Germany (Frankfurt) | aws-eu-central-1 | cf-eu11 | Europe (Frankfurt) EU Access | Yes |
    | Europe / Germany (Frankfurt) | aws-eu-central-1 | cf-eu10 | Europe (Frankfurt) | No |
    | Europe / Germany (Frankfurt) | aws-eu-central-1 | cf-eu20 | Europe (Netherlands) | No |
    | Europe / Germany (Frankfurt) | aws-eu-central-1 | cf-eu30 | Europe (Frankfurt) GCP | No |
    | Europe / Switzerland | azure-switzerlandnorth | cf-ch20 | Switzerland (Zurich) Azure EU Access | Yes |
    | India (Mumbai) | aws-ap-south-1 | cf-in30 | India (Mumbai) | Yes |
    | Brazil | aws-sa-east-1 | cf-br10 | Brazil (São Paulo) | Yes |
    | Europe / Germany (Frankfurt) | eu-de-2 | cf-eu10 | Europe (Frankfurt) | Yes |
    | Europe / Germany (Frankfurt) | eu-de-2 | cf-eu11 | Europe (Frankfurt) EU Access | No |
    | Europe / Germany (Frankfurt) | eu-de-2 | cf-eu20 | Europe (Netherlands) | No |
    | Europe / Germany (Frankfurt) | eu-de-2 | cf-eu30 | Europe (Frankfurt) GCP | No |
    | Australia (Sydney) | ap-au-1 | cf-ap10 | Australia (Sydney) | Yes |
    | Australia (Sydney) | ap-au-1 | cf-ap20 | Australia (Sydney) | No |
    | Japan (Tokyo) | ap-jp-1 | cf-jp10 | Japan (Tokyo) | Yes |
    | Japan (Tokyo) | ap-jp-1 | cf-jp20 | Japan (Tokyo) | No |
    | US East / East US | na-us-2 | cf-us10 | US East (VA) | Yes |
    | US East / East US | na-us-2 | cf-us21 | US East (VA) | No |
    | Europe / Netherlands (Amsterdam) | eu-nl-1 | cf-eu10 | Europe (Frankfurt) | Yes |
    | Europe / Netherlands (Amsterdam) | eu-nl-1 | cf-eu11 | Europe (Frankfurt) EU Access | No |
    | Europe / Netherlands (Amsterdam) | eu-nl-1 | cf-eu20 | Europe (Netherlands) | No |
    | Europe / Netherlands (Amsterdam) | eu-nl-1 | cf-eu30 | Europe (Frankfurt) GCP | No |
    | US East / East US | na-us-1 | cf-us10 | US East (VA) | Yes |
    | US East / East US | na-us-1 | cf-us21 | US East (VA) | No |

  7. Save your changes.

    Caution:

    If your SAP Cloud Identity Services tenant is migrated to a new region, you must remove the current configuration and repeat the procedure with the new region.

  8. View the audit logs. You have two options:

    • If a subdomain is configured, choose the link to the Audit Log Viewer in the Audit Service Configuration in the administration console.
    • In the cockpit, navigate to Services > Instances and Subscriptions > Audit Log Viewer.

The configuration becomes active within the next 15 minutes. Once you open the Audit Log Viewer, you can filter the logs by date and by keyword.

The audit logs provide information about the event category and timestamp, the event and object type, who performed the action, and more. For example:

  • Category: audit.security-events (logged as security event message), audit.configuration (logged as configuration modification message), audit.data-access (logged as data access message).

  • Event Type: JOB_TRIGGERED, SYSTEM_UPDATED, SYSTEM_CREATED, SYSTEM_DELETED

  • Object Type: Job, System

  • ObjectAttribute.performed-by-user: P123456

For more information about the security events that are logged by Identity Authentication, see Auditing and Logging Information.
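To turn the record fields listed above into something a reviewer can act on, here is an added Python example (not code from the SAP documentation or from the Audit Log Service) that triages a batch of records of the kind the Audit Log Retrieval API returns. It assumes each record has top-level `category` and `time` fields and a `message` field that is a JSON string carrying the attributes the page lists; the attribute key names, the sample user IDs, and the event types that do not appear on the page (AUTH_FAILED, AUTH_SUCCEEDED, PERSONAL_DATA_READ) are constructed. It groups retained records by category, lists configuration modifications with their actor, flags users that generate many security events within the batch, and counts records that already fall outside the 90-day retention window.

```python
"""Triage of Audit Log Service records for an Identity Authentication tenant.

Added example, not part of the SAP documentation. It assumes the record shape
described in the lead-in: `category` and `time` at the top level and a
`message` that is itself a JSON string holding the attributes the page lists
(Event Type, Object Type, ObjectAttribute.performed-by-user). The attribute
key names and the sample event types other than the ones on the page are
assumptions; adapt them to what your tenant actually emits.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Retention of the Audit Log Service in SAP BTP, Cloud Foundry (from the page).
RETENTION_DAYS = 90

# Categories the page lists, with the message kind each is logged as.
CATEGORIES = {
    "audit.security-events": "security event message",
    "audit.configuration": "configuration modification message",
    "audit.data-access": "data access message",
}


def _rec(category, time, event_type, object_type, user):
    """Build one constructed record in the assumed API shape."""
    attrs = {"Event Type": event_type, "Object Type": object_type,
             "ObjectAttribute.performed-by-user": user}
    return {"category": category, "time": time, "message": json.dumps(attrs)}


# Constructed sample data, not real tenant records. AUTH_FAILED, AUTH_SUCCEEDED
# and PERSONAL_DATA_READ are made-up event type names.
SAMPLE_RECORDS = [
    _rec("audit.security-events", "2024-05-01T08:00:00.000Z", "AUTH_FAILED", "User", "P123456"),
    _rec("audit.security-events", "2024-05-01T08:00:05.000Z", "AUTH_FAILED", "User", "P123456"),
    _rec("audit.security-events", "2024-05-01T08:00:09.000Z", "AUTH_FAILED", "User", "P123456"),
    _rec("audit.security-events", "2024-05-01T09:00:00.000Z", "AUTH_SUCCEEDED", "User", "P654321"),
    _rec("audit.configuration", "2024-05-01T10:00:00.000Z", "SYSTEM_UPDATED", "System", "P123456"),
    _rec("audit.configuration", "2024-05-01T10:05:00.000Z", "JOB_TRIGGERED", "Job", "P654321"),
    _rec("audit.data-access", "2024-05-01T11:00:00.000Z", "PERSONAL_DATA_READ", "User", "P654321"),
    # Older than the 90-day retention window relative to SAMPLE_NOW below.
    _rec("audit.security-events", "2024-01-01T08:00:00.000Z", "AUTH_FAILED", "User", "P777777"),
]
SAMPLE_NOW = datetime(2024, 5, 2, tzinfo=timezone.utc)  # constructed reference time


def parse_record(rec):
    """Flatten one record; `message` is parsed from its JSON string form."""
    msg = rec["message"]
    attrs = json.loads(msg) if isinstance(msg, str) else dict(msg)
    ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "category": rec["category"],
        "time": ts,
        "event_type": attrs.get("Event Type"),
        "object_type": attrs.get("Object Type"),
        "user": attrs.get("ObjectAttribute.performed-by-user", "<unknown>"),
    }


def within_retention(ts, now, days=RETENTION_DAYS):
    """True if the record is still inside the service's retention window."""
    return now - ts <= timedelta(days=days)


def triage(records, now, security_threshold=3):
    """Summarise records: counts per category, configuration changes with their
    actor, users with at least `security_threshold` security events, and the
    number of records already outside the retention window."""
    summary = {"by_category": Counter(), "config_changes": [], "noisy_users": {}, "expired": 0}
    per_user = Counter()
    for p in map(parse_record, records):
        if not within_retention(p["time"], now):
            summary["expired"] += 1
            continue
        summary["by_category"][p["category"]] += 1
        if p["category"] == "audit.configuration":
            summary["config_changes"].append((p["event_type"], p["object_type"], p["user"]))
        elif p["category"] == "audit.security-events":
            per_user[p["user"]] += 1
    summary["noisy_users"] = {u: n for u, n in per_user.items() if n >= security_threshold}
    return summary


def run_sample():
    """Triage the constructed sample against the constructed reference time."""
    return triage(SAMPLE_RECORDS, SAMPLE_NOW)


if __name__ == "__main__":
    result = run_sample()
    for cat, n in result["by_category"].items():
        print(f"{n} x {cat} ({CATEGORIES.get(cat, 'unknown')})")
    for event, obj, user in result["config_changes"]:
        print(f"configuration change: {event} on {obj} by {user}")
    for user, n in result["noisy_users"].items():
        print(f"{user}: {n} security events")
    print(f"{result['expired']} record(s) outside the {RETENTION_DAYS}-day window")
```

Run it as a script to print the summary for the constructed sample; to use it on real data, load the JSON array you retrieve through the API into `triage` with the current time, after checking that the attribute key names match what your tenant's records carry.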

(Optional) Retrieve the audit logs via the Audit Log Retrieval API. See Audit Log Retrieval API Usage for Subaccounts in the Cloud Foundry Environment.