36 changes: 19 additions & 17 deletions docs/components/concepts/access-control/authorizations.md

Large diffs are not rendered by default.

8 changes: 8 additions & 0 deletions docs/components/identity/access-control.md
Expand Up @@ -25,3 +25,11 @@ The following authorizations are required to manage each User, Group, Role, Auth
| Authorization type | Resource type | Resource ID | Permission |
| :--------------------------------- | :---------------------------------------------------------------- | :------------------------------------------------------------------------------ | :------------------------------------------ |
| Create/Read/Update/Delete resource | One of `User`, `Group`, `Authorization`, `Mapping Rule`, `Tenant` | ID of the resource or `*` (for access to all resources and to create resources) | Any of `CREATE`, `READ`, `UPDATE`, `DELETE` |

## Optional authorizations

The following optional authorizations can also be defined:

| Authorization type | Resource type | Resource ID | Permission |
| :---------------------- | :------------ | :--------------------------------- | :--------- |
| View audit log entries. | `AUDIT_LOG` | `ADMIN` or `*` for all categories. | `READ` |
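
Review bot: In the new `AUDIT_LOG` row, the Resource ID cell offers `*` "for all categories" without saying which categories exist beyond `ADMIN`. The Operate table changed in this same PR lists `DEPLOYED_RESOURCES` and `USER_TASKS` as further categories, so a reader who grants `*` here just to open Identity's operations log is also granting read access to those logs. Suggest stating that `ADMIN` is the narrowest value that works for Identity and that `*` extends to every category. Minor: the new cells end with periods while the existing row above the heading does not.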
23 changes: 23 additions & 0 deletions docs/components/identity/audit-operations.md
@@ -0,0 +1,23 @@
---
id: audit-operations
title: Audit operations
description: "Learn how to audit operations."
---

Audit [operations](../user-operations-audit-log/overview.md) in Camunda 8 Identity.

## Prerequisites

To follow the steps in this guide, you must be [authorized to view operations in the audit log](../user-operations-audit-log/overview/access-control.md).

## Audit operations

In Identity, you can audit all [`ADMIN` operations](../user-operations-audit-log/overview/recorded-operations.md#admin-operations):

1. In the top navigation, click **Operations log**.
2. To sort the log, click a column header.
Contributor Author

I'm not sure if this second step is necessary. My rationale was twofold:

  • The document felt plain with a single step
  • Users might find it helpful to know they can sort the log while auditing


## Next steps

- [Learn about the operation data structure in the operations log.](../user-operations-audit-log/overview/operation-structure.md)
- [Use the Audit Log REST API to programmatically access the audit log](../../apis-tools/orchestration-cluster-api-rest/specifications/search-audit-logs.api.mdx).
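
Review bot: The Prerequisites section says the reader must be authorized but only links out and never names the authorization. The access-control.md change in this PR defines it as resource type `AUDIT_LOG`, resource ID `ADMIN` or `*`, permission `READ`; stating that here, or linking to the new "Optional authorizations" heading, saves the reader a hop and makes the required grant explicit. Also, under "Next steps" the first bullet keeps its period inside the link text and the second puts it outside; pick one.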
27 changes: 15 additions & 12 deletions docs/components/operate/overview/access-control.md
Expand Up @@ -23,15 +23,18 @@ The following mandatory authorizations are required to work with Operate:

The following optional authorizations can also be defined:

| Authorization type | Resource type | Resource ID | Permission |
| :---------------------------------------------------------------------------------- | :--------------------------------- | :--------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
| View decision definitions and decision instances | `Decision Definition` | ID of the respective DMN decision definition or `*` (for all process definitions). | `READ_DECISION_DEFINITION`, `READ_DECISION_INSTANCE` |
| View decision requirements definitions | `Decision Requirements Definition` | ID of the respective DRD or `*` (for all process definitions). | `READ` |
| View running and completed batch operations | `Batch` | `*` | `READ` |
| Update process instances via batch (cancellation, retries). | `Batch` | `*` | `CREATE` and corresponding permissions for the individual batch operation (for example, `CREATE_BATCH_OPERATION_CANCEL_PROCESS_INSTANCE`). |
| Update process instance directly (migrate, add/update variables, resolve incidents) | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `UPDATE_PROCESS_INSTANCE` |
| Modify process instances | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `MODIFY_PROCESS_INSTANCE` |
| Cancel process instance directly | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `CANCEL_PROCESS_INSTANCE` |
| Delete process instances | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `DELETE_PROCESS_INSTANCE` |
| Delete process definitions | `Resource` | ID of the respective BPMN process definition or `*` (for all resources). | `DELETE_PROCESS` |
| Delete decisions | `Resource` | ID of the respective decision ID or `*` (for all resources). | `DELETE_DECISION_INSTANCE` |
| Authorization type | Resource type | Resource ID | Permission |
| :-------------------------------------------------------------------------------------------------------- | :--------------------------------- | :-------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------- |
| View audit log entries. | `AUDIT_LOG` | An operation category (`DEPLOYED_RESOURCES` or `USER_TASKS`) or `*` for all categories. | `READ` |
| View decision definitions and decision instances | `Decision Definition` | ID of the respective DMN decision definition or `*` (for all process definitions). | `READ_DECISION_DEFINITION`, `READ_DECISION_INSTANCE` |
| View decision requirements definitions | `Decision Requirements Definition` | ID of the respective DRD or `*` (for all process definitions). | `READ` |
| View running and completed batch operations | `Batch` | `*` | `READ` |
| Update process instances via batch (cancellation, retries). | `Batch` | `*` | `CREATE` and corresponding permissions for the individual batch operation (for example, `CREATE_BATCH_OPERATION_CANCEL_PROCESS_INSTANCE`). |
| Update process instance directly (migrate, add/update variables, resolve incidents) | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `UPDATE_PROCESS_INSTANCE` |
| Modify process instances | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `MODIFY_PROCESS_INSTANCE` |
| Cancel process instance directly | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `CANCEL_PROCESS_INSTANCE` |
| Delete process instances | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `DELETE_PROCESS_INSTANCE` |
| View `DEPLOYED_RESOURCES` and `USER_TASKS` operation logs for instances of a specific process definition. | `Process Definition` | A process definition ID or `*` for all process definitions. | `READ_PROCESS_INSTANCE` |
| View `USER_TASKS` operation logs for instances of a specific process definition. | `Process Definition` | A process definition ID or `*` for all process definitions. | `READ_USER_TASK` |
| Delete process definitions | `Resource` | ID of the respective BPMN process definition or `*` (for all resources). | `DELETE_PROCESS` |
| Delete decisions | `Resource` | ID of the respective decision ID or `*` (for all resources). | `DELETE_DECISION_INSTANCE` |
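
Review bot: The added rows give three routes to operation logs (`AUDIT_LOG` with `READ`, `Process Definition` with `READ_PROCESS_INSTANCE`, and `Process Definition` with `READ_USER_TASK`), but nothing in the table says whether they are alternatives or have to be combined. Since this decides who can read audit data, suggest a sentence under the table stating whether a definition-scoped permission is sufficient on its own or only narrows what an `AUDIT_LOG` grant exposes, and how `READ_PROCESS_INSTANCE` and `READ_USER_TASK` overlap for `USER_TASKS` logs. Minor: "View audit log entries." ends with a period while the unchanged rows around it do not.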
33 changes: 33 additions & 0 deletions docs/components/operate/userguide/audit-operations.md
@@ -0,0 +1,33 @@
---
id: audit-operations
title: Audit operations
description: "Learn how to audit operations."
---

Audit [operations](../../user-operations-audit-log/overview.md) in Camunda 8 Operate.

## Prerequisites

To follow the steps in this guide, you must be [authorized to view operations in the audit log](../../user-operations-audit-log/overview/access-control.md).

## Audit all operations

In Operate, you can audit all [`DEPLOYED_RESOURCES` and `USER_TASKS` operations](../../user-operations-audit-log/overview/recorded-operations.md) in the general operations log:

1. In the top navigation, click **Operations Log**.
Contributor Author

I pointed this out in another channel, but the spelling is "Operations Log" (capital 'L') in Operate and "Operations log" (lowercase 'l') in Identity. I think we should make those consistent before we release the product and docs.

2. To sort the log, click a column header.
3. To see the details of a particular operation, click the info icon at the end of the row.
Member

🔧 We will also add some filtering in the general audit log tab. But let's only document this when it's added.

Contributor Author

TODO


## Audit process instance operations

You can also review operations at the process instance level:

1. On the **Processes** page, in the **Process Instances** table, click the **Process Instance Key** of the instance you want to audit.
2. Under the process diagram, click **Operations Log**.
3. To sort the log, click a column header.
4. To see the details of a particular operation, click the info icon at the end of the row.

## Next steps

- [Learn about the operation data structure in the operations log.](../../user-operations-audit-log/overview/operation-structure.md)
- [Use the Audit Log REST API to programmatically access the audit log](../../../apis-tools/orchestration-cluster-api-rest/specifications/search-audit-logs.api.mdx).
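
Review bot: Both procedures rely on the single Prerequisites sentence, yet the Operate access-control table in this PR separates category-wide access (`AUDIT_LOG`, `READ`) from access scoped to a process definition (`READ_PROCESS_INSTANCE`, `READ_USER_TASK`). Suggest saying under "Audit all operations" and under "Audit process instance operations" which authorization each view needs, so a user holding only a definition-scoped permission knows what the general log will and will not show. As in the Identity guide, the two "Next steps" bullets place the trailing period differently.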
Original file line number Diff line number Diff line change
Expand Up @@ -21,5 +21,5 @@ On the batch operation details page, expand a failed item row to view the failur

## Next steps

- [Learn how to monitor a process instance operation](./monitor-operation-status.md).
- [Learn how to audit process instance operations](./audit-operations.md).
Contributor Author

Removed the old "Monitor" guide and pointed to the new audit instead.

- [Learn how to manage a batch operation](./manage-batch-operation.md).
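
Review bot: The replacement link text promises "how to audit process instance operations" but targets the top of audit-operations.md, which opens with "Audit all operations"; the matching content is the later "Audit process instance operations" section. Suggest linking to that heading's anchor. Because monitor-operation-status.md is deleted in this PR, also confirm that no sidebar entry or other page still points to it.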
31 changes: 0 additions & 31 deletions docs/components/operate/userguide/monitor-operation-status.md

This file was deleted.

Original file line number Diff line number Diff line change
Expand Up @@ -102,5 +102,5 @@ If you click the **Apply** button from the summary modal as described [here](#vi

## Next steps

- [Monitor the operation status](./monitor-operation-status.md).
- [Learn how to audit process instance operations](./audit-operations.md).
- [Learn how to move a batch of process instances](./process-instance-batch-modification.md)
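
Review bot: On the added "Learn how to audit process instance operations" bullet, the status-checking guidance that the old "Monitor the operation status" link offered is not obviously replaced: the audit guide added in this PR covers opening, sorting and inspecting log entries. If the operations log is now where a reader checks the outcome of the modification they just applied, say so in the link text or on the target page. Minor: this bullet ends with a period and the unchanged bullet after it does not.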
19 changes: 11 additions & 8 deletions docs/components/tasklist/userguide/access-control.md
Expand Up @@ -14,16 +14,19 @@ You can assign these [in the Identity UI](components/identity/authorization.md#c

The following mandatory authorizations are required to work with Tasklist:

| Authorization type | Resource type | Resource ID | Permission |
| :---------------------------- | :------------------- | :--------------------------------------------------------------------------------- | :--------------- |
| Component access for Tasklist | `Component` | `tasklist` or `*` (for access to all web components). | `ACCESS` |
| Read user tasks | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `READ_USER_TASK` |
| Authorization type | Resource type | Resource ID | Permission |
| :----------------------------- | :------------------- | :--------------------------------------------------------------------------------- | :--------------- |
| Component access for Tasklist. | `Component` | `tasklist` or `*` (for access to all web components). | `ACCESS` |
| Read user tasks. | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `READ_USER_TASK` |

## Optional authorizations

The following optional authorizations can also be defined:

| Authorization type | Resource type | Resource ID | Permission |
| :----------------------------- | :------------------- | :--------------------------------------------------------------------------------- | :------------------------ |
| Assign and complete user tasks | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `UPDATE_USER_TASK` |
| View BPMN diagrams | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `READ_PROCESS_DEFINITION` |
| Authorization type | Resource type | Resource ID | Permission |
| :-------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------- | :--------------------------------------------------------------------------------- | :------------------------ |
| View task history records. | `AUDIT_LOG` | `USER_TASKS` or `*` for all categories. | `READ` |
| Assign and complete user tasks. | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `UPDATE_USER_TASK` |
| View BPMN diagrams. | `Process Definition` | ID of the respective BPMN process definition or `*` (for all process definitions). | `READ_PROCESS_DEFINITION` |
| View [`USER_TASKS` operations](../../user-operations-audit-log/overview/recorded-operations.md#user_tasks-operations) for instances of a specific process definition. | `PROCESS_DEFINITION` | A process definition ID or `*` for all process definitions. | `READ_USER_TASK` |
Contributor Author

Because we've added the operations log, I added the corresponding authorizations under "Optional authorizations"

| View task history records related to specific tasks the user has access to based on task properties. | `USER_TASK` | A user task property (`assignee`, `candidateUsers`, `candidateGroups`). | `READ` |
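
Review bot: The new `USER_TASKS` operations row writes the resource type as `PROCESS_DEFINITION`, while every other row in both tables of this file writes `Process Definition`, and the same column now also carries `AUDIT_LOG` and `USER_TASK`. Suggest settling on one convention (display name or enum-style identifier) so a reader copying the value into an authorization does not have to guess which form is accepted. The last row's Resource ID, "A user task property (`assignee`, `candidateUsers`, `candidateGroups`)", would also benefit from a sentence on what is actually entered in that field and how it limits which task history records are returned.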