Solved: Audit Trail for Operator role - Qlik Community

joekhoo · ‎2023-06-05

Currently from QEM , it appears only Admin role is able to access the audit trail. From API, it appears Operator role is also able to access the audit trail. It will be better if QEM is in-line with that and allow Operator to access and download the audit trail as well therefore reducing the need to assign Admin role to users that only need to review audit trail information.

DesmondWOO · ‎2023-06-28

Hi @joekhoo ,

Our product does not currently support this function. I would recommend submitting your idea to the "Product Insight and Ideas" forum. Our Product Management team welcomes any suggestions or ideas.

To get started, please see our article: "Getting Started with Ideas".

Regards,
Desmond

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

View solution in original post

Dana_Baldwin · ‎2023-06-28

Hi @joekhoo

If one of the replies helped to resolve the issue, please mark it as a solution & like it to make it easier for others to find.
Thanks in advance!

View solution in original post

DesmondWOO · ‎2023-06-06

Hi @joekhoo ,

I was unable to reproduce your problem on the QEM v2022.11.0.335. When I changed my account role from Admin to Operator, the Audit Trail icon was removed immediately. Additionally, when I ran the REST API "ExportAuditTrail", I received an unauthorized request error message.

{

"error_code": "UNAUTHORIZED_REQUEST",

"error_message": "Unauthorized Request. request: AemExportAuditTrail"

}

Would you mind testing it again and kindly providing me with the name of the API you used?

Regards,
Desmond

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

joekhoo · ‎2023-06-07

Hi @DesmondWOO ,

We were informed by Qlik Support in this case:

Case Details - Qlik Community

That : "user id with operator permissions should be able to download Audit trail information via API call."

I do not think we have actually validated that yet with an actual API call. I'll get my guys to do the test and come back on this.

Thanks.

best regards,

Joe Khoo

DesmondWOO · ‎2023-06-07

Hi @joekhoo ,

Thank you for your update. If you would like to find out the specific permissions for each API, you can refer to the Qlik Enterprise Manager API guide's Appendix B. It contains detailed information on the permissions required for each API.

Regards,
Desmond

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

Dana_Baldwin · ‎2023-06-07

Hi @DesmondWOO

You can access the documentation here (please set the version of QEM you are using at the top left, this link is for the latest version):

Required Enterprise Manager permissions | Qlik Enterprise Manager Help

You can also download a PDF here: PDF Guides | Qlik Enterprise Manager Help

Hope this helps!

Dana

DesmondWOO · ‎2023-06-19

Hi @joekhoo ,

May I kindly inquire if there have been any updates from your team regarding this matter?

Thanks,
Desmond

Help users find answers! Don't forget to mark a solution that worked for you! If already marked, give it a thumbs up!

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

joekhoo · ‎2023-06-19

Hi @DesmondWOO , my team member that's working on this was on leave. Should be back soon. I'll update in a couple of days. Thanks.

joekhoo · ‎2023-06-19

Hi @DesmondWOO , we just confirmed the behavior.

We will get UNAUTHORIZED_REQUEST if we try to call AemExportAuditTrail using a Session ID that was obtained with credentials that only have Operator role.

Having confirmed that; I would like to ask if there is any way to request to change this.

The rationale is that accessing audit trail thru API or QEM should require the same privileges as Admin user. Typically in QEM the download and review of audit log is to be done by Operators that should have be able to make any changes to the Qlik Replicate tasks themselves.

For the API call, the download/export of audit trail in our case is to be done by our central logging system which again should not be given an account with admin privileges. Having admin privileges increases the risk (impact) unnecessarily in the event that this account is compromised..

DesmondWOO · ‎2023-06-27

Hi @joekhoo ,

I believe it's not possible to define privileges for the APIs. It would need to be a feature request.

Audit trail contains sensitive information such as the account name, associated privileges, login times etc, it's crucial to maintain proper security measures. As a result, we require Admin privileges to get the Audit Trail information.

Regards,
Desmond

Help users find answers! Do not forget to mark a solution that worked for you! If already marked, give it a thumbs up!

joekhoo · ‎2023-06-27

Hi @DesmondWOO ,

I do agree that audit trail will contain sensitive information as you have mentioned, however I don't think Admin role is the right role for this because Admin role comes with a lot of other privileges and it is excessive.

An auditor or security personnel that may need to have access to the log should not be able to perform other administrative tasks that comes with the Admin role.

And in our case, a central log management system that needs to access the API to retrieve the log should not be configured with a service account that is having Admin privileges because that increases the risk for that system unnecessarily.

In some other applications, there are roles for security administration and audit, which have some access to these information but will not include full administrative privileges.

Hope this can be raised as a feature request.

Thanks.

best regards,

Joe Khoo

Audit Trail for Operator role

Security