When you call the Audit Log API to return specific data on your user activity in Pigment, it returns audit events. The audit event is a JSON with standard fields and a payload containing details that vary depending on the event type. This article describes audit event structures, and provides details on the event types that occur in your Pigment Workspace.
All audit events returned by the Audit Logs API has a standard structure. You can read more details about this in the article Calling the Audit Log API. The following is a list of event types returned by the Audit Logs API.
User event types
Audit Log Event Type
Description
Sample Payload
UserInvited
User invited into the organization.
If the user is invited into the organization, and SAML SSO is configured, then you can interpret this event to mean that the user is activated.
This event only appears if the user performs an action using the reset password email.
If the password is reset administratively, this event won’t appear. An example of this would be when a user can’t receive password reset emails, and is provided with a temporary password.
A Group was assigned to a Role in an Application or removed from a Role in an Application from the Groups page, or the Application Role was changed.
When an Application Role is removed from a Group, the payload will only contain the group and application fields - no record of the removed Application Role will be logged.
This event is logged whenever a Member has taken a Snapshot.
Note, a Snapshot creation might have failed but this event will still be logged. The status of the Snapshot created will be available on Pigment in the Snapshots page.
The parameter snapshotGroup refers to the Group that contains the Applications being snapshot. If it is a single Application being snapshot, the Group will just contain a single Application details in the applications parameter.
Every Application with a Snapshot will have two parameters:
The seedApplication is the live Application which is the source of data of the snapshot Application
The snapshotApplication is the snapshot version of the seedApplication
This event is logged whenever a Member has deleted a Snapshot or removed an Application from a Snapshot.
The parameter snapshotGroup refers to the Group that contains the Applications being snapshot. If it is a single Application being snapshot, the Group will just contain a single Application details in the applications parameter.
Every Application with a Snapshot will have two parameters:
The seedApplication is the live Application which is the source of data of the snapshot Application.
The snapshotApplication is the snapshot version of the seedApplication
The deletedSnapshotApplications field will contain details of the Applications that were deleted or removed from the Snapshot.
The name of the deleted Snapshot Application is not available, just the Application ID.
This event is logged whenever a Member has renamed a Snapshot.
There will be two parameters to represent the Group:
previousSnapshotGroup contains details about the Snapshot group prior to the update.
newSnapshotGroup contains details about the Snapshot group post-update.
The Snapshot Group refers to the group that contains the Applications being snapshot. If it is a single Application being snapshot, the Group will just contain a single Application details in the applications parameter.
Every Application with a Snapshot will have two parameters:
The seedApplication is the live Application which is the source of data of the snapshot Application
The snapshotApplication is the snapshot version of the seedApplication
The type parameter at the end of the payload will state the type of update, in this case a “Rename”.
No corresponding deleted View event is available when a Block is deleted.
{ "entity": { "id": "ABC123", "name": "My View", "application": { "id": "ABC123", "name": "My App" }, "entityType": "View" } }
Temporary Views in Pigment
Certain actions in Pigment can result in events from temporary Views being logged. For example, this can happen when you use the Formula Playground, or create a draft View, which is not saved, and then share the View URL with another Member in the Application.
You can identify these from the name of the View from within the entity. It has a suffix containing a random ID. In the example below, the suffix is 111aa1a1:
Using the Formula Playground in Pigment can result in the audit trail logging Metric events on temporary metrics. You can identify these from the name of the Metric from within the entity . It has a prefix Formula Playground. For example:
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
APIKeyRevoked
An API key was deleted.
This applies for all API key types.
The type field specifies the key type:
SecurityAudit - Audit Logs API key
Import - Import API key
Export - Export API key
UserProvisioning - SCIM Provisioning
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
APIKeyRenamed
An API key was renamed.
This applies for all API key types.
The type field specifies the key type:
SecurityAudit - Audit Logs API key
Import - Import API key
Export - Export API key
UserProvisioning - SCIM Provisioning
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
APIKeyRenewed
An API key expiration date was updated.
This applies for all API key types.
The type field specifies the key type:
SecurityAudit - Audit Logs API key
Import - Import API key
Export - Export API key
UserProvisioning - SCIM Provisioning
actOnBehalfOfKeyOwner confirms if the API key uses the credentials of the user who owns the API key (represented by the ownerID). It has a value of true or false.
ownerId indicates the user ID of the user who created the API key.
{ "id": "ABC123", "type": "SecurityAudit", "name": "My API Key", "expirationDate": "2025-01-04T14:42:14.397Z", "actOnBehalfOfKeyOwner": true, "ownerId": "ABC123" }
The value for allowResetAccessRightsForSharedBlocksDependencies is equal to true when the setting to allow the use of RESETACCESSRIGHTS on Shared Blocks is activated.
The value for disableAccessRightsInheritanceForBlocksInApp is equal to true when the setting to remove inheritance throughout the entire Application is activated.
When a data access rights rule is created, this event is logged.
Details available in the payload: settings contains the following parameters:
read: The value will be true if either the Read option or Read and Write option is selected
write: The value will be true if either the Write option only or Read and Write option is selected
applyRule: The value will be true if the rule is created to “apply”, false if the rule created is set to “do not apply”
accessRightsMetric contains details (name, id, application) about the access rights type Metric that is created for the configuration.
ruleAppliesTo contains details about the selected options for where the rule is set in the application. Depending on the settings for the rule, the following information will be logged:
all: The value will be true if the rule is set for All Metrics and List Properties in the Application.
singleMetric :
This parameter will be logged if the rule is set for Specific Metric(s)
The specific Metric details will be logged in this parameter (metric id, name)
There will be a single event per Metric where the rule is added
metricsUsingSpecificDimensions :
This parameter will be logged if the rule is set for All Metrics using specific Dimension(s)
The Dimension details will be logged (dimension id, name)
listProperty:
This parameter will be logged if the rule is set on a List Property through either the Specific List Properties or List Items Values options
There will be a single event per List Property where the rule is added.
This parameter will contain the details of the Dimension or Transaction List where the rule is set
This parameter will contain details of the Property on which the rule is set (propertyId, propertyName)
If a Dimension is mapped to a Property on the List, this parameter will contain details of the mapped Dimension (id and name), as well as the details of the Property which the Dimension is mapped to (mappedToId and mappedToName)
When a data access rights rule is deleted, this event is logged.
Details available in the payload: settings contains the following parameters:
read: The value will be true if either the Read option or Read and Write option is selected
write: The value will be true if either the Write option only or Read and Write option is selected
applyRule: The value will be true if the rule is created to “apply”, false if the rule created is set to “do not apply”
accessRightsMetric contains details (name, id, application) about the access rights type Metric that is created for the configuration.
ruleAppliesTo contains details about the selected options for where the rule is set in the Application. Depending on the settings for the rule, the following information will be logged:
all: The value will be true if the rule is set for All Metrics and List Properties in the Application.
singleMetric :
This parameter will be logged if the rule is set for Specific Metric(s)
The specific Metric details will be logged in this parameter (metric id, name)
There will be a single event per Metric where the rule is added
metricsUsingSpecificDimensions :
This parameter will be logged if the rule is set for All Metrics using specific Dimension(s)
The Dimension details will be logged (dimension id, name)
listProperty:
This parameter will be logged if the rule is set on a list property through either the Specific List Properties or List Items Values options
There will be a single event per List Property where the rule is added.
This parameter will contain the details of the Dimension or Transaction List where the rule is set.
This parameter will contain details of the Property on which the rule is set (propertyId, propertyName)
If a Dimension is mapped to a Property on the List, this parameter will contain details of the mapped Dimension (id and name), as well as the details of the Property which the Dimension is mapped to (mappedToId and mappedToName)
