System Log events for access control

The role-based access control (RBAC) feature introduces four new event types to the System Log.

  • workflows.user.role.user.add

  • workflows.user.role.user.remove

  • workflows.user.role.group.add

  • workflows.user.role.group.remove

These events happen when an Okta super admin or a Workflows Administrator manually changes the role for a user or group in the Workflows Console.

Any admin or security team member can use these events to monitor when a role is added to or removed from an Okta user or group. The event payload includes information about both the role that changed and the user or group that was impacted.

Changing multiple roles in a single action creates a separate System Log event for each change.

View System Log events

  1. In the Admin Console, go to Reports > System Log.
  2. In the Search field, enter the query for the specific event type.
  3. Configure a date range, if required.
  4. Click the magnifying glass icon beside the Search field.
  5. Paste any of the following queries into the System Log Search field to find events where the Workflows role changed:

    Query                                                Display message
    eventType eq "workflows.user.role.user.add"          Role added to user
    eventType eq "workflows.user.role.user.remove"       Role removed from user
    eventType eq "workflows.user.role.group.add"         Role added to group
    eventType eq "workflows.user.role.group.remove"      Role removed from group
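Added example (not part of the Okta documentation): a Python triage routine that combines the four queries above into one filter expression and, given exported System Log events, lists role additions made by anyone outside an expected set of admins. It assumes events are JSON objects with the eventType, published, actor.alternateId and target[].displayName fields; the expected-admin set, the helper names and all sample values are constructed for illustration.

```python
# The four event types from this page -> (principal kind, action).
ROLE_EVENTS = {
    "workflows.user.role.user.add": ("user", "add"),
    "workflows.user.role.user.remove": ("user", "remove"),
    "workflows.user.role.group.add": ("group", "add"),
    "workflows.user.role.group.remove": ("group", "remove"),
}

def build_filter():
    """One search expression that matches all four role-change event types."""
    return " or ".join(f'eventType eq "{t}"' for t in ROLE_EVENTS)

def role_changes(events):
    """Normalize role-change events, oldest first; other event types are skipped."""
    out = []
    for ev in events:
        kind = ROLE_EVENTS.get(ev.get("eventType"))
        if kind is None:
            continue  # e.g. application.user_membership.* events
        out.append({
            "time": ev.get("published", ""),
            "principal": kind[0],
            "action": kind[1],
            "actor": (ev.get("actor") or {}).get("alternateId", "unknown"),
            "targets": [t.get("displayName") for t in ev.get("target") or []],
        })
    return sorted(out, key=lambda r: r["time"])

def unexpected_grants(events, expected_admins):
    """Role additions whose actor is not in the expected admin set (assumed allowlist)."""
    return [r for r in role_changes(events)
            if r["action"] == "add" and r["actor"] not in expected_admins]

# Constructed sample events, not real log data. Target contents are an assumption.
def make_event(event_type, published, actor, target):
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": actor}, "target": [{"displayName": target}]}

SAMPLE = [
    make_event("workflows.user.role.user.add", "2024-05-01T10:00:00.000Z", "admin@example.com", "Pat Example"),
    make_event("workflows.user.role.group.add", "2024-05-01T09:00:00.000Z", "other@example.com", "Flow Builders"),
    make_event("application.user_membership.add", "2024-05-01T09:30:00.000Z", "other@example.com", "Pat Example"),
    make_event("workflows.user.role.user.remove", "2024-05-01T11:00:00.000Z", "other@example.com", "Pat Example"),
]

if __name__ == "__main__":
    print(build_filter())
    for rec in unexpected_grants(SAMPLE, {"admin@example.com"}):
        print(rec["time"], rec["actor"], rec["principal"], rec["targets"])
```

Because each role change produces its own event, a bulk change appears as several records from the same actor.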

Other System Log events related to these Okta Workflows access control events:

  • application.user_membership.add

  • application.user_membership.remove