Authorization Audit Configuration


The PDP supports logging of authorization decisions for observability, compliance, and debugging. Audit records include request and response payloads, metadata, and timing details.

Audit data can be stored in:

  • A database (e.g., PostgreSQL, Oracle, MSSQL, MySQL), or
  • A syslog server, based on your configuration.

Audit Configuration for PAA Deployments

In PAA-based deployments, each PDP instance handles its own audit data locally. This data is not sent to the Authorization Platform’s central audit store, and is therefore not visible in the Audit Report of the PAP UI.

You can collect this data directly from your configured database or syslog target to generate custom audit reports.


Database Audit Logging

To enable audit logging to a database:

Creating the Audit Table

Example structure for PostgreSQL:

CREATE TABLE authorization_audit (
    request_id varchar(2044) NULL,
    request text NULL,
    response text NULL,
    ip varchar(2044) NULL,
    client_id varchar(2044) NULL,
    entity_id varchar(2044) NULL,
    entity_type varchar(2044) NULL,
    request_type varchar(2044) NULL,
    organization varchar(2044) NULL,
    instance_name varchar(2044) NULL,
    request_time numeric(20) NULL,
    external_request_id varchar(128) NULL,
    total_duration numeric(20) NULL
);

CREATE INDEX auth_requests ON authorization_audit USING btree (
    request_time, entity_id, organization, request_type, external_request_id
);

Note: For other database types, the table structure may vary. Make sure your environment includes the appropriate JDBC driver. Contact PlainID Support if needed.

Configuring the Runtime Service

In your PDP Runtime configuration (extraEnv), set the following:

Property            Default   Description
isDataBaseEnable    false     Set to true to enable storing audit data in a database
connection          --        JDBC details for DB connectivity (see example below)

Example connection block:

{
  "driverName": "org.postgresql.Driver",
  "type": "POSTGRESQL",
  "url": "jdbc:postgresql://127.0.0.1:5432/audit",
  "user": "your-username",
  "password": "your-password"
}

If you keep the credentials in a secret store instead of inline in the connection block, refer to the Secret Management Configuration for the reference syntax.
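Once audit rows are landing in the table, the custom reports mentioned above are plain queries over it. The following is an added example, not PlainID's code: it recreates the table in an in-memory SQLite database (same column names as the PostgreSQL DDL, without the PostgreSQL-specific USING btree clause), loads a few constructed rows, and runs three report queries. It assumes request_time is epoch milliseconds and total_duration is milliseconds, which the page does not state; the function names are the example's own.

```python
import sqlite3

# Same columns as the PostgreSQL DDL above; SQLite has no "USING btree" clause.
DDL = """
CREATE TABLE authorization_audit (
    request_id varchar(2044), request text, response text, ip varchar(2044),
    client_id varchar(2044), entity_id varchar(2044), entity_type varchar(2044),
    request_type varchar(2044), organization varchar(2044), instance_name varchar(2044),
    request_time numeric(20), external_request_id varchar(128), total_duration numeric(20)
);
CREATE INDEX auth_requests ON authorization_audit
    (request_time, entity_id, organization, request_type, external_request_id);
"""

# Constructed sample rows (not real PDP output): request_id, ip, client_id, entity_id, entity_type,
# request_type, organization, instance_name, request_time (assumed epoch ms), external_request_id,
# total_duration (assumed ms). The request/response payload columns are left NULL.
SAMPLE_ROWS = [
    ("r1", "10.0.0.5", "app-a", "alice", "user", "permit", "acme", "pdp-1", 1700000000000, "x1", 12),
    ("r2", "10.0.0.5", "app-a", "alice", "user", "permit", "acme", "pdp-1", 1700000001000, "x2", 340),
    ("r3", "10.0.0.9", "app-b", "bob", "user", "userlist", "acme", "pdp-2", 1700000002000, "x3", 25),
    ("r4", "10.0.0.9", "app-b", "carol", "user", "permit", "globex", "pdp-2", 1700000003000, "x4", 18),
]

def load_sample_db() -> sqlite3.Connection:
    """Build the audit table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executemany(
        "INSERT INTO authorization_audit (request_id, ip, client_id, entity_id, entity_type,"
        " request_type, organization, instance_name, request_time, external_request_id,"
        " total_duration) VALUES (?,?,?,?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def volume_by_org_and_type(conn) -> dict:
    """Decision volume per (organization, request_type); both columns sit in the auth_requests index."""
    sql = ("SELECT organization, request_type, COUNT(*) FROM authorization_audit"
           " GROUP BY organization, request_type")
    return {(org, rtype): n for org, rtype, n in conn.execute(sql)}

def slow_requests(conn, threshold_ms: int) -> list:
    """request_ids whose total_duration exceeds the threshold, slowest first."""
    sql = ("SELECT request_id FROM authorization_audit WHERE total_duration > ?"
           " ORDER BY total_duration DESC")
    return [rid for (rid,) in conn.execute(sql, (threshold_ms,))]

def audit_gap_seconds(conn, now_ms: int) -> float:
    """Seconds since the newest record; a growing gap means the PDP stopped writing audit rows."""
    (latest,) = conn.execute("SELECT MAX(request_time) FROM authorization_audit").fetchone()
    return (now_ms - latest) / 1000.0
```

The last query is worth scheduling on its own: with PAA deployments the central Audit Report does not show this data, so the only signal that local audit logging has silently stopped is the age of the newest row.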


Syslog Audit Logging

To forward audit data via syslog:

  • Set isSysLogEnable to true
  • Configure syslog parameters based on your deployment

For VM-Based (Standalone) PAA:

Edit the log4j.xml file located at $PLAINID_HOME/runtime/conf:

  • Set syslog-host, syslog-port, and protocol (e.g., UDP)
  • Define a syslog appender

For Kubernetes-Based PAA:

In values-custom.yaml, include the following:

runtime:
  syslog:
    enabled: true
    host: "10.20.11.7"
    port: "5000"
    protocol: "UDP"  # Supported: UDP

Ensure the PDP Runtime can reach the syslog host and has the correct network permissions.

Syslog records will include a _source field and a message property with the complete audit event, similar in structure to the database records.