Events
Use Events to audit access updates and additional events in Opal.
Log retention
Opal guarantees display and exports of logs up to 90 days. To indefinitely retain and export your logs, you should set up Events Streaming.
In the Events section of the left sidebar, administrators can view, filter, and export all audit events. Exports can be created by downloading CSVs using the Export button, or with the /events API endpoint.
Administrators can also create Saved filters for Events to easily access a view of events for a date range, user, event type, Object ID, or API token.
The events include all changes for configurations in Opal, all actions taken in Opal, and all access changes.
Event types
Opal records the following events.
| Event type |
|---|
USERS_CREATED |
USERS_DELETED |
USERS_UPDATED |
USER_EMAIL_UPDATED |
USER_NAME_UPDATED |
USER_POSITION_UPDATED |
USER_MANAGER_UPDATED |
USER_TEAM_ATTR_UPDATED |
USER_REMOTE_ID_UPDATED |
USER_NOTIFIED |
USER_NOTIFICATION_FAILED |
USER_NOT_NOTIFIED |
USER_MERGED |
USER_LOGGED_IN_SAML |
USER_LOGGED_IN_OAUTH |
GROUP_FOLDERS_CREATED |
GROUP_FOLDERS_DELETED |
GROUPS_CREATED |
GROUPS_DELETED |
GROUPS_UPDATED |
GROUPS_ADDED_TO_FOLDERS |
GROUPS_REMOVED_FROM_FOLDERS |
GROUP_VISIBILITY_GROUPS_ADDED |
GROUP_VISIBILITY_GROUPS_REMOVED |
GROUP_NAME_UPDATED |
GROUP_ADMIN_OWNER_UPDATED |
GROUP_FUNCTION_UPDATED |
GROUP_VISIBILITY_UPDATED |
GROUP_MAX_DURATION_UPDATED |
GROUP_RECOMMENDED_DURATION_UPDATED |
GROUP_ACCESS_REQUEST_ESCALATION_PERIOD_UPDATED |
GROUP_REQUIRE_SUPPORT_TICKET_UPDATED |
GROUP_REQUIRE_MANAGER_APPROVAL_UPDATED |
GROUP_REQUIRE_MFA_UPDATED |
GROUP_REQUEST_REQUIRE_MFA_UPDATED |
GROUP_AUTO_APPROVAL_UPDATED |
GROUP_IS_REQUESTABLE_UPDATED |
BREAK_GLASS_USERS_ADDED_TO_GROUPS |
BREAK_GLASS_USERS_REMOVED_FROM_GROUPS |
BREAK_GLASS_USED |
USERS_ADDED_TO_CONNECTIONS |
USERS_REMOVED_FROM_CONNECTIONS |
CONNECTIONS_CREATED |
CONNECTIONS_DELETED |
CONNECTIONS_UPDATED |
CONNECTION_USERS_UPDATED |
CONNECTION_VISIBILITY_GROUPS_ADDED |
CONNECTION_VISIBILITY_GROUPS_REMOVED |
HRIS_STATUS_ACTIVE |
HRIS_STATUS_INACTIVE |
HRIS_STATUS_DEPROVISIONED |
HRIS_STATUS_DELETED |
HRIS_STATUS_NOT_FOUND |
IDP_STATUS_ACTIVE |
IDP_STATUS_INACTIVE |
IDP_STATUS_DEPROVISIONED |
IDP_STATUS_DELETED |
IDP_STATUS_NOT_FOUND |
IDP_CONNECTIONS_CREATED |
IDP_CONNECTIONS_DELETED |
IDP_CONNECTIONS_UPDATED |
IDP_CONNECTION_USER_ATTRIBUTE_MAPPING_CREATED |
IDP_CONNECTION_USER_ATTRIBUTE_MAPPING_DELETED |
RESOURCE_FOLDERS_CREATED |
RESOURCE_FOLDERS_DELETED |
RESOURCES_CREATED |
RESOURCES_DELETED |
RESOURCES_UPDATED |
RESOURCES_ADDED_TO_FOLDERS |
RESOURCES_REMOVED_FROM_FOLDERS |
RESOURCE_VISIBILITY_GROUPS_ADDED |
RESOURCE_VISIBILITY_GROUPS_REMOVED |
RESOURCE_NAME_UPDATED |
RESOURCE_ADMIN_OWNER_UPDATED |
RESOURCE_VISIBILITY_UPDATED |
RESOURCE_MAX_DURATION_UPDATED |
RESOURCE_RECOMMENDED_DURATION_UPDATED |
RESOURCE_REQUIRE_SUPPORT_TICKET_UPDATED |
RESOURCE_REQUIRE_MANAGER_APPROVAL_UPDATED |
RESOURCE_CONNECT_REQUIRE_MFA_UPDATED |
RESOURCE_APPROVE_REQUIRE_MFA_UPDATED |
RESOURCE_REQUEST_REQUIRE_MFA_UPDATED |
RESOURCE_AUTO_APPROVAL_UPDATED |
RESOURCE_IS_REQUESTABLE_UPDATED |
REQUESTS_CREATED |
REQUESTS_APPROVED |
REQUESTS_ADMIN_APPROVED |
REQUESTS_DENIED |
REQUESTS_ADMIN_DENIED |
REQUESTS_CANCELED |
REQUEST_COMMENT_ADDED |
REQUEST_SUPPORT_TICKET_ADDED |
REQUEST_REVIEWERS_ADDED_TO_REQUESTS |
REQUEST_SKIP_MANAGER_ADDED_TO_REQUESTS |
REQUEST_REVIEWERS_APPROVED |
REQUEST_REVIEWERS_DENIED |
REQUEST_RESOURCE_REQUESTED |
REQUEST_GROUP_REQUESTED |
REVIEWERS_ADDED_TO_RESOURCES |
REVIEWERS_REMOVED_FROM_RESOURCES |
REVIEWERS_ADDED_TO_GROUPS |
REVIEWERS_REMOVED_FROM_GROUPS |
RESOURCE_REVIEWER_STAGE_CREATED |
RESOURCE_REVIEWER_STAGE_UPDATED |
RESOURCE_REVIEWER_STAGE_DELETED |
GROUP_REVIEWER_STAGE_CREATED |
GROUP_REVIEWER_STAGE_UPDATED |
GROUP_REVIEWER_STAGE_DELETED |
REVIEWERS_REMINDED |
ON_CALL_SCHEDULES_CREATED |
ON_CALL_SCHEDULES_UPDATED |
ON_CALL_SCHEDULES_DELETED |
ON_CALL_SCHEDULES_ADDED_TO_GROUPS |
ON_CALL_SCHEDULES_UPDATED_FOR_GROUPS |
ON_CALL_SCHEDULES_REMOVED_FROM_GROUPS |
OWNERS_CREATED |
OWNERS_UPDATED |
OWNERS_DELETED |
OWNER_USERS_ADDED |
OWNER_USERS_REMOVED |
OWNER_USERS_UPDATED |
OWNER_SOURCE_GROUP_UPDATED |
OWNER_SOURCE_GROUP_REMOVED |
OWNER_REVIEWER_CHANNEL_UPDATED |
OWNER_REVIEWER_CHANNEL_REMOVED |
MESSAGE_CHANNELS_CREATED |
MESSAGE_CHANNELS_DELETED |
MESSAGE_CHANNELS_ADDED_TO_GROUPS |
MESSAGE_CHANNELS_REMOVED_FROM_GROUPS |
MESSAGE_CHANNELS_ADDED_TO_RESOURCES |
MESSAGE_CHANNELS_REMOVED_FROM_RESOURCES |
ACCESS_REVIEWS_CREATED |
ACCESS_REVIEWS_UPDATED |
SESSIONS_CREATED_FOR_RESOURCES |
THIRD_PARTY_INTEGRATION_CREATED |
THIRD_PARTY_INTEGRATION_DELETED |
API_TOKEN_CREATED |
API_TOKEN_DELETED |
ACCESS_REVIEW_REVIEW_PERFORMED |
ACCESS_REVIEW_AUTO_ASSIGN_REVIEWER_BY_OWNING_TEAM_ADMIN |
ACCESS_REVIEW_AUTO_ASSIGN_REVIEWER_BY_MANAGER |
ACCESS_REVIEW_AUTO_ASSIGN_REVIEWER_BY_APPROVERS |
ACCESS_REVIEW_CONNECTION_REVIEWERS_UPDATED |
ACCESS_REVIEW_REVIEWER_FOR_CONNECTION_USER_SET |
ACCESS_REVIEW_CONNECTION_REVIEWED |
ACCESS_REVIEW_USER_ACCESS_TO_CONNECTION_ACCEPTED |
ACCESS_REVIEW_USER_ACCESS_TO_CONNECTION_REVOKED |
ACCESS_REVIEW_RESOURCE_REVIEWERS_UPDATED |
ACCESS_REVIEW_REVIEWER_FOR_RESOURCE_USER_SET |
ACCESS_REVIEW_RESOURCE_REVIEWED |
ACCESS_REVIEW_USER_ACCESS_TO_RESOURCE_ACCEPTED |
ACCESS_REVIEW_USER_ACCESS_TO_RESOURCE_CHANGED |
ACCESS_REVIEW_USER_ACCESS_TO_RESOURCE_REVOKED |
ACCESS_REVIEW_USER_ACCESS_TO_RESOURCE_REVOKED_FROM_END_SYSTEM |
ACCESS_REVIEW_GROUP_REVIEWERS_UPDATED |
ACCESS_REVIEW_REVIEWER_FOR_GROUP_USER_SET |
ACCESS_REVIEW_REVIEWER_FOR_GROUP_RESOURCE_SET |
ACCESS_REVIEW_GROUP_REVIEWED |
ACCESS_REVIEW_USER_ACCESS_TO_GROUP_ACCEPTED |
ACCESS_REVIEW_USER_ACCESS_TO_GROUP_REVOKED |
ACCESS_REVIEW_USER_ACCESS_TO_GROUP_REVOKED_FROM_END_SYSTEM |
ACCESS_REVIEW_RESOURCE_ACCESS_TO_GROUP_ACCEPTED |
ACCESS_REVIEW_RESOURCE_ACCESS_TO_GROUP_REVOKED |
ACCESS_REVIEW_RESOURCE_USER_SUPPORT_TICKET_LINKED |
ACCESS_REVIEW_RESOURCE_USER_SUPPORT_TICKET_UNLINKED |
REVIEWERS_ESCALATED |
ORG_SETTINGS_UPDATED |
TOXIC_SET_VIOLATIONS_CREATED |
TOXIC_SET_VIOLATIONS_UPDATED |
TOXIC_SET_VIOLATIONS_REMEDIATED |
EVENT_MONITOR_EVENTS_DETECTED |
ACCESS_REVIEW_TEMPLATES_CREATED |
ACCESS_REVIEW_TEMPLATES_UPDATED |
ACCESS_REVIEW_TEMPLATES_DELETED |
BUNDLES_CREATED |
BUNDLES_UPDATED |
BUNDLES_DELETED |
BUNDLE_RESOURCES_ADDED |
BUNDLE_RESOURCES_REMOVED |
BUNDLE_GROUPS_ADDED |
BUNDLE_GROUPS_REMOVED |
Propagation events
| Event type |
|---|
PROPAGATED_ADD_USER_TO_GROUP |
PROPAGATED_REMOVE_USER_FROM_GROUP |
PROPAGATED_ADD_USER_TO_RESOURCE |
PROPAGATED_REMOVE_USER_FROM_RESOURCE |
PROPAGATED_ADD_RESOURCE_TO_GROUP |
PROPAGATED_REMOVE_RESOURCE_FROM_GROUP |
PROPAGATED_REMOVE_USER_FROM_CONNECTION |
PROPAGATION_SUCCESS_ADD_USER_TO_GROUP |
PROPAGATION_SUCCESS_REMOVE_USER_FROM_GROUP |
PROPAGATION_SUCCESS_ADD_USER_TO_RESOURCE |
PROPAGATION_SUCCESS_REMOVE_USER_FROM_RESOURCE |
PROPAGATION_SUCCESS_ADD_RESOURCE_TO_GROUP |
PROPAGATION_SUCCESS_REMOVE_RESOURCE_FROM_GROUP |
PROPAGATION_SUCCESS_REMOVE_USER_FROM_CONNECTION |
PROPAGATION_FAILURE_ADD_USER_TO_GROUP |
PROPAGATION_FAILURE_REMOVE_USER_FROM_GROUP |
PROPAGATION_FAILURE_ADD_USER_TO_RESOURCE |
PROPAGATION_FAILURE_REMOVE_USER_FROM_RESOURCE |
PROPAGATION_FAILURE_ADD_RESOURCE_TO_GROUP |
PROPAGATION_FAILURE_REMOVE_RESOURCE_FROM_GROUP |
PROPAGATION_FAILURE_REMOVE_USER_FROM_CONNECTION |
PROPAGATION_TICKET_UPDATED_REMOTELY |
PROPAGATION_MANUAL_ADD_USER_TO_RESOURCE |
PROPAGATION_MANUAL_REMOVE_USER_FROM_RESOURCE |
PROPAGATION_TIMED_OUT |
Deprecated events
GROUP_RESOURCEevents were updated in self-hosted version 1.990.0,GROUP_USERSevents in version 1.1016.0, andRESOURCE_USERevents in version 1.970.0.
The following table lists events that have been migrated and now map to ROLE_ASSIGNMENTS_* events.
| Deprecated events | New event |
|---|---|
GROUPS_ADDED_TO_GROUPS, USERS_ADDED_TO_GROUPS, RESOURCES_ADDED_TO_GROUPS, USERS_ADDED_TO_RESOURCES | ROLE_ASSIGNMENTS_CREATED |
GROUP_GROUPS_UPDATED, GROUP_USERS_UPDATED, GROUP_RESOURCES_UPDATED, RESOURCE_USERS_UPDATED | ROLE_ASSIGNMENTS_UPDATED |
GROUPS_REMOVED_FROM_GROUPS, USERS_REMOVED_FROM_GROUPS, RESOURCES_REMOVED_FROM_GROUPS, USERS_REMOVED_FROM_RESOURCES | ROLE_ASSIGNMENTS_DELETED |
Remote events
Remote events are accessible from the Usage tab on Okta apps, AWS IAM roles, and resources within custom connectors. They are not included in CSV exports nor returned from the /events API.
| Event type |
|---|
REMOTE_EVENT_LOGIN_SUCCESS |
REMOTE_EVENT_USER_ADDED_TO_GROUP |
REMOTE_EVENT_USER_REMOVED_FROM_GROUP |
REMOTE_EVENT_USER_ADDED_TO_RESOURCE |
REMOTE_EVENT_USER_REMOVED_FROM_RESOURCE |
REMOTE_EVENT_GROUP_ADDED_TO_RESOURCE |
REMOTE_EVENT_GROUP_REMOVED_FROM_RESOURCE |
REMOTE_EVENT_RESOURCES_CREATED |
REMOTE_EVENT_RESOURCE_READ |
REMOTE_EVENT_RESOURCES_DELETED |
REMOTE_EVENT_GROUPS_CREATED |
REMOTE_EVENT_GROUPS_DELETED |
REMOTE_EVENT_GROUP_USED |
Updated 4 days ago