When adding or removing users from an Administrative role (role = Service Desk Master Policy) I do not find this action logged to the sourcetype: rsa:securid:system:syslog, rsa:securid:runtime:syslog, or rsa:securid:syslog. I would like this action to be logged to Splunk. Is this possible?
Associating a user with an Admin Role puts a record with Action ID 10024 in the Administrative Activity Log; disassociating a user from an Admin Role puts a record with Action ID 10025 in the same Log.
Here is what they look like in an Admin Activity Report on my test system:
2020-06-02 14:19:59 | INFO | 10024 | Associate principal with administrative role | Administrator “admin.id” attempted to associate principal “user.id”, stored in identity source “Internal Database” and managed in security domain “SystemDomain”, with administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain” | Success

2020-06-02 14:22:48 | INFO | 10025 | Disassociate principal from administrative role | Administrator “admin.id” attempted to disassociate principal “user.id”, stored in identity source “Internal Database” and managed in security domain “SystemDomain”, from administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain” | Success
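
An added example, not part of the original thread or of RSA's tooling: once records with Action IDs 10024 and 10025 reach a log pipeline, they can be parsed and replayed to list admin-role grants and who currently holds a role. It assumes each record is already split into the six fields in the order shown in the report above; the function names, the last two sample records and the "Failure" result value are constructed for illustration.

```python
import re

ASSOCIATE, DISASSOCIATE = "10024", "10025"   # Action IDs quoted in the answer above
QUOTES = '"\u201c\u201d'                     # accept straight or curly quotes
Q, NQ = f"[{QUOTES}]", f"[^{QUOTES}]+"
# Description wording as it appears in the Admin Activity Report above.
DESC = re.compile(
    f"Administrator {Q}(?P<admin>{NQ}){Q} attempted to (?:dis)?associate principal "
    f"{Q}(?P<principal>{NQ}){Q}.*?administrative role {Q}(?P<role>{NQ}){Q}"
)

def parse_role_change(record):
    """record = (time, level, action_id, action, description, result) (assumed layout)."""
    time, _level, action_id, _action, description, result = record
    if action_id not in (ASSOCIATE, DISASSOCIATE):
        return None
    m = DESC.search(description)
    if m is None:
        return None
    return {"time": time, "granted": action_id == ASSOCIATE,
            "applied": result == "Success", **m.groupdict()}

def replay(records):
    """Replay records in time order; return (current role holders, successful grants)."""
    holders, grants = set(), []
    for event in filter(None, map(parse_role_change, sorted(records))):
        if not event["applied"]:
            continue                         # attempt did not change membership
        key = (event["principal"], event["role"])
        if event["granted"]:
            holders.add(key)
            grants.append(event)             # candidate for an alert
        else:
            holders.discard(key)
    return holders, grants

A = ('Administrator “admin.id” attempted to associate principal “user.id”, stored in identity '
     'source “Internal Database” and managed in security domain “SystemDomain”, with '
     'administrative role “Auth Mgr Help Desk” managed in security domain “SystemDomain”')
D = A.replace("to associate", "to disassociate").replace(", with admin", ", from admin")
SAMPLE = [
    ("2020-06-02 14:19:59", "INFO", ASSOCIATE, "Associate principal with administrative role", A, "Success"),
    ("2020-06-02 14:22:48", "INFO", DISASSOCIATE, "Disassociate principal from administrative role", D, "Success"),
    # The two records below are constructed, not taken from the thread.
    ("2020-06-02 15:01:10", "INFO", ASSOCIATE, "Associate principal with administrative role", A.replace("user.id", "other.id"), "Success"),
    ("2020-06-02 15:05:00", "INFO", ASSOCIATE, "Associate principal with administrative role", A.replace("user.id", "third.id"), "Failure"),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```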