= S3Audit =
[[TOC]]

== Purpose ==

'''S3Audit''' keeps a log of all data access (CRUD actions): who accessed which records how and when. 

The audit trail is stored in the database (table ''s3_audit'').
== Configuration ==

S3Audit can be activated by two deployment settings:

{{{#!python
# Log read access (i.e. list and read methods)
settings.security.audit_read = True
# Log write access (i.e. create, update and delete methods)
settings.security.audit_write = True
}}}

Alternatively, these settings can take a callback function that ''returns'' True or False in order to determine whether the action will be logged or not (True=log the action, False=do not log), thus allowing granular control about which actions are recorded.

The callback function has the signature:
{{{#!python
def audit_callback(method, tablename, form, record, representation):
}}}

||=Parameter=||=Explanation=||
||'''method'''||The access method (create, list, read, update, delete)||
||'''tablename'''||Name of the table accessed||
||'''record'''||The record ID (None for multiple records)||
||'''representation'''||The representation format of the request||


== Logging Actions ==

S3Audit is called during CRUD actions as:
{{{#!python
current.audit(method, prefix, name, record=record, representation=representation)
}}}

||=Parameter=||=Explanation=||
||'''method'''||The access method (create, list, read, update, delete)||
||'''prefix'''||The prefix of the table name||
||'''name'''||The tablename without prefix||
||'''record'''||The record ID (None for multiple records)||
||'''representation'''||The representation format of the request||

== Code ==

S3Audit can be found in modules/s3/s3aaa.py. 

The ''s3_audit'' table is created by the S3Audit class internally on demand (=no separate model).

The ''default/audit'' controller can be used to access the audit trail.