TraceBook Access Model¶
TraceBook is DotID’s unified audit trail — analogous to AWS CloudTrail.
It records API activity from all platform services (DotID, TrustMint,
NovaBell, etc.) and lets users review events through a searchable
timeline at console.flexgalaxy.com/tracebook/.
This page describes who can access what in TraceBook and how access scope is determined.
Access Scopes¶
TraceBook defines three access scopes, determined by the caller’s identity and organizational role:
| Scope | Who | What they see |
|---|---|---|
| `OWN_ACCOUNT` | Root user of an account, or IDC user with `AdministratorAccess`, `IAMFullAccess`, or `AuditReadAccess` | Audit events for their own account only |
| `ORG_WIDE` | Root user of a management account, or root user of an account that has been registered as a delegated administrator for the `audit` service | Audit events for every account in the organization |
| `NONE` | IDC user without a qualifying permission set, or a user whose account cannot be resolved | No audit events (access denied) |
Who Can Use TraceBook¶
Account-Level Access (OWN_ACCOUNT)¶
Any of the following users can view audit events within their own account:

- **Root user** — the user whose Keycloak subject owns the account. Root users are account administrators by definition and always have TraceBook access.
- **IDC user with `AdministratorAccess`, `IAMFullAccess`, or `AuditReadAccess`** — an Identity Center user who has been assigned one of these permission sets for the account. Other permission sets (e.g. `ReadOnlyAccess`, `DeveloperAccess`) do not grant TraceBook access.
Organization-Wide Access (ORG_WIDE)¶
The following users can view audit events across all accounts in the organization:

- **Root user of the management account** — the management account is the account that created the organization. Its root user automatically has full visibility into every member account's audit events.
- **Root user of a delegated administrator account for `audit`** — an organization administrator can designate a member account as a delegated administrator for the `audit` service namespace. Once registered, the root user of that delegated account gains org-wide read access to audit events. The registration call looks like this:

```http
POST /api/v1/organizations/{orgId}/delegated-admins
{ "service_name": "audit", "account_id": "<member-account-id>" }
```

See the internal architecture documentation for delegation rules and eligibility.
Access Decision Flow¶
When a user opens TraceBook, the frontend calls the /audit-api/v1/audit/me
endpoint. The audit service determines scope using the following logic:
1. Extract the caller's realm and subject from the JWT token.
2. If the realm is NOT an IDC realm (i.e. a root user):
a. Look up the account owned by this subject.
b. If the account is a management account → scope = ORG_WIDE.
c. If the account is a delegated admin for "audit" → scope = ORG_WIDE.
d. Otherwise → scope = OWN_ACCOUNT (own account only).
3. If the realm IS an IDC realm (i.e. an IDC user):
a. Read the permission set from the "ps" URL parameter or
session context.
b. If the permission set is AdministratorAccess, IAMFullAccess,
or AuditReadAccess → scope = OWN_ACCOUNT.
c. Otherwise → scope = NONE (no access).
4. Return { scope, accounts[] } to the frontend.
- OWN_ACCOUNT → accounts contains only the caller's account.
- ORG_WIDE → accounts contains all member accounts in the org.
- NONE → accounts is empty, frontend shows access denied.
Comparison with AWS CloudTrail¶
| Concept | AWS CloudTrail | FlexGalaxy TraceBook |
|---|---|---|
| Account-level access | IAM users with CloudTrail read permissions (e.g. `cloudtrail:LookupEvents`) | Root user or IDC user with admin/audit permission set |
| Organization trail | Management account creates an organization trail | Management account root user has automatic org-wide scope |
| Delegated access | CloudTrail delegated administrator | Root user of the `audit` delegated administrator account has org-wide scope |
| Cross-account visibility | Organization trail delivers events to a central S3 bucket | `ORG_WIDE` scope returns events for every member account in the organization |