Logged activities in the Sitecore Cloud Portal

Note

To start forwarding audit logs to your external system, use the Webhook REST API to create a webhook.

Sitecore Cloud Portal activities always use the EUW region (https://mesh-management-api-euw.sitecorecloud.io).

The Sitecore Common Audit Log records when a team member has a role assigned or removed. This includes both organization roles and app roles, so you can also see when a team member joins or is removed from an organization.

It also records when a Sitecore support engineer logs in to your organization or app to help resolve a technical issue.

Here's a list of all the activities that Sitecore Common Audit Log records for Sitecore Cloud Portal entities:

Activity	Description
roles_assigned	Team member has one or more roles assigned, or a person joins the organization.
roles_removed	Team member has one or more roles removed, or a team member is removed from the organization.
user_login	Sitecore support engineer (who is not a member of the organization) logs in to your organization or app to help resolve a technical issue.

Example

In the following example, we'll show the audit logs that are created when an organization admin, Jane, performs certain actions in a Sitecore Cloud Portal organization.

Jane invites John to the Sitecore Cloud Portal organization, assigning him the Organization User role and the user role in a CDP app.

When John accepts the invitation to join the organization, the following log is recorded:

RequestResponse

[
  {
    "action": "roles_assigned",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization User",
          "scope": "Organization"
        },       
        {
          "tenantId": "fake1D2321-4324vdvsd3-44",
          "role": "User",
          "scope": "CDP"
        }
      ],
      "eventId": "1234567891011121314151617181920"
    },
    "time": "2025-05-27T11:20:16.216+00:00"
  }
]

Jane then assigns John the Admin role in an XM Cloud app:

RequestResponse

[
  {
    "action": "roles_assigned",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "tenantId": "fake1Dxmc21-4324vdvsd3-44",
          "role": "Admin",
          "scope": "XMCloud"
        }
      ],
      "eventId": "1234567891011121314151617181921"
    },
    "time": "2025-05-28T11:20:16.216+00:00"
  }
]

John doesn't need to use CDP anymore, so Jane removes his CDP app access:

RequestResponse

[
  {
    "action": "roles_removed",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "tenantId": "fake1D2321-4324vdvsd3-44",
          "role": "User",
          "scope": "CDP"
        }
      ],
      "eventId": "12345678910111213141516171819212"
    },
    "time": "2025-06-02T11:20:16.216+00:00"
  }
]

John needs to create webhooks and deploy XM Cloud environments, so Jane assigns him the Organization Admin role:

RequestResponse

[
  {
    "action": "roles_assigned",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization Admin",
          "scope": "Organization"
        }
      ],
      "eventId": "123456789101112131415161718192123"
    },
    "time": "2025-06-03T11:20:16.216+00:00"
  }
]

Which also removes his Organization User role:

RequestResponse

[
  {
    "action": "roles_removed",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization User",
          "scope": "Organization"
        }
      ],
      "eventId": "123456789101112131415161718192161"
    },
    "time": "2025-06-03T11:20:17.216+00:00"
  }
]

After a long and exciting career at the company, John decides to retire. It's a sad day for everyone, as Jane removes him from the organization:

RequestResponse

[
  {
    "action": "roles_removed",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization Admin",
          "scope": "Organization"
        },
        {
          "tenantId": "fake1Dxmc21-4324vdvsd3-44",
          "role": "Admin",
          "scope": "XMCloud"
        }
      ],
      "eventId": "90020250509113832745797000000000000001223372119995312709"
    },
    "time": "2055-05-27T11:20:16.216+00:00"
  }
]

Detailed activity properties

The following table describes the fields of each activity in the Sitecore Cloud Portal:

Entity	Activity	Field descriptions
support_user	`user_login`	`entity.id` - email address of the support engineer. `extensions.clientId` - ID of the app where the engineer logged in. `extensions.eventId` - ID of the event. `extensions.reason` - reason for logging in. `extensions.tenantId` - ID of the tenant where the engineer logged in. `sourceSystemUserContext.id` - email address of the support engineer. `time` - When the event occurred.
user	`roles_assigned` `roles_removed`	`entity.id` - email address of the user that had roles assigned or removed. `extensions.eventId` - ID of the event. `extensions.roles` - object containing the collection of assigned or removed roles. `extensions.roles.tenantId` - ID of the tenant where the user had a role assigned or removed. `extensions.roles.role` - the role assigned or removed. `extensions.roles.scope` - when you assign or remove an app role, `scope` is the name of the product or capability. When you assign or remove an organization role, `scope` is `Organization`. `sourceSystemUserContext.id` - the email address of user that performed the activity. If the activity was not performed by a user (for example, when Sitecore performs user migration), the value is `Automation`. `time` - When the event occurred.

Do you have some feedback for us?

If you have suggestions for improving this article,