Logged activities in the Sitecore Cloud Portal

Note

To start forwarding audit logs to your external system, use the Webhook REST API to create a webhook.

Sitecore Cloud Portal activities always use the EUW region (https://mesh-management-api-euw.sitecorecloud.io).

The Sitecore Common Audit Log records when a user has a role assigned or removed. This includes both organization roles and app roles, so you can also see when a user joins or is removed from an organization.

It also records when a Sitecore support engineer logs in to your organization or app to help resolve a technical issue.

Here's a list of all the activities that Sitecore Common Audit Log records for Sitecore Cloud Portal entities:

Activity - Description

  • roles_assigned - User has one or more roles assigned, or a person joins the organization.

  • roles_removed - User has one or more roles removed, or a user is removed from the organization.

  • user_login - Sitecore support engineer (who is not a member of the organization) logs in to your organization or app to help resolve a technical issue.

The following example shows the audit logs that are created when an organization admin, Jane, performs certain actions in a Sitecore Cloud Portal organization:

Jane assigns various roles to John based on his shifting job responsibilities, and then later she removes him from the organization.

Jane invites John to the Sitecore Cloud Portal organization, assigning him the Organization User role and the user role in a CDP app.

When John accepts the invitation to join the organization, the following log is recorded:

[
  {
    "action": "roles_assigned",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization User",
          "scope": "Organization"
        },
        {
          "tenantId": "fake1D2321-4324vdvsd3-44",
          "role": "User",
          "scope": "CDP"
        }
      ],
      "eventId": "1234567891011121314151617181920"
    },
    "time": "2025-05-27T11:20:16.216+00:00"
  }
]

Jane then assigns John the Admin role in a SitecoreAI app:

[
  {
    "action": "roles_assigned",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "tenantId": "fake1Dxmc21-4324vdvsd3-44",
          "role": "Admin",
          "scope": "XMCloud"
        }
      ],
      "eventId": "1234567891011121314151617181921"
    },
    "time": "2025-05-28T11:20:16.216+00:00"
  }
]

John doesn't need to use CDP anymore, so Jane removes his CDP app access:

[
  {
    "action": "roles_removed",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "tenantId": "fake1D2321-4324vdvsd3-44",
          "role": "User",
          "scope": "CDP"
        }
      ],
      "eventId": "12345678910111213141516171819212"
    },
    "time": "2025-06-02T11:20:16.216+00:00"
  }
]

John needs to create webhooks and deploy SitecoreAI environments, so Jane assigns him the Organization Admin role:

[
  {
    "action": "roles_assigned",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization Admin",
          "scope": "Organization"
        }
      ],
      "eventId": "123456789101112131415161718192123"
    },
    "time": "2025-06-03T11:20:16.216+00:00"
  }
]

This also removes his Organization User role:

[
  {
    "action": "roles_removed",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization User",
          "scope": "Organization"
        }
      ],
      "eventId": "123456789101112131415161718192161"
    },
    "time": "2025-06-03T11:20:17.216+00:00"
  }
]

After a long and exciting career at the company, John decides to retire. It's a sad day for everyone, as Jane removes him from the organization:

[
  {
    "action": "roles_removed",
    "entity": {
      "id": "[email protected]",
      "type": "user"
    },
    "sourceSystemUserContext": {
      "id": "[email protected]"
    },
    "extensions": {
      "roles": [
        {
          "role": "Organization Admin",
          "scope": "Organization"
        },
        {
          "tenantId": "fake1Dxmc21-4324vdvsd3-44",
          "role": "Admin",
          "scope": "XMCloud"
        }
      ],
      "eventId": "90020250509113832745797000000000000001223372119995312709"
    },
    "time": "2055-05-27T11:20:16.216+00:00"
  }
]

Detailed activity properties

The following table describes the fields of each activity in the Sitecore Cloud Portal:

Entity: support_user

Activity: user_login

Field descriptions:

  • entity.id - email address of the support engineer.

  • extensions.clientId - ID of the app where the engineer logged in.

  • extensions.eventId - ID of the event.

  • extensions.reason - reason for logging in.

  • extensions.tenantId - ID of the tenant where the engineer logged in.

  • sourceSystemUserContext.id - email address of the support engineer.

  • time - when the event occurred.

Entity: user

Activities: roles_assigned, roles_removed

Field descriptions:

  • entity.id - email address of the user that had roles assigned or removed.

  • extensions.eventId - ID of the event.

  • extensions.roles - object containing the collection of assigned or removed roles.

  • extensions.roles.tenantId - ID of the tenant where the user had a role assigned or removed.

  • extensions.roles.role - the role assigned or removed.

  • extensions.roles.scope - when you assign or remove an app role, scope is the name of the product or capability.

    When you assign or remove an organization role, scope is Organization.

  • sourceSystemUserContext.id - the email address of the user that performed the activity. If the activity was not performed by a user (for example, when Sitecore performs user migration), the value is Automation.

  • time - when the event occurred.
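The following is an added example, not Sitecore code, of how a consumer of these logs might replay roles_assigned and roles_removed events into each user's current roles while alerting on privileged grants and support engineer logins. The PRIVILEGED_ROLES watchlist, the mk helper, the duplicate-delivery handling, and all sample addresses, tenant IDs and event IDs are assumptions constructed for illustration.

```python
from datetime import datetime

# Role names to alert on when granted (a watchlist assumed for this example).
PRIVILEGED_ROLES = {"Organization Admin", "Admin"}

def replay(events):
    """Replay audit events; return ({user: set of held roles}, [alerts])."""
    seen, held, alerts = set(), {}, []
    # Sort by time so events that arrive out of order still replay correctly.
    for event in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ext = event.get("extensions", {})
        eid = ext.get("eventId")
        if eid is not None and eid in seen:
            continue  # same event delivered twice (assumed possible)
        seen.add(eid)
        user = event["entity"]["id"]
        actor = event.get("sourceSystemUserContext", {}).get("id")
        if event["action"] == "user_login":  # support engineer access
            alerts.append(("support_login", user, ext.get("tenantId"), ext.get("reason")))
            continue
        roles = held.setdefault(user, set())
        for r in ext.get("roles", []):
            # Organization roles carry no tenantId, so it may be None in the key.
            key = (r["scope"], r.get("tenantId"), r["role"])
            if event["action"] == "roles_assigned":
                roles.add(key)
                if r["role"] in PRIVILEGED_ROLES:
                    alerts.append(("privileged_grant", user, r["scope"], r["role"], actor))
            elif event["action"] == "roles_removed":
                roles.discard(key)
    return held, alerts

def mk(action, user, time, eid, actor="jane@example.com", **ext):
    """Build one constructed event with the fields replay() reads."""
    return {"action": action, "entity": {"id": user}, "time": time,
            "sourceSystemUserContext": {"id": actor}, "extensions": dict(ext, eventId=eid)}

# Constructed sample batch (all values made up): out of order, one duplicate.
J, S = "john@example.com", "support@example.com"
ORG_USER = {"role": "Organization User", "scope": "Organization"}
ORG_ADMIN = {"role": "Organization Admin", "scope": "Organization"}
CDP_USER = {"tenantId": "tenant-cdp", "role": "User", "scope": "CDP"}
SAMPLE = [
    mk("roles_removed", J, "2025-06-03T11:20:17.216+00:00", "e4", roles=[ORG_USER]),
    mk("roles_assigned", J, "2025-05-27T11:20:16.216+00:00", "e1", roles=[ORG_USER, CDP_USER]),
    mk("roles_assigned", J, "2025-06-03T11:20:16.216+00:00", "e3", roles=[ORG_ADMIN]),
    mk("roles_removed", J, "2025-06-02T11:20:16.216+00:00", "e2", roles=[CDP_USER]),
    mk("roles_assigned", J, "2025-06-03T11:20:16.216+00:00", "e3", roles=[ORG_ADMIN]),
    mk("user_login", S, "2025-06-04T09:00:00+00:00", "e5", actor=S, tenantId="tenant-cdp", reason="constructed"),
]
```

Calling replay(SAMPLE) leaves John holding only the Organization Admin role and produces one privileged-grant alert and one support-login alert, even though the batch is shuffled and contains a repeated event.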
