Compliance and Audit Trail
Hire2Retire Compliance and Audit Trail provides a robust mechanism to record, store, and access event history associated with each workflow. Event logs can be archived to AWS S3, Azure Blob Storage, and/or a MySQL database, ensuring secure and scalable retention of execution data. These logs mirror the event details shown in the Observe Pane of the associated workflow within the Hire2Retire platform. Please note that all execution timestamps in the Compliance and Audit Trail are currently displayed in GMT.
To enable this feature, you must first configure a default Compliance and Audit Trail setting. This can be done from the User Profile page and serves as the baseline configuration for all newly created workflows. If needed, you can also define workflow-specific archival settings that override the default configuration, including customized settings for the AWS S3, Azure Blob, or MySQL destinations.
During workflow deployment, you’ll be prompted to review and configure archival settings specific to that workflow. Additionally, you can modify these settings at any time by selecting the settings icon located at the top right corner of the design page. This flexibility ensures that your compliance and audit requirements are consistently met across all workflows, while also giving you full control over how and where data is archived.
There are three archival methods:
- AWS S3
- Azure Blob
- MySQL
The default archival frequency is every 4 hours.
AWS S3 Archival Settings
You will need to create a connection with AWS S3 on the User Profile page. You can do so by clicking the Link AWS S3 Account button, where you will need to provide the AWS access key and the secret key.
Upon setting up the AWS S3 connection, you can configure the following parameters for the compliance and audit trail.
- S3 Bucket Name
- Folder name within the bucket
The default AWS S3 compliance and audit trail from the User Profile page will be applied to all new workflows. You can also define the flow specific archival configuration by overriding the default AWS S3 archival settings as shown in the image below. Here you can also turn on or off the AWS S3 archival for that specific workflow.
Data from events will be saved in the specified folder within the chosen S3 bucket. The information will be stored as a JSON object named "Hire2Retire_flowName_timeStamp_.json".
Permissions
To archive event data to your AWS S3 bucket, you must grant the necessary IAM permissions to the AWS IAM user or role whose credentials are used to connect the S3 account within Hire2Retire.
To configure these permissions, navigate to IAM > Users or Roles > Select the relevant user/role > Permissions > Choose the policy and add the required permissions in the JSON tab.
Hire2Retire requires the following permissions to ensure proper access and functionality for event archival:
| Scopes | Explanation |
|---|---|
| s3:GetObject | Retrieves an object from Amazon S3 |
| s3:GetBucketLocation | Returns the Region the bucket resides in |
| s3:ListBucket | Returns a list of all buckets owned by the authenticated sender of the request |
| s3:ListAllMyBuckets | Returns a list of all buckets owned by the sender of the request |
| s3:PutObject | Adds an object to a bucket |
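As an added example (not part of the Hire2Retire documentation), the following script builds a least-privilege IAM policy that grants exactly the five actions in the table above, scoping the bucket-level actions to the archive bucket and the object actions to the configured folder prefix, and checks the result before printing it. The bucket and folder names are constructed placeholders; substitute the values entered in your archival settings.

```python
import json

# Required actions, copied from the permissions table on this page.
REQUIRED_ACTIONS = {
    "s3:GetObject", "s3:GetBucketLocation", "s3:ListBucket",
    "s3:ListAllMyBuckets", "s3:PutObject",
}

def archive_policy(bucket: str, folder: str) -> dict:
    """Build a least-privilege policy for the IAM user/role that Hire2Retire uses.

    `bucket` and `folder` are the values configured in the archival settings;
    the sample values used below are constructed placeholders, not real resources.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Account-wide bucket enumeration only accepts the wildcard resource.
                "Sid": "EnumerateBuckets",
                "Effect": "Allow",
                "Action": ["s3:ListAllMyBuckets"],
                "Resource": "*",
            },
            {   # Bucket-level actions are restricted to the single archive bucket.
                "Sid": "ArchiveBucketMetadata",
                "Effect": "Allow",
                "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {   # Object read/write is limited to the configured archive folder.
                "Sid": "ArchiveObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{folder}/*",
            },
        ],
    }

def granted_actions(policy: dict) -> set:
    """Every action allowed anywhere in the policy."""
    return {a for s in policy["Statement"] for a in s["Action"]}

def object_actions_scoped(policy: dict) -> bool:
    """True if no statement grants object read/write on the wildcard resource."""
    for s in policy["Statement"]:
        if s["Resource"] == "*" and any(a in ("s3:GetObject", "s3:PutObject") for a in s["Action"]):
            return False
    return True

if __name__ == "__main__":
    policy = archive_policy("example-audit-bucket", "hire2retire-events")
    assert granted_actions(policy) == REQUIRED_ACTIONS and object_actions_scoped(policy)
    print(json.dumps(policy, indent=2))
```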
Azure Blob Archival Settings
Please refer to the Setup Azure Application document to understand how to set up the Azure application.
After establishing the Azure connection, you can configure key parameters for the Compliance and Audit Trail, including:
- Subscription Name
- Storage Account
You can establish a connection with Azure Blob by accessing the User Profile page and selecting the Link Azure Blob Account button. A dialog box will pop up, prompting you to select the Entra ID Cloud Instance, enter the tenant ID and client ID, then download the provided certificate and upload it to your Azure application. Finally, click the Link Account button to complete the process.
The default Azure Blob Compliance and Audit Trail configuration set on the User Profile page will automatically apply to all newly created workflows. If needed, you can customize archival settings for individual workflows by overriding the default Azure Blob configuration, as illustrated in the image below. Within these flow-specific settings, you also have the ability to enable or disable Azure Blob archival for that particular workflow, giving you greater flexibility and control over how and where your event data is stored.
Event data will be stored in the designated container, based on the specific lifecycle event, within the selected Azure Blob Storage account. Each record is saved as a JSON file with the naming convention "Hire2Retire_flowName_timeStamp_.json", ensuring clarity and traceability of archived event logs.
MySQL Archival Settings
Hire2Retire also supports MySQL as a destination for archiving event history. To enable archival using MySQL, you’ll need to establish a connection through the User Profile page. Simply click the Link MySQL Account button, where you’ll be prompted to enter the required connection details, including the Hostname, Port, Database Name, Username, and Password. Once configured, this connection will be used to securely store workflow event data in your MySQL database.
Once the MySQL connection is successfully configured, you’ll have the option to copy the DDL (Data Definition Language) SQL query required to create the Compliance and Audit Trail table within your MySQL database, as illustrated in the image below. If you're using the Integration feature, you’ll also be provided with a separate DDL SQL query specifically for Integration event logging, which can be copied and used to set up the corresponding table.
The default MySQL Compliance and Audit Trail configuration set on the User Profile page will automatically apply to all newly created workflows. However, you can customize the archival settings for individual workflows by overriding the default MySQL configuration, as demonstrated in the image below. Within this flow-specific settings panel, you also have the option to enable or disable MySQL archival for that particular workflow, providing flexibility and control over how event history is stored.
Toggle Compliance and Audit Trail for Individual Flows on Manage Page
On the Manage page within Hire2Retire, each workflow includes a toggle switch that allows you to activate or deactivate the Compliance and Audit Trail feature for that specific flow.
In the example image below, these toggle switches are highlighted in red to indicate their location and function.