Audit Trail with Hire2Retire Lifecycle Event Archival

Hire2Retire Compliance and Audit Trail allows you to save and archive event history to AWS S3, Azure Blob Storage and/or a MySQL database for each workflow. This is the same event information that is available on the Observe Pane in Hire2Retire for the workflow you have set up. Compliance and Audit Trail currently shows execution times in GMT.

To start using the Compliance and Audit Trail feature for each workflow, you need to define a default Compliance and Audit Trail configuration. The default configuration is set on the User Profile page, and its values are applied to all new workflows. You can also define a flow-specific archival configuration by overriding the default AWS S3, Azure Blob or MySQL archival settings. You will be asked to set the flow-specific archival configuration when deploying a workflow, and you can update it at any time using the settings icon on the top right of the design page.

There are three archival methods:

  1. AWS S3
  2. Azure Blob
  3. MySQL

The default archival frequency is every 4 hours.

AWS S3 Archival Settings

You will need to create a connection with AWS S3 on the User Profile page. You can do so by clicking the Link AWS S3 Account button where you will need to provide the AWS access key and the secret key.

Figure 1. AWS S3 Archival Connection Setup on User Profile Page

Upon setting up the AWS S3 connection, you can configure the following parameters for the compliance and audit trail.

  • S3 Bucket Name
  • Folder name within the bucket

Figure 2. Setup AWS S3 Archival Parameters on User Profile Page

The default AWS S3 compliance and audit trail from the User Profile page will be applied to all new workflows. You can also define the flow specific archival configuration by overriding the default AWS S3 archival settings as shown in the image below. Here you can also turn on or off the AWS S3 archival for that specific workflow.

Figure 3. AWS S3 Archival Parameters on the Individual Workflow During Flow Deployment

Data from events will be saved in the specified folder within the chosen S3 bucket. The information will be stored as a JSON object named "Hire2Retire_flowName_timeStamp_.json".

Permissions

To archive event data to your AWS S3 bucket, you must grant the necessary IAM permissions to the AWS IAM user or role whose credentials are used to connect the S3 account within Hire2Retire.

To configure these permissions, navigate to IAM > Users or Roles > Select the relevant user/role > Permissions > Choose the policy and add the required permissions in the JSON tab.

Hire2Retire requires the following permissions to ensure proper access and functionality for event archival:

| Scopes | Explanation |
| --- | --- |
| s3:GetObject | Retrieves an object from Amazon S3 |
| s3:GetBucketLocation | Returns the Region the bucket resides in |
| s3:ListBucket | Returns a list of all buckets owned by the authenticated sender of the request |
| s3:ListAllMyBuckets | Returns a list of all buckets owned by the sender of the request |
| s3:PutObject | Adds an object to a bucket |
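
The following is an added example, not Hire2Retire's own code or policy: it builds an IAM policy that grants only the five listed actions on a single bucket and folder, and audits a policy document for missing, excess, or over-broad grants. The bucket and folder names are placeholders, the `scoped_policy` and `audit` helpers are hypothetical, and the scoping assumes Hire2Retire only needs access to the bucket and folder configured for archival.

```python
import json
from fnmatch import fnmatchcase

# The five actions the Permissions table lists for S3 archival.
REQUIRED = {"s3:GetObject", "s3:PutObject", "s3:ListBucket",
            "s3:GetBucketLocation", "s3:ListAllMyBuckets"}
OBJECT_LEVEL = {"s3:GetObject", "s3:PutObject"}           # apply to object ARNs
BUCKET_LEVEL = {"s3:ListBucket", "s3:GetBucketLocation"}  # apply to the bucket ARN

def scoped_policy(bucket, folder):
    """Grant only the listed actions, limited to one bucket and folder."""
    arn = f"arn:aws:s3:::{bucket}"
    return {"Version": "2012-10-17", "Statement": [
        # s3:ListAllMyBuckets cannot be narrowed; it only accepts "*".
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Allow", "Action": sorted(BUCKET_LEVEL), "Resource": arn},
        {"Effect": "Allow", "Action": sorted(OBJECT_LEVEL),
         "Resource": f"{arn}/{folder}/*"}]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy, bucket, folder):
    """Return findings for missing, excess, or over-broad Allow grants."""
    arn, findings, granted = f"arn:aws:s3:::{bucket}", [], set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt["Action"]):
            matched = {r for r in REQUIRED if fnmatchcase(r, action)}
            granted |= matched
            if "*" in action or not matched:
                findings.append(f"broader than required: {action}")
            for res in as_list(stmt["Resource"]):
                # "/" or "*" can match object ARNs; bucket ARNs contain no "/".
                if (matched & OBJECT_LEVEL and ("/" in res or "*" in res)
                        and not res.startswith(f"{arn}/{folder}/")):
                    findings.append(f"{action} reaches objects outside folder: {res}")
                if matched & BUCKET_LEVEL and "/" not in res and res != arn:
                    findings.append(f"{action} reaches other buckets: {res}")
    return findings + [f"missing: {a}" for a in sorted(REQUIRED - granted)]

# Constructed samples: placeholder bucket and folder, and an over-broad policy.
BUCKET, FOLDER = "example-audit-bucket", "hire2retire-events"
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(scoped_policy(BUCKET, FOLDER), indent=2))
    print(audit(BROAD, BUCKET, FOLDER))
```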

Azure Blob Archival Settings

Please refer to the Setup Azure Application document to set up the Azure application.
Upon setting up the Azure connection, you can configure the following parameters for the compliance and audit trail.

  • Subscription Name
  • Storage Account

You can establish a connection with Azure by accessing the User Profile page and selecting the Link Azure Blob Account button. A dialog box will pop up, prompting you to select Entra ID Cloud Instance, enter the tenant ID and client ID, then download and upload the provided certificate to your Azure application. Finally, click the Link Account button to complete the process.

Figure 4. Azure Blob Archival Connection Setup on User Profile Page

Figure 5. Setup Azure Blob Archival Parameters on User Profile Page

The default Azure Blob compliance and audit trail from the User Profile page will be applied to all new workflows. You can also define the flow specific archival configuration by overriding the default Azure Blob archival settings as shown in the image below. Here you can also turn on or off the Azure Blob archival for that specific workflow.

Figure 6. Azure Blob Archival Parameters on the Individual Workflow During Flow Deployment

Data from events will be saved in the specified container depending on lifecycle within the chosen storage account. The information will be stored as a JSON object named "Hire2Retire_flowName_timeStamp_.json".

MySQL Archival Settings

Hire2Retire also supports MySQL as a destination for archiving event history. To enable archival using MySQL, you’ll need to establish a connection through the User Profile page. Simply click on Link MySQL Account where you’ll be prompted to enter the required connection details, including the Hostname, Port, Database Name, Username, and Password. Once configured, this connection will be used to securely store workflow event data in your MySQL database.

Figure 7. MySQL Compliance and Audit Trail Settings on Hire2Retire User Profile Page

Creating the Database

Before using MySQL archival, you must first create a database in your MySQL environment if one doesn’t already exist. You can do this by executing the following command:

CREATE DATABASE mysql_archival;

Note: The name mysql_archival is just an example — you can replace it with any database name that aligns with your organization’s naming conventions or preferences.

Tables Overview

Hire2Retire maintains two separate archival tables in MySQL to better organize and manage different types of event data.

| Table Name | Description |
| --- | --- |
| robomq_hire2retire_event | Stores all core Hire2Retire events, capturing the lifecycle stages and operations performed on employees as triggered by workflows. It includes detailed metadata such as flow information, lifecycle stages, user or process attribution, execution context, and any changes made to user or system data. |
| robomq_hire2retire_integration_table | Stores child events related to external integrations such as Group Membership, Service Desk, and Access. Focuses on communication with third-party systems, capturing connector details, statuses, error logs, and integration payloads. |

How to create a Table

Once the MySQL connection is configured, you can copy the Data Definition Language (DDL) SQL query to create the Compliance and Audit Trail table in your MySQL database, as illustrated in the image below.

For integrations such as Access, Service Desk, and others, a separate DDL query will be provided for Integration Events. This query should also be copied and executed to create the corresponding table in your database.

Figure 8. Setup MySQL Compliance and Audit Trail parameters on User Profile Page

The default MySQL Compliance and Audit Trail settings configured on the User Profile page will automatically apply to all newly created workflows. However, you can customize these settings for individual workflows by overriding the default configuration during deployment, as shown in the image below. In the flow-specific settings panel, you can choose to enable or disable MySQL archival for that workflow, allowing greater flexibility and control over how event history is stored.

Figure 9. MySQL Compliance and Audit Trail Settings on the Individual Workflow During Flow Deployment

Toggle Compliance and Audit Trail for Individual Flows on Manage Page

On the Hire2Retire Manage page, each workflow has a toggle button to turn Compliance and Audit Trail on or off for that specific flow.

Refer to the image below where these toggle buttons are marked in red.

Figure 10. Compliance and Audit Trail Toggle Options on the Manage Page for Individual Flows