Records Management Feature: Auditing

I hope that the last few posts on various aspects of the "business side" of records management have been of value to everyone. In the next few posts, we're going to get back to introducing you to the Records Management features of Office SharePoint Server 2007.  In this post, we're going to examine a critical capability for both records management and regulatory compliance -- Auditing.

For many organizations, especially those in regulated industries like the life sciences, records management requires more than just the long-term management of record "content"... they are also required to retain information about the lifecycle of those records, such as who contributed to the creation of each record, who approved  or signed off on it, who viewed it before it was published, etc. And these requirements don't apply solely to regulated companies: "audit trails" about certain types of records may also be valuable for organizations if a record’s authenticity is  ever challenged.

For these reasons, we've made the 2007 release of the Microsoft Office system an auditable system of record -- audit policies can be configured for documents and items in Office SharePoint Server 2007 to specify which events will be audited for each Content Type, via the Information Management Policy capabilities mentioned in our earlier posts.


As you can see in the image above, audit policies can be configured to automatically record user actions that affects the lifecycle of document & record content, such as when items are edited, viewed, versioned, published, and deleted.  Additionally, custom solutions built on top of the Office SharePoint Server 2007 can also add relevant entries to the audit log, such as when an approval workflow is completed.

Office SharePoint Server 2007 can also be configured to automatically audit "site level" events that may be relevant for regulatory compliance, including searches queries made anywhere in the site, changes made to security settings, and changes made to the metadata schemas of document libraries and Content Types.

And while users of collaborative spaces can be given full rights to active content, the audit log is tightly restricted. Only administrators (or users who are granted sufficient privileges) are able to view the audit history, using Microsoft Office Excel-based reports. And no user can selectively edit or delete individual audit entries.

Auditing of the records management program

In addition to allowing records managers & administrators to specify how user actions on content will be audited, Office SharePoint Server 2007 also automatically audits the enforcement of the organization's records management program: events such as the disposition of content, the creation or modification of Information Management Policies, applying & managing holds, are always audited. So in the event that your records management processes are themselves ever disputed, there will be a reliable audit trail for those processes as well.

Thanks for reading,
- Ethan Gur-esh, Program Manager.

Comments (29)
  1. ilovejolly says:

    Very sorry to interrupt you.

    This problem has puzzled me so long and I don’t know who else I can ask for help except you.

    I deployed the site to Form Authentication and I want to let the users to register on the site.After the user input the information I want the system add the user account to the site group so that all go on automatically.

    I have three ideas:

    1 Put a webpart including a CreateUserWizard control into the MOSS 2007 site’s default page.

    2 Build a ASPNET website in the MOSS2007 site(something like"http://ServerName:PortNumber/_layouts/MyWeb") including a registering page with a CreateUserWizard control.

    3 Build a individual ASPNET website.

    And I put the Group.Add method in the CreateUserWizard_CreatingUser event.

    In the first or second condition,the site will display 401 error

    or turn to the Login page of the sps site directly.(when I logon the site with a appropriate account and this will be done with no problem)

    In the third condition, I can’t manage to let the user logon the site automatically because the registering page has not been  associated with the sps site.

    Any ideas?

    With many many thanks.


  2. Des Russell says:

    Where are currently evaluating the RM functions within SP 2007, although the more detailed auditing can be configured e.g. site level events in a RM enviroment the auditing/activity on a object in a system is crucial and i have yet to see how SP can easily deliver that type of reporting. I am sure that as we progress out evaluation this may be more apparant.

  3. James says:

    I have configured auditing for a document library but I can’t find the audit log. Where is this available?

    Thanks :),

  4. Here is an assortment of various 2007 Microsoft Office SharePoint Server Documentation / Reference Materials…

  5. @ Dezo:

    It’s great to hear to you’re evaluating the capabilities of the 2007 release. Have you already joined the Office 2007 beta program? (

    Also, can you elaborate a bit on what kind of reporting capabilities you’re looking for? We’d love to make sure that we understand your needs and have the right features in place to address them.


    – Ethan Gur-esh.

  6. @James:

    Here is where you can find the reporting capabilities for the audit log.

    1) Go to the main page of the root site in your site collection, and click on the "Settings" link.

    2) In the "Site Collection Administration" section, click on the "Audit log reports" link.

    You will now see a page called "View Auditing Reports". You can click on the "Run a custom report" link to manually specify the parameters for a report, or click on any of the pre-defined reports to generate a Microsoft Office Excel-based report of the audit log data.

    Hope this helps,

    – Ethan Gur-esh.

    P.S.: If after step 1 you don’t see an "Audit Log Reports" link, you may need to take the following step:

    1) Go to the main page of the root site in your site collection, and click on the "Settings" link.

    2) In the "Site Collection Administration" section, click on the "Site collection features" link.

    3) Locate the Feature called "Reporting" in the list of features, and click its "Activate" button.

    Once you’ve completed these steps, the audit reporting features will be available. (This is a work-around to a bug in the beta build that will be fixed for the next beta.)

  7. @ Joy:

    This is a Records Management blog, and as such I’m not sure this is the right forum to answer this question. That said, I’ll follow up with you offline to help track down an answer for you.

    And if any of our usual blog readers want to be included in that resolution, please send me an e-mail and I’ll keep you in the loop as well.


    – Ethan Gur-esh.

  8. Rick says:

    Thanks for the audit info!

    Do you know if it is possible to hook directly into the audit event so that more elaborate security can be applied?  By this I mean, I want to check that a user can only share information with specific other groups.  Unfortunatley, we have to do this for regulatory compliance.

    We don’t know of any other way to *prevent* someone who owns a site from inviting inappropriate members.  I know we can audit after the fact, but we’re told we need to prevent it in the first place.

    Thanks, Rick

  9. @Rick:

    Rick, here’s an answer to your question courtesy of James Sturms of the SharePoint product team.

    Hope this helps,

    – Ethan Gur-esh.


    There is no way to lock a SharePoint site down to only a specific set of groups, but there is a way to do the opposite: lock down a SharePoint site to *exclude* a specific set of groups.

    The feature that supports this is called Security Policy and it is configured from SharePoint Central Administration.  The administrator can set a policy on the web application to either grant or deny a group of users permissions everywhere within that web application.

    There are four classic scenarios for security policy:

    • Super Admin – you want to create a class of user who can see and update all content on all sites.

    • Super Reader – you want to create a class  of user who can read all content, e.g. a search crawler, an auditor, or a legal discovery search

    • Deny All – you want to lock a specific group completley out of a web application, e.g. an investment banking site would need to lock out the research and traders groups to be legally compliant with SEC laws.

    • Deny Write – you want to cap a specific group of user’s permissions at the read level, e.g. you want to make sure that no one can change content via the extranet, but they may still be able to read data.

    There are no security change events in SharePoint.

  10. RickH says:

    Thanks!  I’ll look into using the Deny to meet our needs.  -Rick

  11. Arno Nel 2.0 says:

    Planning Plan document management Chapter overview: Plan document management What is document management?

  12. ians555 says:

    Has anyone tried accessing the SPAuditEntryCollection? There’s also an SPAuditQuery class which looks suspisiously like the data entered in a custom report, but can’t find out where it all hangs off?

  13. @ians555:

    These types of questions are better posed to the Office Beta newsgroups — see for a list of these newsgroups. We’re trying to focus this blog on the broader aspects of the Records Management functionality in the 2007 release.

    But since you asked, here’s a short answer to how to query the audit log programmatically:

    – The first step to querying the audit log is to create a new instance of the SPAuditQuery class. The constructor for this site takes a SPSite (which represents a "Site Collection" in SharePoint) as its input.

    – You can then specify the query you with to run to any combination of: specific events (using the "AddEventRestriction" method), specific lists or items (using the "RestrictToList" and "RestrictToListItem" methods, respectively), specific date ranges (using "SetRangeStart" and "SetRangeEnd"), or users (using "RestrictToUser").

    – Once you have your query defined, you can retrieve the collection of events matching that query by calling the "SPSite.Audit.GetAuditEntries" method, which takes the query as input. This method returns a "SPAuditEntryCollection", which is simply a collection of audit events that can be accessed by using the object model for that class.

    Hope this helps. If you have any further questions, please post them to the newsgroups or use the "Contact" form on the blog to follow up with me.

    – Ethan Gur-esh, Program Manager.

  14. In some of our first posts, we talked about the high costs of litigation & discovery. And our…

  15. housewrightba says:

    What permissions are required to run the audit log reports?

  16. @ Housewrightba:

    A user must be a “Site Collection Administrator” to run audit log reports for that site collection.

    For more information about SharePoint’s security model (including the definitions of the various permission levels), see .

    Hope this helps,

    – Ethan Gur-esh, Program Manager.

  17. Security is always important. I wanted to pull together a collection of all of the different security

  18. karenzhe says:

    Is auditing a feature only designed for MOSS 2007 or also for WSS3.0?

    If it is also designed for WSS3.0, how can we enable it?

  19. marquard says:

    How do you leverage the SharePoint built-in audit trail with custom events in your own event handler or custom workflow?

    I simply need to write to the audit trail – but cannot locate which list to write to.

  20. marquard says:

    A little more research pointed me to the SPAudit object as well as the whitepaper

    Also – search for ItemAuditing on google – that will explain you the details…

  21. Starting from auditing , expiration, ( information management policies ) content types , to the pivot

  22. databaseguy says:

    1.       Who, if anyone, owns the audit log for a document? Is it the Information Stewart? Is there a concept of owner for an audit log?

    2.       How long are they kept? For as long as the document is alive? And when the document is destroyed is the audit log destroyed?

    3.       If one were to request an audit log for a particular document, who would you ask?

  23. Document and Records Management Definition Document Management According to Wikipedia : "A document

  24. says:

    I tried using Audit log feature of Sharepoint 2007. It works fine in windows Authentication environment, but in Form-based Authentication when user is in member group of any web-site , at that time user’s activity on any document library is not recorded.

    If form-based user is in owner group of any web-site then his/her activitoies are recorded.

  25. 2007 MOSS Resource Links (Microsoft Office SharePoint Server) Here is an assortment of various 2007 Microsoft

  26. Satisfy Me says:

    Wonder what to do when you’re waiting for Outlook on one computer to move several thousand messages,

  27. Arno Nel 2.0 says:

    Document and Records Management Definition Document Management According to Wikipedia : "A document

Comments are closed.

Skip to main content