The following authentication/authorization related events should be defined as catalog events:
- User logs in
- User logs out
- User updates password (mostly relevant to private security realm)
- User updates API key/keys
- User created (again, mostly relevant to private security realm)
Each of these events should be able to use common audit attributes. The actual password or API key should not be logged.