Skip to content
DeviceFlow Validation

URS-003 · Audit Log Tracking of All User Actions

Status: PASS  ·  Duration: 59s  ·  Run Date: April 21, 2026

Test Scenarios

Section titled “Test Scenarios”

Step 1: Rep login

Section titled “Step 1: Rep login”
PASS

Step 1: Rep login

Step 2: Create order

Section titled “Step 2: Create order”
PASS

Step 2: Create order

Step 2: Create order

Step 2: Create order

Step 2: Create order

Step 3: Edit order item

Section titled “Step 3: Edit order item”
PASS

Step 3: Edit order item

Step 3: Edit order item

Step 3: Edit order item

Step 4: Rep denied admin access

Section titled “Step 4: Rep denied admin access”
PASS

Step 4: Rep denied admin access

Step 5: Admin login

Section titled “Step 5: Admin login”
PASS

Step 5: Admin login

Recordings

Section titled “Recordings”

step 01 rep login

Section titled “step 01 rep login”

step 02 create order

Section titled “step 02 create order”

step 03 edit order

Section titled “step 03 edit order”

step 04 rep admin denied

Section titled “step 04 rep admin denied”

step 05 admin login

Section titled “step 05 admin login”

Database Validations

Section titled “Database Validations”

audit_events table has the expected schema

Section titled “audit_events table has the expected schema”
PASS

Table public.audit_events should expose at least: id, organization_id, user_id, event_type, action, object_id, payload, created_at

SELECT column_name
                 FROM information_schema.columns
                 WHERE table_schema = 'public' AND table_name = 'audit_events'
column_name
id
organization_id
user_id
contact_id
event_type
action
object_id
secondary_object_id
payload
route
trace_id
created_at
url

rep login was audited (Bob)

Section titled “rep login was audited (Bob)”
PASS

Bob logging in should produce at least one user_log row with action=user:login.

SELECT id, action, event_type, user_id, organization_id, payload, created_at
                 FROM audit_events
                 WHERE created_at >= $1
                   AND user_id = $2
                   AND event_type = 'user_log'
                   AND action = 'user:login'
                 ORDER BY created_at ASC
idactionevent_typeuser_idorganization_idpayloadcreated_at
019dae25-9b29-7375-b0e9-270606119161user:loginuser_log17b8c9d0-e1f2-3456-1234-567890123456b2c3d4e5-f6a7-8901-bcde-f12345678901[object Object]2026-04-21T03:46:33.392Z
019dae25-b285-7470-b25b-785b7a5bb74cuser:loginuser_log17b8c9d0-e1f2-3456-1234-567890123456b2c3d4e5-f6a7-8901-bcde-f12345678901[object Object]2026-04-21T03:46:39.412Z
019dae26-0047-7bb4-b649-bf71438a1c07user:loginuser_log17b8c9d0-e1f2-3456-1234-567890123456b2c3d4e5-f6a7-8901-bcde-f12345678901[object Object]2026-04-21T03:46:59.304Z
019dae26-4579-7318-aaea-ad44cc55a248user:loginuser_log17b8c9d0-e1f2-3456-1234-567890123456b2c3d4e5-f6a7-8901-bcde-f12345678901[object Object]2026-04-21T03:47:17.001Z

admin login was audited (Dan)

Section titled “admin login was audited (Dan)”
PASS

Dan logging in should produce at least one user_log row with action=user:login.

SELECT id, action, event_type, user_id, organization_id, payload, created_at
                 FROM audit_events
                 WHERE created_at >= $1
                   AND user_id = $2
                   AND event_type = 'user_log'
                   AND action = 'user:login'
                 ORDER BY created_at ASC
idactionevent_typeuser_idorganization_idpayloadcreated_at
019dae26-630a-7f95-b75d-5e8ac6ee6b9cuser:loginuser_logc3d4e5f6-a7b8-9012-cdef-123456789012b2c3d4e5-f6a7-8901-bcde-f12345678901[object Object]2026-04-21T03:47:24.562Z

update_order_request_item decision was audited for Bob

Section titled “update_order_request_item decision was audited for Bob”
PASS

Editing an order item should produce a decision audit_events row with action=update_order_request_item for the acting user.

SELECT id, action, event_type, user_id, object_id, payload, created_at
                 FROM audit_events
                 WHERE created_at >= $1
                   AND user_id = $2
                   AND event_type = 'decision'
                   AND action = 'update_order_request_item'
                 ORDER BY created_at DESC
idactionevent_typeuser_idobject_idpayloadcreated_at
019dae26-246a-7996-b36b-eb312de664d9update_order_request_itemdecision17b8c9d0-e1f2-3456-1234-567890123456019dae25-e6b1-79d8-bd11-809a605559a4[object Object]2026-04-21T03:47:08.471Z

audit rows for Bob have required fields populated

Section titled “audit rows for Bob have required fields populated”
PASS

Every audit_events row for Bob during the run should have non-null event_type and organization_id. (created_at is NOT NULL by schema constraint.)

SELECT id,
                        (event_type IS NULL)        AS missing_event_type,
                        (organization_id IS NULL)   AS missing_org
                 FROM audit_events
                 WHERE created_at >= $1
                   AND user_id = $2
                   AND (
                     event_type IS NULL OR
                     organization_id IS NULL
                   )

No rows returned.

no audit rows leaked to other organizations (test actors only)

Section titled “no audit rows leaked to other organizations (test actors only)”
PASS

Audit rows written during the run by the test actors (Bob, Dan, Ryan) must belong to one of the demo organizations (ZuriMED or StellarTech).

SELECT id, organization_id, user_id, event_type, action, created_at
                 FROM audit_events
                 WHERE created_at >= $1
                   AND user_id = ANY($2::uuid[])
                   AND organization_id <> ALL($3::uuid[])

No rows returned.

Downloads

Section titled “Downloads”

Feedback

Section titled “Feedback”