Add Audit Events for Impersonation Token Lifecycle

Proposal

Implement new audit event types to track all impersonation token activities


Problem

Currently, GitLab provides the user_impersonation audit event, which records when an administrator starts or stops impersonating a user through the UI. However, there is a significant gap for impersonation tokens themselves: the personal access tokens an administrator creates to act as another user via the API generate no audit events at any point in their lifecycle. Organizations need a complete audit trail of these privileged credentials for security and compliance purposes, but today cannot reconstruct who created a given token, for whom, whether it was used, or when it was revoked.


Current State

  • Audit event exists for user impersonation actions (user_impersonation)
  • No audit events for impersonation token creation
  • No audit events for impersonation token revocation
  • No audit events for impersonation token deletion
  • No audit events for impersonation token usage

Proposed Solution

Implement new audit event types to track all impersonation token activities:

  1. impersonation_token_created
    • Triggered when an impersonation token is created
    • Should log: token creator, target (impersonated) user, token ID, token name, expiration date, scopes (never the token value itself)
  2. impersonation_token_revoked
    • Triggered when an impersonation token is revoked
    • Should log: who revoked it, token ID, token owner
  3. impersonation_token_deleted
    • Triggered when an impersonation token is deleted
    • Should log: who deleted it, token ID, token owner
  4. impersonation_token_used
    • Triggered when an impersonation token is used for authentication
    • Should log: token ID, impersonated user, API endpoint accessed, source IP, timestamp

Use Cases

  1. Security Compliance: Organizations need to maintain complete audit trails of all privileged operations for compliance with regulations
  2. Incident Investigation: Security teams need to investigate potential unauthorized access or token misuse
  3. Access Reviews: Periodic reviews of who created tokens, for which users, with which scopes, and for what purpose
  4. Anomaly Detection: Identify unusual patterns in token usage or creation
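As an added illustration (not code from this issue or from GitLab itself), the Ruby below models the four proposed events with the fields listed under Proposed Solution, keeps the raw token secret out of the log by recording only the token ID and a short digest prefix, and runs the incident-investigation and anomaly checks from the use cases (use after revocation, use from a previously unseen source IP) over a constructed event sequence. Module, field and function names are assumptions for this example, not GitLab's shipped audit event schema.

```ruby
require 'json'
require 'time'
require 'digest'

# Hypothetical builders for the events proposed in this issue.
# Field names follow the proposal; they are not GitLab's real schema.
module ImpersonationTokenAudit
  EVENT_NAMES = %w[
    impersonation_token_created
    impersonation_token_revoked
    impersonation_token_deleted
    impersonation_token_used
  ].freeze

  # Token as seen by callers. The secret is used only to derive a
  # non-reversible reference; it is never written to an event.
  Token = Struct.new(:id, :name, :owner, :scopes, :expires_at, :secret, keyword_init: true)

  def self.token_ref(token)
    { token_id: token.id,
      token_digest_prefix: Digest::SHA256.hexdigest(token.secret)[0, 8] }
  end

  def self.base(name, author:, at:)
    raise ArgumentError, "unknown event #{name}" unless EVENT_NAMES.include?(name)
    { event_name: name, author: author, created_at: at.utc.iso8601 }
  end

  def self.created(token, by:, at: Time.now)
    base('impersonation_token_created', author: by, at: at)
      .merge(token_ref(token))
      .merge(target_user: token.owner, token_name: token.name,
             expires_at: token.expires_at&.utc&.iso8601, scopes: token.scopes)
  end

  def self.revoked(token, by:, at: Time.now)
    base('impersonation_token_revoked', author: by, at: at)
      .merge(token_ref(token)).merge(token_owner: token.owner)
  end

  def self.deleted(token, by:, at: Time.now)
    base('impersonation_token_deleted', author: by, at: at)
      .merge(token_ref(token)).merge(token_owner: token.owner)
  end

  # Requests made with the token act as the impersonated user, so that
  # user is the author; the event name records that a token was involved.
  def self.used(token, endpoint:, ip:, at: Time.now)
    base('impersonation_token_used', author: token.owner, at: at)
      .merge(token_ref(token)).merge(endpoint: endpoint, source_ip: ip)
  end

  # Investigation helper: flag usage after revocation/deletion and usage
  # from a source IP not previously seen for that token.
  def self.suspicious_usage(events)
    dead = {}                               # token_id => time revoked/deleted
    seen_ips = Hash.new { |h, k| h[k] = [] } # token_id => IPs seen so far
    findings = []
    events.sort_by { |e| e[:created_at] }.each do |e|
      id = e[:token_id]
      case e[:event_name]
      when 'impersonation_token_revoked', 'impersonation_token_deleted'
        dead[id] ||= e[:created_at]
      when 'impersonation_token_used'
        if dead[id]
          findings << { token_id: id, reason: :used_after_revocation,
                        at: e[:created_at], source_ip: e[:source_ip] }
        elsif !seen_ips[id].empty? && !seen_ips[id].include?(e[:source_ip])
          findings << { token_id: id, reason: :new_source_ip,
                        at: e[:created_at], source_ip: e[:source_ip] }
        end
        seen_ips[id] << e[:source_ip] unless seen_ips[id].include?(e[:source_ip])
      end
    end
    findings
  end
end

# Constructed sample lifecycle for one token (not real GitLab data).
SAMPLE_TOKEN = ImpersonationTokenAudit::Token.new(
  id: 42, name: 'ci-migration', owner: 'alice', scopes: %w[api read_user],
  expires_at: Time.utc(2025, 1, 31), secret: 'glpat-example-secret-do-not-log'
)

def sample_events
  t = SAMPLE_TOKEN
  a = ImpersonationTokenAudit
  [
    a.created(t, by: 'admin-bob', at: Time.utc(2025, 1, 1, 9)),
    a.used(t, endpoint: 'GET /api/v4/projects', ip: '10.0.0.5', at: Time.utc(2025, 1, 1, 10)),
    a.used(t, endpoint: 'GET /api/v4/projects', ip: '10.0.0.5', at: Time.utc(2025, 1, 2, 10)),
    a.used(t, endpoint: 'POST /api/v4/projects/1/members', ip: '203.0.113.9', at: Time.utc(2025, 1, 3, 2)),
    a.revoked(t, by: 'admin-bob', at: Time.utc(2025, 1, 3, 8)),
    a.used(t, endpoint: 'GET /api/v4/user', ip: '203.0.113.9', at: Time.utc(2025, 1, 3, 9))
  ]
end

# True if the raw secret ever appears in the serialized events.
def secret_leaked?(events)
  JSON.generate(events).include?(SAMPLE_TOKEN.secret)
end

if __FILE__ == $PROGRAM_NAME
  puts JSON.pretty_generate(sample_events.first)
  ImpersonationTokenAudit.suspicious_usage(sample_events).each { |f| puts f.inspect }
end
```

Running the file prints the created event and two findings: the member-add request from 203.0.113.9 (first use from a new IP) and the request made after the token was revoked. The same correlation only works in production if every event carries a stable token ID, which is why the proposal above lists it for each event type.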

Benefits

  • Enhanced security visibility and compliance capabilities
  • Complete audit trail for all impersonation-related activities
  • Better incident response capabilities
  • Improved accountability for administrative actions

Implementation Considerations

  • Ensure audit events capture sufficient detail for forensic analysis, including a stable token ID so that created, used, and revoked/deleted events for one token can be correlated
  • Never include the token value in an audit event; log the token ID (and at most a short, non-reversible prefix) instead
  • impersonation_token_used fires on every authenticated API request, so consider event volume (for example, emitting one event per token, endpoint, and source IP within a time window) and whether it belongs in streaming audit events
  • Ensure events are searchable and filterable in the audit events UI
