# Governance and Auditing
> To enable organizations to provide StudioX to a broad group of users securely, StudioX has automatic logging and controls built in that can enforce organizational policies.
To enable organizations to provide StudioX to a broad group of users securely, StudioX has automatic logging and controls built in that can enforce organizational policies.
Watch the following video for an overview of the governance capabilities available in Studio and a demo of how to use them in StudioX. The video showcases the [file-based governance model](https://docs.uipath.com/studio/standalone/2023.10/user-guide/governance). For an even easier way to manage governance policies, use [Automation Ops](https://docs.uipath.com/studiox/standalone/2023.10/user-guide/introduction).
## Reporting and Auditing
One of the main concerns organizations have regarding broad Citizen Developer deployments is how to track usage, know what automations exist, and what those automations are doing.
If your organization licenses Robots and StudioX through Orchestrator, the Robots and associated StudioX instances are connected to Orchestrator. This means that many common actions are logged by default in the [execution logs](https://docs.uipath.com/orchestrator/automation-cloud/latest/user-guide/managing-logs-in-orchestrator) including every time an automation is executed. The logged events include:
* Windows identity of the user
* Name of the machine
* Name of the process
* Version, and more
This enables your organization to have deep visibility into automation use in the organization.
### Frequently Asked Questions
#### How can we know who is using automations in the organization?
Events in the execution logs include user and machine information. This enables you to build reports from the execution logs showing all the users who ran automations in your organization using supported reporting technologies (direct queries against the logs, [UiPath® Insights](https://docs.uipath.com/insights), etc.).
#### How can we know what automations are used in the organization?
By logging all user and process information in the [execution logs](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/orchestrator-logs#section-orchestrator-execution-logs), you can build reports and know who is running which automations. This enables you to enact organizational policies that ensure all automations are shared with IT and properly documented and understood if needed, avoiding situations where employees build automations that nobody else in the organization knows about.
#### How can we know what users are doing in their automations?
By default, the activities used by StudioX projects record important information in the execution logs with no action required from the user. This gives you a high-level picture into important actions performed by the Robot. For more details on what is logged, see [Audit Logging](https://docs.uipath.com/studiox/standalone/2023.10/user-guide/governance-and-auditing#audit-logging).
#### How can we know which users are using StudioX, Assistant, etc.?
Every execution started event in the [execution logs](https://docs.uipath.com/orchestrator/standalone/2023.10/user-guide/orchestrator-logs#section-orchestrator-execution-logs) includes an `initiatedBy` property that records which product started the automation (Assistant, StudioX, Studio, or Orchestrator). This means that you can build a report from the logs showing who is using which product, and detect patterns such as users running only from StudioX, rather than publishing completed processes and running them from the Assistant.
## Governance Controls
Many organizations want the ability to put guardrails in place to ensure that Citizen Developers follow organizational policies and guidelines. To enable this, StudioX offers the ability to specify policies that control areas such as:
* Settings (for example, Workflow Analyzer)
* Permitted activities package feeds
* Permitted activities and packages
* Applications and URLs that can be automated
* Preventing production runs from StudioX
* Source control settings in StudioX
* Filtering settings in the Activities Panel
### Frequently Asked Questions
#### How do we configure and deploy a governance policy to our users?
You can enforce governance policies by using either:
* **Automation Ops**, a web application available in Automation Cloud that enables administrators to quickly set up and deploy policies in the organization. For more information, see the [Automation Ops Guide](https://docs.uipath.com/studiox/standalone/2023.10/user-guide/introduction).
* A file-based governance model that consists of creating a JSON policy file and deploying the file via a registry key or via Orchestrator. You place this file in a read-only location accessible from your users' machines, such as a network share or blob storage, and then set a registry key either via your install script or Windows group policy. Alternatively, you can paste the contents of the file or add the file path in specific assets in Orchestrator. StudioX loads the policy when it starts and behaves as defined by the policy. For more information, see [Governance](https://docs.uipath.com/studio/standalone/2023.10/user-guide/governance) in the Studio Guide.
#### How can we place limits on which applications and/or websites can be automated?
StudioX includes an **App/URL Restrictions** Workflow Analyzer rule. To limit which applications and/or URLs users may automate, you can choose to either prohibit specific apps/URLs or allow only those from a specific list (both options are supported). To block any non-compliant workflows from being run or published:
* In the policy, enable the **Enforce Analyzer before Run** and **Enforce Analyzer before Publish** options (for the file-based model, set the **AnalyzeOnRun** and **AnalyzeOnPublish** properties to `true`). This will require automations to pass a Workflow Analyzer check prior to being run or published.
* Configure the [App/URL Restrictions](https://docs.uipath.com/activities/docs/ux-sec-010) rule using either the prohibited or allowed lists per your organization's requirements, and set the **Default action** to **Error**.
#### How can we make sure users perform production runs from Assistant and not from StudioX?
You can limit the number of runs allowed from StudioX for projects that have no changes. After the limit is reached for a project, running it from StudioX is no longer allowed, the user is prompted to publish the project, and optionally, an event is logged in an Orchestrator queue of your choice. To set this up, for the file-based model, configure the parameters in the **RequireUserPublish** section of the [governance file](https://docs.uipath.com/studio/standalone/2023.10/user-guide/governance#settings-users-cannot-configure-from-studio).
#### What Workflow Analyzer rules are included in StudioX?
See [About Workflow Analyzer](https://docs.uipath.com/studiox/standalone/2023.10/user-guide/about-workflow-analyzer) for a full list of rules.
#### Can we create custom Workflow Analyzer rules for StudioX?
You can create custom Workflow Analyzer rules for StudioX in the same way as you do for Studio. To make a rule available in the StudioX profile, an additional property must be defined. For more information, see [Building Custom Rules](https://docs.uipath.com/activities/other/latest/developer/building-workflow-analyzer-rules).
## Audit Logging
Audit information regarding the data used by activities in automation projects is recorded in execution logs at the **Information** level in messages that begin with `Audit:` (except for the **Use Application/Browser** activity, which has information recorded at the **Trace** level).
In addition, logs also contain an `initiatedBy` property that records where each project execution was initiated: Assistant, StudioX, Studio, or Orchestrator. This enables organizations to keep track of how the tools are used.
Watch the following video for an overview of the governance capabilities available in Studio and a demo of how to use them in StudioX.
The following table lists audit information logged for StudioX activities. For more information about logging, see the [Studio guide](https://docs.uipath.com/studio/standalone/2023.10/user-guide/studio-logs).
Activity
Audit Information Logged
Use Application/Browser
For desktop applications : The name of the target application executable file.
Any arguments passed to the application at startup.
For web browsers : The name of the web browser (IE, Firefox, Chrome, or Edge).
The URL of the targeted web page.
Use Excel File
The name of the Excel file used by the activity.
Use Word File
The name of the Word document used by the activity.
Use Outlook 365 / Use Gmail / Use Desktop Outlook App
The email account used by the activity.
Extract Table Data
URL of the web page from which the data is extracted.
Send Email
Recipients added to the To field.
Recipients added to the Cc field.
Whether the email is sent or saved as draft.
Reply to Email
Recipients added to the To field.
Recipients added to the Cc field.
Forward Email
Recipients added to the To field.
Recipients added to the Cc field.
Use PowerPoint Presentation
The name of the PowerPoint file used by the activity.
Use Google Document / Use Google Spreadsheet / Use Google Drive
The Google account used by the activity.
Use OneDrive & SharePoint
The Microsoft 365 account used by the activity.