diff --git a/src/agreements_api.go b/src/agreements_api.go
index 7f6e1af9..44e86607 100644
--- a/src/agreements_api.go
+++ b/src/agreements_api.go
@@ -200,7 +200,7 @@ func (e mainEnv) agreementWithdraw(w http.ResponseWriter, r *http.Request, ps ht
 if selfService == false {
 // user can change consent only for briefs defined in self-service
 if len(authResult) == 0 {
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, event) == "" {
 return
 }
 }
@@ -237,11 +237,7 @@ func (e mainEnv) agreementWithdraw(w http.ResponseWriter, r *http.Request, ps ht
 func (e mainEnv) agreementRevokeAll(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 brief := ps.ByName("brief")
- authResult := e.enforceAdmin(w, r)
- if authResult == "" {
- return
- }
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 brief = normalizeBrief(brief)
diff --git a/src/audit_api.go b/src/audit_api.go
index 248f98b0..45c0e3e3 100644
--- a/src/audit_api.go
+++ b/src/audit_api.go
@@ -40,7 +40,7 @@ func (e mainEnv) getAuditEvents(w http.ResponseWriter, r *http.Request, ps httpr
 }
 func (e mainEnv) getAdminAuditEvents(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 var offset int32
diff --git a/src/expiration_api.go b/src/expiration_api.go
index c8e1cfc5..7f35b9b2 100644
--- a/src/expiration_api.go
+++ b/src/expiration_api.go
@@ -162,7 +162,7 @@ func (e mainEnv) expStart(w http.ResponseWriter, r *http.Request, ps httprouter.
 event := audit("initiate user record expiration by "+mode, identity, mode, identity)
 defer func() { event.submit(e.db, e.conf) }()
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, event) == "" {
 return
 }
 userTOKEN := e.loadUserToken(w, r, mode, identity, event)
diff --git a/src/lbasis_api.go b/src/lbasis_api.go
index b5c6aa2b..3635fc09 100644
--- a/src/lbasis_api.go
+++ b/src/lbasis_api.go
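Review bot: In agreementRevokeAll the admin check is called with `nil`, so the identity that enforceAdmin now resolves from the token is discarded and, as far as this hunk shows, no audit event names who revoked every agreement for a brief. The same `nil` is passed in getAdminAuditEvents, createLegalBasis, deleteLegalBasis, listLegalBasisRecords, the five pactivity handlers and userList. For the handlers that change state, consider creating the event before the check the way expStart does, with `event := audit(...)` and `defer func() { event.submit(e.db, e.conf) }()`, and passing it instead of `nil`. These handler bodies continue outside the hunks, so an event may be created further down; if it is, moving it above this call would let it carry the caller's identity.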
@@ -12,7 +12,7 @@ import (
 func (e mainEnv) createLegalBasis(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 brief := ps.ByName("brief")
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 brief = normalizeBrief(brief)
@@ -82,7 +82,7 @@ func (e mainEnv) createLegalBasis(w http.ResponseWriter, r *http.Request, ps htt
 func (e mainEnv) deleteLegalBasis(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 brief := ps.ByName("brief")
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 brief = normalizeBrief(brief)
@@ -98,7 +98,7 @@ func (e mainEnv) deleteLegalBasis(w http.ResponseWriter, r *http.Request, ps htt
 }
 func (e mainEnv) listLegalBasisRecords(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 resultJSON, numRecords, err := e.db.getLegalBasisRecords()
diff --git a/src/pactivities_api.go b/src/pactivities_api.go
index 6e27a341..16932368 100644
--- a/src/pactivities_api.go
+++ b/src/pactivities_api.go
@@ -12,7 +12,7 @@ import (
 func (e mainEnv) pactivityCreate(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 activity := ps.ByName("activity")
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 activity = normalizeBrief(activity)
@@ -70,7 +70,7 @@ func (e mainEnv) pactivityCreate(w http.ResponseWriter, r *http.Request, ps http
 func (e mainEnv) pactivityDelete(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 activity := ps.ByName("activity")
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 activity = normalizeBrief(activity)
@@ -87,7 +87,7 @@ func (e mainEnv) pactivityDelete(w http.ResponseWriter, r *http.Request, ps http
 func (e mainEnv) pactivityLink(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 activity := ps.ByName("activity")
 brief := ps.ByName("brief")
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 activity = normalizeBrief(activity)
@@ -122,7 +122,7 @@ func (e mainEnv) pactivityLink(w http.ResponseWriter, r *http.Request, ps httpro
 func (e mainEnv) pactivityUnlink(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 activity := ps.ByName("activity")
 brief := ps.ByName("brief")
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 activity = normalizeBrief(activity)
@@ -146,7 +146,7 @@ func (e mainEnv) pactivityUnlink(w http.ResponseWriter, r *http.Request, ps http
 }
 func (e mainEnv) pactivityList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 resultJSON, numRecords, err := e.db.listProcessingActivities()
diff --git a/src/requests_api.go b/src/requests_api.go
index db9a8de2..7d12b3a5 100644
--- a/src/requests_api.go
+++ b/src/requests_api.go
@@ -95,7 +95,7 @@ func (e mainEnv) getUserRequest(w http.ResponseWriter, r *http.Request, ps httpr
 if len(userTOKEN) != 0 {
 event.Record = userTOKEN
 }
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, event) == "" {
 return
 }
 change := getStringValue(requestInfo["change"])
@@ -148,7 +148,7 @@ func (e mainEnv) approveUserRequest(w http.ResponseWriter, r *http.Request, ps h
 if enforceUUID(w, request, event) == false {
 return
 }
- authResult := e.enforceAdmin(w, r)
+ authResult := e.enforceAdmin(w, r, event)
 if authResult == "" {
 return
 }
diff --git a/src/sessions_api.go b/src/sessions_api.go
index ad233a9c..d94f4086 100644
--- a/src/sessions_api.go
+++ b/src/sessions_api.go
@@ -24,7 +24,7 @@ func (e mainEnv) createSession(w http.ResponseWriter, r *http.Request, ps httpro
 //returnError(w, r, "bad session format", nil, event)
 return
 }
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, event) == "" {
 return
 }
 expiration := e.conf.Policy.MaxSessionRetentionPeriod
@@ -77,7 +77,7 @@ func (e mainEnv) deleteSession(w http.ResponseWriter, r *http.Request, ps httpro
 //returnError(w, r, "bad session format", nil, event)
 return
 }
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, event) == "" {
 return
 }
 e.db.deleteSession(session)
@@ -86,7 +86,6 @@ func (e mainEnv) deleteSession(w http.ResponseWriter, r *http.Request, ps httpro
 fmt.Fprintf(w, `{"status":"ok"}`)
 }
-
 // the following function is currently not used
 func (e mainEnv) newUserSession(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
 identity := ps.ByName("identity")
diff --git a/src/users_api.go b/src/users_api.go
index 8c10c0c7..7e9194cf 100644
--- a/src/users_api.go
+++ b/src/users_api.go
@@ -166,7 +166,7 @@ func (e mainEnv) userGet(w http.ResponseWriter, r *http.Request, ps httprouter.P
 }
 func (e mainEnv) userList(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
- if e.enforceAdmin(w, r) == "" {
+ if e.enforceAdmin(w, r, nil) == "" {
 return
 }
 if e.conf.Generic.ListUsers == false {
diff --git a/src/utils.go b/src/utils.go
index b534cc34..e58265f8 100644
--- a/src/utils.go
+++ b/src/utils.go
@@ -477,11 +477,14 @@ func (e mainEnv) enforceAuth(w http.ResponseWriter, r *http.Request, event *audi
 return ""
 }
-func (e mainEnv) enforceAdmin(w http.ResponseWriter, r *http.Request) string {
+func (e mainEnv) enforceAdmin(w http.ResponseWriter, r *http.Request, event *auditEvent) string {
 if token, ok := r.Header["X-Bunker-Token"]; ok {
 authResult, err := e.db.checkUserAuthXToken(token[0])
 //fmt.Printf("error in auth? error %s - %s\n", err, token[0])
 if err == nil {
+ if event != nil {
+ event.Identity = authResult.name
+ }
 if len(authResult.ttype) > 0 && authResult.ttype != "login" {
 return authResult.ttype
 }
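Review bot: enforceAdmin now has an undocumented side effect: on any successful token lookup it replaces `event.Identity`, which callers such as expStart appear to have initialised when creating the event, with `authResult.name`, and it does so before the `ttype` check. If `name` can be empty for some token types (not visible here), the audit record loses its identity; `if event != nil && authResult.name != "" {` would avoid that. A doc comment would make the contract explicit, for example `// enforceAdmin returns the token type of a non-login X-Bunker-Token; when event is non-nil it records the token owner in event.Identity.` The commented-out `fmt.Printf` on the context line above formats the raw token and is better deleted than kept for re-enabling. The function body continues past the end of the hunk, so the failure path is not visible.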