According to http://www.novell.com/developer/sentinel_taxonomy.html we

- Create a user session: The establishment of a processing environment to
service an end user, e.g. authentication or logging in
- Authenticate user: In most cases this is part of the login process, but in
some environments the authentication happens separately from the creation of
the session.

Now if we have an application that generates authentication events (LOGIN)
separately from session creation events (CONNECT), an XDAS_AE_CREATE_SESSION
event with an outcome of XDAS_OUT_SUCCESS does not necessarily mean that a
user logged in successfully. That kind of defeats the use of a taxonomy to
specify queries in a device independent fashion.

So what would be the correct taxonomy to query for all successful user