Task #2615

closed

Change of a confidential value (e.g. system credentials) isn't always recorded in the audit

Added by Alena Peterová over 3 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: Radek Tomiška
Category: Audit
Target version:
Start date: 12/16/2020
Due date:
% Done: 100%
Estimated time:
Owner:

Description

Tested on 10.4.3 and 10.6.3
When changing some confidential attribute - typically credentials for a connected system, or some confidential application property - the change sometimes isn't visible in the IdM audit. If the last modifier of the value is different from the current modifier, it appears in the audit; otherwise it doesn't.

This is troublesome when solving some support incidents - we can't depend on the info in the audit to tell if any change was made (and when).

The exact value shouldn't be audited of course, because it's confidential, but we need some way to record the change in the audit.

Note: After consultation with Ondra, the column "modified" is changed in the corresponding record of type IdmConfiguration and IdmConfidentialStorageValue, but changing this column isn't audited mainly for some other good reason - updating sync token during synchronization. So this task may be difficult to solve.


Related issues

Related to IdStory Identity Manager - Feature #2942: Audit: Add filter by owner (Closed, Radek Tomiška, 09/10/2021)

Actions #1

Updated by Alena Peterová over 3 years ago

  • Subject changed from Change of confidential attribute isn't always recorded in the audit to Change of a confidential value (e.g. system credentials) isn't always recorded in the audit
Actions #2

Updated by Radek Tomiška over 3 years ago

Value is not audited, so no change is made from the audit point of view. The only solution can be to add some artificial "value" (e.g. a digest), which will be changed together with the confidential value.

Actions #3

Updated by Radek Tomiška over 2 years ago

  • Status changed from New to In Progress
  • Target version set to 12.0.0
Actions #4

Updated by Radek Tomiška over 2 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Ondrej Husník
  • % Done changed from 0 to 90

Feature is implemented. Revision date is filled into eav form value to be shown in audit.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/4de7723f8205f1d7da6e6e06df742114543c734a

Could you provide me a feedback, please?

Actions #5

Updated by Radek Tomiška over 2 years ago

Actions #6

Updated by Radek Tomiška over 2 years ago

I redesigned the feature to support audit of configuration properties. The eav form date value is not abused now - a random value is filled into value when an eav or configuration confidential value is changed. Asterisks are still visible on FE only.

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/51265d2d499fccabae4647d51dd3df257b22d2aa

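The approach settled on in comments #2 and #6 above (an artificial, audited marker that changes together with the confidential value, so the audit records that a change happened without ever storing the secret), shown as an added Python illustration. This is not CzechIdM code: the record, store, column names and the constructed "ldap.password" scenario are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Columns the audit compares. "modified" is left out on purpose: synchronization
# also bumps it when it stores a sync token, which would flood the audit.
AUDITED_COLUMNS = ("name", "value", "modifier")

@dataclass
class ConfigurationRecord:
    """Stand-in for an audited configuration row (hypothetical, not the real IdM entity)."""
    name: str
    value: Optional[str] = None      # for confidential properties this holds only a marker
    modifier: Optional[str] = None
    modified: Optional[str] = None   # deliberately not in AUDITED_COLUMNS

class ConfigurationStore:
    def __init__(self) -> None:
        self.records: Dict[str, ConfigurationRecord] = {}
        self.confidential_storage: Dict[str, str] = {}  # stand-in for the non-audited secret store
        self.audit: List[dict] = []

    def _snapshot(self, rec: ConfigurationRecord) -> dict:
        return {c: getattr(rec, c) for c in AUDITED_COLUMNS}

    def set_value(self, name: str, new_value: str, modifier: str, modified: str,
                  confidential: bool = False, use_marker: bool = True) -> Set[str]:
        rec = self.records.setdefault(name, ConfigurationRecord(name=name))
        before = self._snapshot(rec)
        if confidential:
            self.confidential_storage[name] = new_value  # the secret never reaches the audited row
            if use_marker:
                # Random marker, not a digest: a digest of a weak password could be brute-forced from the audit
                rec.value = secrets.token_hex(16)
        else:
            rec.value = new_value
        rec.modifier, rec.modified = modifier, modified
        changed = {c for c in AUDITED_COLUMNS if before[c] != self._snapshot(rec)[c]}
        if changed:  # the audit writes a revision only when some audited column differs
            self.audit.append({"name": name, "modifier": modifier, "modified": modified,
                               "changed": sorted(changed)})
        return changed

def audit_after_two_changes_by_same_user(use_marker: bool) -> List[dict]:
    """Constructed scenario from the report: one user changes a system password twice."""
    store = ConfigurationStore()
    for secret, when in (("s3cret-v1", "2020-12-16T09:00"), ("s3cret-v2", "2020-12-16T10:00")):
        store.set_value("ldap.password", secret, modifier="alice", modified=when,
                        confidential=True, use_marker=use_marker)
    return store.audit
```

Without the marker the second change by the same user leaves no audit revision at all (only the first one, where the modifier column changed, is recorded); with the marker every change produces a revision whose diff shows only the marker column.
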
Actions #7

Updated by Tomáš Doischer over 2 years ago

  • Assignee changed from Ondrej Husník to Tomáš Doischer
Actions #8

Updated by Tomáš Doischer over 2 years ago

  • Status changed from Needs feedback to Resolved
  • Assignee changed from Tomáš Doischer to Radek Tomiška
  • % Done changed from 90 to 100

This is great, thank you. LGTM.

Actions #9

Updated by Radek Tomiška over 2 years ago

  • Status changed from Resolved to Closed