Task #447

closed

Audit log - add filter for user, find relations, translate IDs

Added by Alena Peterová over 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Assignee: Ondřej Kopr
Category: Audit
Target version: -
Start date: 05/26/2017
Due date:
% Done: 100%
Estimated time:
Owner:

Description

Audit log -> Entity history
We need a filter where you can enter the login of the user, e.g. "johndoe". The table must then show the following records:
  • changes of this identity (IdmIdentity records)
  • changes of the contracted positions for this identity (IdmIdentityContract records)
  • changes of the permissions (roles) for this identity (all records that hold this information)
  • changes of the extended attributes of the identity

We need to see the name of the changed role or the contract, not only its ID, because ID tells me nothing.

Current logs would be hard to use in production; solving support incidents would be complicated and time-consuming.

------------------------------------------------
Use-case (long version):

A typical support incident is "Identity xyz can't login to IdM, or AD, ... Their attributes/roles/block status/... are wrong. Explain why IdM did this!"
You don't know when, you don't know who, you don't know why the identity has wrong settings. You need to find ALL changes that happened on this specific identity during the last weeks, months or even years. Then you can find the reason (which can be really anything, e.g. an administrator made a mistake, a personalist made a typo in the HR system and the contract went inactive, a manager accidentally reset the password or disabled the user, an approver denied an approval task for a role even though he thought he approved it, synchronization didn't handle the user in the last few weeks, personal processes started something unexpected, ...) and you can prove that IdM works as it should.
Therefore you need to be able to filter all changes and relations for one specific identity historically. Even for contracts that are no longer active, roles that are no longer used,...


Related issues

Related to IdStory Identity Manager - Task #512: Audit for users is slow (Closed, Ondřej Kopr, 06/15/2017)
Related to IdStory Identity Manager - Task #519: Filtering of audit log for entities - feedback (Closed, Radek Tomiška, 06/19/2017)

Actions #1

Updated by Alena Peterová over 7 years ago

More feedback on the GUI for audit logs is also in #387

Actions #2

Updated by Alena Peterová over 7 years ago

  • Description updated (diff)
Actions #3

Updated by Alena Peterová over 7 years ago

  • case insensitive search, fulltext, ignore diacritic - for all agendas
  • add IdmAccount to audit logs for users
  • deleted entities (roles, contracts) in detail - show name of the entity before it was deleted (when the audit event happened)
  • delete user - this record should be seen when filtering all changes on the user
  • role requests - instead of "Žadatel" use something like "Pro koho je žádáno" ("Žadatel" is misleading)
  • check: when renaming the user from OldName to NewName, filter audit logs for "OldName" and see the change of the name
  • question: When identity is renamed, which name should be seen in older audit record details - actual name, or original name? I think we should see original name. (Same for role names, contracts,...)
Actions #4

Updated by Alena Peterová over 7 years ago

Ideas we discussed with other developers:
  • the "Audit" tab in the detail of an identity should use this new audit log for identity, it would be nice and helpful
  • when using case insensitive search (everywhere in IdM), please make sure that indexes in Postgres are really used for case-insensitive search - use opsclass, e.g.
    CREATE INDEX idx_ops_identities_last_name ON identities USING btree (last_name varchar_pattern_ops);
    
  • renaming identity from "OldName" to "NewName": most consistent behaviour would be: A) when filtering by "OldName", we get all records for "OldName" and last record would be the change from "OldName" to "NewName", B) when filtering by "NewName", we get all records for "NewName" and first record would be the change from "OldName" to "NewName".
    Currently in case A) we see all records for "OldName", but in B) we see all records both for "NewName" and "OldName". That could be a little confusing, but it is not such a big problem. Please just document the resulting behaviour in the admin guide or in Help.
  • re-using logins: Identity 1 used login "johndoe". Then it was deleted. Later, new identity 2 was created and got the same login "johndoe". What happens in the audit log for identity when I filter by user name "johndoe"? Can I see all records for both identities?
Actions #6

Updated by Alena Peterová over 7 years ago

Alena Peterová wrote:

  • when using case insensitive search (everywhere in IdM), please make sure that indexes in Postgres are really used for case-insensitive search - use opsclass, e.g.
    [...]

Sorry, this should have been 2 indexes for one column:

CREATE INDEX idx_ops_identities_last_name ON identities USING btree (last_name varchar_pattern_ops);
CREATE INDEX idx_ops_low_identities_last_name ON identities USING btree (lower(last_name) varchar_pattern_ops);
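
One way to check the point made in the comment above, as an added example that is not from the ticket or the CzechIdM code base: it shows which predicate shapes each of the two indexes can serve in PostgreSQL, to be confirmed with EXPLAIN. The demo table, its rows and the queries are constructed; only the two index definitions are the ones quoted above.

```sql
-- Constructed demo table and data; only the two CREATE INDEX statements
-- are taken from the comment above.
CREATE TABLE identities (
    id        bigserial PRIMARY KEY,
    username  varchar(255) NOT NULL,
    last_name varchar(255)
);

INSERT INTO identities (username, last_name)
SELECT 'user' || n::text,
       CASE WHEN n % 1000 = 0 THEN 'Novák' ELSE 'Surname' || n::text END
FROM generate_series(1, 200000) AS n;

CREATE INDEX idx_ops_identities_last_name
    ON identities USING btree (last_name varchar_pattern_ops);
CREATE INDEX idx_ops_low_identities_last_name
    ON identities USING btree (lower(last_name) varchar_pattern_ops);
ANALYZE identities;

-- 1) Case-sensitive prefix search: eligible for idx_ops_identities_last_name.
EXPLAIN SELECT id FROM identities WHERE last_name LIKE 'Nov%';

-- 2) Case-insensitive prefix search: eligible for idx_ops_low_identities_last_name,
--    because the predicate repeats the indexed expression lower(last_name).
--    The search term is lower-cased by the caller before it is bound.
EXPLAIN SELECT id FROM identities WHERE lower(last_name) LIKE 'nov%';

-- 3) ILIKE with a pattern that starts with a letter: neither btree index applies.
EXPLAIN SELECT id FROM identities WHERE last_name ILIKE 'nov%';

-- 4) Leading wildcard ("contains" search): neither btree index applies.
EXPLAIN SELECT id FROM identities WHERE lower(last_name) LIKE '%ová%';

-- 5) lower() folds case only, not diacritics: this pattern does not match 'Novák'.
SELECT count(*) FROM identities WHERE lower(last_name) LIKE 'novak%';
```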

Actions #7

Updated by Ondřej Kopr over 7 years ago

  • % Done changed from 0 to 40

Found a bug in Envers when searching for deleted entities (https://github.com/spring-projects/spring-data-envers/issues/21). For now there is only one solution: show only the entities that Envers allows (modification, create).
After the new release, all audits will be reimplemented (cut off Envers!)

Vitek, can you please review this temporary solution and change the version for this ticket to Diamond? Thank you :)

Commits:
https://github.com/bcvsolutions/CzechIdMng/commit/57ad3872e46200c576230bf8a566162be4442003
https://github.com/bcvsolutions/CzechIdMng/commit/cec46ea3a63d5cd50b99e785030290ff0c1f7df4

Actions #8

Updated by Ondřej Kopr over 7 years ago

  • Status changed from New to Needs feedback
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • Priority changed from High to Normal
Actions #9

Updated by Vít Švanda over 7 years ago

  • Tracker changed from Defect to Task
  • Category set to Audit
  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondřej Kopr
  • Target version set to Citrine (7.3.0)

I think this will still be changed (profiling).

Actions #10

Updated by Ondřej Kopr over 7 years ago

  • Related to Task #512: Audit for users is slow added
Actions #11

Updated by Ondřej Kopr over 7 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Ondřej Kopr to Vít Švanda
  • % Done changed from 40 to 90

Audit for identities was updated in #512. Vitek, could you please review this task and task #512? Thank you.

Actions #12

Updated by Vít Švanda over 7 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Ondřej Kopr

Works very well.

Minor issues:

  • Indexes for new columns in IdmAudit are missing.
  • Documentation for IdentityAudit is missing. (In the documentation, please explain what I can search and what not, and why.)
  • IdmTreeNode: null in UI - please do not show null.
  • Redundant code in AuditListener:
    if (currentEntity instanceof AuditSearchable) {
        AuditSearchable searchableEntity = ((AuditSearchable) currentEntity);
        revisionDto.setOwnerCode(searchableEntity.getOwnerCode());
        revisionDto.setOwnerId(searchableEntity.getOwnerId());
        revisionDto.setOwnerType(searchableEntity.getOwnerType());
        revisionDto.setSubOwnerCode(searchableEntity.getSubOwnerCode());
        revisionDto.setSubOwnerId(searchableEntity.getSubOwnerId());
        revisionDto.setSubOwnerType(searchableEntity.getSubOwnerType());
    } else if (currentEntity instanceof Codeable) {
        revisionDto.setOwnerCode(((Codeable) currentEntity).getCode());
    }
    
Actions #13

Updated by Ondřej Kopr over 7 years ago

  • add indexes as new flyway script,
  • fix FE (show null values),
  • redundant code isn't redundant (consult with VS).

Documentation will be written as soon as possible.

Actions #14

Updated by Marcel Poul over 7 years ago

I guess Alena had some feedback on this issue? If so, Alca, please comment on this ticket if those issues are not addressed yet. Otherwise ignore this post.

Actions #15

Updated by Ondřej Kopr over 7 years ago

  • Related to Task #519: Filtering of audit log for entities - feedback added
Actions #16

Updated by Radek Tomiška over 7 years ago

  • Target version changed from Citrine (7.3.0) to Diamond (7.4.0)
Actions #17

Updated by Ondřej Kopr about 7 years ago

  • Target version changed from Diamond (7.4.0) to Emerald (7.5.0)
Actions #18

Updated by Vít Švanda about 7 years ago

  • Target version deleted (Emerald (7.5.0))
Actions #19

Updated by Ondřej Kopr about 7 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

Alena and no one else had any other requirements. I close this task.
