Security logging

I'm working on an RFP for a new client who will go live on 15.1. Part of their requirements is full logging with attribution of security changes. Specifically, they need to capture every time:

  • A login is added or removed.
  • Password, disabled flag, enable date, expire date, module access levels are changed. (Logging the hashed password is sufficient and optional.)
  • User is added or removed from a role.
  • Permissions are granted or removed from a user or role.
  • Keywords (legacy iMIS) are changed for a user.
  • Keywords are changed for an area of iMIS.
  • Security-related configuration items are changed (e.g. things along the lines of "allow delete from palette").

With each event, they need to capture date/time and the iMIS user (when known) who made the change. If a change is made outside of iMIS, it must still be logged using the Windows or SQL credentials.

I know how to do all this on the legacy iMIS tables using triggers, since under Model 2 JSMITH_imis_i maps to iMIS user JSMITH. With the app server in the mix, I can only tell the SQL credentials for changes coming from iMIS, but hopefully iMIS logs what I need with UpdatedByUserKey in the right places. Fortunately, they will follow best practices on the SQL side: each user will have their own login, and none will use "sa".

My questions:

  1. How much of this will iMIS log automatically? Where can I get to it?
  2. Since I need to cover the not-through-iMIS scenario, it sounds like I will still need triggers. What tables should I look at to determine when a user is added/removed from a role?
  3. Where do I look to see permissions added/removed for a role?
  4. Where do I capture security-related configuration changes?

This is a critical item for this client.


Adding/Removing logins,

Adding/Removing logins, changing passwords, module access levels, etc: Track UserMain, Users, Name_Security, and aspnet_Users and aspnet_Membership.

Tracking role/group memberships: UserRole, GroupMember, GroupMemberDetail, Name_Security_Groups. Possibly UserToken could simplify things a little bit (it's updated every time the user logs in, sometimes more often).

Permissions changed: Track AccessMain, AccessItem, AccessArea, and any AccessKey columns in the DB (definitely the one in DocumentMain, for example).

Keywords: Track Gen_Tables (keyword definitions), Users (for user keywords).

Security-related config items: System_Params and SystemConfig.

Tables for which iMIS will track the last-update user for you: UserMain, Users, GroupMember, GroupMemberDetail, Access*, most tables with AccessKey columns, SystemConfig.

That should at least get you to the point where you can ask more specific questions. :)
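One way to cover the not-through-iMIS case from the question on the tables named in this reply, given here as an added example rather than anything from this thread or from iMIS itself: a SQL Server audit table plus a statement-level trigger template, shown on GroupMember. It assumes T-SQL, a hypothetical audit table named dbo.SecurityAudit, and the Model 2 `<USER>_imis_i` login convention stated in the question; the before/after row images are captured as XML so the trigger needs no knowledge of each table's columns.

```sql
-- Hypothetical audit table (not an iMIS table). One row per triggering statement;
-- multi-row statements land as several <row> elements in OldRow/NewRow.
CREATE TABLE dbo.SecurityAudit (
    AuditId   bigint IDENTITY(1,1) PRIMARY KEY,
    EventTime datetime2(3) NOT NULL CONSTRAINT DF_SecurityAudit_EventTime DEFAULT SYSUTCDATETIME(),
    TableName sysname       NOT NULL,
    Operation char(1)       NOT NULL,   -- I = insert, U = update, D = delete
    SqlLogin  nvarchar(128) NOT NULL,   -- ORIGINAL_LOGIN(): Windows or SQL login, unaffected by EXECUTE AS
    ImisUser  nvarchar(128) NULL,       -- derived from the <USER>_imis_i convention; NULL via the app server
    HostName  nvarchar(128) NULL,       -- HOST_NAME()/APP_NAME() are supplied by the client: informational only
    AppName   nvarchar(128) NULL,
    OldRow    xml           NULL,       -- full image of deleted rows (includes the password hash on UserMain)
    NewRow    xml           NULL        -- full image of inserted rows
);
GO

-- Same template is repeated for the other tables listed in this reply (UserMain, Users, AccessMain, ...).
CREATE TRIGGER dbo.trg_GroupMember_SecurityAudit
ON dbo.GroupMember
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @login nvarchar(128) = ORIGINAL_LOGIN();
    DECLARE @op char(1) =
        CASE WHEN EXISTS (SELECT 1 FROM inserted) AND EXISTS (SELECT 1 FROM deleted) THEN 'U'
             WHEN EXISTS (SELECT 1 FROM inserted) THEN 'I'
             ELSE 'D' END;

    INSERT dbo.SecurityAudit (TableName, Operation, SqlLogin, ImisUser, HostName, AppName, OldRow, NewRow)
    VALUES (
        'GroupMember',
        @op,
        @login,
        -- JSMITH_imis_i -> JSMITH; any other login (app server, DBA, Windows account) stays NULL here,
        -- and the iMIS-level attribution then has to come from the table's UpdatedByUserKey column.
        CASE WHEN @login LIKE '%[_]imis[_]i' THEN LEFT(@login, LEN(@login) - LEN('_imis_i')) ELSE NULL END,
        HOST_NAME(),
        APP_NAME(),
        (SELECT * FROM deleted  FOR XML RAW('row'), ROOT('rows')),
        (SELECT * FROM inserted FOR XML RAW('row'), ROOT('rows'))
    );
END;
GO
```

Because the trigger runs under the caller's rights, grant the iMIS logins INSERT only on dbo.SecurityAudit and deny them UPDATE/DELETE on it, and watch for DISABLE TRIGGER in the server-level audit, since either would let the change go unrecorded.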

Sounds like I'm on the right track.

It sounds like my guesses were on the right track. I'll definitely have to dig into some of those more specific questions.

Thanks for the quick response to an urgent issue!

-- Bruce