I'm working on an RFP for a new client who will go live on 15.1. Part of their requirements is full logging with attribution of security changes. Specifically, they need to capture every time:
- A login is added or removed.
- Password, disabled flag, enable date, expire date, or module access levels are changed. (Logging the hashed password is sufficient and optional.)
- User is added or removed from a role.
- Permissions are granted or removed from a user or role.
- Keywords (legacy iMIS) are changed for a user.
- Keywords are changed for an area of iMIS.
- Security-related configuration items are changed (e.g., things along the lines of "allow delete from palette").
With each event, they need to capture date/time and the iMIS user (when known) who made the change. If a change is made outside of iMIS, it must still be logged using the Windows or SQL credentials.
I know how to do all this on the legacy iMIS tables using triggers, since under Model 2 JSMITH_imis_i maps to iMIS user JSMITH. With the app server in the mix, I can only tell the SQL credentials for changes coming from iMIS, but hopefully iMIS logs what I need with UpdatedByUserKey in the right places. Fortunately, they will follow best practices on the SQL side: each user will have their own login, and none will use "sa".
- How much of this will iMIS log automatically? Where can I get to it?
- Since I need to cover the not-through-iMIS scenario, it sounds like I will still need triggers. What tables should I look at to determine when a user is added/removed from a role?
- Where do I look to see permissions added/removed for a role?
- Where do I capture security-related configuration changes?
This is a critical item for this client.
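
The trigger-based attribution described in the post, sketched in T-SQL as an added example (not part of the original post and not iMIS code). The tables `dbo.Demo_UserRole` and `dbo.Demo_SecurityAudit` and their columns are hypothetical stand-ins, since the post does not name the real iMIS tables; the only iMIS-specific assumption is the Model 2 login pattern `JSMITH_imis_i` mentioned above.

```sql
-- Hypothetical stand-in for a role-membership table (not an actual iMIS table).
CREATE TABLE dbo.Demo_UserRole (
    UserId   varchar(60) NOT NULL,
    RoleName varchar(60) NOT NULL,
    CONSTRAINT PK_Demo_UserRole PRIMARY KEY (UserId, RoleName)
);
GO
-- Hypothetical audit table: one row per membership added or removed.
CREATE TABLE dbo.Demo_SecurityAudit (
    AuditId   bigint IDENTITY(1,1) PRIMARY KEY,
    EventTime datetime2(3)  NOT NULL DEFAULT SYSUTCDATETIME(),
    Action    varchar(10)   NOT NULL,  -- 'ADDED' or 'REMOVED'
    UserId    varchar(60)   NOT NULL,
    RoleName  varchar(60)   NOT NULL,
    SqlLogin  sysname       NOT NULL,  -- SQL or Windows login that opened the connection
    ImisUser  varchar(60)   NULL,      -- set only when the login follows the Model 2 pattern
    AppName   nvarchar(128) NULL,      -- client-supplied, treat as a hint only
    HostName  nvarchar(128) NULL       -- client-supplied, treat as a hint only
);
GO
CREATE TRIGGER dbo.trg_Demo_UserRole_Audit
ON dbo.Demo_UserRole
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;

    -- ORIGINAL_LOGIN() is not changed by EXECUTE AS, unlike SUSER_SNAME().
    DECLARE @login sysname = ORIGINAL_LOGIN();

    -- Model 2 mapping from the post: JSMITH_imis_i -> JSMITH.
    -- Any other login (Windows account, named SQL login) leaves ImisUser NULL.
    DECLARE @imis varchar(60) =
        CASE WHEN @login LIKE '%[_]imis[_]i'
             THEN UPPER(LEFT(@login, LEN(@login) - LEN('_imis_i')))
        END;

    -- An UPDATE is recorded as a REMOVED row (old values) plus an ADDED row (new values).
    INSERT dbo.Demo_SecurityAudit
           (Action, UserId, RoleName, SqlLogin, ImisUser, AppName, HostName)
    SELECT 'REMOVED', d.UserId, d.RoleName, @login, @imis, APP_NAME(), HOST_NAME()
    FROM deleted AS d
    UNION ALL
    SELECT 'ADDED', i.UserId, i.RoleName, @login, @imis, APP_NAME(), HOST_NAME()
    FROM inserted AS i;
END;
GO
```

When changes arrive through an app server under a shared service login, `SqlLogin` identifies only that service account, so attribution to an individual then depends on what the application itself records. Anyone able to alter the trigger or write to the audit table can defeat the log, so permissions on both need to be restricted separately from the audited tables.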