Topic
  • 6 replies
  • Latest Post - ‏2013-07-15T16:29:39Z by frisalde
mark99
26 Posts

Pinned topic logging account changes

‏2013-06-13T07:52:49Z |

I have been working a while with ITIM 5.1 and for audit purposes I want a log of all account changes on an attribute level. For account changes executed from within the GUI I see a full report of which attributes were changed, specifying the new and old value. But I started noticing that there are a number of scenarios when account details are not logged. I can find the change request and see that the account was changed, but I cannot find out which attributes were changed. Even when looking directly in the PROCESS and PROCESSLOG tables I could not find this information.

Some of the scenarios are:
* account is created as a result of a policy enforcement
* account changes triggered by "change policy enforcement action"

I was thinking about changing the account operations to provide this extra logging, or are there better solutions?

 

 Mark

Updated on 2013-06-14T07:38:04Z at 2013-06-14T07:38:04Z by mark99
  • franzw
    405 Posts
    ACCEPTED ANSWER

    Re: logging account changes

    ‏2013-06-13T08:59:18Z  

    This is almost a FAQ.

    There is to my knowledge no supported way to ensure this - but you can use this unsupported JavaScript extension to perform the logging into the audit log :

    Add this to your account create/modify/delete extension postscript : 

    WorkflowRuntimeContext.logActivityData('<entity>', false);

    Where entity should be substituted with the correct property - normally 'Account' or 'entity' - remember the quotes...

    HTH

    Regards

    Franz Wolfhagen

  • mark99
    26 Posts

    Re: logging account changes

    ‏2013-06-14T07:36:51Z  

    Thanks Franz for this elegant answer, just what I needed.

    It is certainly not a frequently answered question, especially the way you did. This is not described in the IBM documentation. Support could not give me the answer I needed. Google does not know about this.

    Where can I learn such arcane things?

     

  • frisalde
    73 Posts

    Re: logging account changes

    ‏2013-06-17T16:10:04Z  
    • franzw
    • ‏2013-06-13T08:59:18Z

    This is almost a FAQ.

    There is to my knowledge no supported way to ensure this - but you can use this unsupported JavaScript extension to perform the logging into the audit log :

    Add this to your account create/modify/delete extension postscript : 

    WorkflowRuntimeContext.logActivityData('<entity>', false);

    Where entity should be substituted with the correct property - normally 'Account' or 'entity' - remember the quotes...

    HTH

    Regards

    Franz Wolfhagen

    That's great. Working in an RBAC model where the authorisations are granted by means of adding roles to the users, it was not possible to know what account modification was being done, except by having a look into the adapter log. Using the WorkflowRuntimeContext.logActivityData function, at last it can be known.

    Franz, let me ask two questions regarding this function:

    • Is it supposed to be able to audit any of the Relevant Data, i.e. 'account', 'entity', 'service', 'owner', ...?
    • What does the second parameter mean?

    Thanks again.

  • franzw
    405 Posts

    Re: logging account changes

    ‏2013-06-17T17:50:48Z  
    • frisalde
    • ‏2013-06-17T16:10:04Z

    That's great. Working in an RBAC model where the authorisations are granted by means of adding roles to the users, it was not possible to know what account modification was being done, except by having a look into the adapter log. Using the WorkflowRuntimeContext.logActivityData function, at last it can be known.

    Franz, let me ask two questions regarding this function:

    • Is it supposed to be able to audit any of the Relevant Data, i.e. 'account', 'entity', 'service', 'owner', ...?
    • What does the second parameter mean?

    Thanks again.

    I believe this can be used on any data item in the properties - I have not had this need myself - but I know others have used it this way.

    The second parameter I believe is boolean - as being unsupported this is difficult to say with 100% certainty - but why false is the one that actually logs the data must probably be because logging is default off (true)...

    I do not know more than this - as I mentioned this is unsupported territory - I doubt IBM Support will/can answer these questions - but you may try :-)

    I learned this trick many many years ago - I believe it was documented in some supplementary documentation around the 4.4 or 4.5 (may be 4.3) releases. 4.4 was the first IBM release IIRC from 2003 - go figure...

    Regards

    Franz Wolfhagen

  • TiborB
    20 Posts

    Re: logging account changes

    ‏2013-06-18T23:41:10Z  
    • franzw
    • ‏2013-06-17T17:50:48Z

    I believe this can be used on any data item in the properties - I have not had this need myself - but I know others have used it this way.

    The second parameter I believe is boolean - as being unsupported this is difficult to say with 100% certainty - but why false is the one that actually logs the data must probably be because logging is default off (true)...

    I do not know more than this - as I mentioned this is unsupported territory - I doubt IBM Support will/can answer these questions - but you may try :-)

    I learned this trick many many years ago - I believe it was documented in some supplementary documentation around the 4.4 or 4.5 (may be 4.3) releases. 4.4 was the first IBM release IIRC from 2003 - go figure...

    Regards

    Franz Wolfhagen

    Franz,

    I believe the second parameter can be set to true if your relevant data is indexed (that is, a List). In this case, the last item in the list is taken and only that one is audited.

    Regards,

       T

  • frisalde
    73 Posts

    Re: logging account changes

    ‏2013-07-15T16:29:39Z  
    • franzw
    • ‏2013-06-17T17:50:48Z

    I believe this can be used on any data item in the properties - I have not had this need myself - but I know others have used it this way.

    The second parameter I believe is boolean - as being unsupported this is difficult to say with 100% certainty - but why false is the one that actually logs the data must probably be because logging is default off (true)...

    I do not know more than this - as I mentioned this is unsupported territory - I doubt IBM Support will/can answer these questions - but you may try :-)

    I learned this trick many many years ago - I believe it was documented in some supplementary documentation around the 4.4 or 4.5 (may be 4.3) releases. 4.4 was the first IBM release IIRC from 2003 - go figure...

    Regards

    Franz Wolfhagen

    Franz,
    you are right. 4.4 was the first release once the enRole product was rebranded as Tivoli in 2003. I have had a look at some 4.4 documentation but I am not able to find a description regarding the mentioned function. :-(

    Thanks again for your valuable information.

    Regards.