Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Scott Koranda <>
- Subject: RE: [grouper-users] auditing point in time
- Date: Thu, 10 Dec 2009 09:51:29 -0500
> Grouper group now (a composite group). We want to be able to
> write a WS query that will give us all people in that group on
> a specific date.
I plan on this being in scope for point in time. We can expose it over web
> In the event of a security incident, we would like to be able
> to go back and determine who was in (or not in) a particular
> group at some point in time.
> Will the auditing and change log capabilities that will be in
> Grouper 1.5 allow us, if necessary, to comb through the SQL
> tables and discern the group membership at a particular point
> in time? We would only do this in the event of an incident,
> and not routinely.
I'm assuming you won't keep the change log around for too long if you have a
lot of updates. If you keep it around forever, you might be able to work
back from the present state to a past state. Basically you query the
membership_all view for the group, then you query the change log for all
changes to the group (which includes immediate/effective/etc). And you work

If you don't keep the change log forever (common usage), then you have the
user audit logs. If you do simple changes to Grouper (adding/removing people
to/from groups), then you can do a similar algorithm. However, if you are
adding a group to another group, then it will be difficult to know who
exactly was added, since only the high level action is audited.
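
Added example, not part of the original message and not Grouper's own code: a sketch of the work-back procedure the reply describes, starting from the present membership and undoing change log entries newer than the date of interest. The tuple layout, the sample names and the `retained_since` parameter are assumptions; it refuses to answer when the log has been pruned past the requested time or contradicts the present state.

```python
from datetime import datetime

# Constructed sample data. The tuple layout is an assumption for illustration,
# not the real columns of Grouper's membership_all view or change log.
CURRENT_MEMBERS = {"alice", "carol", "dave"}          # membership right now
CHANGE_LOG = [                                        # (time, action, subject)
    (datetime(2009, 11, 2, 9, 0), "add", "alice"),
    (datetime(2009, 11, 20, 14, 30), "add", "bob"),
    (datetime(2009, 12, 1, 8, 15), "delete", "bob"),
    (datetime(2009, 12, 3, 16, 45), "add", "carol"),
    (datetime(2009, 12, 5, 11, 0), "delete", "erin"),
    (datetime(2009, 12, 8, 10, 0), "add", "dave"),
]
RETAINED_SINCE = datetime(2009, 11, 1)                # oldest entry still kept


def members_at(when, current, log, retained_since):
    """Rebuild membership at `when` by undoing every later change, newest first."""
    if when < retained_since:
        # Changes between `when` and the oldest kept entry are gone.
        raise ValueError("change log does not reach back to the requested time")
    members = set(current)
    for ts, action, subject in sorted(log, reverse=True):
        if ts <= when:
            break                                     # changes up to `when` stay in effect
        if action == "add":
            if subject not in members:
                raise ValueError(f"log inconsistent: {subject} added but absent")
            members.remove(subject)                   # undo the add
        elif action == "delete":
            if subject in members:
                raise ValueError(f"log inconsistent: {subject} deleted but present")
            members.add(subject)                      # undo the delete
        else:
            raise ValueError(f"unknown action {action!r}")
    return members


if __name__ == "__main__":
    incident = datetime(2009, 11, 25, 12, 0)
    print(sorted(members_at(incident, CURRENT_MEMBERS, CHANGE_LOG, RETAINED_SINCE)))
```
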
- auditing point in time, Scott Koranda, 12/09/2009