Hi all,
in several of the last Syncope projects we recently worked on, we faced
a recurring issue: data inconsistency (at business level) and the need
to know who did what on some object.
By "data inconsistency" I do not mean any issue related to database
records or provisioning, but the values of the user attributes at the
business level (identity info, groups or resources assigned, etc.).
Often a sysadmin wonders about "why this attribute has changed?" or "who
did this (wrong) change, how can I recover the previous value?"
Changes I'm referring to can come from automatic tasks (pull, scheduled)
or manual tasks performed by admin or manager users.
Syncope already provides info about last change date, change password
date or last modifier user, but in my opinion they are not enough to
understand the history of the record.
This is why I'm proposing to add to Syncope the possibility of
versioning objects. Something similar has been done for connectors and
resources configurations [1]. It is not a simple work I know :)
Here are some requirements that I was thinking of:
* Versioning should be done on all objects, USER, GROUP and ANY.
* Versioning could be heavy for systems with thousands or millions of
users, so it should be a feature to enable/disable at each moment of
the project lifecycle. It should also be tunable, e.g. store only
attributes and not resources, groups, etc.
* In a first release I would leave apart all issues related to
provisioning. I would simply version data stored on the Syncope database.
* User should have the possibility to see a diff of what has changed
like per connectors and resources configurations.
* User should have the possibility to restore a certain value (or the
whole object?)
* User should be able to see, at least (in a first release), an
history of what has changed on data (e.g. name: foo -> bar) and who
did the change and when.
* User should be able to query by changed data like users who are
subject to "name" change in a certain period (not so useful, maybe).
There are some useful open source libraries that support object
versioning like JaVers [2] or [3], but I'm not sure if this last one
fits all the needs above. If you have any other proposal please don't
hesitate to attach it in this thread.
WDYT?
Have a nice day,
Andrea
[1] https://issues.apache.org/jira/browse/SYNCOPE-1145
[2] https://javers.org/
[3] https://docs.spring.io/spring-data/jpa/docs/current/reference/html/#jpa.auditing
--
Dott. Andrea Patricelli
Tel. +39 3204524292
Engineer @ Tirasa S.r.l.
Viale Vittoria Colonna 97 - 65127 Pescara
Tel +39 0859116307 / FAX +39 0859111173
http://www.tirasa.net
Apache Syncope PMC Member
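As an added example, not code from the thread nor from the Syncope or JaVers projects, the "history of what changed, by whom and when" and "restore a previous value" requirements above sketched with JaVers [2] and its default in-memory repository; the User class, its fields, the key "u1" and the commit authors are assumptions:

```java
import java.util.List;
import org.javers.core.Changes;
import org.javers.core.Javers;
import org.javers.core.JaversBuilder;
import org.javers.core.diff.Change;
import org.javers.core.diff.changetype.ValueChange;
import org.javers.core.metamodel.annotation.Id;
import org.javers.repository.jql.QueryBuilder;
import org.javers.shadow.Shadow;

public class UserHistoryDemo {

    // Hypothetical business-level user: only what JaVers needs to track it.
    static class User {
        @Id String key;   // stable identifier (assumed: Syncope's user key)
        String name;
        String email;
        User(String key, String name, String email) {
            this.key = key; this.name = name; this.email = email;
        }
    }

    public static void main(String[] args) {
        Javers javers = JaversBuilder.javers().build();   // in-memory repository

        // Each commit stores the object state together with WHO (author) and WHEN.
        // Authors are constructed values standing for a pull task and an admin.
        javers.commit("pull-task", new User("u1", "foo", "foo@example.org"));
        javers.commit("admin", new User("u1", "bar", "foo@example.org"));

        // History of value changes on u1, e.g. "name: foo -> bar (by admin at ...)".
        Changes changes = javers.findChanges(
                QueryBuilder.byInstanceId("u1", User.class).build());
        for (Change c : changes) {
            if (c instanceof ValueChange) {
                ValueChange vc = (ValueChange) c;
                String who = c.getCommitMetadata().map(m -> m.getAuthor()).orElse("?");
                String when = c.getCommitMetadata()
                        .map(m -> m.getCommitDate().toString()).orElse("?");
                System.out.printf("%s: %s -> %s (by %s at %s)%n",
                        vc.getPropertyName(), vc.getLeft(), vc.getRight(), who, when);
            }
        }

        // Restore candidate: shadows are past object states rebuilt from the
        // stored snapshots, newest first, so the last one is the oldest state.
        List<Shadow<User>> shadows = javers.findShadows(
                QueryBuilder.byInstanceId("u1", User.class).build());
        User previous = shadows.get(shadows.size() - 1).get();
        System.out.println("previous name: " + previous.name);
    }
}
```

Whether the restore writes back the whole object or a single attribute is the open question raised in the requirements; the shadow gives the full prior state either way.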