[ https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452334#comment-17452334 ]
Michael Brohl commented on OFBIZ-12391:
---------------------------------------

Please keep in mind that audit functions are problematic in many companies as they allow retrieving a footprint of the people working with the system (when, how fast etc.). At least here in Germany, it is often not allowed or extremely restricted. I can imagine this is true also in other countries.

I think we should NOT have a core functionality in the entity core which automatically creates a huge number of table fields which might never be used.

I can think of doing it automatically for a table which has the enable-audit-log set to true. It would be fully configurable and also does not need to put the field definitions in every entity definition.

> Trustworthy OFBiz - audit capabilities
> --------------------------------------
>
>                 Key: OFBIZ-12391
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12391
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS, framework/entity
>   Affects Versions: Trunk
>            Reporter: Pierre Smits
>            Assignee: Pierre Smits
>            Priority: Major
>              Labels: audit, entity, investigation, mvp, trust, usability
>
> When potential adopters want to use OFBiz as their primary solution for
> business critical ERP (and related) processes, they (or at least their
> auditors) want to be sure that they can see:
> # who created the record in the underlying rdbms,
> # when that record was created,
> # who was the last one to modify the record
> # when the modification happened.
> Currently out of the 800+ entities defined in the various entity model files,
> only a fraction of the entities have fields defined for
> * createdDate (23)
> * createdByUserLogin (30)
> * lastModifiedDate (24)
> * lastModifiedByUserLogin (29)
> which means that for crucial entities (for a business) in OFBiz entities
> records can be created and changed (for nefarious reasons) without auditors
> and other investigators being able to state anything regarding the above 4
> points.
> Currently there are over 600 entity-auto services invoking 'create', and
> approximately the same amount of services that invoke 'update', that could
> automatically set the fields listed above. However it is not done, because
> these have not been defined.
>

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
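
The coverage count quoted in the issue description can be reproduced per entity model file. The following is an added example, not part of the original message and not OFBiz project code: it reports which entities lack the four audit fields named above. The sample model, its entity names and its field types are constructed for illustration; only the four audit field names come from the issue.

```python
import xml.etree.ElementTree as ET

# The four audit fields listed in the issue description.
AUDIT_FIELDS = ("createdDate", "createdByUserLogin",
                "lastModifiedDate", "lastModifiedByUserLogin")

# Constructed sample in the shape of an entity model file (not real OFBiz definitions).
SAMPLE_MODEL = """<entitymodel>
  <entity entity-name="SampleInvoice" package-name="example">
    <field name="invoiceId" type="id"/>
    <field name="createdDate" type="date-time"/>
    <field name="createdByUserLogin" type="id-vlong"/>
    <field name="lastModifiedDate" type="date-time"/>
    <field name="lastModifiedByUserLogin" type="id-vlong"/>
    <prim-key field="invoiceId"/>
  </entity>
  <entity entity-name="SamplePayment" package-name="example">
    <field name="paymentId" type="id"/>
    <field name="createdDate" type="date-time"/>
    <prim-key field="paymentId"/>
  </entity>
  <entity entity-name="SampleGlAccount" package-name="example">
    <field name="glAccountId" type="id"/>
    <prim-key field="glAccountId"/>
  </entity>
</entitymodel>"""

def _defined_fields(entity):
    """Names of the fields declared directly on one <entity> element."""
    return {f.get("name") for f in entity.findall("field")}

def audit_gaps(model_xml):
    """Map each entity name to the audit fields it does not define."""
    gaps = {}
    for entity in ET.fromstring(model_xml).iter("entity"):
        missing = [n for n in AUDIT_FIELDS if n not in _defined_fields(entity)]
        if missing:
            gaps[entity.get("entity-name")] = missing
    return gaps

def field_coverage(model_xml):
    """Count, per audit field, how many entities define it."""
    counts = dict.fromkeys(AUDIT_FIELDS, 0)
    for entity in ET.fromstring(model_xml).iter("entity"):
        for name in _defined_fields(entity) & set(AUDIT_FIELDS):
            counts[name] += 1
    return counts

if __name__ == "__main__":
    for name, missing in audit_gaps(SAMPLE_MODEL).items():
        print(f"{name}: missing {', '.join(missing)}")
    print(field_coverage(SAMPLE_MODEL))
```

Run against trusted repository files only; the standard-library parser is not hardened against hostile XML.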