[
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452613#comment-17452613
]
Scott Gray commented on OFBIZ-12391:
------------------------------------
A few points here from my perspective:
- createdDate and lastModifiedDate appear to duplicate what is already
provided by createdStamp and lastUpdatedStamp, am I missing something?
- Personally I haven't found much use over the past 15 years for tables which
do carry the createdBy/lastModifiedBy fields. So much can happen between a
record being created and its last modification that knowing these two data
points has only limited benefit. For example if one user incorrectly updates a
row and another user fixes it, you no longer have the information about who
made the incorrect change. Also if one user changes column "A" and then another
user changes column "B" and then you could easily assume incorrectly that the
second user made both changes.
- Typically when I do need to identify which user made a specific change, I
use the logs to determine this. I ensure every request logs a session id or
other similar identifying information and then I narrow in on requests which
would have caused the change in the time range I believe it would have occurred
based on other events in the system which would have begun after the change.
Once I've found the request, I can use the Visit table to determine who the
user was based on the session id.
- When I do need to record every change for a given data-point, I either turn
on entity-audit logging or I create a custom audit table which is essentially a
clone of the original table that records the state of each row before each
change. More often than not though, this is for debugging rather than auditing.
- In my experience very few tables are interesting enough to be audit worthy
and what those tables might be is largely dependent on the business using the
system
IMO allowing an administrator to turn on/off entity audit logging in the
webtools UI would be more beneficial and flexible
> Trustworthy OFBiz - audit capabilities
> --------------------------------------
>
> Key: OFBIZ-12391
> URL: https://issues.apache.org/jira/browse/OFBIZ-12391
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS, framework/entity
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: audit, entity, investigation, mvp, trust, usability
>
> When potential adopters want to use OFBiz as their primary solution for
> business critical ERP (and related) processes, they (or at least their
> auditors) want to be sure that they can see:
> # who created the record in the underlying rdbms,
> # when that record was created,
> # who was the last one to modify the record
> # when the modification happened.
> Currently out of the 800+ entities defined in the various entity model files,
> only a fraction of the entities have fields defined for
> * createdDate (23)
> * createdByUserLogin (30)
> * lastModifiedDate (24)
> * lastModifiedByUserLogin (29)
> which means that for crucial entities (for a business) in OFBiz entities
> records can be created and changed (for nefarious reasons) without auditors
> and other investigators being able to state anything regarding the above 4
> points.
> Currently there are over 600 entity-auto services invoking 'create', and
> approximately the same amount of services that invoke 'update', that could
> automatically set the fields listed above. However it is not done, because
> these have not been defined.
>
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
