[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-08 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17455100#comment-17455100
 ] 

Pierre Smits commented on OFBIZ-12391:
--

I too agree that globally recording changes to records in the EntityAuditLog 
entity is not a good thing to have OOTB. The performance aspects in a PROD 
environment are as impacting as the registrations in 
Visit/Visitor/ServerHit/ServerHitBin entities, as we have seen in the past (via 
postings in our MLs) and why we decided to have some modifications in the 
codebase for that, if not more.

A more configurable solution for recording the record changes in the 
EntityAuditLog entity would therefore be preferable. 
But we need to keep in mind that even such a solution will not be enabled by 
default by our users, given the performance impact. So, most often, it will be 
enabled after the user feels that something is done out of the ordinary 
vis-a-vis the use of OFBiz (as it will be shown in table entries in the 
underlying (r)dbms).

This should be the subject of a new ticket.

 

 

> Trustworthy OFBiz - audit capabilities
> --
>
> Key: OFBIZ-12391
> URL: https://issues.apache.org/jira/browse/OFBIZ-12391
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS, framework/entity
> Affects Versions: Trunk
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: audit, entity, investigation, mvp, trust, usability
>
> When potential adopters want to use OFBiz as their primary solution for 
> business critical ERP (and related) processes, they (or at least their 
> auditors) want to be sure that they can see:
>  1. who created the record in the underlying rdbms,
>  2. when that record was created,
>  3. who was the last one to modify the record
>  4. when the modification happened.
> Currently out of the 800+ entities defined in the various entity model files, 
> only a fraction of the entities have fields defined for
>  * createdDate (23)
>  * createdByUserLogin (30)
>  * lastModifiedDate (24)
>  * lastModifiedByUserLogin (29)
> which means that for crucial entities (for a business) in OFBiz entities 
> records can be created and changed (for nefarious reasons) without auditors 
> and other investigators being able to state anything regarding the above 4 
> points.
> Currently there are over 600 entity-auto services invoking 'create', and 
> approximately the same amount of services that invoke 'update', that could 
> automatically set the fields listed above. However it is not done, because 
> these have not been defined.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-04 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17453443#comment-17453443
 ] 

Michael Brohl commented on OFBIZ-12391:
---

Thinking more about it and reading the past comments as well as David's comment 
in http://markmail.org/message/z636khdspccjs7fa I agree that globally recording 
audit information for all entities will not be used quite often, if ever. 

In my own experience from almost 20 years of OFBiz projects, we also did not 
have a single requirement to record that information. On the contrary, we had 
discussions with customers to disable the recording of the user names who made 
the changes for the entities which have this configured, because it makes 
tracking of employee performance possible.

With enable-audit-log, we already have a mechanism which can be used for 
detailed audit logging for fields/entities of interest. The technical 
transaction log fields createdStamp and lastUpdatedStamp are already covering 
the timestamp part of the requirement.

As a side note, those are technical fields. They are created implicitly and do 
not belong to the business data model. The proposed fields for audit logging 
are covering a business logic and belong to the entity definitions (the 
paradigm).

I think it is not reasonable to force the creation and use of those additional 
personalising fields for every user which would be the case if it is hard-coded 
in ModelEntity as proposed here.

Interested parties could apply the patch for it in their own forks, it's easy 
to do and does not affect everyone else.

It is also not too much work to run an XSL transformation or search / replace 
to add enable-audit-log attributes to the fields.

For the audit log itself, it could be enhanced to have it configurable on the 
entity level to record the changing user and timestamp for a whole entity 
instead/additionally of/to the single fields, which would cover the requirement 
of this issue perfectly with the ability to retrieve every change and not only 
the last state. This can also be logged to EntityAuditLog, without filling the 
changedFieldName field.

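The search/replace route mentioned in the comment above, sketched as an added example (not code from the OFBiz project or from any commenter): it sets `enable-audit-log="true"` on the fields of selected entities in an entity model file and reports which fields are covered. The sample XML, the entity and field names, and the choice to skip primary-key fields are assumptions of this example.

```python
"""Added example: switch on field-level audit logging for chosen entities."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an entity model file; entity and field
# names are illustrative and not taken from the OFBiz code base.
SAMPLE_ENTITYMODEL = """\
<entitymodel>
    <!-- constructed sample -->
    <entity entity-name="ExamplePayment" package-name="org.example">
        <field name="paymentId" type="id"/>
        <field name="amount" type="currency-amount"/>
        <field name="statusId" type="id" enable-audit-log="true"/>
        <prim-key field="paymentId"/>
    </entity>
    <entity entity-name="ExampleNote" package-name="org.example">
        <field name="noteId" type="id"/>
        <field name="noteText" type="very-long"/>
        <prim-key field="noteId"/>
    </entity>
</entitymodel>
"""


def enable_audit_log(xml_text, entity_names, skip_primary_keys=True):
    """Return (new_xml, changed, missing).

    changed: (entity, field) pairs that were switched on by this call.
    missing: requested entity names that do not occur in the file, so a
             typo in the selection cannot silently leave a table unaudited.
    """
    # Keep XML comments (licence headers and the like) in the rewritten file.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    wanted = set(entity_names)
    found, changed = set(), []
    for entity in root.iter("entity"):
        name = entity.get("entity-name")
        if name not in wanted:
            continue
        found.add(name)
        pk_fields = {p.get("field") for p in entity.findall("prim-key")}
        for field in entity.findall("field"):
            field_name = field.get("name")
            # Assumption of this example: primary-key fields are left alone.
            if skip_primary_keys and field_name in pk_fields:
                continue
            if field.get("enable-audit-log") == "true":
                continue  # already configured, nothing to report
            field.set("enable-audit-log", "true")
            changed.append((name, field_name))
    missing = sorted(wanted - found)
    return ET.tostring(root, encoding="unicode"), changed, missing


def audit_coverage(xml_text):
    """Map each entity to its audited and unaudited field names."""
    root = ET.fromstring(xml_text)
    report = {}
    for entity in root.iter("entity"):
        audited, unaudited = [], []
        for field in entity.findall("field"):
            on = field.get("enable-audit-log") == "true"
            (audited if on else unaudited).append(field.get("name"))
        report[entity.get("entity-name")] = {
            "audited": audited,
            "unaudited": unaudited,
        }
    return report


if __name__ == "__main__":
    new_xml, changed, missing = enable_audit_log(
        SAMPLE_ENTITYMODEL, ["ExamplePayment", "NoSuchEntity"]
    )
    print("switched on:", changed)
    print("not found:", missing)
    for entity, cov in audit_coverage(new_xml).items():
        print(entity, cov)
```

Running `audit_coverage` on the unmodified files first gives a reviewable list of what is and is not audited before anything is changed.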


[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-03 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452853#comment-17452853
 ] 

Pierre Smits commented on OFBIZ-12391:
--

This auditing (via enable-audit-log functionality) is not an easy issue. 
Currently, it is defined at field level (see the xsd). We should give Michael 
the time to form his thoughts around a configurability regarding that. If not 
addressed carefully, we could see the same issue arising as we had in the past 
with visit registrations. 



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-03 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452828#comment-17452828
 ] 

Jacques Le Roux commented on OFBIZ-12391:
-

Thanks Scott,

Those are pragmatic usages, I concur. I remember working 4 years on a big project 
and having a few months of revolved log history was quite helpful. Actually the 
reason why I stayed alone so long on that project. It helped DB admins and 
other related external services more than once.

+1 for
> IMO allowing an administrator to turn on/off entity audit logging in the 
> webtools UI would be more beneficial and flexible



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452797#comment-17452797
 ] 

Pierre Smits commented on OFBIZ-12391:
--

Hi Scott,

Thanks for sharing your insights and experiences. IMO, we should now take this 
to dev ml, as this starts getting much bigger than just improving a small 
portion of the code.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Scott Gray (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452613#comment-17452613
 ] 

Scott Gray commented on OFBIZ-12391:


A few points here from my perspective:
 - createdDate and lastModifiedDate appear to duplicate what is already 
provided by createdStamp and lastUpdatedStamp, am I missing something?
 - Personally I haven't found much use over the past 15 years for tables which 
do carry the createdBy/lastModifiedBy fields. So much can happen between a 
record being created and its last modification that knowing these two data 
points has only limited benefit. For example if one user incorrectly updates a 
row and another user fixes it, you no longer have the information about who 
made the incorrect change. Also, if one user changes column "A" and then another 
user changes column "B", you could easily assume incorrectly that the 
second user made both changes. 
 - Typically when I do need to identify which user made a specific change, I 
use the logs to determine this. I ensure every request logs a session id or 
other similar identifying information and then I narrow in on requests which 
would have caused the change in the time range I believe it would have occurred 
based on other events in the system which would have begun after the change. 
Once I've found the request, I can use the Visit table to determine who the 
user was based on the session id.
 - When I do need to record every change for a given data-point, I either turn 
on entity-audit logging or I create a custom audit table which is essentially a 
clone of the original table that records the state of each row before each 
change. More often than not though, this is for debugging rather than auditing.
 - In my experience very few tables are interesting enough to be audit worthy 
and what those tables might be is largely dependent on the business using the 
system.

IMO allowing an administrator to turn on/off entity audit logging in the 
webtools UI would be more beneficial and flexible



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452436#comment-17452436
 ] 

Pierre Smits commented on OFBIZ-12391:
--

No worries, [~mbrohl]. Take your time.

For sure, there are multiple ways to get to Rome. And I would rather collaborate than 
butt heads, when it comes to improving OFBiz for all.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452423#comment-17452423
 ] 

Michael Brohl commented on OFBIZ-12391:
---

To make my position more clear: I see that this is a valid requirement and that 
we have to find a good solution for both users who have a need for the audit 
fields and who have not.

I just don't see the initial solution as sufficient/valid and try to find a 
collaborative way for a more comprehensive solution which fits both needs, is 
easily configurable and avoids hard coding.

I thought about it more deeply during my midday run and need some time to write 
down my thoughts and answers to your responses. I will come back to you at the 
end of the week at the latest.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452357#comment-17452357
 ] 

Pierre Smits commented on OFBIZ-12391:
--

[~mbrohl],

Your initial argument(s) didn't hold merit, and the new one doesn't either. The 
paradigm you say it breaks is not there (unless you refer to the paradigm of 
inconsistency). Initially (and still), the code comes with functionality of 
fields being added to tables, without explicit definition in entities (the 
transaction fields). These fields are the same, falling under that paradigm: 
applicable to all entities.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452349#comment-17452349
 ] 

Pierre Smits commented on OFBIZ-12391:
--

Additionally, [~mbrohl], enhancing modelentity.java with the change under PR 
351 does NOT make these fields visible to every user. Access to record data in 
webtools is under the constraint of permissions, like access to the underlying 
(r)dbms is. 

And these fields (like the others defined via modelentity functionality), do 
NOT show up in grid/forms when those have the following
{code:java}
 
{code}
included in the definition.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452347#comment-17452347
 ] 

Michael Brohl commented on OFBIZ-12391:
---

It is simply a bad (wrong) approach to hard-code this into the core code and 
create all those fields instead of making it configurable as is the case for 
any other entity definition configuration. It breaks this paradigm and has 
indeed an impact.

We should not do that.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452341#comment-17452341
 ] 

Pierre Smits commented on OFBIZ-12391:
--

Guten Tag Michael,

Indeed, I am aware that this has an impact on GDPR policies and procedures of the 
OFBiz-using organisations (in EU countries, and others with their own variants, 
e.g. US with CCPA). However, given that any OFBiz-using organisation needs to 
have those anyway (especially when processing consumer data), this change 
doesn't have that great of a technical impact.

It is a one-time process, required to be executed when the OFBiz instance is 
initialising and building the tables (and their fields) in the underlying 
(r)dbms. 

Like I said, easiest to implement now. And while we just provide the basic 
(technical) capability, we also provide a tangent to the integrators to 
potentially add additional (consultancy) revenues vis-a-vis OFBiz and GDPR 
implications.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452334#comment-17452334
 ] 

Michael Brohl commented on OFBIZ-12391:
---

Please keep in mind that audit functions are problematic in many companies as 
they allow retrieving a footprint of the people working with the system (when, 
how fast etc.).

At least here in Germany, it is often not allowed or extremely restricted. I 
can imagine this is true also in other countries.

I think we should NOT have a core functionality in the entity core which 
automatically creates a huge number of table fields which might never be used.

I can think of doing it automatically for a table which has the 
enable-audit-log set to true. It would be fully configurable and also does not 
need to put the field definitions in every entity definition.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-12-02 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17452298#comment-17452298
 ] 

Pierre Smits commented on OFBIZ-12391:
--

Bonjour Jacques,

My apologies for not reacting in more detail regarding your comments earlier in 
this ticket. 

The 'enable-audit-log' attribute, as defined in entitymodel.xsd, makes it a 
requirement (for the OFBiz implementing organisation) to change each individual 
field in the entity definition (in the various entity-model.xml files) when 
that organisation needs to have insights (via 
https://demo-trunk.ofbiz.apache.org/webtools/control/entity/find/EntityAuditLog) 
into changes effected to those defined fields.

This would be a process way too time-consuming (as you know, there are currently 
1000s of field definitions) regarding implementation: evaluating each entity 
and each field defined therein and subsequently enhancing those field 
definitions (and bringing it into the production environment). Also, as David 
mentioned in the thread you referenced, in a production environment it could 
prove to be consuming too many resources (CPU, IO, storage, which in a cloud 
environment could become very costly).

The least costly approach (and easiest to implement) to this is to enhance 
modelentity.java to add the basic audit-trail (investigation) fields, as we 
currently have on some entities, as shown in PR 351 (including clean-up). 
By making these available by default and filled through entity services, we 
ensure that each implementing organisation can see (via web-tools) for each 
record who created/modified it and when, which is considered a basic 
requirement vis-a-vis trust and audit/investigation.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-11-21 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17447003#comment-17447003
 ] 

Pierre Smits commented on OFBIZ-12391:
--

Hi Jacques,

Yes, I was and am aware of that. And the thread too.

But thank you for bringing this to the attention of other contributors and 
readers.



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-11-21 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17446963#comment-17446963
 ] 

Jacques Le Roux commented on OFBIZ-12391:
-

Also this thread is a complement https://markmail.org/message/w6tqjbvk6kh62a65 
and this Jira too: OFBIZ-4844

HTH



[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

2021-11-21 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17446962#comment-17446962
 ] 

Jacques Le Roux commented on OFBIZ-12391:
-

Hi Pierre,

Are you aware of the enable-audit-log attribute of the entity-field element in 
the data model?
This is maybe more explanatory: 
https://demo-trunk.ofbiz.apache.org/webtools/control/entity/find/EntityAuditLog?noConditionFind=Y
