
Provide Change History for Integrity User & Group Domain

We really miss a full history concept for the Integrity user / group domain area.

Please provide a "History"-tab for Integrity domain users and groups:

  • It is essential to clearly document who modified these objects, when and which user ids have been added / removed - (similar to item history concept).

  • Improve traceability -
    A (mandatory) change comment field is required to document the related justification for each individual modification. We manage our user privileges via change management, using Integrity items to document and approve all user requests. So we need a reliable way to link such an item with a concrete change in our domain groups, visible as part of the individual history entry.

  • Offer an option to restore an Integrity domain group as it was at a certain point in time by selecting a previous configuration out of the history entries.

  • Remove the 4k character limit for the Integrity auditlog parameter value.

Background story:

Recently one of our administrators updated an Integrity domain group with the intention of adding a new user principal. But instead of adding a new principal, he accidentally replaced the existing 600 principals in that group with that one user principal only. Unfortunately, there is neither undo nor history available for these admin objects.

So we tried to retrieve that information with the help of our auditlog, to identify the second-to-last modification of that domain group. The idea was to use the parameter field value to collect all the required principals which were in that domain group before. This concept works fine for small domain groups with only a few members. But as the parameter string is limited to 4K characters, the result string is simply cut off at the end:

"[...] description=, email=NULL, members=[KcaCH:User, XircJ:User, zygj:User, BnzK:User, QerM:User,  [...]"

When that limit is reached, the output string is simply cut off and 3 dots are added. As a consequence, this approach is not applicable for large domain groups with more than 100 members.

All additional user information is simply lost and cannot even be exported via native SQL statements from the DB as it is not stored.

According to PTC technical support, there is no alternative solution but to restore that information from a full DB backup. This is too much effort for such a simple use case.

We require at least a reliable way to read the full "Parameter" field value from the auditlog without the 4k character limit. Because of this limit, we are not even able to create our own solution, as Integrity simply does not store or offer that data.

PTC Integrity, as a configuration and change management tool, shall be capable of tracking administrative changes in a reliable way and shall provide a full change history for all its system administration objects.

3 Comments
vichavan
8-Gravel

This is a huge request to implement. We thought auditing was enough to identify such mistakes, but it seems in your case the parameter string limit is causing a problem. We will look into this. I am not sure what the correct solution is, so we may need to check back on use cases here.

bklitzsch
5-Regular Member

Please contact me in case you need more input. One first improvement would be to store just the delta for each domain group update instead of the full absolute group member list in the audit log. This would help to identify the individual change much more easily (you are no longer forced to manually compare it with the previous change) and it would help relax the situation regarding the 4K string length limit.
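As an added illustration (not code from the original post, the commenter, or PTC Integrity), the following Python models the 4K cut-off described in the post and computes the per-update delta suggested in the comment above from two consecutive audit entries for one domain group. The exact cut position, the "..." marker and the `name=..., members=[...]` layout are assumptions, and the sample group is constructed.

```python
import re

# Models the behaviour reported in the thread: the audit-log "Parameter"
# value is cut at 4K characters and "3 dots" are appended. The exact cut
# position and marker are assumptions for this example.
PARAM_LIMIT = 4096
TRUNCATION_MARKER = "..."

def format_audit_param(group: str, members: list[str], limit: int = PARAM_LIMIT) -> str:
    """Build a parameter string in the members=[Name:User, ...] form and
    apply the length cut-off the way the thread describes it."""
    value = f"name={group}, description=, email=NULL, members=[{', '.join(members)}]"
    if len(value) > limit:
        value = value[: limit - len(TRUNCATION_MARKER)] + TRUNCATION_MARKER
    return value

def parse_members(param: str) -> tuple[set[str], bool]:
    """Return (principals, truncated). A cut-off value never reaches its
    closing ']', and its last comma-separated fragment may be a partially
    written principal, so that fragment is dropped rather than trusted."""
    param = param.strip()
    truncated = param.endswith(TRUNCATION_MARKER)
    if truncated:
        param = param[: -len(TRUNCATION_MARKER)]
    m = re.search(r"members=\[([^\]]*)", param)
    if not m:
        return set(), truncated
    parts = [p.strip() for p in m.group(1).split(",")]
    if truncated:
        parts = parts[:-1]  # possibly partial principal at the cut
    return {p for p in parts if p}, truncated

def member_delta(previous: str, current: str) -> dict:
    """Diff two consecutive audit entries of one domain group, i.e. the
    delta a per-update log entry would hold. 'reliable' is False when either
    side was cut off, because the removals are then only a lower bound."""
    old, old_cut = parse_members(previous)
    new, new_cut = parse_members(current)
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "reliable": not (old_cut or new_cut)}

# Constructed data: a 600-member group (as in the incident) that an admin
# accidentally replaces with a single principal.
BIG_GROUP = [f"user{i:04d}:User" for i in range(600)]
BEFORE = format_audit_param("developers", BIG_GROUP)
AFTER = format_audit_param("developers", ["newuser:User"])

if __name__ == "__main__":
    d = member_delta(BEFORE, AFTER)
    print(len(d["removed"]), "removals recovered of", len(BIG_GROUP),
          "- reliable:", d["reliable"])
```

With the constructed 600-member group only 269 of the removed principals survive the cut-off, which is exactly the restore problem the post describes; a small group diffs cleanly and is reported as reliable.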

ogruhlke
2-Guest

We got the same problem logging groups with more than 100 members like you described. I'm lucky none of our admins made a mistake like yours did.

We tried to implement our own group history based on the audit log, but the 4k string limitation prevents us from doing it.

I think a history tab on groups is absolutely necessary! To expand the request, the same argumentation applies to an ACL history tab, which is similarly important.

Regarding the limited audit log, you can also divide a long entry into several entries.