-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
audit log: store relevant id and change #3184
Comments
Hi, I'm not sure what kind of a use case are you thinking here. So first I would have to ask why do you feel a need to track DB changes or a very detailed audit log? Here are some thoughts:
What kind of thoughts do these raise? |
Thank you for the very thorough dive into the thoughts about this. A specific situation that I am not sure can be resolved currently: Alice: Changes Form A Charlie: Fills out Form A and sends it. It is then discovered that the form requests something that is not compliant with the relevant regulation. Alice says Bob did the change in the form, and Bob says Alice did it. Charlie doesn't know. How do we figure out who was responsible for a certain change in an entity? In this case the form. This is needed for a regulatory requirement (translated from Danish to English by me): "logs need to be able to refer to the specific users or systems that have performed an action" |
I agree, I was not suggesting that all request data is logged, just that it should be possible to toggle this for mutations of specific entities/categories of entities/paths. As I believe that would solve the above situation. |
If you take a strict version of the requirement, then you should be able to say who changed what. That is only possible if you track all of the database content, or all requests and responses. It is not enough to track specific entities or paths. How do you understand this? |
Are Alice and Bob owners of the REMS instance who are specifying what needs to be asked in the Form? Compliance of regulation of the form is something that the organization using REMS should handle. These kinds of matters can happen in meetings, at the watercooler etc. It is out of scope of REMS. The only thing REMS can do is to store who has modified Form A. It does this now, just not at the level of each detail in the Form. So far there has been no requirement in our using organizations to know who exactly did what change to the "model". They are officially responsible of course. It would be rather clear, should it become a problem at some point. Usually there is a lot of stuff outside REMS so it can't be the single source of truth to the matter (it could be that the changes are made by an assistant, not the owner of the process).
Such cases are handled case by case. Sometimes in a court of law or an instance where appeals are handled. It would mostly be outside of REMS.
This assumes a case where owners of the organization disagree, or even that one of them is attacking that organization in an "inside job". I think no system can prevent such. So far it has not been necessary to prove who did what exactly.
For the answers, only the applicant can at the moment change any answer in the form. So the responsibility is clear. For the "model", e.g. what needs to be answered, all the owners of that organization or superowners can change the model. These changes are tracked only at a high level. There used to be a field that showed who last modified a thing but it wasn't needed.
I am surprised if the requirements are at this level in the Danish regulations. I would also be surprised if every system is implemented there so that everything is tracked. This is possible of course, but it has far reaching effects. I do not know the context so it would be impossible for me to offer any accurate interpretations of this. At the surface level, REMS audit log, and application log, do answer who performed what. Just not every detail of what data came from which person, only who did changes. |
Absolutely, but specifically how data is changed within REMS, I would argue, is best suited to be logged within REMS. An assistant using a superiors account, would also not be compliant in and of itself, but REMS supports having multiple accounts, which makes that case easily avoidable.
Of course under the assumption that users are who they say they are, but that assertion is most definitely outside the scope of REMS, and falls on the shoulders of the auth infrastructure.
But this will not be able to be determined, even by a court of law. Since there is no evidence one way or the other, a word-against-word disagreement cannot be resolved. This certainly can be handled by external processes, but it strikes me as an over-complicated solution, as opposed to logging it at the point of action.
This is not a general requirement, but a requirement for systems that facilitate administrative decisions (like passing judgement on a REMS application). And while I do not know to what degree this regulation is followed for all current systems, it seems prudent not to introduce a new system that does not follow the regulation. I think that the change needed to support this level of logging is rather minimal, and can be implemented in a way that is fully backwards compatible. As in, additional logging to this level, could be implemented in a opt-in manner, that specifically relates to certain operations. It could be a config line containing a list of routes like |
Issue obsolete after #3187, above situations can be resolved through that implementation. |
Is your feature request related to a problem? Please describe.
I would like to be able to precisely determine what entity was created/changed when querying the
audit_log
table, as well as have the ability to see exactly what was created/changed in that entity.Describe the solution you'd like
I would like the
audit_log
table to have a reference to the table where the change was made, and the id of the relevant entity. I would also like to be able to store the request data, so I can precisely determine the state of an entity at a given time.Additional context
While not really a viable path at this point, it seems like REMS and datomic would've been a match made in heaven wrt. provenance and auditability.
The text was updated successfully, but these errors were encountered: