auditing security changes

 
Ranch Hand
Posts: 119
Hi all,
I need some help with keeping track of changes to the security configuration in our apps....
We're using WebSphere 5.1 with Active Directory.
If we add users to groups in AD this is done using the standard company procedures, but we may also need to change the mapping of groups to roles (rare I know, but our business users want this flexibility).
I know how to do the actual mapping change, but what I don't know is how this change gets logged in WebSphere.
I find it hard to believe that a product as big as WebSphere doesn't keep a log of such a change, but where is it?
Very grateful for any ideas.
Cheers,
Louise
 
author
Posts: 3892
Actually, Louise, we don't log this. In general we don't log any administrative changes because that's just the way the application server operates -- it's normal behavior and not an exceptional condition.

Configuration changes to anything in the console or WSAdmin (including the group/role mapping) are made by changing the master copy of the appropriate XML files in the configuration repository and then transferring those files out to the individual nodes. After the nodes have been updated there is no record of the change.

You might be able to create a log of the type you want by turning on application tracing for that subsystem on the Deployment Manager, though. You'd just have to filter out the entries from the DMgr trace log that you wanted. Sounds kind of expensive, though...

Kyle
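
Since the reply above says changes land as edits to XML files in the configuration repository and leave no record, one way to build a record is to hash a copy of that directory on a schedule and log the differences. This is an added example, not part of the original posts and not WebSphere code; the directory layout, the file name `role-bindings.xml` and the baseline/log paths are assumptions made for the demo.

```python
import hashlib, json, os, tempfile, time

def snapshot(config_root):
    """Map every file under config_root (relative path) to its SHA-256 digest."""
    digests = {}
    for folder, _dirs, files in os.walk(config_root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, config_root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(old, new):
    """Return sorted (action, path) pairs describing what changed between snapshots."""
    events = [("added", p) for p in new.keys() - old.keys()]
    events += [("removed", p) for p in old.keys() - new.keys()]
    events += [("modified", p) for p in old.keys() & new.keys() if old[p] != new[p]]
    return sorted(events)

def audit(config_root, baseline_file, log_file):
    """Diff against the stored baseline, append changes to the log, store the new baseline."""
    old = {}
    if os.path.exists(baseline_file):
        with open(baseline_file) as fh:
            old = json.load(fh)
    new = snapshot(config_root)
    events = diff(old, new)
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(log_file, "a") as log:
        for action, path in events:
            log.write(f"{stamp} {action} {path}\n")
    with open(baseline_file, "w") as fh:
        json.dump(new, fh, indent=1, sort_keys=True)
    return events

def demo():
    """Constructed sample tree standing in for a configuration repository."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "config")
        os.makedirs(os.path.join(root, "cells", "demoCell"))
        binding = os.path.join(root, "cells", "demoCell", "role-bindings.xml")  # hypothetical name
        base, log = os.path.join(tmp, "baseline.json"), os.path.join(tmp, "audit.log")
        with open(binding, "w") as fh:
            fh.write("<bindings><role name='approver' group='Finance'/></bindings>")
        first = audit(root, base, log)   # no baseline yet: every file is reported as added
        with open(binding, "w") as fh:
            fh.write("<bindings><role name='approver' group='Everyone'/></bindings>")
        second = audit(root, base, log)  # the remapped group shows up as a modification
    return first, second
```

The log records which file changed and when, not who changed it, so keep the baseline and log outside the audited tree and on storage the application server administrators cannot write to.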
 
louise rochford
Ranch Hand
Posts: 119
Thanks for the quick response Kyle.
I get the impression that logging this type of change isn't standard procedure - you only give administrator access to people you trust to do things properly.
I'll see if I can get our users / security folks to agree that this concept, plus Change request documentation detailing the required mapping changes will be sufficient control.
Failing that I'll be filtering trace logs...

Many thanks again,
Louise
 