Jump to content
Wizardry

Can group membership be audited?

Recommended Posts

I have a need to track who is inserting and removing people from groups. There are a number of people who have the rights but some aren't following our policies and I need to figure out who it is. I want to track it in the audit logs. I opened a ticket with CA and they told me grpmem isn't managed so it's not a supported option and while they said I could experiment with the audlog_site.mod file they couldn't provide any support. I've tried the following...

// Add to Grpmem object.
OBJECT grpmem {
    ATTRIBUTES  Group_Member {
        audit_userid LOCAL  SREL cnt TENANCY_UNRESTRICTED {
                                ON_NEW DEFAULT USER;
                                ON_CI SET USER;
                            };

    };
    
    TRIGGERS {
    POST_CI audit_fields_site(persistent_id, audit_userid,
                         manager_flag, notify_flag, member) 52
        FILTER( EVENT("INSERT(NX_AUDIT_INS) UPDATE(NX_AUDIT_UPD) DELETE(NX_AUDIT_DEL)") );
    };
};

The attribute seems to have added correctly and I can see it listed when I run a bop_sinfo against grpmem.

The trigger doesn't error when I start services but when I actually try and test it it does throw errors.

Upon changing the notify_flag, the manager flag or inserting a new record, I get this error in the log

spelsrvr            10256 ERROR        interp.c               559 grpmem::audit_fields_site Unknown message.

Upon delete, the trigger doesn't even fire. No error, No audit log.

Has anyone else ever tried and gotten this to work? Any assistance would be appreciated.

Share this post


Link to post
Share on other sites

Hi GoofyBZ,

I tried to do the same but with role object to register all the modifications about roles. I did the same steps like you and I got the same result. My doubt is this configuration can be used for any object.

Can someone help us?

Thanks and Regards

PMX

Share this post


Link to post
Share on other sites

I have the same requirement and could you please share it here, if there was a solution found? Thank You!

Share this post


Link to post
Share on other sites
1 hour ago, vish said:

I have the same requirement and could you please share it here, if there was a solution found? Thank You!

I would if I could but I still don't have a solution for this.  =(

Share this post


Link to post
Share on other sites

hi,

i'm out of business and havent any env to check this, so check code twice :)

 

This should work in this way:

Algorithm is:

  • get current user, who performs action;
  • create activity for user;
  • create activity for group.

 

Please check cntalg factory, I'm not sure that attribute related to contact/group is called cnt, also you need to fill activity's duration or it will be blank in list.


mod file:

Quote


MODIFY  grpmem POST_VALIDATE z_grpmem_insert() 20001 FILTER(EVENT("INSERT"));

MODIFY  grpmem POST_VALIDATE z_grpmem_delete() 20002 FILTER(EVENT("DELETE"));

 

spl file:

grpmem::z_grpmem_insert(...) {
    logf(SIGNIFICANT, "Adding [%s] to [%s]", member.combo_name, group.last_name);
    uuid who;
    send_wait(0,top_object(), "call_attr", "cnt", "current_user_id");
    who=msg[0];
    // inserting into member's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt", (uuid)member.id, 
        "description", format("Contact added to [%s]", group.last_name));
    // inserting into group's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt", (uuid)group.id, 
        "description", format("[%s] added to this group", member.combo_name));
}

grpmem::z_grpmem_delete(...) {
    logf(SIGNIFICANT, "Deleting [%s] from [%s]", member.combo_name, group.last_name);
    uuid who;
    send_wait(0,top_object(), "call_attr", "cnt", "current_user_id");
    who=msg[0];
    // inserting into member's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt", (uuid)member.id, 
        "description", format("Contact removed from [%s]", group.last_name));
    // inserting into group's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt", (uuid)group.id, 
        "description", format("[%s] removed from this group", member.combo_name));
}

 

Share this post


Link to post
Share on other sites

Hi cdtj,

 

Just tested your code, it works with a little bit of adjustment. It should be "cnt_id" and "type" is needed to insert comment.

Thanks a lot for help out the community.

grpmem::z_grpmem_insert(...) {
    logf(SIGNIFICANT, "Adding [%s] to [%s]", member.combo_name, group.last_name);
    uuid who;
    send_wait(0,top_object(), "call_attr", "cnt", "current_user_id");
    who=msg[0];
    // inserting into member's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)member.id, 
        "description", format("Contact added to [%s]", group.last_name),
		"type", "LOG");
    // inserting into group's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)group.id, 
        "description", format("[%s] added to this group", member.combo_name),
		"type", "LOG");
}

grpmem::z_grpmem_delete(...) {
    logf(SIGNIFICANT, "Deleting [%s] from [%s]", member.combo_name, group.last_name);
    uuid who;
    send_wait(0,top_object(), "call_attr", "cnt", "current_user_id");
    who=msg[0];
    // inserting into member's log
	//send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "chgalg", gl, 0, "change_id", chg_obj.persistent_id, "type", "LOG", "description", now(), "time_spent", (duration)0);
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)member.id, 
        "description", format("Contact removed from [%s]", group.last_name),
		"type", "LOG");
    // inserting into group's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)group.id, 
        "description", format("[%s] removed from this group", member.combo_name),
		"type", "LOG");
}

 

Conan

Share this post


Link to post
Share on other sites

Awesome!   The adjusted version works for me too.  I took it a little further.  I modified the description to include the userID of the contact since that's unique and added the action_desc and time_spent values so they would always be filled in.  My modified version looks like this...

Much much appreciated.  =)

grpmem::z_grpmem_insert(...) {
    logf(SIGNIFICANT, "Adding [%s (%s)] to [%s]", member.combo_name, member.userid, group.last_name);
    uuid who;
    send_wait(0,top_object(), "call_attr", "cnt", "current_user_id");
    who=msg[0];
    // inserting into member's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)member.id, 
        "description", format("Contact added to the group [%s]", group.last_name),
		"action_desc", "Group Membership Updated",
		"time_spent", "0",
		"type", "LOG");
    // inserting into group's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)group.id, 
        "description", format("[%s (%s)] added to this group", member.combo_name, member.userid),
		"action_desc", "Group Membership Updated",
		"time_spent", "0",
		"type", "LOG");
}

grpmem::z_grpmem_delete(...) {
    logf(SIGNIFICANT, "Deleting [%s (%s)] from [%s]", member.combo_name, member.userid, group.last_name);
    uuid who;
    send_wait(0,top_object(), "call_attr", "cnt", "current_user_id");
    who=msg[0];
    // inserting into member's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)member.id, 
        "description", format("Contact removed from the group [%s]", group.last_name),
		"action_desc", "Group Membership Updated",
		"time_spent", "0",
		"type", "LOG");
    // inserting into group's log
    send_wait(0, top_object(), "call_attr", "api", "insert_object", who, "cntalg", NULL, 0, 
        "cnt_id", (uuid)group.id, 
        "description", format("[%s (%s)] removed from this group", member.combo_name, member.userid),
		"action_desc", "Group Membership Updated",
		"time_spent", "0",
		"type", "LOG");
}

 

Share this post


Link to post
Share on other sites

This is a top-notch work and I really appreciate cdtj :) for this great piece of code. Thanks Conan and Wizardry for your support.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Announcements

    • Gregg

      Looking for the wiki content?

      12/20/2015

      Until I can transfer the wiki content over to the new Articles, you can find the old content here: http://www.greggsmith.net/wiki.
    • Gregg

      New site logo

      01/06/2016

      A special thanks to brianshs for creating a new site logo!
×