Is there a way to log the assignment of security roles to users such that each time a new role is granted or revoked for a given user, the affected user, role, date/time and the user who assigned/revoked that role is logged?
I've tried implementing this through the database log by enabling insert and delete operation logging for the Security User Role Association table but this doesn't have any effect.
Oddly, enabling database logging for the User Role Organization Assignment table does work for instances where I add a role to a user for a specific legal entity, but I get no data in the database log for roles that apply across all legal entities. Digging deeper, I find that the Security User Role Association table is a kernel table whilst the User Role Organization Assignment table is a normal table and I can only assume that the Database Log feature doesn't work for kernel tables.
This seems like a fairly standard thing to want to be able to do. Is there a feature elsewhere that can provide the data that a security audit might require in order to answer questions like "What rights did user X have on some date?"
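Whatever mechanism ends up capturing the grant/revoke events, the audit question at the end of the post is answered by replaying those events up to the date of interest. The following is an added example written for this page, not code from the original post or from the product being asked about: it replays a constructed grant/revoke log (the user names, role names, timestamps and actor names are all made up) to reconstruct which roles a user held at a given moment and who granted each one, and it flags revokes with no preceding grant, which is exactly the symptom you would see if some assignments (such as the cross-legal-entity ones the poster could not log) never made it into the log.

```python
"""Point-in-time role reconstruction from a grant/revoke audit log.

Added example, not from the original post. The event layout mirrors the
fields the post asks to be logged: affected user, role, timestamp, the
action, and the user who performed it. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class RoleEvent:
    when: datetime   # when the change took effect
    user: str        # affected user
    role: str        # security role granted or revoked
    action: str      # "grant" or "revoke"
    actor: str       # user who made the change


# Constructed sample log (hypothetical users, roles and actors).
SAMPLE_LOG = [
    RoleEvent(datetime(2023, 1, 10, 9, 0), "alice", "SystemUser", "grant", "admin1"),
    RoleEvent(datetime(2023, 2, 1, 14, 30), "alice", "AccountsPayableClerk", "grant", "admin1"),
    RoleEvent(datetime(2023, 2, 1, 14, 31), "bob", "SystemUser", "grant", "admin1"),
    RoleEvent(datetime(2023, 3, 15, 11, 0), "alice", "AccountsPayableClerk", "revoke", "admin2"),
    RoleEvent(datetime(2023, 3, 15, 11, 5), "alice", "SystemAdministrator", "grant", "admin2"),
    RoleEvent(datetime(2023, 4, 1, 8, 0), "alice", "SystemAdministrator", "revoke", "admin1"),
]


def _events_for(log, user, at):
    """Events affecting `user` at or before `at`, in chronological order."""
    return sorted((e for e in log if e.user == user and e.when <= at), key=lambda e: e.when)


def roles_at(log, user, at):
    """Replay grants and revokes up to `at` (inclusive); return the set of roles held then."""
    roles = set()
    for ev in _events_for(log, user, at):
        if ev.action == "grant":
            roles.add(ev.role)
        elif ev.action == "revoke":
            roles.discard(ev.role)
        else:
            raise ValueError(f"unknown action {ev.action!r}")
    return roles


def who_granted(log, user, role, at):
    """Actor of the grant of `role` that was still in force for `user` at `at`, or None.

    Walks the history so that a grant cancelled by a later revoke is not reported.
    """
    granted_by = None
    for ev in _events_for(log, user, at):
        if ev.role != role:
            continue
        granted_by = ev.actor if ev.action == "grant" else None
    return granted_by


def find_inconsistencies(log):
    """Return (event, reason) pairs that indicate the log is incomplete.

    A revoke of a role the user does not hold, or a grant of a role already held,
    means an earlier event was never captured (or the log is out of order).
    """
    problems = []
    held = {}  # user -> set of roles currently held during replay
    for ev in sorted(log, key=lambda e: e.when):
        roles = held.setdefault(ev.user, set())
        if ev.action == "grant":
            if ev.role in roles:
                problems.append((ev, "grant of a role already held"))
            roles.add(ev.role)
        elif ev.action == "revoke":
            if ev.role not in roles:
                problems.append((ev, "revoke with no preceding grant"))
            roles.discard(ev.role)
    return problems


if __name__ == "__main__":
    t = datetime(2023, 3, 15, 11, 2)
    print(f"alice at {t}: {sorted(roles_at(SAMPLE_LOG, 'alice', t))}")
    print("SystemUser granted by:", who_granted(SAMPLE_LOG, "alice", "SystemUser", t))
    for ev, why in find_inconsistencies(SAMPLE_LOG):
        print("inconsistency:", why, ev)
```

Run `find_inconsistencies` over the whole log before trusting any point-in-time answer: an empty result does not prove the log is complete, but a revoke with no matching grant proves it is not, which is the first thing an auditor will ask about.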