Posted to notifications@ofbiz.apache.org by "Pierre Smits (Jira)" <ji...@apache.org> on 2021/12/02 10:37:00 UTC

[jira] [Commented] (OFBIZ-12391) Trustworthy OFBiz - audit capabilities

    [ https://issues.apache.org/jira/browse/OFBIZ-12391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17452298#comment-17452298 ] 

Pierre Smits commented on OFBIZ-12391:
--------------------------------------

Bonjour Jacques,

My apologies for not reacting in more detail regarding your comments earlier in this ticket. 

The 'enable-audit-log' attribute, as defined in entitymodel.xsd, makes it a requirement (for the OFBiz implementing organisation) to change each individual field in the entity definition (in the various entity-model.xml files) when that organisation needs to have insight (via [https://demo-trunk.ofbiz.apache.org/webtools/control/entity/find/EntityAuditLog]) into changes effected to those defined fields.

This would be a process way too time-consuming (as you know, there are currently 1000s of field definitions) regarding implementation: evaluating each entity and each field defined therein and subsequently enhancing those field definitions (and bringing it into the production environment). Also, as David mentioned in the thread you referenced, in a production environment it could prove to be consuming too many resources (CPU, IO, storage, which in a cloud environment could become very costly).

The least costly approach (and easiest to implement) to this is to enhance modelentity.java to add the basic audit-trail (investigation) fields, as we currently have on some entities, as shown in PR 351 (including clean-up). By making these available by default and filled through entity services, we ensure that each implementing organisation can see (via web-tools) for each record who created/modified it and when, which is considered a basic requirement vis-a-vis trust and audit/investigation.

> Trustworthy OFBiz - audit capabilities
> --------------------------------------
>
>                 Key: OFBIZ-12391
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12391
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS, framework/entity
>    Affects Versions: Trunk
>            Reporter: Pierre Smits
>            Assignee: Pierre Smits
>            Priority: Major
>              Labels: audit, entity, investigation, mvp, trust, usability
>
> When potential adopters want to use OFBiz as their primary solution for business critical ERP (and related) processes, they (or at least their auditors) want to be sure that they can see:
>  # who created the record in the underlying rdbms,
>  # when that record was created,
>  # who was the last one to modify the record
>  # when the modification happened.
> Currently out of the 800+ entities defined in the various entity model files, only a fraction of the entities have fields defined for
>  * createdDate (23)
>  * createdByUserLogin (30)
>  * lastModifiedDate (24)
>  * lastModifiedByUserLogin (29)
> which means that for crucial entities (for a business) in OFBiz, records can be created and changed (for nefarious reasons) without auditors and other investigators being able to state anything regarding the above 4 points.
> Currently there are over 600 entity-auto services invoking 'create', and approximately the same number of services that invoke 'update', that could automatically set the fields listed above. However, it is not done, because these have not been defined.
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
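
Added example, not part of the original message or of the OFBiz code base: a way to measure the audit coverage the issue describes, reporting per entity which of the four stamp fields are missing and which fields carry enable-audit-log="true". The sample entities are constructed, and the parser assumes the entity model file uses <entity>/<field> elements without a default XML namespace.

```python
import xml.etree.ElementTree as ET

# The four audit-stamp fields named in the issue description.
STAMP_FIELDS = ("createdDate", "createdByUserLogin",
                "lastModifiedDate", "lastModifiedByUserLogin")

# Constructed sample in the entity model layout; the entity names and
# field lists are invented for this example, not copied from OFBiz.
SAMPLE_MODEL = """<entitymodel>
  <entity entity-name="SampleInvoice" package-name="example.accounting">
    <field name="invoiceId" type="id"/>
    <field name="statusId" type="id" enable-audit-log="true"/>
    <field name="createdDate" type="date-time"/>
    <field name="createdByUserLogin" type="id-vlong"/>
    <field name="lastModifiedDate" type="date-time"/>
    <field name="lastModifiedByUserLogin" type="id-vlong"/>
  </entity>
  <entity entity-name="SamplePayment" package-name="example.accounting">
    <field name="paymentId" type="id"/>
    <field name="amount" type="currency-amount"/>
    <field name="createdDate" type="date-time"/>
  </entity>
  <view-entity entity-name="SampleView" package-name="example.accounting"/>
</entitymodel>"""


def audit_coverage(model_xml):
    """Return {entity-name: {"missing": [...], "audit_logged": [...]}}."""
    report = {}
    root = ET.fromstring(model_xml)
    # Only <entity> elements are inspected; <view-entity> is skipped.
    for entity in root.iter("entity"):
        fields = entity.findall("field")
        names = {f.get("name") for f in fields}
        report[entity.get("entity-name")] = {
            "missing": [s for s in STAMP_FIELDS if s not in names],
            "audit_logged": [f.get("name") for f in fields
                             if f.get("enable-audit-log") == "true"],
        }
    return report


def stamp_totals(report):
    """Count, per stamp field, how many entities define it."""
    return {s: sum(s not in r["missing"] for r in report.values())
            for s in STAMP_FIELDS}


if __name__ == "__main__":
    rep = audit_coverage(SAMPLE_MODEL)
    for name, row in rep.items():
        print(name, "missing:", row["missing"], "audit-logged:", row["audit_logged"])
    print(stamp_totals(rep))
```

Run over the real entity model files, stamp_totals gives the same kind of per-field counts the issue description lists, and the "missing" lists show which entities cannot answer who created or last modified a record.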