From version 2020.10, application security change auditing is available.
This auditing is not enabled by default. Should a client wish to enable auditing, please contact product support. Before it is enabled, your existing security configuration must be reviewed to confirm that the application is configured properly.
Security auditing allows tracking of the permissions that were available to users at any given point in time. When auditing is enabled, a snapshot of the application permissions is taken, and from that point onwards all changes are tracked and logged.
It is an important aspect of compliance that this auditing be enabled.
The security audit change enhancements can be broken down into four general areas:
- Tracking of user security role changes. This tracks user application-level security role membership and any changes made to it. For example, if a user was configured as a system administrator, the date and time of the change is logged.
- Tracking of security matrix changes. This tracks any changes made to the application security matrix. The security matrix governs the job-level permissions that users in a particular role can undertake. For example, if the user role had the ability to view payments changed, the date and time of the change is logged.
- Tracking of standalone job security roles. Users can be added to jobs in standalone job security roles. If users are added or removed from these roles, the date and time of the change is logged.
- Tracking of work team member changes. Users can be added and removed from security work teams. If users are added or removed from work teams, the date and time of the change is logged.
- Tracking of work team link changes. If work teams are linked to or unlinked from jobs, the date and time of the change is logged.
- Tracking of security checks. Each time the application checks whether a logged-in user has permission to perform a particular action, the system logs the check. The system can be configured to log all checks or to log only checks where access was not allowed by the application.
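
The snapshot-plus-change-log model described above is what makes point-in-time questions answerable: replaying the logged changes over the snapshot reconstructs who held which permission on a given date. The following is an added illustration, not the product's own code or audit schema. The record layout, role names and permission names are assumptions, the sample data is constructed, and only role membership and security matrix changes are modelled.

```python
from datetime import datetime

# Constructed sample data. Field names and event kinds are assumptions,
# not the product's audit schema.
SNAPSHOT_TIME = datetime(2021, 1, 1)  # moment auditing was enabled
SNAPSHOT_ROLES = {"alice": {"Administrator"}, "bob": {"Clerk"}}
SNAPSHOT_MATRIX = {
    "Administrator": {"ViewPayments", "EditJob"},
    "Clerk": {"ViewPayments"},
}
CHANGES = [  # (timestamp, kind, subject, value, action)
    (datetime(2021, 2, 1), "role", "bob", "Administrator", "add"),
    (datetime(2021, 3, 1), "matrix", "Clerk", "ViewPayments", "remove"),
    (datetime(2021, 4, 1), "role", "bob", "Administrator", "remove"),
]

def state_at(when):
    """Replay logged changes over the snapshot, up to and including `when`."""
    if when < SNAPSHOT_TIME:
        raise ValueError("no audit data before the snapshot was taken")
    roles = {u: set(r) for u, r in SNAPSHOT_ROLES.items()}
    matrix = {r: set(p) for r, p in SNAPSHOT_MATRIX.items()}
    for ts, kind, subject, value, action in sorted(CHANGES, key=lambda c: c[0]):
        if ts > when:
            break
        target = (roles if kind == "role" else matrix).setdefault(subject, set())
        if action == "add":
            target.add(value)
        else:
            target.discard(value)
    return roles, matrix

def permissions_at(user, when):
    """Permissions a user held at `when`, via all of their roles."""
    roles, matrix = state_at(when)
    perms = set()
    for role in roles.get(user, set()):
        perms |= matrix.get(role, set())
    return perms

def holders_of(permission, when):
    """Users who held `permission` at `when`."""
    roles, matrix = state_at(when)
    return {u for u, rs in roles.items()
            if any(permission in matrix.get(r, set()) for r in rs)}
```

Dates before the snapshot raise an error rather than returning an empty set, because no permission history exists before auditing was enabled.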