Your application can supplement the default information that PRPC maintains in the history of certain data classes or rule types, identifying which fields a user changed and the current value of the fields.
Benefits
For example, you can record the name of the application rule that is referenced in an access group, each time a user updates the Access Group form and adds, changes, or deletes an application rule. For another example, see these PDN articles:
This capability, known as security auditing, supports change auditing for sensitive fields on selected rule or data objects.
The details of each change appear on the History Details display and are summarized through several standard reports.
How security auditing works
When enabled, each save operation on a rule instance or data instance (whether through a form or through an activity) triggers execution of a standard activity. The activity compares the current values of the tracked properties with their previous values, and writes a history detail instance for each value added, deleted, or updated. The history detail identifies
For aggregate properties:
pagelist(1).pagelist(1).property
), only one level of nesting is supported. Nested PageGroup mode properties are not supported.BUG-58219For rule changes, the system saves this information as an instance of the History-Rule class. For changes to data instances, the information is saved in an instance of a subclass of the History-Data- class. For example, the system records changes to access groups (Data-Admin-Operator-AccessGroup) in instances of the History-Data-Admin-Operator-AccessGroup class.
How to enable
Complete these steps for each data class or rule type that is to support security auditing. Place these two rules in a RuleSet that is available to the users to be audited.
Single Value
and aggregate properties. For aggregate properties, only one level of nested Page
mode structure is supported (for example, pagelist(1).pagelist(1).property
).Set
actions to set the properties to be tracked. For each row:
Value List
or Value Group
properties, enter an arbitrary subscript to identify one value. For Page
mode properties, enter a reference to a scalar property within the page structure. BUG-58219 and email thread from UBALDSaved
for the Trigger when field. Select TrackSecurityChanges for the activity name, and Immediately
for the Execute field.Viewing and reporting security audit details
From the History tab of a rule or data form, click History Details to see the detailed memo text created by this instance.
For a broader view of changes, run the standard list view rules:
Enter from and to values for a date range to restrict the results of these reports.
You can create custom reports or export this data. The pyLabel property identifies the property modified. The pyMemo property contains the text description of the change.
Customizing memo text
Using field value rules, you can customize or localize the memo text presented on the History Details reports for a property:
For example, to provide custom text for changes to the property pyDefaultAppName on the access group form, the Localized Label text:
Updated the application from {1} to {2}.
At run-time, this produces a memo similar to:
Updated the application from Mortgage to ConsumerLoan.
Tracking changes to aggregate properties
For aggregate properties:
When creating a field value rule for a message for a Page List
or Page Group
property:
For an example, examine the standard data transform Rule-Access-Role-Obj.pyTrackSecurityChanges. This data transform sets the property .pyPrivilegeList(1).pyPrivilege, which causes the system to track all additions and removals to pyPrivilegeList property. The Source field in the row for that property is blank, which causes the system to retrieve field value rules for the memo text. Because pyPrivilegeList is a Page List
property with a PageClass of Embed-Access-Privilege, the field value rule that tracks when a privilege is added is named:
Embed-Access-Privilege.pyPrivilege.TrackSecurityChange_Add
The Localized Label of that field value rule refers to properties for a single privilege instance:
Added privilege {.pyPrivilege} level {.pyPrivilegeLevel}.
History- base class | |
How to complete the History tab of a data form
Working with the rule History Detail display About Declare Trigger rules About Field Value rules |