Feature request: Security log


Fernando Najera

Aug 5, 2021, 6:26:53 AM
to scmmanager

Is there any way to keep a log of all the changes related to permissions?

In our instance of SCM Manager we keep some repositories which have sensitive code and therefore should be properly access-protected.

It would help us immensely - in case we discover that the permissions are somehow changed - if SCM Manager could keep a log of any change that could ultimately lead to a user having more (or less) access to the system or to any repository.
For example:
- adding / removing users to groups
- adding / removing global permissions to users/groups
- adding / changing role/permissions / removing users to repositories
- adding / changing role/permissions / removing groups to repositories
- ...

We don't need to log the _effect_ of each change - we understand that this is something the system doesn't provide just yet. But we would really like to know _the changes_ themselves, when they happened, and who did them.

Ideally, something like:

2021/08/05 10:22:00 user admA grants role WRITE to user UserY to repository RepoZ
2021/08/05 12:13:00 user admB adds group Group1 to repository RepoX

but even a (timestamp + user doing the changes + raw json dump before + raw json dump after the changes) could do:

2021/08/05 10:22:00 user admA changed permissions for repository RepoX from { jsonblob } to { jsonblob }

Is this already possible? If not, what do you think?

Eduard Heimbuch

Aug 5, 2021, 8:01:31 AM
to scmmanager
Hey Fernando,

Nice idea to keep track of security-related actions like permission changes. We do not have something like this implemented yet, but it should definitely be possible.

The easiest solution I can think of would be to create an event subscriber which holds a log store and listens to different events regarding permission changes. Then simply catch each event and add an entry to the log store. You could see the log file in XML format inside your scm-home folder. Or you could even create a new REST endpoint to download the log file directly, and maybe even filter it by date or whatever you like.

How does this sound to you? Could you describe your specific use case a little more, so we can think about whether there is a better implementation?

Best regards,
Eduard Heimbuch
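The core of such a subscriber is turning the "before" and "after" state of a repository's permission list into the kind of log lines Fernando asked for (timestamp, acting user, what changed, no evaluation of the effect). The following is an added illustration, not code from SCM-Manager or from anyone in this thread; it assumes permission entries shaped like SCM-Manager's REST representation (field names name, role, verbs, groupPermission are assumptions), and it leaves the event wiring and the log store aside.

```python
from datetime import datetime, timezone

# Constructed sample: a repository's permission list before and after an edit.
# The field names (name/role/verbs/groupPermission) are assumed, not from the thread.
BEFORE = [
    {"name": "UserX", "role": "READ", "verbs": [], "groupPermission": False},
    {"name": "UserZ", "role": "OWNER", "verbs": [], "groupPermission": False},
    {"name": "Group1", "role": "WRITE", "verbs": [], "groupPermission": True},
]
AFTER = [
    {"name": "UserX", "role": "READ", "verbs": [], "groupPermission": False},
    {"name": "UserY", "role": "WRITE", "verbs": [], "groupPermission": False},
    {"name": "Group1", "role": None, "verbs": ["read", "pull"], "groupPermission": True},
]


def _index(perms):
    """Key entries by (subject kind, subject name); a subject holds one entry per repository."""
    return {("group" if p.get("groupPermission") else "user", p["name"]): p for p in perms}


def _role(p):
    """Custom permissions carry no role name, only a verb list, so describe those explicitly."""
    return p.get("role") or "custom verbs " + ",".join(sorted(p.get("verbs") or []))


def permission_changes(repo, before, after):
    """Describe what changed between two snapshots, in a stable order, without evaluating the effect."""
    old, new = _index(before), _index(after)
    changes = []
    for kind, name in sorted(old.keys() | new.keys()):
        o, n = old.get((kind, name)), new.get((kind, name))
        if o is None:
            changes.append(f"grants role {_role(n)} to {kind} {name} to repository {repo}")
        elif n is None:
            changes.append(f"revokes role {_role(o)} from {kind} {name} on repository {repo}")
        elif _role(o) != _role(n):
            changes.append(f"changes role of {kind} {name} on repository {repo} from {_role(o)} to {_role(n)}")
    return changes


def audit_lines(actor, repo, before, after, when=None):
    """Prefix every change with timestamp and acting user, matching the requested log format."""
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y/%m/%d %H:%M:%S")
    return [f"{stamp} user {actor} {c}" for c in permission_changes(repo, before, after)]


if __name__ == "__main__":
    for line in audit_lines("admA", "RepoX", BEFORE, AFTER, datetime(2021, 8, 5, 10, 22)):
        print(line)
```

Unchanged entries (UserX) produce no line, and a switch from a named role to custom verbs is reported rather than silently treated as "no role".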