search

cap-js / audit-logging

CDS plugin providing integration to the SAP Audit Log service as well as out-of-the-box personal data-related audit logging based on annotations.
https://cap.cloud.sap/docs/guides/data-privacy
Apache License 2.0
4 stars 3 forks source link

Missing IDs when deleting a data subject details entity with renamed key names #76

Closed ck518 closed 8 months ago

ck518 commented 8 months ago

Hi!

When I delete an entity that is marked as DataSubjectDetails-entity the data modification message does not contain the ID information of the entity as soon as the key is renamed. Second issue: as soon as you rename all attributes nothing is logged at all.

Here's the example entity definition:

DB entity definition:

namespace mydb;

entity MainEntities {
    key ID          : UUID;
        name        : String;
        subEntities : Composition of many SubEntities
                          on subEntities.mainEntity = $self;
}

entity SubEntities {
    key ID         : UUID;
        name       : String;
        mainEntity : Association to MainEntities;
}

annotate MainEntities with @PersonalData: {
    EntitySemantics: 'DataSubject',
    DataSubjectRole: 'MainEntity',
} {
    ID   @PersonalData.FieldSemantics   : 'DataSubjectID';
    name @PersonalData.IsPotentiallyPersonal;
}

annotate SubEntities with @PersonalData    : {
    EntitySemantics: 'DataSubjectDetails',
    DataSubjectRole: 'MainEntity'
} {
    mainEntity @PersonalData.FieldSemantics: 'DataSubjectID';
    name       @PersonalData.IsPotentiallyPersonal;
}

In my service definition I have renamed the key of entity SubEntities from ID to renamedID: Service definition:

using {mydb as mydb} from '../../../db/mydb';

service MyAPI {

    entity RenamedMainEntities as projection on mydb.MainEntities;

    entity RenamedSubEntities as projection on mydb.SubEntities {
        key ID as renamedID,
        name,
        mainEntity
    };

}

annotate MyAPI with @(AuditLog.Operation: {
    Read  : false,
    Insert: true,
    Update: true,
    Delete: true
});

Now I send a DELETE request for a RenamedSubEntities entity. The resulting audit log message looks like this:

      [audit-log] - PersonalDataModified: {
        data_subject: { role: 'MainEntity', type: 'MyAPI.RenamedMainEntities' },
        object: { type: 'MyAPI.RenamedSubEntities', id: {} },
        attributes: [ { name: 'name', old: 'SubName1' } ],
        uuid: '61926fa9-5ef2-4342-ad74-8e83be927df2',
        tenant: 'anonymous',
        user: 'my-user',
        time: 2024-01-22T16:10:50.448Z
      }

The IDs of the data subject and the object are missing.

If I remove the renaming of key ID of the entity RenamedSubEntities the log is written as expected:

      [audit-log] - PersonalDataModified: {
        data_subject: {
          id: { ID: 'ebe91e1f-0be8-4d46-94f3-fa8a9ec9408e' },
          role: 'MainEntity',
          type: 'MyAPI.RenamedMainEntities'
        },
        object: {
          type: 'MyAPI.RenamedSubEntities',
          id: { ID: '22bb9fa8-84cd-4640-a291-e6551ef9acc6' }
        },
        attributes: [ { name: 'name', old: 'SubName1' } ],
        uuid: '43ba2244-00d1-482f-be44-494f5ef65ccf',
        tenant: 'anonymous',
        user: 'my-user',
        time: 2024-01-22T16:13:36.215Z
      }

Regarding the second issue: If you rename also the name attribute in the sub entity, nothing is logged at all:

service MyAPI {

    entity RenamedMainEntities as projection on mydb.MainEntities;

    entity RenamedSubEntities as projection on mydb.SubEntities {
        key ID as renamedID,
        name as renamedName,
        mainEntity as renamedMainEntity
    };

}

With this definition nothing is written into the audit log.

Could you please have a look into these two issues with the automatic logging of DELETE actions?

Thanks and best regards, Christian

sjvans commented 8 months ago

hi @ck518

thanks for reporting, we'll take a look asap.

best, sebastian