Closed brianhks closed 11 years ago
Why?
For an audit trail. We have overly anxious security folks and requirements that access to certain systems is tracked. I'm not really familiar with how php can log. I know I can send messages to the error log but that doesn't seem appropriate for this.
I would say those overly secure folks are crazy to rely on an audit in the application for security. They should have secured/audited their environment otherwise.
(Sent as an email reply quoting Brian Hawkins' comment of Wed, Jul 3, 2013, 3:11 PM: https://github.com/rasmusbergpalm/jslate/issues/29#issuecomment-20414124)
When dealing with certain government regulations with regards to client data all systems need to audit their access. I was hoping this would be a trivial task. Just not sure how to go about it in PHP.
It is a trivial task, I just don't want it in the system. It's bloat. It's not the responsibility of jSlate. jSlate is a dashboarding system, nothing more, nothing less. Systems facing those kinds of regulations will need to implement some auditing on top of jSlate, which will be a trivial task for any sysadmin working on those kinds of systems.
(Sent as an email reply quoting Brian Hawkins' comment of Wed, Jul 3, 2013, 4:46 PM: https://github.com/rasmusbergpalm/jslate/issues/29#issuecomment-20420052)
If jslate is doing its own authentication, how am I supposed to do auditing of that without modifying jslate? Maybe the solution is to add an option for LDAP authentication and push auditing to that system.
Essentially, users in jSlate do not have anything to do with users in real life, or with authentication. They are basically dashboard containers. They could be shared in groups, etc. Any real auth/auditing will need to be implemented on top of jSlate.
I wonder if our vision of where this will be used differs some. Our use case is such that engineers can log in and create dashboards to monitor their applications. They can share those dashboards with team members and upper management. In some cases a dashboard will be made public and put on monitors around the company.
In this use case every user authenticates as themselves to get access to the dashboards (except for public ones). So my end-to-end solution is to use a Cake recipe for adding LDAP authentication and for that app to log the access. I would then add a configuration option in jslate to specify either local or LDAP authentication.
Can you share with me what your end-to-end solution would be for such a use case?
This is exactly how I envision it being used, and I think it's the most likely use case.
I still don't think that auditing is a responsibility of this system.
It's simply not a core value proposition of jSlate to restrict/audit access to information. Further, if you are in an organization that has a requirement to audit access to information, any auditing that could be implemented in jSlate would not be sufficient: it would not integrate with your model of users or your authentication/authorization scheme, and it would not integrate with your general auditing/logging framework.
You can use something like OpenID, HTTP auth, logging all the IPs in your web server, etc.
In my company we use OpenID to authenticate all access to our jSlate web server.
Your use sounds similar, but I would like to understand how you integrate OpenID into jslate. Does your OpenID identity translate into a jslate user somehow? Or are they completely separate?
The OpenID authentication is completely separate from jSlate; we only have one user on jSlate and log him in automatically.
I'll close this for now.
Users logging into the system should be logged. I would hope this could just be written to the access.log file.
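As an added example, not code from the jSlate project or from either participant in this thread: the approach suggested above (authenticate at the web server with HTTP auth or OpenID, keep a single auto-logged-in jSlate user, and let the web server log the IPs) already yields the per-user audit trail that the last comment asks for, because the Apache/nginx "combined" log format records the authenticated user in its third field and the request, status and client IP alongside it. The script below is written in Python rather than PHP because it runs outside the application, against the access log. The log lines it parses are constructed for the example (the usernames, paths and IPs are invented, not real traffic). It assumes Apache's combined format with the authenticated user populated by the front-end auth layer; if a reverse proxy terminates authentication, the client IP would have to be taken from an X-Forwarded-For header that the proxy logs instead of the first field.

```python
"""Build a per-user access audit trail from an Apache/nginx combined access log."""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format:
#   host ident authuser [date] "request" status bytes "referer" "user-agent"
# The third field is the user authenticated by HTTP Basic auth (or whatever the
# front-end auth module sets as REMOTE_USER); "-" means no authenticated user.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

# Constructed sample log (assumed, not real traffic). Dashboards live under a
# protected path; a public board is served without authentication.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jul/2013:15:11:02 -0700] "GET /jslate/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - bhawkins [03/Jul/2013:15:11:05 -0700] "GET /jslate/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.5 - bhawkins [03/Jul/2013:15:12:40 -0700] "GET /jslate/dashboard/42 HTTP/1.1" 200 9981 "-" "Mozilla/5.0"
10.0.0.9 - rpalm [03/Jul/2013:16:46:13 -0700] "POST /jslate/dashboard/42/save HTTP/1.1" 200 77 "-" "curl/7.30"
192.0.2.77 - - [03/Jul/2013:16:50:00 -0700] "GET /jslate/public/board HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
192.0.2.77 - - [03/Jul/2013:16:50:30 -0700] "GET /jslate/dashboard/42 HTTP/1.1" 401 381 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["user"] = None if ev["user"] == "-" else ev["user"]
    # Classify the request for the audit trail: a 401/403 is a denied attempt,
    # a 200 with no user is anonymous (e.g. a public dashboard), otherwise an
    # authenticated access attributable to a named person.
    if ev["status"] in (401, 403):
        ev["outcome"] = "denied"
    elif ev["user"] is None:
        ev["outcome"] = "anonymous"
    else:
        ev["outcome"] = "authenticated"
    return ev


def audit_trail(log_text):
    """Return the parsed events for every well-formed line in the log text."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]


def per_user_summary(events):
    """Collapse authenticated events into one record per user: IPs, paths, time window."""
    summary = {}
    for ev in events:
        if ev["outcome"] != "authenticated":
            continue
        s = summary.setdefault(
            ev["user"], {"ips": set(), "paths": [], "first": ev["ts"], "last": ev["ts"]}
        )
        s["ips"].add(ev["ip"])
        s["paths"].append(ev["path"])
        s["first"] = min(s["first"], ev["ts"])
        s["last"] = max(s["last"], ev["ts"])
    return summary


def denied_by_ip(events):
    """Count denied (401/403) requests per source IP, the simplest brute-force signal."""
    counts = defaultdict(int)
    for ev in events:
        if ev["outcome"] == "denied":
            counts[ev["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    events = audit_trail(SAMPLE_LOG)
    for user, s in per_user_summary(events).items():
        print(f"{user}: {s['first']:%Y-%m-%d %H:%M} .. {s['last']:%H:%M} "
              f"from {sorted(s['ips'])} -> {s['paths']}")
    print("denied requests per IP:", denied_by_ip(events))
```

The first 401 from 10.0.0.5 is the browser's unauthenticated probe before it sends credentials, so a single denial followed by a 200 for the same IP is normal for HTTP Basic auth; repeated denials with no subsequent success are what deserve attention. Because the user field is written by the web server, not by jSlate, the trail survives any change to the application's own user model.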