Closed mike-marcacci closed 3 years ago
This is one possible strategy I've had bouncing around in my head. This mostly answers the question "who has viewed what, and when", although by not reporting which fields of which entity were displayed, it potentially over-reports.
The real challenge here is the volume of requests in access logs. Currently, we keep this kind of information (and much, much more) in systems designed specifically for this purpose (either ELK or Stackdriver, depending on the system).
A better approach may be to simply provide tools and/or guidance on how to effectively use structured logging tools with AuthX to accomplish the goals here.
The main driver of this feature was solved by #72. This issue does describe some additional functionality that is usually accomplished via logging in the actual implementing app, which could be reintroduced as a new ticket if needed.
One of the final pieces for AuthX 2.0 is the creation and publication of an audit log. The schema itself already enforces this for writes, but we are currently not tracking reads or failed attempted writes.