Redwood Documentation


Auditing Object Changes

Objects can be changed by users and this is a potential cause of havoc. To allow you to trace and easily revert changes, the Active Auditing Module was introduced. The Active Auditing Module allows you to set up rules that either only trace changes to objects, referred to as Diff only, or trace changes and allow them to be reverted, referred to as Full auditing.

The deletion of audited objects will always be audited at Full auditing level. This allows you to revert all deletions. Note, also, that the deleted objects that have an audit rule are displayed in the Trash Can.

Note: The Active Auditing Module requires the Module.Auditing license key to be present in your license.

Object auditing does not apply when the system makes a change.

Examples of where the system makes a change are:

  • Automatically submitted process definitions, with wait events for example
  • Changes to configuration as the result of running system processes like System_Mail_Configure or SAP_ImportCcmsMonitors for example

Note: The default auditing rule on audit objects cannot be modified. It is there to audit all changes to auditing objects, so nobody can escape auditing. You cannot change an audit object and not get caught.

Tip: Auditing all triggers and process definitions is highly recommended.

Tabs & Fields

The following table illustrates the fields of each tab of Audit Rules editor dialogs.

| Tab | Field | Description |
| --- | --- | --- |
| Audit Rule | Rule Object Type | Type of object to audit. |
| Audit Rule | Level | The level of the auditing, can be Diff Only or Full Audit; Full Audit allows you to undo changes and uses more space in the database. |
| Audit Rule | Name Pattern | The name pattern to match objects to be audited. |
| Audit Rule | Name Pattern Match Type | The type of match (GLOB or regular expression) in case-sensitive or insensitive mode. |
| Audit Rule | Application Rule | Rule that allows you to match objects based on their Application; the options are listed below the table. |
| Audit Rule | Application to Match | Name of the application to match. |
| Audit Rule | Partition Pattern | The partition name pattern to match objects to be audited. |
| Audit Rule | Partition Pattern Match Type | The type of match (GLOB or regular expression) in case-sensitive or insensitive mode. |
| Audit Rule | Enabled | Enable or disable the audit rule. |
| Security | * | This is where you can specify who can access/change/remove the audit rule. |

Application Rule options:

  • All Objects - Will match an object if it has an application or not
  • Any Object In An Application - Will match an object, if it has an application
  • Exact Application - Will match objects which have the application specified (for this option, the Application field is mandatory)
  • No Application - Will match an object, if it has no application
  • Sub Application - Will match an object, if its application is a child application of the application specified in the Application field (for this option, the Application field is mandatory).

Context-Menu

Audit Rules support the following context-menu actions:

| Action | Description |
| --- | --- |
| Edit Security | Edit the security of the audit rule. |
| Delete | Delete the audit rule. |
| Export > Export | Export the audit rule into a CAR file. |
| Export > Export with related objects | Export the audit rule into a CAR file including referenced objects. |
| Promote > Promote to system | Promote the object to a remote system. |
| Promote > Edit further then promote | Edit the export rule set prior to promoting. |
| Promote | Promote the audit rule to another Redwood Server instance. |
| Edit | Edit the audit rule. |
| Disable | Disable the audit rule. |
| Show permalinks | Show links that can be used from third party audit rules to link to the object. |
| New audit rule | Create a new audit rule. |
| Filter > New Filter | Create a new audit rule filter. |
| Filter > Edit Filter | Edit current audit rule filter. |
| Filter > Delete | Delete current audit rule filter. |
| Filter > Duplicate Filter | Create a copy of the filter. |
| Filter > Export Filter | Export the filter into a CAR file. |
| Filter > Add to navigation bar | Add the filter to a navigation bar. |
| Filter > Create filter from search | Create a filter from the current IntelliSearch query. |

The following actions are available for audit entries in the Audit Trail:

| Action | Description |
| --- | --- |
| Restore to before change | Undo the selected and all subsequent changes. |
| Restore to after change | Undo all subsequent changes to the object; in other words restore the object to the state it was after the selected change. |
| Expand All | Expand all audit trail entries in the current filter. |
| Filter > New Filter | Create a new audit trail filter. |
| Filter > Edit Filter | Edit current audit trail filter. |
| Filter > Delete | Delete current audit trail filter. |

Finding Audit Entries

You can search for audit entries using the Search Audit Entries box located under your username on the top right-hand side of the user interface. This is known as IntelliSearch and allows you to specify complex queries in a simple way using prefixes. Prefixes are used to specify which property you are searching in and have short as well as long syntaxes. For example, if you want to display all audit entries created between 2:05 PM and 2:06 PM, you would use the search criteria as follows:

t:14:05-14:06

You can search more than one property, as follows:

t:14:05-14:06 u:jdoe

Note: No spaces should be entered before or after the colon (:).

See the Advanced Object Search for more information.

The following table illustrates the available prefixes for audit entries:

| Prefix | Description |
| --- | --- |
| t, time | creation time |
| o, object, objecttype | object type (case sensitive) |
| k, key, businesskey | business key |
| a, action | action, specify the code C=Created, M=Modified, D=Deleted |
| r, reason | reason for the audit entry |
| u, user | user |
| l, level | audit level, specify the level 1=Diff only, 2=Full audit |
| cb, changedbefore | (internal) search for audit entry that changed before a certain ISO-8601 period |

There are different ways of searching by time:

  • hh:mm - without a range, the default range is +/- 15 minutes.
  • hh:mm:ss - without a range, the default range is +/- 1 minute.
  • hh:mm-hh:mm or hh:mm:ss-hh:mm:ss - range is from start time to end time.
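
The prefix table and the time-range rules above, modelled as a small Python parser. This is an added example, not Redwood's code; the `day` argument and the exact lowercase prefix handling are assumptions, since the page does not say which date a bare time refers to or whether prefixes are case sensitive.

```python
import re
from datetime import datetime, timedelta

# Short and long prefixes from the table on this page, mapped to one canonical name.
PREFIXES = {
    "t": "time", "time": "time",
    "o": "objecttype", "object": "objecttype", "objecttype": "objecttype",
    "k": "businesskey", "key": "businesskey", "businesskey": "businesskey",
    "a": "action", "action": "action",
    "r": "reason", "reason": "reason",
    "u": "user", "user": "user",
    "l": "level", "level": "level",
    "cb": "changedbefore", "changedbefore": "changedbefore",
}
# Coded values documented for the action and level prefixes.
CODES = {"action": {"C": "Created", "M": "Modified", "D": "Deleted"},
         "level": {"1": "Diff only", "2": "Full audit"}}
CLOCK = re.compile(r"\d{1,2}:\d{2}(:\d{2})?")

def _clock(text, day):
    fmt = "%H:%M:%S" if text.count(":") == 2 else "%H:%M"
    return datetime.combine(day, datetime.strptime(text, fmt).time())

def time_window(value, day):
    """Return (start, end) for a t: value, applying the documented default ranges."""
    parts = value.split("-")
    if len(parts) > 2 or not all(CLOCK.fullmatch(p) for p in parts):
        raise ValueError(f"bad time value: {value!r}")
    if len(parts) == 2:                      # explicit range: start to end
        return _clock(parts[0], day), _clock(parts[1], day)
    centre = _clock(value, day)
    # hh:mm:ss defaults to +/- 1 minute, hh:mm to +/- 15 minutes.
    slack = timedelta(minutes=1 if value.count(":") == 2 else 15)
    return centre - slack, centre + slack

def parse_query(query, day):
    """Split an audit search query into {canonical property: value}."""
    criteria = {}
    for token in query.split():
        prefix, sep, value = token.partition(":")
        # A space before or after the colon leaves a token without prefix or value.
        if not sep or not value or prefix not in PREFIXES:
            raise ValueError(f"bad term {token!r}: expected prefix:value")
        name = PREFIXES[prefix]
        if name == "time":
            value = time_window(value, day)
        elif name in CODES:
            value = CODES[name][value]       # KeyError on an undocumented code
        criteria[name] = value
    return criteria
```

Resolving the window explicitly shows that a search such as t:14:05 covers 13:50 to 14:20, which matters when the same filter is applied to exported audit entries during a review.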

Reverting a change

You can freely revert a change and, even if this was a mistake, you can revert back to the change again. The following actions have been introduced:

  • Restore to before change
  • Restore to after change

Note: These two actions are also available in scripting through the methods restoreBefore and restoreAfter on the AuditObject object.

These actions are only visible if there is a record for before and after the change respectively:

  • Object Created - only Restore to after
  • Object Modified - Both before and after
  • Object Deleted - only Restore to before

Security

| Privilege | Description |
| --- | --- |
| AuditingRule.Create | Create auditing rules |
| AuditingRule.Delete | Delete auditing rules |
| AuditingRule.Edit | Edit auditing rules |
| AuditingRule.View | Access auditing rules |

You can grant privileges on two levels, Access and Admin; a privilege granted on Admin level allows the grantee to grant the privilege to other users. These privileges can be granted per partition or system-wide.

The Security tab allows you to specify which users can access, edit, and delete the auditing rule.

  • Granting and Revoking System Privileges
  • Granting or Revoking Object Privileges

Prerequisites

The Active Auditing Module requires the Module.Auditing license key to be present in your license.

Procedure

Create an audit rule

  1. Navigate to "Auditing > Audit Rules".
  2. Choose New Audit Rule from the context-menu.
  3. Select an object type in the Rule Object Type and a Level.
  4. Specify optional match criteria; refer to the Values section below.
  5. Choose Save & Close.

Revert a change

  1. Navigate to "Auditing > Audit Trail".
  2. Choose Revert to before change from the context-menu of the audit entry you would like to revert.

Values

| Field | Description | Values |
| --- | --- | --- |
| Rule Object Type | The type of object you want to audit | |
| Level | The level of auditing you want, full audit allows you to revert changes | Diff Only, Full Audit |
| Name Reg Ex | (optional) A regular expression pattern that is used to match object names | |
| Application | (optional) The application the object resides in | |
| Application Rule | Rule that allows you to match objects based on their application. | All Objects, Any Object In An Application, Exact Application, No Application, Sub Application |
| Enabled | When this is checked, the rule is enabled. | |

Application Rule values:

  • All Objects - Will match an object if it has an application or not
  • Any Object In An Application - Will match an object, if it has an application
  • Exact Application - Will match objects which have the application specified (for this option, the Application field is mandatory)
  • No Application - Will match an object, if it has no application
  • Sub Application - Will match an object, if its application is a child application of the application specified in the Application field (for this option, the Application field is mandatory).

Example

Revert changes made to a chain definition

  1. Navigate to "Auditing > Audit Rules".
  2. Choose New Audit Rule from the context-menu.
  3. Select Chain Definition (technical name of Chain Definition) as the Rule Object Type and Full Audit as the Level.
  4. Fill JCprdFin.* into the Name Reg Ex field.
  5. Fill Finance into the Application field.
  6. Select Exact Application in the Application Rule drop-down.
  7. Choose Save & Close.
  8. Navigate to "Definitions > Chains".
  9. Choose New Chain Definition, in the new window choose the Chain Definition tab and fill JCprdFinQtrRep into the Name field and select the application named Finance.
  10. Choose Save.
  11. Leave the editor window without closing it, return to the main window and navigate to "Auditing > Audit Trail". Notice the new entry for the creation of the chain definition; choose Refresh from the context-menu if you do not see the new entry.
  12. Return to the chain definition editor window, add a step and a process with the System_Info process definition.
  13. Choose Save & Close.
  14. In the main window, notice the new entries in Audit Trail; choose Revert to before change from the context-menu of the Modified entry of the chain definition.
  15. Navigate to "Definitions > Chains" and inspect the chain definition; notice that the step and the process have vanished.
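
An added Python sketch (not part of the product or its documentation) that evaluates the rule fields described on this page against candidate objects, to spot objects that a rule such as the one in this example leaves unaudited. Assumptions: patterns must match the whole object name, `app_path` is a hypothetical list of the object's application ancestry, and Sub Application is read literally as a direct child.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuditRule:
    object_type: str
    name_pattern: str
    match_type: str = "regex"              # "regex" or "glob"
    case_sensitive: bool = True
    application_rule: str = "All Objects"
    application: Optional[str] = None      # mandatory for Exact/Sub Application
    enabled: bool = True

def _name_matches(rule, name):
    # Assumption: the pattern has to cover the whole object name.
    pattern = rule.name_pattern
    if rule.match_type == "glob":
        pattern = fnmatch.translate(pattern)
    flags = 0 if rule.case_sensitive else re.IGNORECASE
    return re.fullmatch(pattern, name, flags) is not None

def _application_matches(rule, app_path):
    # app_path runs from the top-level application down to the object's own
    # application, e.g. ["Finance", "Reporting"]; [] means no application.
    mode = rule.application_rule
    if mode == "All Objects":
        return True
    if mode == "Any Object In An Application":
        return bool(app_path)
    if mode == "No Application":
        return not app_path
    if rule.application is None:
        raise ValueError(f"{mode} requires the Application field")
    if mode == "Exact Application":
        return bool(app_path) and app_path[-1] == rule.application
    if mode == "Sub Application":          # literal reading: direct child only
        return len(app_path) >= 2 and app_path[-2] == rule.application
    raise ValueError(f"unknown application rule: {mode}")

def is_audited(rule, object_type, name, app_path):
    return (rule.enabled and rule.object_type == object_type
            and _name_matches(rule, name) and _application_matches(rule, app_path))

# The rule built in the example above (constructed from its steps 3 to 6).
EXAMPLE_RULE = AuditRule("Chain Definition", "JCprdFin.*",
                         application_rule="Exact Application", application="Finance")
```

Under these assumptions, a chain definition named JCprdFinQtrRep that is saved without an application, or in a child application of Finance, falls outside the example rule and its changes would not be covered by it.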

See Also

  • Auditing User Logins
  • Default Auditing Rules
