auditing security changes

louise rochford
Ranch Hand

Joined: Apr 04, 2002
Posts: 119
Hi all,
I need some help with keeping track of changes to the security configuration in our apps...
We're using WebSphere 5.1 with Active Directory.
If we add users to groups in AD this is done using the standard company procedures, but we may also need to change the mapping of groups to roles (rare I know, but our business users want this flexibility).
I know how to do the actual mapping change, but what I don't know is how this change gets logged in WebSphere.
I find it hard to believe that a product as big as WebSphere doesn't keep a log of such a change, but where is it?
Very grateful for any ideas.
Kyle Brown
Ranch Hand

Joined: Aug 10, 2001
Posts: 3892
Actually, Louise, we don't log this. In general we don't log any administrative changes because that's just the way the application server operates -- it's normal behavior and not an exceptional condition.

Configuration changes to anything in the console or WSAdmin (including the group/role mapping) are made by changing the master copy of the appropriate XML files in the configuration repository and then transferring those files out to the individual nodes. After the nodes have been updated there is no record of the change.

You might be able to create a log of the type you want by turning on application tracing for that subsystem on the Deployment Manager, though. You'd just have to filter out the entries from the DMgr trace log that you wanted. Sounds kind of expensive, though...


Kyle Brown, Author of Persistence in the Enterprise and Enterprise Java Programming with IBM Websphere, 2nd Edition
See my homepage at for other WebSphere information.
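
An added example, not part of the original thread and not WebSphere code: because the repository files are rewritten with no record of the change, one way to get an audit trail is to snapshot the master configuration repository before and after a change and record which files and lines differed. The directory layout, file name and XML used in `demo()` are constructed placeholders, not WebSphere's real paths or schema.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path


def snapshot(repo_root):
    """Map every file under repo_root (by relative path) to its raw bytes."""
    root = Path(repo_root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def _describe(data):
    """Return (sha256 hex digest or None, decoded text lines) for one file version."""
    if data is None:
        return None, []
    return hashlib.sha256(data).hexdigest(), data.decode("utf-8", "replace").splitlines()


def audit_changes(old, new):
    """One record per file added, removed or modified between two snapshots."""
    records = []
    for path in sorted(set(old) | set(new)):
        before, after = old.get(path), new.get(path)
        if before == after:
            continue
        action = "added" if before is None else "removed" if after is None else "modified"
        (hash_b, lines_b), (hash_a, lines_a) = _describe(before), _describe(after)
        diff = list(difflib.unified_diff(lines_b, lines_a, n=0, lineterm=""))
        # Drop the two file-header lines and the "@@" hunk markers; keep +/- lines.
        changed = [line for line in diff[2:] if not line.startswith("@@")]
        records.append({"path": path, "action": action, "sha256_before": hash_b,
                        "sha256_after": hash_a, "changed_lines": changed})
    return records


def demo():
    """Constructed sample: simplified mapping XML, not WebSphere's real schema."""
    with tempfile.TemporaryDirectory() as repo:
        mapping = Path(repo, "cells", "bindings.xml")  # hypothetical file name
        mapping.parent.mkdir(parents=True)
        mapping.write_text('<role name="approver">\n  <group name="Finance"/>\n</role>\n')
        baseline = snapshot(repo)
        mapping.write_text('<role name="approver">\n  <group name="Contractors"/>\n</role>\n')
        return audit_changes(baseline, snapshot(repo))


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Appending each record, with a timestamp and the change request number, to a write-once log kept off the application server host gives reviewers something to reconcile against the approved mapping changes.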
louise rochford
Ranch Hand

Joined: Apr 04, 2002
Posts: 119
Thanks for the quick response Kyle.
I get the impression that logging this type of change isn't standard procedure - you only give administrator access to people you trust to do things properly.
I'll see if I can get our users / security folks to agree that this concept, plus Change request documentation detailing the required mapping changes will be sufficient control.
Failing that I'll be filtering trace logs...

Many thanks again,