Hi all, I need some help with keeping track of changes to the security configuration in our apps... We're using WebSphere 5.1 with Active Directory. If we add users to groups in AD this is done using the standard company procedures, but we may also need to change the mapping of groups to roles (rare, I know, but our business users want this flexibility). I know how to do the actual mapping change, but what I don't know is how this change gets logged in WebSphere. I find it hard to believe that a product as big as WebSphere doesn't keep a log of such a change, but where is it? Very grateful for any ideas. Cheers, Louise
Actually, Louise, we don't log this. In general we don't log any administrative changes because that's just the way the application server operates -- it's normal behavior and not an exceptional condition.
Configuration changes to anything in the console or WSAdmin (including the group/role mapping) are made by changing the master copy of the appropriate XML files in the configuration repository and then transferring those files out to the individual nodes. After the nodes have been updated there is no record of the change.
You might be able to create a log of the type you want by turning on application tracing for that subsystem on the Deployment Manager, though. You'd just have to filter out the entries from the DMgr trace log that you wanted. Sounds kind of expensive, though...
Thanks for the quick response Kyle. I get the impression that logging this type of change isn't standard procedure - you only give administrator access to people you trust to do things properly. I'll see if I can get our users / security folks to agree that this concept, plus Change request documentation detailing the required mapping changes will be sufficient control. Failing that I'll be filtering trace logs...
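
Because the thread says mapping changes are just edits to XML files in the master configuration repository, with no record kept afterwards, one way to get an audit trail is to snapshot those files on a schedule and diff the role-to-group pairs. The sketch below is an added example, not code from the thread or from IBM; the XML layout, element names, file path and function names are constructed for illustration and are not WebSphere's actual schema.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample snapshots; the element and attribute names are
# hypothetical and do NOT reproduce WebSphere's real binding-file schema.
BEFORE = {"app1/bindings.xml": """<bindings>
  <role name="Approver"><group name="CN=Finance,DC=example,DC=com"/></role>
  <role name="Viewer"><group name="CN=Staff,DC=example,DC=com"/></role>
</bindings>"""}
AFTER = {"app1/bindings.xml": """<bindings>
  <role name="Approver"><group name="CN=Finance,DC=example,DC=com"/>
    <group name="CN=Contractors,DC=example,DC=com"/></role>
  <role name="Viewer"/>
</bindings>"""}


def digest(text):
    """SHA-256 of a file's text, used to skip unchanged files cheaply."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def role_bindings(xml_text):
    """Return the set of (role, group) pairs found in one snapshot."""
    root = ET.fromstring(xml_text)
    return {(role.get("name"), group.get("name"))
            for role in root.iter("role") for group in role.iter("group")}


def audit(before, after):
    """Compare two {path: xml_text} snapshots and return audit records."""
    records = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old is not None and new is not None and digest(old) == digest(new):
            continue  # unchanged file, nothing to record
        old_pairs = role_bindings(old) if old else set()
        new_pairs = role_bindings(new) if new else set()
        for role, group in sorted(new_pairs - old_pairs):
            records.append((path, "ADDED", role, group))
        for role, group in sorted(old_pairs - new_pairs):
            records.append((path, "REMOVED", role, group))
        if old_pairs == new_pairs:
            # File changed but the bindings did not: flag for manual review.
            records.append((path, "CHANGED_OTHER", None, None))
    return records


if __name__ == "__main__":
    for record in audit(BEFORE, AFTER):
        print(record)
```

Each record can be matched against the change request that authorised it; a record with no matching request is the case to investigate.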