Requested feature: Auditing
Moderator: SourceGear
Requested feature: Auditing
As far as I can tell, there is no means to determine when a user got latest on a file or folder. For security and auditing purposes, this would be useful information to have.
Re: Requested feature: Auditing
Your options currently would be to:
1) Turn on debug level logging and have something watch the log file for users performing a Get. Or, if you only really need to see the logins, then you could leave the level at Quiet and see the logins.
2) Turn on Notifications. It won't say when you perform a Get, but it can tell when a person logs in.
Beth Kieler
SourceGear Technical Support
Re: Requested feature: Auditing
I understand that you are providing workarounds for achieving the equivalent using the existing tools. However, neither of those solutions are ideal. Natively we have a record of check-ins. It seems logical to want a list of Gets.
Beth wrote:
Your options currently would be to:
1) Turn on debug level logging and have something watch the log file for users performing a Get. Or, if you only really need to see the logins, then you could leave the level at Quiet and see the logins.
2) Turn on Notifications. It won't say when you perform a Get, but it can tell when a person logs in.
Re: Requested feature: Auditing
I can put in a feature request, but so that we understand better what is needed, can you explain how this would be used?
You mentioned Security, but it would be possible to have you see what all users' rights are for either the repository or folders. In addition, a logged in user could view data without actually running the Get command.
Beth Kieler
SourceGear Technical Support
Re: Requested feature: Auditing
How can a logged-in user view the data without pulling the data? They can obviously view what they have already pulled from source. To be clear, what I'm seeking is an audit of every request to pull a file to be viewed/edited. I presume this is the Get Latest command. The scenario is that there is a suspicion that a developer has connected to the source control system after they were released. We can obviously use the Windows logs to determine if they logged into AD but if we determine they were, the next question is "to what did they have access and what did they actually access?" It is this latter question to which I'd like to be able to answer.
Beth wrote:
I can put in a feature request, but so that we understand better what is needed, can you explain how this would be used?
You mentioned Security, but it would be possible to have you see what all users' rights are for either the repository or folders. In addition, a logged in user could view data without actually running the Get command.
Re: Requested feature: Auditing
It does pull the data down, but it's not actually performing a Get Latest. I guess it might be possible to see all data requested by a user machine instead of just what happens in the Get Latest command. Either way, I can put in a feature request for this.
What you can do right now to help your situation is:
1) Immediately make the developer inactive. This should be one of the steps performed either before the actual notice or within seconds of receiving notice. That is performed by going into the Vault admin web page, click on users, then click on the user name, and change the setting from Active to Inactive. Then the user can no longer login or access anything. If you need to use that user's login for something, it can be dealt with by changing the user's login name and password, though really, all stuff can be dealt with without that user being active.
2) If you use Active Directory logins, then the user should be disabled in Active Directory as well. If using AD logins with Vault, then when their AD login fails, the user can't get into Vault.
3) If the user had access to admin passwords, change the admin passwords.
4) Besides seeing if the user logged in with the AD logs, you can see if the user logged in with the Vault server logs. Check logs for logins after the user was released.
5) Vault security reports will indicate to you what the user had access to. You can additionally remove all access for that user's username. In the Vault admin web page where you can view the list of all the users are links to View Access Rights. Click that to see what the user had access to. You can then go to each repository under Source Control Repositories and click on Repository Access and set the user to No Access.
Beth Kieler
SourceGear Technical Support
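Added example, not part of the original thread and not SourceGear code: one way to script the log checks suggested above (watching the server log for Gets, and looking for logins after the user was released). The line layout, user names, paths and addresses are constructed for illustration and are not Vault's documented log format; adjust `LINE_RE` to match the real server log.

```python
import re
from datetime import datetime

# Assumed layout (constructed, not Vault's documented format):
#   "<YYYY-MM-DD HH:MM:SS> <user> <client-ip> <operation> [path]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<user>\S+) (?P<ip>\S+) (?P<op>Login|Logout|Get)(?: (?P<detail>.*))?$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2024-03-01 09:12:44 jdoe 10.0.0.21 Login
2024-03-01 09:13:02 jdoe 10.0.0.21 Get $/Billing/src/Invoice.cs
2024-03-04 17:00:00 asmith 10.0.0.34 Login
2024-03-06 22:41:19 JDoe 203.0.113.7 Login
2024-03-06 22:41:57 JDoe 203.0.113.7 Get $/Billing/src
2024-03-06 22:45:10 jdoe 203.0.113.7 Logout
malformed line that must be reported, not silently dropped
"""

def activity_after(log_text, user, cutoff):
    """Return (events, unparsed_line_numbers) for `user` at or after `cutoff`."""
    events, unparsed = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(lineno)  # an audit should account for every line
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        # Compare user names case-insensitively so "JDoe" is not missed.
        if m["user"].lower() == user.lower() and ts >= cutoff:
            events.append((ts, m["ip"], m["op"], m["detail"] or ""))
    return events, unparsed

def summarize(events):
    """Collapse events into the source addresses seen and the paths fetched."""
    return {
        "logins": sum(1 for e in events if e[2] == "Login"),
        "source_ips": sorted({e[1] for e in events}),
        "paths_fetched": sorted({e[3] for e in events if e[2] == "Get"}),
    }

if __name__ == "__main__":
    released = datetime(2024, 3, 5, 0, 0, 0)  # constructed release time
    found, bad = activity_after(SAMPLE_LOG, "jdoe", released)
    print(summarize(found), "unparsed lines:", bad)
```

As noted in the thread, Get entries are only written at debug-level logging, and data viewed without running Get Latest will not show up as a Get.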