User Auditing

For Grouper 2.5 and above, see Get Audit Entries.

Groups are often used to control access to resources or to target communications. Group attributes, memberships and privileges may change at any time with potentially important consequences, so simply knowing how a group last changed is insufficient to investigate why, for example, an individual lost access to a resource. An audit log of high level user actions allows administrators to understand the history of groups, group types and stems. Audit entries may be queried by object or the subject responsible for a change.

High-level actions are audited. For example, if a group is deleted, all of the related memberships and privileges for that group are deleted as well, but there will only be one audit entry for the group delete.

Group admin privilege is required to view the audit log.


Note that User Auditing, described here, is different from point-in-time auditing, which provides the ability to query the state of Grouper in the past. Point-in-time auditing allows you to determine all the direct and indirect members that a group had at any point in time, or to determine all the permissions a person had.

For user auditing, the following fields are stored for each user audit entry:

For each action, various additional data is stored; e.g. if a group was created, then the group ID, group name, etc. are stored.

You can import and export auditing data with the same command as the normal Grouper export, but the auditing data goes into a different file than the normal Grouper export file. You will see two different XML files.