[Freeipa-devel] "Commit comments log" functionality in IPA

Dmitri Pal dpal at redhat.com
Thu Nov 6 21:11:50 UTC 2008


Matthew Booth wrote:
> Dmitri Pal wrote:
>   
>> Yes, I am talking about the situations when a change requires a formal
>> process. I was surprised when I faced the reality: big companies,
>> especially banks, do not do any changes until they have been approved,
>> scheduled, verified, etc. It is a complex process. This is the situation
>> when the "commit log" feature is mostly valuable.
>> Put differently, it is for the environment where the administrator is
>> not allowed to do the changes to the system when and how he thinks
>> appropriate but rather has to follow a special procedure.
>> There are a lot of such companies.
>>     
>
> This is an excellent suggestion, Dmitri. This information can be crucial
> to auditors. In general, Windows does this much better than we do, and
> the auditors appreciate it.
>
> You make a critical point in the above, which is that the primary
> purpose of this feature is to integrate with an existing corporate
> change management solution. Given this, it would be quite exceptionally
> useful to be able to include site-specific, custom, structured data in
> the log, which can be correlated against an existing corporate system.
> For example, if a customer uses HP's ServiceDesk, the ServiceDesk
> reference number would be invaluable. This will contain the complete log
> from change request, to discussion, to authorisation. There are a great
> many such systems in wide use, so the ability to integrate effectively
> with any of them would be a powerful feature.
>
> Matt
>   
Thanks for the support. I think the main argument was not about the need for 
such information but rather where it belongs.
Ultimately it belongs in a good, robust audit subsystem fully integrated 
into IPA. Here I agree with John. But we are not there yet.
The only other reasonable place to put it was to leave it in DS, and that is 
where the whole argument started. I think that this is a really simple, 
fast, interim solution with a lot of benefits.
It would be interesting to see if this argument is important from the 
perspective of the user of the IPA or not?

Thanks
Dmitri






