Account Auditing is a big thing these days. Especially in industries like healthcare where you have HIPPA regulations. You might say some of us have gotten spoiled by the level of detail available to know what user's have done while logged into a system. Well that is the case for me and I would like to see more detail in Orion User activity logging, in general.
Among other similar Feature Requests is .
My headache today is trying to figure out who was logged in when a change was made to an Orion user account that should not have been made. It is great that SolarWinds provides auditing that shows when someone logs in and when they log out. However if they close the window(s) where they were logged in, there is no record in the audit log. While the audit entry could and should be called something different, like <username> session has ended, there should be a record that this occurred.
Let me add that inheriting an Orion environment where the previous "Admin" gave out permissions like candy makes it difficult to rein in those permissions as we all know. Once they have it, it is tough to take it away. So I also want to know when anyone changes anything about any user account. If nothing else, it give me ammunition to explain to management why it needs to be reined in.
I had a situation a while back where a certain permission was removed from all accounts. 3 accounts retained it for Admin coverage reasons. Users were informed of this change and why. Yet one user decided he still needed it and because he had overall Orion Admin privileges, he changed it back. (At this point I had not been able to convince management to allow me to rein in that huge permission.) Of course, since that occurrence, now only a few have overall Orion Admin privileges. But there was nothing in Orion that said who exactly changed the original permission back. Therefore it was more-or-less a guessing game to figure out whodunit. It had been previously made clear that only 3 of use were allowed to make the change. I did check with the other other two and they hadn't changed it. Then it was a guess that the user himself did it since he, technically, had "Allow Admin Rights". We asked and he admitted to it. If he hadn't, it could have been any of the 20 or so others that had that permission. A better audit trail would have left no question and saved time.
Again, in general there need to be improvements in this area. I have mention one here. The permissions post above is another. What else to you see as being needed in this area?
