Spira v8.2 Released: Auditability and Traceability Enhancements for Administration

23-Jul-2024 by Adam Sandman Product News

We are pleased to announce the release of the latest version (v8.2) of our award-winning SpiraTest test management system, SpiraTeam application lifecycle management platform, and SpiraPlan enterprise agile planning platform. This new version includes major enhancements that improve the auditability of administration actions in the system. This is particularly important for enterprise customers working in High Assurance industries.

Background

Spira has always included strong audit support for changes made to artifacts in the products and programs that comprise the system. For example, if you make changes to a requirement or test case, or even change the relationship between the artifacts, the changes are logged in the system:

This allows the product manager and program manager to audit all changes in the system.

In this latest version of Spira, we have now extended the same level of auditability to key system administration tasks:

  • Changes to a user's profile
  • Changes to the definition of a product role, including the defined permissions
  • Changes to the role that a user has on a product (membership)

Why Is This Functionality Important?

Keeping an audit log of all changes to user roles and permissions in a product management system is crucial for a number of compelling reasons:

  1. Security Assurance: By tracking every change made to user roles and permissions, we ensure that any unauthorized or malicious modifications are quickly identified. This is our first line of defense against security breaches, giving us the visibility needed to protect sensitive information.

  2. Accountability and Responsibility: An audit log records every change along with who made it and when it was done. This creates a culture of accountability, where users with administrative privileges are aware that their actions are being tracked, discouraging improper modifications.

  3. Regulatory Compliance: In many industries, compliance with regulations and standards is non-negotiable. Our audit logs help you meet these stringent requirements by providing a detailed record of all access control changes, ensuring you’re always audit-ready.

  4. Effective Troubleshooting: When something goes wrong, an audit log becomes invaluable. It allows us to trace back and identify if recent changes to roles and permissions are at the root of access problems or unexpected system behavior, enabling faster and more accurate troubleshooting.

  5. Streamlined Change Management: Knowing the history of role and permission changes helps manage transitions smoothly. This ensures changes are made systematically with the necessary oversight, minimizing disruptions and maintaining system integrity.

  6. Incident Response Readiness: In the event of a security incident, having a detailed audit log is critical. It provides a comprehensive timeline of changes, helping investigators understand the incident’s progression and pinpoint the actions that may have contributed to it.

  7. Organizational Transparency: Transparency is key. An audit log allows stakeholders to review changes and ensures role and permission modifications are made openly and in line with company policies.

  8. Simplified User Management: For large organizations, managing user roles and permissions can be a complex task. An audit log helps track these changes over time, making it easier to manage user access and ensure roles are correctly assigned.

  9. Historical Insight: The audit log serves as a historical record, useful for training new administrators, reviewing past decisions, and understanding the context of changes. This historical insight is essential for continuous improvement of access control policies.

  10. Prevention of Privilege Abuse: By maintaining a detailed record of changes, the audit log acts as a deterrent against potential abuse or negligence. Knowing that every action is logged ensures that administrative privileges are used responsibly.

By maintaining a detailed and thorough audit log, you can safeguard your system, streamline your operations, and ensure compliance with confidence.

System Audit Logs in Action!

To see the functionality in action, let's make some common administrative changes. Let's say that we change the permissions on one of our users (Bernard Tyler) to make them a System Administrator:

This user is currently a member of one product with the Developer role:

Let's say we add Bernard to another product as a Tester and also change his role on this product to Manager:

Finally, we decide to change the permissions associated with the Tester role:

With the new administrative auditing functionality, we can now see the changes in the System History Log:

First, let's look at the user setting change:

You can see clearly that their Admin flag has been changed.

Next, let's look at the change of role on the current product:

You can see that the user's role was changed for product PR:1. Similarly, if we click on the product role add change:

When you add a user to a product, it is listed as an Addition, with the old role shown as blank, and the new role specified.

Finally, let's look at the changes we made to the Tester product role itself:

When you look at the permissions changes, we show all of the permissions, both new and old:

This allows you to see what changes were made to the role.

All of the system audit log entries include the date/time that the change was made and which user was responsible for making the change. For further security, these audit log entries cannot be deleted, even by an administrator.