System Admin Activity Audit Report

joeuser
Kilo Contributor

I have a requirement to have a report that shows actions that system admins take on various scripts, e.g. business rules, client scripts etc., in the production instance. The report should only contain scripts which were changed directly in production and not moved from other instances.

As I understand, the audit may help with it, but I am looking for: (a) whether there is any OOB way to get a report; (b) if not, how to make script audit logs read-only to admin users, i.e. they cannot modify logs of their changes, without affecting system performance (here my understanding is that admins can delete system logs and audit records).

The main purpose of this report is to satisfy an audit requirement where changes made by admins can be reported (if any) and compared against change requests.

I would be interested in knowing how system admins are handling such audit questions.

 

Other information:

I was told that OOB Salesforce has read-only access for their admins and it does not let them modify logs for changes made by admins. I am much interested in finding such an OOB functionality in ServiceNow.

4 REPLIES

Waleska
Kilo Guru

So I didn't build a report on this, but there is a Customer Updates table ['sys_update_xml.list' in the navigation search] that I have used to track what updates were made. I created a filter on this table to show updates done "This week" on Type of "Business Rule" or "UI Policy" etc and created a favorite from it. All admins have access to this table to view updates made to the instance so I believe this is OOB without any special auditing features needed.

Also, these are all items that are tracked automatically whenever a change is made. It actually includes changes imported from a Developer Instance from what I've seen and which update set it came from.
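An added example, not part of the thread or ServiceNow's own code: it applies the filter described above (script types, recent updates) to rows exported from `sys_update_xml`, drops rows whose update set was imported from another instance, and groups what remains by user. The row shape, the sample values and the list of imported update-set names are assumptions made for illustration.

```javascript
// Script-related update types to report on (types named in the thread).
const SCRIPT_TYPES = new Set(["Business Rule", "Client Script", "UI Policy"]);

// Constructed sample rows standing in for an export of sys_update_xml.
const sampleRows = [
  { type: "Business Rule", target_name: "Set priority", update_set: "Default",
    sys_created_by: "admin.a", sys_created_on: "2024-03-04 10:15:00" },
  { type: "Client Script", target_name: "Validate phone", update_set: "REL-2024-03 import",
    sys_created_by: "admin.b", sys_created_on: "2024-03-05 08:30:00" },
  { type: "UI Policy", target_name: "Hide cost", update_set: "Default",
    sys_created_by: "admin.a", sys_created_on: "2024-02-20 16:00:00" },
  { type: "Dictionary", target_name: "u_field", update_set: "Default",
    sys_created_by: "admin.b", sys_created_on: "2024-03-06 11:00:00" },
  { type: "Client Script", target_name: "Check email", update_set: "Hotfix",
    sys_created_by: "admin.b", sys_created_on: "2024-03-06 09:00:00" },
];

// Parse "YYYY-MM-DD HH:MM:SS" as UTC; returns NaN for malformed input.
function parseStamp(s) {
  return Date.parse(String(s).replace(" ", "T") + "Z");
}

// Returns { user: ["Type: target", ...] } for script updates created on or
// after `since` whose update set is not in `importedSets` (hypothetical list
// of update sets known to have come from another instance).
function directScriptChanges(rows, importedSets, since) {
  const imported = new Set(importedSets);
  const sinceMs = parseStamp(since);
  const byUser = {};
  for (const r of rows) {
    if (!SCRIPT_TYPES.has(r.type)) continue;        // not a script artifact
    if (imported.has(r.update_set)) continue;       // moved from another instance
    const t = parseStamp(r.sys_created_on);
    if (Number.isNaN(t) || t < sinceMs) continue;   // outside the window or unparseable
    (byUser[r.sys_created_by] ||= []).push(`${r.type}: ${r.target_name}`);
  }
  return byUser;
}

console.log(directScriptChanges(sampleRows, ["REL-2024-03 import"], "2024-03-01 00:00:00"));
```

Each entry in the result can then be compared against approved change requests; a row with no matching change is the finding the audit is looking for.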

joeuser
Kilo Contributor

Thanks, Waleska. Though as an admin I can delete records from the Customer Updates table, it would be a good option to explore further.

You can potentially create an ACL and call it something like superadmin and restrict delete to superadmins on that table. Just make sure that there is someone with the superadmin role in the event something needs to be deleted.

joeuser
Kilo Contributor

I think all the roles can be managed by an admin except 'maint'. This is what we're thinking of using if it works as expected. Thanks for your inputs.