Petanque Life

Audit Log & Compliance Retention

F16.09 8 features Planned

In brief

Append-only structured audit logging across the entire petanque platform: 13 domain categories unified in one searchable collection, extended trails for discipline and finance domains, full-text search via auto-generated search_text, indefinite retention for compliance on the GDPR Art. 6(1)(f) basis, GDPR data-export integration, right-to-erasure anonymisation that preserves the audit row and per-field PII classification with a public schema endpoint.

How it works

Every meaningful action in the platform routes through a central write_audit_log service that persists to a unified AuditLog collection. The schema is fixed: domain (one of 13 categories — IDENTITY, LICENSE, COMPETITION, FINANCE, DISCIPLINARY, CAPABILITY, ...), action, entity_type, entity_id, actor_id, tenant_id, timestamp, IP, user-agent, details payload and an auto-generated search_text field. The contract is append-only and immutable — there is no update or delete endpoint and the underlying collection has no expireAfterSeconds TTL — so a forensic investigator can trust the trail end to end.

Reads go through GET /audit-log/ with filters, plus dedicated entity-trail and actor-trail endpoints that list every action against a record or by a user. The /audit-log/search?q= endpoint runs a case-insensitive regex query (Cosmos DB compatible) over search_text with domain and date filters and cursor pagination, so an admin looking for everything that touched a contested license number gets it without writing a query.
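The write path and the search path described above, as an added illustration that is not the platform's own code: an in-memory stand-in for the AuditLog collection, a write_audit_log that only ever appends and generates search_text, and a search that escapes the caller's q so it is matched literally (that escaping is an assumption on my part; the page only says the query is a case-insensitive regex). AuditLog, AUDIT_LOG and build_search_text are constructed names.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for the platform's unified AuditLog record.
@dataclass
class AuditLog:
    domain: str
    action: str
    entity_type: str
    entity_id: str
    actor_id: Optional[str]
    tenant_id: str
    timestamp: datetime
    ip: str
    user_agent: str
    details: dict
    search_text: str

AUDIT_LOG = []  # in-memory stand-in for the collection

def build_search_text(domain, action, entity_type, entity_id, details) -> str:
    """Flatten the fields an admin searches on into one lowercase string."""
    parts = [domain, action, entity_type, entity_id]
    parts += [f"{k}={v}" for k, v in sorted(details.items())]
    return " ".join(str(p) for p in parts).lower()

def write_audit_log(domain, action, entity_type, entity_id, actor_id, tenant_id,
                    ip, user_agent, details, timestamp=None) -> AuditLog:
    """Append-only: this is the only function that touches AUDIT_LOG, and it only appends."""
    entry = AuditLog(domain, action, entity_type, entity_id, actor_id, tenant_id,
                     timestamp or datetime.now(timezone.utc), ip, user_agent, dict(details),
                     build_search_text(domain, action, entity_type, entity_id, details))
    AUDIT_LOG.append(entry)
    return entry

def search_audit_log(q, domain=None, since=None, cursor=0, limit=50):
    """Case-insensitive regex search over search_text with domain/date filters and
    cursor pagination. q is escaped so it matches literally: the caller never
    controls the regex itself (assumed hardening, not stated on the page)."""
    pattern = re.compile(re.escape(q), re.IGNORECASE)
    hits = [e for e in AUDIT_LOG
            if pattern.search(e.search_text)
            and (domain is None or e.domain == domain)
            and (since is None or e.timestamp >= since)]
    page = hits[cursor:cursor + limit]
    next_cursor = cursor + limit if cursor + limit < len(hits) else None
    return page, next_cursor
```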

Discipline and finance get extended trails layered on top of the central write. DisciplinaryAuditEntry adds IP, user-agent and entity_type plus a 30-action enum spanning case lifecycle, hearing, sanction, appeal, ADR and CAS escalation; write_discipline_audit dual-writes to both the extended store and the central log so cross-domain queries still work. write_finance_audit covers all 80+ FinancialAuditAction types with enriched amount/currency in details. Retention is unlimited (AUDIT_LOG_RETENTION_DAYS=0) on the legal basis of GDPR Art. 6(1)(f); a validate_retention_policy service flags any tenant trying to set non-compliant policies.

GDPR integration runs on top: export_audit_logs_for_user collects every entry where the user is actor and surfaces them through GET /me/data-export (Art. 20). For Art. 17 erasure, anonymise_audit_logs_for_user replaces PII in place — actor_id → null, IP → 0.0.0.0, UA → ANONYMISED, marked PII keys in details → ANONYMISED — and sets is_anonymised, never deleting the row so the audit trail's integrity stays intact. PII fields are classified per-field through a PIICategory enum (identity / network / behavioural / contextual) with json_schema_extra tags, an AuditLog.pii_fields() classmethod, ANONYMISATION_RULES and a public schema endpoint at /audit-log/pii-schema.

Key capabilities

  • Unified AuditLog collection with 13 domain categories and append-only immutable contract
  • Central write_audit_log service plus dedicated entity-trail and actor-trail read endpoints
  • Full-text search via auto-generated search_text and Cosmos-compatible regex query
  • Extended discipline trail with 30-action enum and IP/UA enrichment, dual-written to central log
  • Extended finance trail covering 80+ action types with amount and currency details
  • Indefinite retention with validate_retention_policy guard against non-compliant tenant configs
  • GDPR Art. 20 data-export integration that includes the user's audit trail
  • GDPR Art. 17 erasure via in-place anonymisation that preserves the audit row
  • Per-field PII classification with PIICategory enum and public PII-schema endpoint

In practice

A federation receives an Art. 15 access request from a former player. Support runs GET /me/data-export against the user's account; the export bundles their profile, license history, payment trail and 1,247 audit-log entries where they were the actor, signs the download URL for seven days and emails the link. A month later the same user files an Art. 17 erasure request with email confirmation.

After the 30-day grace period, the deletion job anonymises the player's profile and runs anonymise_audit_logs_for_user across all 1,247 entries: actor_id is nulled, IPs are zeroed to 0.0.0.0, user-agent strings and marked PII keys in details are replaced with ANONYMISED, and is_anonymised flips to true. Discipline and compliance can still see that an action happened, when, and in which domain, but no longer who.
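The anonymisation flow from the passage above and from the Art. 17 description in "How it works", as an added example that is not the project's code: dataclass field metadata stands in for the json_schema_extra PII tags, pii_fields() derives the public schema from it, and anonymise_audit_logs_for_user rewrites PII in place while keeping every row. The shape of ANONYMISATION_RULES and the DETAILS_PII_KEYS set are assumptions; the page names them but does not show them.

```python
from dataclasses import dataclass, field, fields
from enum import Enum
from typing import Optional

class PIICategory(str, Enum):
    IDENTITY = "identity"
    NETWORK = "network"
    BEHAVIOURAL = "behavioural"
    CONTEXTUAL = "contextual"

# Constructed stand-in for the platform's AuditLog model; dataclass metadata
# plays the role of the json_schema_extra PII tags.
@dataclass
class AuditLog:
    domain: str
    action: str
    entity_id: str
    actor_id: Optional[str] = field(default=None, metadata={"pii": PIICategory.IDENTITY})
    ip: str = field(default="", metadata={"pii": PIICategory.NETWORK})
    user_agent: str = field(default="", metadata={"pii": PIICategory.BEHAVIOURAL})
    details: dict = field(default_factory=dict, metadata={"pii": PIICategory.CONTEXTUAL})
    is_anonymised: bool = False

    @classmethod
    def pii_fields(cls) -> dict:
        """Field name -> PII category, i.e. what the public pii-schema endpoint exposes."""
        return {f.name: f.metadata["pii"].value for f in fields(cls) if "pii" in f.metadata}

# Assumed shape of the per-field replacement rules (not taken from the page).
ANONYMISATION_RULES = {"actor_id": None, "ip": "0.0.0.0", "user_agent": "ANONYMISED"}
DETAILS_PII_KEYS = {"email", "name", "phone"}  # assumed set of PII-marked detail keys

def anonymise_audit_logs_for_user(logs, user_id):
    """Rewrite PII in place for every entry where user_id is the actor.
    No row is removed, so the count and ordering of the trail are unchanged."""
    touched = 0
    for entry in logs:
        if entry.actor_id != user_id or entry.is_anonymised:
            continue
        for name, replacement in ANONYMISATION_RULES.items():
            setattr(entry, name, replacement)
        for key in list(entry.details):  # only marked keys; amounts etc. stay
            if key in DETAILS_PII_KEYS:
                entry.details[key] = "ANONYMISED"
        entry.is_anonymised = True
        touched += 1
    return touched
```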

Features of this subsystem

ID Status Features
F16.09.01 Delivered Structured audit log via Craft Easy: unified cross-domain AuditLog collection with 13 domain categories, central write service (write_audit_log), read endpoints (GET /audit-log/, entity trail, actor trail), append-only immutable contract. Implemented (PL-F1609a): AuditLog model with domain/action/entity_type/entity_id/actor_id/details/search_text, 7 composite indexes, tenant-scoped. ✅ PL-F1609a
F16.09.02 Delivered Extended logging for disciplinary cases: extended DisciplinaryAuditEntry with ip_address, user_agent, entity_type, DisciplinaryAuditAction enum (30 actions: case lifecycle, hearing, sanction, appeal, ADR, CAS), dual-write to the central audit log via write_discipline_audit. Implemented (PL-F1609a). ✅ PL-F1609a
F16.09.03 Delivered Extended logging for finance mutations: write_finance_audit service that writes to both FinancialAuditLog and the central AuditLog, enriched details with amount/currency, coverage for all 80+ FinancialAuditAction types. Implemented (PL-F1609a). ✅ PL-F1609a
F16.09.04 Delivered Audit log search with free text: search_text field with auto-generated searchable text, regex-based case-insensitive search (Cosmos DB compatible), GET /audit-log/search?q= endpoint with domain/date filters, pagination. Implemented (PL-F1609a). ✅ PL-F1609a
F16.09.05 Delivered Unlimited audit retention: AUDIT_LOG_RETENTION_DAYS=0 (indefinite), validate_retention_policy service flags non-compliant tenant policies, GET /audit-log/retention endpoint. No TTL indexes, no expireAfterSeconds. Legal basis: GDPR Art. 6(1)(f). Implemented (PL-F1609b). ✅ PL-F1609b
F16.09.06 Delivered GDPR data export includes audit logs: export_audit_logs_for_user service collects all entries where the user is the actor, integrated into GET /me/data-export (Art. 20). Implemented (PL-F1609b). ✅ PL-F1609b
F16.09.07 Delivered GDPR right to erasure (anonymisation): anonymise_audit_logs_for_user replaces PII (actor_id→null, ip→0.0.0.0, UA→ANONYMISED, PII keys in details→ANONYMISED) without deletion. is_anonymised flag. Integrated into POST /data-deletion-requests/{id}/process. Implemented (PL-F1609b). ✅ PL-F1609b
F16.09.08 Delivered Per-field PII classification: PIICategory enum (identity/network/behavioural/contextual), json_schema_extra PII tags, AuditLog.pii_fields() classmethod, ANONYMISATION_RULES, GET /audit-log/pii-schema endpoint. Implemented (PL-F1609b). ✅ PL-F1609b