When a member is added to a group, Grouper stores the action in the audit log with the ACT_AS_MEMBER_ID field set to the logged-in user. However, removing a user stores the entry with ACT_AS_MEMBER_ID set to the GrouperSystem subject. In both cases, the LOGGED_IN_MEMBER_ID field is the logged-in user.
The recent activity page in the UI queries the act_as_member_id to populate its list of recent actions. Thus, membership adds show up under the user's recent activity, but deletes show up under GrouperSystem's.
UiV2Group::removeMembers performs member removals as GrouperSystem, with the source code comment "subject has update, so this operation as root in case removing affects the membership". So the audit logging is working as designed. However, the result is unexpected for users, who can see their member adds but not their deletes.
- Load the sample quick start data
- Log in as GrouperSystem
- Create test group qsuob:test:AdminAccess
- Grant admin to "babe" (Barry Benson)
- In Tomcat, add "babe" to the tomcat-users.xml if needed
- In a different browser, log in as "babe"
- Go to qsuob:test:AdminAccess
- Add bawi (Barry Windsor) as member
- Remove Barry Windsor as member
- Go to Recent Activity
- Recent activity for Barry Benson shows: Added Barry Windsor as a member of the AdminAccess group.
- Recent activity for GrouperSystem shows: Deleted Barry Windsor as a member of the AdminAccess group.
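
The attribution gap described above, as an added example that is not Grouper's own code: a simplified, constructed `audit_entry` table in SQLite shows what a recent-activity query returns when it filters on ACT_AS_MEMBER_ID versus LOGGED_IN_MEMBER_ID, and how to list entries where the two differ. The table name, member IDs, rows and function names are assumptions; only the two field names come from the report.

```python
import sqlite3

# Constructed sample rows: (act_as_member_id, logged_in_member_id, description).
# Member IDs are made up; they mirror the reproduction steps above.
ROWS = [
    ("m-GrouperSystem", "m-GrouperSystem", "Created group qsuob:test:AdminAccess."),
    ("m-babe", "m-babe",
     "Added Barry Windsor as a member of the AdminAccess group."),
    ("m-GrouperSystem", "m-babe",
     "Deleted Barry Windsor as a member of the AdminAccess group."),
]

def build_db(rows=ROWS):
    """Create an in-memory stand-in for the audit table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE audit_entry (id INTEGER PRIMARY KEY, "
        "act_as_member_id TEXT, logged_in_member_id TEXT, description TEXT)"
    )
    db.executemany(
        "INSERT INTO audit_entry "
        "(act_as_member_id, logged_in_member_id, description) VALUES (?, ?, ?)",
        rows,
    )
    return db

def recent_activity(db, member_id, column):
    """Return descriptions for one member, filtering on the chosen field."""
    if column not in ("act_as_member_id", "logged_in_member_id"):
        raise ValueError("unsupported filter column")
    sql = f"SELECT description FROM audit_entry WHERE {column} = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (member_id,))]

def acted_as_other(db):
    """Entries where the acting subject is not the authenticated user."""
    sql = (
        "SELECT logged_in_member_id, act_as_member_id, description "
        "FROM audit_entry WHERE act_as_member_id <> logged_in_member_id "
        "ORDER BY id"
    )
    return db.execute(sql).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("by act_as:   ", recent_activity(db, "m-babe", "act_as_member_id"))
    print("by logged_in:", recent_activity(db, "m-babe", "logged_in_member_id"))
    print("mismatches:  ", acted_as_other(db))
```

Filtering on the logged-in field attributes both the add and the delete to the user who performed them, which is the view an auditor reviewing a user's actions needs.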