In a nutshell, audit is the process of logging each and every transaction - all authentications and all authorizations, adding and modifying users or data in the system, etc.
Any application dealing with health information has to come to terms with maintaining an audit trail, and those that consider it during the early stages of development fare better. Just like authentication and authorization, the security framework should provide "hooks" for application developers to add log entries.

But it gets tricky, and I am not convinced that audit should be built in - it might be better left as a 'third party' extension. Think about a group of audit repositories that wait until their buffer of logs is full before actually sending them to the central repository. This is clearly a very specific implementation of auditing that would probably be better suited for those that _really_ need Big Brother power.

But, even if only the notion of auditing is present in a security framework, if it provides the end user a means to add auditing, it will have more value than the JAAS.

Try a Google search for "authentication authorization audit" and "HIPAA" for LOTS more info. (That's the Health Insurance Portability and Accountability Act of 1996, btw.)

jeffa

--- brian moseley <[EMAIL PROTECTED]> wrote:
> On Wed, 31 Oct 2001, Jeff Anderson wrote:
>
> > I just want to note that JAAS is not JAAAS - JAAS only
> > covers Authentication and Authorization, not the third A
> > - Audit.
>
> can you talk more about what "audit" means?
