Dataset for SOX Security Audit

BABWMajorDOMO
BABWMajorDOMO 🟡
in Ideas Exchange

Hello,

 

We would like a dataset giving visibility into the users, groups, pages, cards, and datasets for SOX auditing.  

 

I need to show which users have access to each dataset.  It would be useful to have a dataset that shows users that are members to each group, page and cards that those users and groups have access to, and which dataset each card is built off of.  Today the best I can do is take hundreds of screenshots to satisfy our audit.

 

Thanks!

5
Up
5 votes

· Last Updated

Comments

  • DJ46
    DJ46

    This is a great idea for SOX auditing. Taking screen shots for hundreds of people is NOT an ideal experience.

  • product_John
    product_John ⚪️

    Thank you for submitting this idea @BABWMajorDOMO.  I am assigning to our product manager @alexpeay for review.

  • alexpeay
    alexpeay
    Alex Peay
    Product Manager
    Domo
  • alexpeay
    alexpeay

    @BABWMajorDOMO would the audit need to know which cards a user has access to or is it more about the underlying DataSet?

     

    We can look into the card  aspects but I know with SOX they they are very explicit and I want to make sure we focus down on the area where we can make the biggest imapact. My operating assumption is that the card being a vizualization of the data will end up meaning that the key access to be controlled is the data, is that a correct assumption?

    Alex Peay
    Product Manager
    Domo
  • BABWMajorDOMO
    BABWMajorDOMO 🟡

    @alexpeay Hi Alex, thanks for the follow up.

     

    You're correct that the control would be the data itself.  So we will be responsible for categorizing what type of data is within each dataset on our end, although having the dataset description would be useful in this audit dataset.

     

    The ultimate goal is to be able to prove which user has access to what types of data, and when access for that user was added or removed.  For DOMO, I envision this as a dataset with Group->User->Page->Card->Dataset (including dataset descr)->Date->AccessType (add/remove).  To cover all bases, it might be good to have the descriptions of each card as well since that would add more context to what type of data is being made available to the user.

     

    If you can think of an elegant way to add in the PDP or Publication Group filters for that user, I'm sure that would be of great use as well!

  • alexpeay
    alexpeay

    @BABWMajorDOMO Thanks for the additional information. When it comes to SOX access audits are you also need to know not just who has access today but who has had access before.

     

    So for example if John had access for the month of April, but his access was removed on April 30 and the audit happens on May 30, you need to report that John had access in April even though he does not have access today. Is that correct?

    Alex Peay
    Product Manager
    Domo
  • BABWMajorDOMO
    BABWMajorDOMO 🟡

    Yes, I would need to know who had access in the past as well.  A current snapshot would not be enough (although it would be better than nothing).

     

    Our auditors are asking for all users that were granted access during a quarter, as well as those who had access removed during that quarter.

  • Unknown
    Unknown
This discussion has been closed.

Categories