Auditing Admin Events

I am a part of a fairly large team. I am dealing with an issue where my account has been involved with the deactivation of other users. I am an admin on our ShotGrid and have a few more controls than an average user. I am fairly new to this tool, but I do know how to check metadata. Unfortunately, the metadata doesn’t tell me who the admin user was using my account. It only says “human user” but it doesn’t give me enough to figure out who was using my account. We have about 10-ish admins across all of our departments. Now, this could easily probably be a bug with ShotGrid, but I would like to get to the bottom of why my account was used to deactivate another user. Are there any ways to look deeper into the metadata or check any code to figure out if in fact one of the admins used my account (by accident or otherwise) or if this was simply an error with the software?

Hi @Josh

First, change your password immediately. Then, if not done already, check off the Admins Can Perform Actions As box for your user in the People page. This way, it is not possible for someone else to impersonate you in the GUI or via the API. And any existing script that would use your credentials will stop being able to authenticate.

In the Event Log Entry List page, look for actions that you want to audit and see if there is a sudo_actual_user value in the Meta Data. This will indicate who really did the action…

If your site was in dual-mode, and you turned off ShotGrid-based sign-in without inviting everyone, you will effectively disable all the users that were not sent an invitation.

Is there anything common about the users that were deactivated? Timing, context, etc.? Can you find the events related to the login of your user?

It is software, so a bug is always a possibility… But AFAIK we have nothing in our backlog regarding this type of issue or vulnerability. So the current info available in the event log entries should be accurate.

I do not know your specific context, so it is difficult to speculate more. You may need to open a ticket to have one of my colleagues investigate further.

Good luck in your search,

-Patrick

2 Likes
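
The check described in the reply above, looking at deactivation events for a `sudo_actual_user` value in the Meta Data, sketched as an added example that is not part of the original thread and is not ShotGrid's own code. The records are constructed, and the event type name, the `sg_status_list`/`dis` values and the shape of `sudo_actual_user` are assumptions about how exported event log entries look.

```python
# Constructed sample rows shaped like exported Event Log Entries.
# All names, ids and the field layout are assumptions for illustration.
def _ev(eid, target, attr, new, sudo=None):
    meta = {"attribute_name": attr, "new_value": new}
    if sudo:
        meta["sudo_actual_user"] = sudo
    return {"id": eid, "event_type": "Shotgun_HumanUser_Change",
            "user": {"type": "HumanUser", "id": 42, "name": "Josh"},
            "entity": {"type": "HumanUser", "id": target[0], "name": target[1]},
            "meta": meta}

SAMPLE_EVENTS = [
    _ev(9001, (101, "Vendor A"), "sg_status_list", "dis"),
    _ev(9002, (102, "Vendor B"), "sg_status_list", "dis",
        sudo={"type": "HumanUser", "id": 7, "name": "Admin B"}),
    _ev(9003, (103, "Vendor C"), "sg_status_list", "dis",
        sudo={"type": "ApiUser", "id": 5, "name": "vendor_sync"}),
    _ev(9004, (101, "Vendor A"), "email", "a@example.com"),   # not a status change
    _ev(9005, (104, "Vendor D"), "sg_status_list", "act"),    # activation, ignored
]

def audit_deactivations(events):
    """Return one finding per user deactivation, naming who really acted."""
    findings = []
    for ev in events:
        meta = ev.get("meta") or {}
        if ev.get("event_type") != "Shotgun_HumanUser_Change":
            continue
        if meta.get("attribute_name") != "sg_status_list" or meta.get("new_value") != "dis":
            continue
        recorded = ev.get("user") or {}
        actual = meta.get("sudo_actual_user")  # present only when someone acted "as" the user
        performed_as = bool(actual) and (
            (actual.get("type"), actual.get("id")) != (recorded.get("type"), recorded.get("id")))
        findings.append({
            "event_id": ev["id"],
            "target": (ev.get("entity") or {}).get("name"),
            "recorded_user": recorded.get("name"),
            "actual_user": (actual or recorded).get("name"),
            "actual_type": (actual or recorded).get("type"),
            "performed_as": performed_as,
        })
    return findings

if __name__ == "__main__":
    for f in audit_deactivations(SAMPLE_EVENTS):
        how = "on behalf of" if f["performed_as"] else "directly by"
        print(f'{f["event_id"]}: {f["target"]} disabled {how} {f["recorded_user"]}'
              f' (actual: {f["actual_type"]} {f["actual_user"]})')
```
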

Thank you Patrick for the response,

I changed my password as soon as I noticed the issue and set up 2-factor authentication.

We have one main person within our studio that pretty much handles most of the account setups.
We have a handful of admins that occasionally set up vendors or accounts but for the most part, it is done by one person.

This happened with all 3 events on ShotGrid:

  1. This admin user set up an account for a vendor
  2. A few days later, it was noticed that the new vendor's account was deactivated
  3. My name/account was the account that deactivated it, even though I never did such a thing.
  4. The metadata says “human-user” with no name associated with the event.

As far as timing, context and all that, I don’t even think I was on the site much that day.

We did notice that this happened once we switched over to the Autodesk login. However, I don’t believe that would have caused my account to deactivate 3 of our vendors.

I will discuss it with my team and we will see if we need to submit a ticket to Autodesk about this issue. So far, I have not seen it happen again.

Are there any recommendations on how to track metadata better in ShotGrid to hold those accountable for actions while using the software?

Thanks

Hi @Josh

Just to clarify something:

  • Were you the one that completed the last step in the migration tool?
  • Were those 3 users created prior to turning off ShotGrid authentication on the last phase of the migration?
  • If so, after their creation, were they sent invitations from the migration tool?

That is a very important step: this is where the existing user accounts are linked to the corresponding Autodesk Identity user. If invites are not sent at that time, uninvited users will be disabled when the ShotGrid authentication is turned off.

While the site is in dual mode, new users created also need to be invited… A 2-step process, required only during that phase.

-Patrick