SecurityListener should be notified when an ACL check is denied. If it can be done efficiently, it should also be notified when an ACL check is granted. This would allow a listener to determine which permissions are being used by whom on what.

          [JENKINS-21402] Log/notify ACL grant or deny events

          Jesse Glick added a comment -

          I.e., logging when a AccessDeniedException is thrown (mainly from ACL.checkPermission), and/or caught at top level (ExceptionTranslationFilter.handleException).

          Jesse Glick added a comment - I.e., logging when a AccessDeniedException is thrown (mainly from ACL.checkPermission ), and/or caught at top level ( ExceptionTranslationFilter.handleException ).

            Unassigned Unassigned
            jglick Jesse Glick
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: