Add Auditable Activity Log for User Roles and Permissions

Rodney Jonathan

Problem statement

  • At present, Cin7 does not provide a traceable record of who granted, modified, or revoked user roles and permissions. When a user is given admin access or when roles/permissions are changed, it is difficult to determine who performed the change. This hampers investigations and security accountability.

Proposed solution

  • Introduce an immutable, timestamped audit log that records all changes to user accounts, including roles and permissions, with the following attributes:
    • Actor: the user who performed the action (user ID, name, and role)
    • Target: the user whose permissions/roles were changed (user ID and current/previous roles)
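
An added illustration, not part of the original post and not Cin7's implementation: one way to make the proposed log tamper-evident is to chain every entry to the hash of the one before it, so that an edited, reordered, or dropped record is detectable. The class, field names, and sample users below are assumptions built from the Actor and Target attributes listed above.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor used as prev_hash of the first entry

def _digest(body):
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()  # canonical form
    return hashlib.sha256(raw).hexdigest()

class RoleAuditLog:
    """Append-only log (hypothetical); each entry commits to its predecessor's hash."""
    def __init__(self):
        self._entries = []

    def record(self, action, actor, target, timestamp=None):
        body = {
            "seq": len(self._entries),
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "action": action,   # "grant", "modify" or "revoke"
            "actor": actor,     # who made the change: user ID, name, role
            "target": target,   # whose access changed: user ID, previous/current roles
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append(dict(body, hash=_digest(body)))
        return self._entries[-1]["hash"]

    def entries(self):
        # Return deep copies so callers cannot alter stored records
        return json.loads(json.dumps(self._entries))

def verify(entries):
    """Return the index of the first entry that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev_hash") != prev or _digest(body) != e.get("hash"):
            return i
        prev = e["hash"]
    return None

def build_sample_log():
    # Constructed sample data, not real accounts
    log = RoleAuditLog()
    admin = {"user_id": "u-001", "name": "Alice Example", "role": "Owner"}
    log.record("grant", admin, {"user_id": "u-042", "previous_roles": ["Sales"],
               "current_roles": ["Sales", "Admin"]}, "2024-01-01T09:00:00+00:00")
    log.record("revoke", admin, {"user_id": "u-042", "previous_roles": ["Sales", "Admin"],
               "current_roles": ["Sales"]}, "2024-01-02T09:00:00+00:00")
    return log
```

A hash chain makes edits detectable rather than impossible: the most recent hash has to be stored somewhere the administrators being audited cannot rewrite, otherwise the whole chain can be recomputed after a change.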
