
Report User Login Statistics

Open msymons opened this issue 6 years ago • 2 comments

Current Behavior:

Dependency-Track v3.5.1 provides two screens that display user statistics: "LDAP Users" and "Managed Users". These screens provide useful information on (say) the count of the number of teams that each user belongs to. However, there is no information on login information. All that one can infer is that a user who is listed in "LDAP Users" has successfully logged in at least once.

This is a problem when one has users whose job role requires that they make use of Dependency-Track. But you have no idea if they are actually doing so.

Proposed Behavior:

Add sortable columns that would display:

  • Total Login Count
  • Last Login Timestamp

msymons, Sep 06 '19 11:09

Neither of these fields provides much value. They will tell you if the user has ever logged in or not, but they will not provide any indication of usage.

A JWT lasts a long time, so doesn't provide any information about last use. A user may have their own API key. These do not expire. If a user only uses the API and doesn't log in, the login count and last timestamp would be very misleading.

While I don't have an issue adding this functionality, I question the usefulness of it when referencing the audit log typically provides a lot more value.

stevespringett, Sep 07 '19 01:09

As of Alpine 2.2.5 (DT v4.11), we track the "last used" timestamp of API keys. Alpine 3.0.0 (DT v4.12) will ship with a change that allows users to customize the TTL of JWTs issued by DT.

So while the above concerns are still somewhat valid, I think the new TTL functionality can make login counts more meaningful in the context of the original enhancement request.

We could further adopt the strategy we use for API key usage tracking for this purpose. The tracking has a very minimal footprint, such that we could even track "last authenticated action" (better wording would be required).

nscuro, Aug 05 '24 18:08