Users unexpectedly lost access rights that they had previously. After looking into this further, it was determined that the access rights were lost due to do the groups granting these access rights being deleted.
How do we determine how these groups were deleted?
As there is no audit trail for the deletion of groups in PPM, the app-access logs can be used to help determine when and by who the groups were deleted.
The app-access logs would contain actions related to the deletion of groups such as 'action=nmc.groupDeleteConfirm' and 'action=nmc.deleteGroup'.
...|POST /niku/nu?uitk.vxml.form=1&action=nmc.groupDeleteConfirm&uitk.navigation.location=Workspace&uitk.navigation.parent.location=Workspace&uitk.navigation.last.workspace.action=nmc.groups HTTP/1.1|200|4489|72|12345678__1A2BC3D4-5678-90EF-G100-23456HI9J01K
...|POST /niku/nu?uitk.vxml.form=1&action=nmc.deleteGroup&uitk.navigation.location=Workspace&uitk.navigation.parent.location=Workspace&uitk.navigation.last.workspace.action=nmc.groupDeleteConfirmPage HTTP/1.1|200|7586|3136|12345678__1A2BC3D4-5678-90EF-G100-23456HI9J01K
Where the '12345678__1A2BC3D4-5678-90EF-G100-23456HI9J01K' towards the end is the session ID of the user performing the action. Using the session ID, the CMN_SESSIONS and CMN_SESSION_AUDITS tables can be queried to find the associated user. If the Clean User Sessions job has run since the time that the action was completed, the session will no longer exist in these tables. When the session no longer exists in these tables, another way to determine what user the session belonged to is to review other actions performed by this same user session in the app-access log, in addition to other logs, such as the app-ca logs.