Re: User transactions tracking in BPCS v4 -- BPCS-L

Al,
thanks for your input. I am going to try to be more specific on the needs I have
and explain the context.
In fact I am IT auditor and I would like, during audits, to be able to know for
certains critical transactions (like posting invoices, creating customers...)
who has created the document (like who has posted the invoice number 999999 the
22/09/1999...).
Now in case of fraud for instance, it is not possible to find out who keyed the
transactions in BPCS.
What I would like to work out is a tracking mecanism that would add a user ID to
the document created for critical transactions, and that would not be too much
resource consuming.
Any idea on how to do that? Thanks for your help.

Regards,
- Zahouani.




From: macwheel99@aol.com on 09/21/99 06:58 PM

Please respond to bpcs-l@midrange.com

To:   bpcs-l@midrange.com
cc:    (bcc: Zahouani Saadaoui-Z/PGI)
Subject:  Re: User transactions tracking in BPCS v4




>From Al Macintyre 405 CD on AS/436 V4R3

> Subj:  User transactions tracking in BPCS v4
>  From:    saadaoui.z@pg.com (Zahouani Saadaoui-Z)
>
>        Hi,
>
>        I am looking for a solution that would enable the tracking of users
>        transactions in BPCS v4 (which is not possible in that system).

Some tracking is built-in ... take a look at the layout of the BPCS files.
Either DSPFFD ITH to *PRINT
or WRKMBRPDM QDDSSRC BPCS405CDS or wherever your base source is

We have query reports like totals only - who did what types of transactions
last month - certain people are supposed to be doing certain types of
transactions as part of their job & others on an exception basis ... if we
find a sudden or rapid rise in cycle count adjustments by someone whose job
is other than doing cycle count adjustments for example, then there is a
review of the scenario with that person to make sure they did not find an
unauthorized short cut to resolving a scenario that should be done some other
way.

BPCS V4 security has some holes.  We are a multi-faciilty company in which
some users are authorized to do a wide range of transactions at the facility
at which they are based, and are authorized to LOOK at data in other
facilities but not update anything there.  We have not figured out how to
enforce that, but we can query on the user-id within inventory history ...
running a total only number of transactions by user by facility each month,
to catch any no-nos, after the fact.

Not all transactions have a history that includes the name of the user who
keyed in that transaction - FLT labor for example has who did the factory
labor, not who keyed in the reporting.  But many files have fields that we
are not using for any purpose, and could use for some other purpose & in fact
we are doing so, in which we used the literals sub-system to re-label the
field on the BPCS screens & reports (this does not work automatically on uses
of external files outside BPCS like Query ... we have to massage that a bit).

>        If you have worked on that kind of add ons to BPCS,

I worked on that kind of thing in BPCS/36 using internally described files
... that system had some "dead space" at the end of most files & we plugged
in stuff that is native to BPCS/400 & some stuff not yet invented in
BPCS/400.  For example we were particularly interested in changes to customer
orders ... who was the last person to change this order & when did they do it
with what program?

This was because of a scenario that we have since resolved outside of BPCS,
involving too many cooks working at cross-purposes ... the sales dept has
been reorganized so that now certain people are in charge of the data for
certain groups of customers.

However the 400 has changed the landscape on what is easy / pain in neck to
muck with - I have zero current interest in changing the layout of BPCS/400
files, like adding any fields.  If I was persuaded to do any such tracking
today, I would probably do it with a separate file ... I am in fact doing
something similar, by adding members whose naming convention does not
conflict with BPCS native naming conventions, in which a member in a logical
points to a member of the same name in a physical.

>  or if you know
> other solutions to easily track user transactions in the system, please let
> me know.
>
>        Cheers,
>
>        - Zahouani

It depends on the level of detail you need.

If you want to know which users were on the computer system today, but don't
much care what they were doing, check out DSPJOB F4

If you want to know who is in ORD500 INV500 etc. RIGHT NOW then check out
http://www.precosis.com.au/piu1.htm = Display Active BPCS Jobs

Many jobs generate some kind of audit trail of what was changed, like ORD500
INV100 etc. ... we generally delete ours without printing ... you could
transfer yours to a PC, clean out a lot of data & just save what you need to
track which customer orders were updated today & by whom, and by item # who
was the last person to update it.

Have you been to IBM/400 classes with "DB2" in the title?  Business rules can
be established at the file level ... Any time ANYONE updates this file by ANY
means (BPCS program, DFU, interactive SQL, you name it) capture some
particulars about who is doing what.

Hope I have been somewhat helpful - perhaps you could be a bit more explicit
on what you are looking for, so answers can be a bit less vague.

Al Macintyre
+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---






+---
| This is the BPCS Users Mailing List!
| To submit a new message, send your mail to BPCS-L@midrange.com.
| To subscribe to this list send email to BPCS-L-SUB@midrange.com.
| To unsubscribe from this list send email to BPCS-L-UNSUB@midrange.com.
| Questions should be directed to the list owner: dasmussen@aol.com
+---