Compared to other ERP, BPCS is not structured to make it easy to figure out
who updated what ... BPCS is embezzler-friendly, under a theory of security
by obscurity, so people who can figure out the loopholes have a great
advantage over people who learn only the BPCS how it works standards.
I know of many of those holes, and embezzlement-friendly features, would
never spell them out in a public forum like this, only in briefings to my
own management and our auditors. Unfortunately I am always kept too busy
with day to day needs to take advantage of optimal strategic protections
from the risks.
Depending on version of BPCS, there are all kinds of histories &
cross-indexing where data in various files can be tracked back to what
records in other files have more information about the activity.
The quality of this is much like IBM Security Auditing, which is easy to
turn on, but you have to have like a Masters Degree in Security from a
thousand hours of IBM classes to figure out what the security log is
telling you, or buy some 3rd party package to interpret the logs for you.
For example, there is inventory history which includes name of user signed
on at what work station who entered the transactions, a system which is
only as good as internal company policies with regards to different people
having their own sign-ons, which can be constrained by the # of users
license for BPCS.
The General Ledger and other applications have a ton of reference fields
which generally do not appear in any standard BPCS reports & inquiries,
which can be used for forensic back tracing analysis, capabilities not
detailed in any documentation delivered to BPCS customers. General Ledger
has business rules which permit different levels of detail tracking
different kinds of transactions. So those transactions where there's
little management interest in GL back tracking, or we have alternative ways
to track, let's not clog up the disk space with detail logging, while in
other areas where we have doubts about the veracity of BPCS integrity,
let's get all the auditable detail we can.
There are also add-ons from 3rd parties that make deciphering the evidence
something that can be done by non-technical management and accounting
auditors without any hassles. What you are describing is an add-on from
UPI where management identifies activities they want to track, like changes
to costs, pricing, engineering, supply chain business rules, whatever,
which determines what gets logged into disk space, in which it does not
matter if the update is done by BPCS software, some IBM utility like DFU,
open source for 400, an authorized user, a hacker ... it tracks who did
what when how for later review.
A later version of the software, not yet released, promises to have
business rules to block certain kinds of unauthorized activity, instead of
the current version where it logs the embezzlement, sabotage, human error
etc. for someone later to see when they review the log.
Al Macintyre
20 year veteran of messing with BPCS
40 year veteran of working on IBM midrange
Does BPCS have an Event log?
By this I mean something in the form of:
Id activity name timestamp user id
for each batch and user transactions.
The Id would be a unique identifier used to trace an instance of an
process from beginning to end
The activity name may be a program name (with different phases - start
cancel end etc).
Any help would be appreciated.
midrange.com
