RE: db access to iseries from pc's via ?

When you do a
WRKACTJOB SBS(QUSRWRK)
you'll find that IBM changed the default on that screen from JOB user to
CURRENT user. For example, looking at the joblog for
625973/QUSER/QZDASOINIT I see
User CCOOK from client 10.17.9.56 connected to server.
I forget when this default changed.

But this only captures a "point-in-time".

If they updated or changed a row it would show up in the journal
associated with that table. With the full job name, current user, IP
address and much more.
Now, because journals are built into the system and are too easy to use
people sometimes purchase bolt on products instead or desire to roll their
own. Some of these are trigger based. There are some advantages to
trigger based actions including:
- Read based triggers to inform you when someone read the file.
- you can modify the data to hide where you've been illicitly and not have
an audit like you do with journalling. (sarcasm intended, but true)

Another alternative is to either write your own exit point program, or to
purchase another which would log, and/or limit what ODBC operations they
are allowed. I wrote an ftp exit point program which would limit what
statements on what files so I am sure the odbc exit offers the same or
better granularity. My problem with this (other than the cost) is it is
statement based. For example, JOE ran the statement SELECT * FROM *
WHERE*. It wouldn't show you the exact rows retrieved. This makes it
hard to query "who had access to a particular granule of data?".




Rob Berendt