Trigger was the clue
ADDPFTRG FILE(MYLIB/MYFILE) TRGTIME(*BEFORE)
TRGEVENT(*READ) PGM(TRIGGERLIB/MYTRIGGER)
Basically you could log every row read using this.
You have to write the program TRIGGERLIB/MYTRIGGER.
Creating trigger programs - IBM Documentation
In theory a trigger program could cast an error if someone is reading something they shouldn't. However, many legacy operations often assume there'll never be an error on a read, or, if there is an error, they assume the error must be some specific condition (like key not found). These won't tolerate a trigger program casting an error.
See also: Row and column access control (RCAC)
https://www.ibm.com/docs/en/i/7.5?topic=administration-row-column-access-control-rcac
------------------------------
Robert Berendt IBMChampion
------------------------------
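A sketch of what TRIGGERLIB/MYTRIGGER could look like in CL, added here as an example and not taken from the post above or from IBM's documentation. It assumes the standard trigger buffer layout (file, library and member names in bytes 1-30, event code in byte 31, relative record number as a 4-byte binary at byte 41) and a user journal AUDLIB/READJRN, which is a hypothetical name. Every failure is swallowed so that a logging problem never surfaces as an error on the application's read.

```cl
/* Added example (constructed): read-trigger program that writes one  */
/* user journal entry per record read. AUDLIB/READJRN is hypothetical */
/* and must already exist (CRTJRNRCV, then CRTJRN).                   */
PGM        PARM(&TRGBUF &TRGBUFLEN)
  /* Only the fixed 96-byte header of the trigger buffer is needed.  */
  DCL        VAR(&TRGBUF)    TYPE(*CHAR) LEN(96)
  DCL        VAR(&TRGBUFLEN) TYPE(*INT)  LEN(4)
  DCL        VAR(&FILE)      TYPE(*CHAR) LEN(10)
  DCL        VAR(&LIB)       TYPE(*CHAR) LEN(10)
  DCL        VAR(&MBR)       TYPE(*CHAR) LEN(10)
  DCL        VAR(&EVENT)     TYPE(*CHAR) LEN(1)
  DCL        VAR(&RRN)       TYPE(*DEC)  LEN(10 0)
  DCL        VAR(&RRNC)      TYPE(*CHAR) LEN(10)
  DCL        VAR(&CURUSER)   TYPE(*CHAR) LEN(10)
  DCL        VAR(&ENTDTA)    TYPE(*CHAR) LEN(50)

  /* Never let a logging failure escape to the reading program.      */
  MONMSG     MSGID(CPF0000 MCH0000) EXEC(GOTO CMDLBL(DONE))

  CHGVAR     VAR(&FILE)  VALUE(%SST(&TRGBUF 1 10))
  CHGVAR     VAR(&LIB)   VALUE(%SST(&TRGBUF 11 10))
  CHGVAR     VAR(&MBR)   VALUE(%SST(&TRGBUF 21 10))
  CHGVAR     VAR(&EVENT) VALUE(%SST(&TRGBUF 31 1))

  /* Event codes: 1=insert, 2=delete, 3=update, 4=read.              */
  IF         COND(&EVENT *NE '4') THEN(GOTO CMDLBL(DONE))

  /* Relative record number identifies which row was read.           */
  CHGVAR     VAR(&RRN)  VALUE(%BIN(&TRGBUF 41 4))
  CHGVAR     VAR(&RRNC) VALUE(&RRN)

  /* Current user covers jobs that swap profiles after starting.     */
  RTVJOBA    CURUSER(&CURUSER)

  /* Fixed-width entry: library, file, member, RRN, current user.    */
  CHGVAR     VAR(&ENTDTA) VALUE(&LIB *CAT &FILE *CAT &MBR *CAT +
                                &RRNC *CAT &CURUSER)

  /* Journal code U entry; the system adds timestamp, job and        */
  /* program name to the entry on its own.                           */
  SNDJRNE    JRN(AUDLIB/READJRN) TYPE('RD') ENTDTA(&ENTDTA)

DONE:
ENDPGM
```

The entries can be reviewed with DSPJRN filtered on journal code U. A batch job that reads the whole file produces one entry per record, so size the journal receivers with that volume in mind.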
Original Message:
Sent: Mon April 22, 2024 11:02 AM
From: Andreu Rul
Subject: leave a log trail when reading physical files on IBMi
Hi Akemi,
In the journals normally you have the information about changed data, not about the read operations.
In the audit journal you can record that a file has been read (ZR journal entries), but not the exact record.
Also, before implementing something like this, it is important to understand the use of the file.
What is "view a record"? Because if you have a batch process that reads all the records (but nobody views the records), this can generate a large amount of audit data. Those records have been read, not modified, but nobody viewed them.
In some cases, a trigger can be an option to record the viewed records.
There is also some software from ISVs that works on this with different approaches.
Best Regards
-------------------------
Andreu Rul
CTO
Telf: +34 663 817 144
Original Message:
Sent: 4/22/2024 1:35:00 AM
From: Akemi Kamiogi
Subject: leave a log trail when reading physical files on IBMi
The customer wants to keep track of who read which field of which record and when, for audit purposes.
Customers use COBOL on IBMi, and in some cases do not use SQL.
1. Is it possible to use the audit journal or DB journal to check which records were viewed by which users?
2. Is it possible to use the audit journal or DB journal to check who viewed which fields of which records?
If the audit journal or DB journal cannot record, is there a way to obtain logs using IBM's SW Solution or ISV Solution?
Thank you.
------------------------------
Akemi Kamiogi
------------------------------