If you dig a fence post hole with a backhoe, you will upset more dirt than you probably wanted.
My three-year-old son is a big Bob the Builder fan, and he's always reminding me to use the right tool for the job. The same principal can be applied to System i management in finding simple and effective solutions. System integrity and security is important, but you must take great care while implementing solutions in that area to limit the chances of adverse effects.
There are many ways to track data-related activities on your system, such as object auditing and trigger programs. In V5R3, IBM introduced the exit point Open Database File, otherwise known as QIBM_QDB_OPEN. When a job opens a file on your system, other than files located in a few excluded libraries, this exit point is called. By attaching a custom program, called an exit program, to the exit point, you can gather some valuable information, such as the following:
- The opened database file and the user profile that opened it
- The method of access used to open the file (i.e., Query, interactive SQL, other SQL-based interfaces, etc.)
- The job name and number
- The input operation (reading, updating, adding, or deleting)
Hold On, There's a Catch…
It's pretty nifty, but every tool has benefits and disadvantages. The danger with running an exit program attached to this particular exit point lies in the granularity of execution. Your custom exit program will be called every time the exit point is called for every file on your system, other than those included in libraries QTEMP, SYSIBM, QRECOVERY, QSYS, QSYS2, QRCL, QRPLOBJ, and QSPL.
Please read that last paragraph again and pay close attention to the italicized items.
There is no ability to filter what libraries are excluded from being processed by your custom program. You would have to handle that within your program. For example, the pseudo code would work like this during run time:
- The program receives the data structure and an array of all files being opened, along with the who, what, and how information.
- For each file being opened, you check the library name.
- If that library isn't a library you care to monitor, then move on to the next file.
- If the library is flagged as an "auditable" library (ERP, payroll, etc.), then continue on with your program logic to trap the data and do something useful with it.
What I'm getting at here is that, if you use this exit point, it's best to keep your code as clean and concise as you can, because it's going to be running a whole lot. Every time any file is opened, your program is going to kick off. I just can't stress that enough. You may experience performance problems, depending on the hardware and software configuration of your system, the number of files being opened, and the number of programs that are doing the opening. If you've got a high-performance model, chances are you have a reason for it (i.e., heavy workload). Let's just hope your box was sized for growth! Perhaps that big workload you planned for on your last box swap hasn't been implemented yet.
Weigh the Pros and Cons of All Your Options
Don't get me wrong here; this is a very powerful auditing tool. You can do awesome things like physically limit database file opens by specific interfaces. This gives you lots of granularity by closing windows into your system that aren't specifically defined by the IT department as legitimate. Say you want only interactive 5250 access to your payroll library and you want to disallow things like interactive Query or SQL. You can do this!
Depending on what you're trying to accomplish, using this exit point may be the right solution for you. I'd suggest you look at object auditing or triggers as well. Weigh the pros and cons with each method. Perhaps there are only 10 or 20 files on which you want to track read operations. Trigger programs would be great in that instance and would offer much less overhead than exit points or object auditing.
The key here is to properly define the job at hand. Then find the right tool.
LATEST COMMENTS
MC Press Online