bradbeckett1
Active Member
We have a sox requirement to track BAs changing data via interactive, but we don't want our sql audit reports to include updates from UBEs. To do this a user running a UBE needs to use a different System user than the interactive session.
I think I have it figured out, but I wanted to see if anyone else agrees.
SQL 2008R2
E9.1, tools 9.1.4.7
We have 2 enterprise servers, ES1 and ES2. ES1 is used only for interactive BSFN, ES2 is batch/ube.
JDEBA and JDEUSER are setup and both work as system users. JDEBA is tracked in our sqlaudit, JDEUSER is not.
First, ES1 and ES2 share a table map, I'll have to split those into unique mappings.
I'll create a "Business Data - PRODBA", for the BA users which is the same data as "Business Data - PROD", I'll make P98OWSEC (and the P980001 passwords mappings) map Default data source to system user JDEUSER and "Business Data - PRODBA" to system user JDEBA. Then in OCM mappings for the System map and ES1 server map, have the BA users default tables in PD910/JPD910 map to "Business Data - PRODBA". ES2 server map will remain the same as now, everyone mapped to "Business Data - PROD" for PROD tables.
Interactive and BSFNs called from interactive should then use system user JDEBA for BA users when updating PROD data.
UBES and the BSFNS called from UBES should map to system user JDEUSER, and not get caught in our SQL audit, assuming they are run on ES2.
Does anyone see holes in this?
I think I have it figured out, but I wanted to see if anyone else agrees.
SQL 2008R2
E9.1, tools 9.1.4.7
We have 2 enterprise servers, ES1 and ES2. ES1 is used only for interactive BSFN, ES2 is batch/ube.
JDEBA and JDEUSER are setup and both work as system users. JDEBA is tracked in our sqlaudit, JDEUSER is not.
First, ES1 and ES2 share a table map, I'll have to split those into unique mappings.
I'll create a "Business Data - PRODBA", for the BA users which is the same data as "Business Data - PROD", I'll make P98OWSEC (and the P980001 passwords mappings) map Default data source to system user JDEUSER and "Business Data - PRODBA" to system user JDEBA. Then in OCM mappings for the System map and ES1 server map, have the BA users default tables in PD910/JPD910 map to "Business Data - PRODBA". ES2 server map will remain the same as now, everyone mapped to "Business Data - PROD" for PROD tables.
Interactive and BSFNs called from interactive should then use system user JDEBA for BA users when updating PROD data.
UBES and the BSFNS called from UBES should map to system user JDEUSER, and not get caught in our SQL audit, assuming they are run on ES2.
Does anyone see holes in this?