Security Audit

A security audit table tracks the changes in user permissions caused by certain security changes in M3 Business Engine. Programs used for security audit purposes are 'Security Audit. Display' (SES510), 'Security Audit. Print' (SES511), and 'Security Audit. Archive/Delete' (SES590).

Display security audit records in (SES510)

If there are modifications in the authorization setup for any user, (SES510) allows traceability of the security changes on a company level.

These are some of the triggers for tracing security changes:

Note: Audit entries are only recorded if there is a movement in 'Authorization per User. Display' (SES401), or when autojob SES900 is started. Also, security changes made using 'Authorization per User. Re-create' (SES990) are not covered by this functionality, and are not logged in the security audit table.

On (SES510/E) the authorization values are displayed before and after the security change was made. Specifically, it displays the change in permissions for all options and function keys for a specific user and in which program, company, and division.

On (SES510/F), further details of the transaction are displayed.

This table describes each field on that panel:

Field heading Description
Changed by The field indicates the change ID of the user who created the audit transaction.
Trans program The field indicates the transaction program used to trigger the permission change.
Op Code

The field indicates how to classify the type of change that has been made.

Note: The first two (2) digits identify the type of record where the transaction was performed:
  • 01 - Role
  • 02 - Role/User
  • 03 - Role/Function
  • 04 - User/Company/Division
  • 05 - User.

The third digit identifies the type of transaction:

  • 0 - Auto-create permissions
  • 1 - Create or copy
  • 2 - Change
  • 4 - Delete.
Changed role

The field indicates the role that has been modified by the transaction, if any.

Note: Field is blank if no role was used.
Changed fnc

The field indicates the function modified to trigger the transaction, if any.

Note: Field is blank if no function was used.
Changed user

The field indicates the user record that has been modified to trigger the transaction, if any.

Note: Field is blank if no user record was used.

Also, SES510MI is used to handle API transactions such as get security audit and list security audit. The first transaction is used to return a single security audit record while the latter returns a list of records matching the input data. The input data used are transaction date (TRDT), transaction time (TRTM), user ID (USIU), company (CONU), division (DIVU), and name of the changed program (PRGNU).

Printing security audit records in (SES511)

'Security Audit. Print' (SES511) is used to generate print file SES512PF for the audit records in (SES510). Criteria for the printing selection can be specified. For example, the transaction dates covered, operation code, and change ID.

You can also specify if the printout should include records with changes in the basic options, related options, function keys, or a combination. In summary, there is one selection field for each of the three. Each field can be set to 'YES', 'NO', or '-BLANK'.

For example, set field selection for 'basic options' to 'YES' if the printout should include audit records with changes in basic options. If it is set to 'NO', only the audit records without any change in basic options are included. If the field is set to '-BLANK', all audit records are included in the printout.

Archive or delete security audit records in (SES590)

'Security Audit. Archive/Delete' (SES590) is used to archive and delete records from the security audit table.

On (SES590/E), criteria for archiving can be selected. For example, transaction date, operation code, and change ID. If a selection field is left blank, it is not considered for filtering of the records when the archiving job SES590Sbm is run.

A list of archived records can also be printed as printer file SES593PF if the 'Print changes' check box has been enabled on (SES590/E). If the records have been permanently deleted, the printout only contains the primary key values of the record. All the other information has been removed from the database.

Related topics