We run a secure environment and we have contractual requirements to track and audit who has read/accessed files and projects on our server. I cannot find a way to find out who has read/opened a particular file in PDM. Am I missing something?
I have not seen anything like that in normal settings. I don't think the database keeps history of get-files or checkouts; I find that looking in the history tables is not straightforward. It tracks who currently has the file checked out (locked) but no history of that. BUT, there is clear history of who checked files in, so in read & write you're covered. You just need a log of when people get a version from the archive.
After looking at dispatch for options, I see you could run a cmd on check out, not sure how that helps you as it doesn't mean they changed the file (check in) and it doesn't cover all reads.
Might need a very small PDM add-in with hook on EdmCmd_PreGet and EdmCmd_PostGet to log when a file is copied from archive to user's local drive.
For this to be reliable in situations where there could be multiple users on one PC, make sure that when adding the vault view you only allow it for the current user, and that wherever that vault view root location is set is someplace secure. Might also want to use the option: clear cache on logout.
Yeah I need to cover ALL reads, not just checkouts. So if the cmd on checkout wouldn't run when someone just copies a file out, that's not good enough.
That is the requirement, not just checkouts, I need plain read (read only) copies out of the PDM as well.
Kinda need that for real security: tracking data exfiltration, auditing who has accessed the files, etc.
The add in sounds ok as long as we can cook it in to centrally log somehow to satisfy the auditors/compliance folks. If anyone knows of something commercial that would get it done that would be great.
PDM has always been this way. I just haven't asked in a couple of years and was hoping for some improvement or that someone would have written a commercial add-on. Not sure why it works this way. As it is, it doesn't even meet a bare minimum of security best practices... Ah well..
There's a couple "programmers for hire" around here that could do this for you for reasonable cost. I bet one of them will chime in soon.
If I were doing it I'd probably add another database to the SQL Server (as long as there's performance capability for it) and store the data access as records in there. Record: PDM username, PC name, where it was saved on the PC, time stamp, read only (get) or write (checkout), then add a timestamp for when it is checked back in. That's just me, the pros likely have better ideas.
You may want to check with Stephen Lapic - not sure how they handle that issue..
John, for us it is not an issue. If you have access to the vault and to the specific folder then you can read the files. There is no reason to record who looks at any of these files. Most companies that make commercial equipment and products would probably follow the same process. Military might be different.
I imagine that someone could write a simple API that would record the user name with the date/time and then copy this info into the history of the file or copy user name, date/time, and file name and add this info to a log in a folder that the admin has permission to view.
I dabbled a little with Visio but I do not program so I wouldn't be able to help with the specifics.
Not out of the box so I wrote an add-in to do the auditing based on something Joy Garon shared with me.
Hope this helps!
Believe in The Q!
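A sketch of the add-in suggested in this thread (a hook on EdmCmd_PostGet writing one row per file to a separate audit database), added here as an example and not the add-in any poster wrote. The server, database, table and class names are assumptions, the GUID is a placeholder, and the EdmCmdData field meanings should be confirmed against the API help for your PDM version.

```csharp
using System;
using System.Data.SqlClient;
using System.IO;
using System.Runtime.InteropServices;
using EPDM.Interop.epdm;

// Assumed audit table, created by the admin in a separate database:
//   CREATE TABLE dbo.FileGets (PdmUser nvarchar(128), PcName nvarchar(64), FileId int,
//     LocalPath nvarchar(400), LoggedAtUtc datetime2 DEFAULT SYSUTCDATETIME());
[ComVisible(true)]
[Guid("00000000-0000-0000-0000-000000000000")] // placeholder, generate your own
public class GetAuditAddIn : IEdmAddIn5
{
    // Hypothetical server and database names.
    const string ConnStr = "Server=AUDIT-SQL;Database=PdmAudit;Integrated Security=true";
    const string Sql = "INSERT INTO dbo.FileGets (PdmUser, PcName, FileId, LocalPath) " +
                       "VALUES (@u, @p, @f, @l)"; // timestamp comes from the server clock

    public void GetAddInInfo(ref EdmAddInInfo poInfo, IEdmVault5 poVault, IEdmCmdMgr5 poCmdMgr)
    {
        poInfo.mbsAddInName = "Get audit (example)";
        poInfo.mbsDescription = "Logs each file copied from the archive";
        poInfo.mlAddInVersion = 1;
        poInfo.mlRequiredVersionMajor = 6;
        poInfo.mlRequiredVersionMinor = 4;
        poCmdMgr.AddHook(EdmCmdType.EdmCmd_PostGet); // fires after a get completes
    }

    public void OnCmd(ref EdmCmd poCmd, ref EdmCmdData[] ppoData)
    {
        if (poCmd.meCmdType != EdmCmdType.EdmCmd_PostGet) return;
        var vault = (IEdmVault5)poCmd.mpoVault;
        var users = (IEdmUserMgr5)vault.CreateUtility(EdmUtility.EdmUtil_UserMgr);
        string user = users.GetLoggedInUser().Name;
        foreach (EdmCmdData d in ppoData) // one entry per file in the get
        {
            try
            {
                using (var con = new SqlConnection(ConnStr))
                using (var cmd = new SqlCommand(Sql, con))
                {
                    cmd.Parameters.AddWithValue("@u", user);
                    cmd.Parameters.AddWithValue("@p", Environment.MachineName);
                    cmd.Parameters.AddWithValue("@f", d.mlObjectID1);       // file ID
                    cmd.Parameters.AddWithValue("@l", d.mbsStrData1 ?? ""); // local path
                    con.Open();
                    cmd.ExecuteNonQuery();
                }
            }
            catch (Exception ex)
            {   // Database unreachable: keep a local record instead of dropping it.
                File.AppendAllText(Path.Combine(Path.GetTempPath(), "pdm-get-audit-fallback.log"),
                    $"{DateTime.UtcNow:o}\t{user}\t{d.mbsStrData1}\t{ex.Message}\n");
            }
        }
    }
}
```

Because the add-in runs on each client under the user's Windows account, grant those accounts INSERT only on the audit table so users cannot read or alter the log. The local fallback file is user-writable, so treat it as a gap indicator rather than audit evidence.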