rduncan10
2nd November 2023, 21:31
We are in a SOX audit and I have to demonstrate the separation of duties between the person who develops code and the person who promotes it to production.


We also only have one server and one Baan person (me).


I thought I could do this with different VRCs and train somebody to copy the objects, but the auditor wants some sort of system-generated record to show this has been done, and I don't see that here.



Would PMC work for this? We have never used it (except for Infor patches) and it is not set up and seems kind of involved, so I want to see if it will meet the requirement before I try to set it up.

mark_h
3rd November 2023, 15:29
I don't know enough about PMC but we used it to migrate between our servers. So we exported from dev and imported to prd. Our auditors did not like that - I am not sure if a record of what was migrated was actually kept or who did the migration. One of the things that our auditors would trigger on was who owned what objects - since we had several super users in production. We always made sure that BSP was the owner.

We ended up using a change control system like Remedy (and I forget what we have now since I don't really have access). The change would be in one person's name (in our case our sysadmin) and they would do the migrations. Then we could attach things like approvals and test documents to the changes. And in true emergencies we could still get things fixed for production. So this was a good process that we followed and made the auditors happier.

PS - don't tell the auditors all the workarounds that could be used. I would include some of those, but an auditor might see this. :)

rduncan10
3rd November 2023, 22:33
Thanks.

I think the problem is that we have one server and need to "promote" an item by copying it from one VRC to another.
If we had two servers, we could export and import objects in the same VRC and it does look like there are logs for that we could use (in PMC maintenance history and in $BSE/log).

But I can't figure out if you can export from one VRC and import into another.

mark_h
5th November 2023, 15:35
Yes, you can export from one VRC to another. So in our case we would export from the DEV VRC. We would create a customization, then the admin would export it to a directory that was shared between the 2 servers (I think that it was like a data directory or something). Then log into bsp in production and then do the import. So if I recall correctly the customization you build includes the VRC you built the components in. Then you run the export and create the files. I never did an import, but if I recall it included the VRC you were importing into.

I also believe our auditors were okay with the information in the logs, but were not happy with not being able to tell who did it - since we used BSP on both sides to export and import. It has been a while. I also know for our current CMMC audits they really do not like the application - now they want to know everything a super user did and why. Basically our current system is reference only.