Title: Auditing
Description: Auditing Views
LawsonsNbr1Fan - March 20, 2006 05:20 PM (GMT)
Does anyone audit who views various information in Lawson like pay rates or disciplinary actions? I know we can see who made changes using Lawson's basic audit, but how does everyone else audit who views sensitive information?
schroncd - March 20, 2006 06:51 PM (GMT)
There is no way under 8.0 technology to do that - at least not internal to Lawson
Milo - March 21, 2006 03:59 PM (GMT)
Speaking as a programmer, one way to add an audit trace is to add custom code in the COBOL behind the screen. Create a custom audit file. In the PD, use CRT-USER-NAME to save the userID in the audit file. I've done it, it works.
Caveat: If you're using an AIX system with RPL, you probably could do the same thing, however I have never done anything with it.
LawsonsNbr1Fan - March 22, 2006 08:40 PM (GMT)
Are there any tools within Oracle that allow a DBA to monitor SELECT statements or Lawson calls to the database for specific columns? I'm a SQL Server person by trade and am not familiar with all of the capabilities with Oracle. I found an article on the Oracle web site about Fine-Grained Auditing (FGA) in Oracle. It sounds promising; anyone know much about it? Does anyone have a tool in place for SOX compliance with auditing?
Phil Feller - March 22, 2006 09:09 PM (GMT)
Oracle does have this type of auditing capability, but most Lawson shops use a single Oracle service account to connect to their database. Ask your DBA whether you are using database authentication or operating system authentication with multiple users. I'll bet that you are using database authentication with a single account, so that Oracle auditing would do you little good. About the only use that it would have would be to determine whether privileged accounts or any ODBC accounts that you might have created are being used to view this data.
If you use Portal exclusively, and you don't need to audit the viewing of specific records, you may be able to do what you want. You could report from your web server logs on which users are making DME and IDA requests for the tables that you are concerned about, and which are making Xpress requests for tokens that use these tables. (AGS, which is used to request a token transaction, uses an HTTP post, so that your web server logs are unlikely to have the data about which token was used.)
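An added example, not part of the thread and not Lawson code: a sketch of the web-server-log report described in the post above, run over constructed log lines. The log layout (Combined Log Format with the authenticated user in the third field), the endpoint path fragments, the `FILE` query parameter and the table names are all assumptions to adjust for a real installation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed values, not taken from the thread: placeholder table names,
# placeholder DME/IDA path fragments, and a FILE= parameter naming the table.
WATCHED_TABLES = {"EMPLOYEE", "DISCIPLINE"}
DATA_ENDPOINTS = ("/dme", "/ida")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real log data.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [20/Mar/2006:17:20:01 +0000] "GET /lawson/dme?PROD=TEST&FILE=EMPLOYEE&FIELD=PAY-RATE HTTP/1.1" 200 512
10.0.0.5 - jsmith [20/Mar/2006:17:21:10 +0000] "GET /lawson/dme?PROD=TEST&FILE=GLMASTER HTTP/1.1" 200 300
10.0.0.9 - mjones [20/Mar/2006:17:25:44 +0000] "GET /lawson/ida?PROD=TEST&FILE=discipline HTTP/1.1" 200 128
10.0.0.9 - mjones [20/Mar/2006:17:26:02 +0000] "POST /lawson/ags HTTP/1.1" 200 64
10.0.0.7 - akhan [20/Mar/2006:17:30:15 +0000] "GET /lawson/dme?PROD=TEST&FILE=EMPLOYEE HTTP/1.1" 403 0
"""

def view_events(lines):
    """Return (user, table, status) for each data request naming a watched table."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not any(frag in parts.path.lower() for frag in DATA_ENDPOINTS):
            continue
        params = {k.upper(): v for k, v in parse_qs(parts.query).items()}
        for table in params.get("FILE", []):
            if table.upper() in WATCHED_TABLES:
                events.append((m["user"], table.upper(), m["status"]))
    return events

def opaque_posts(lines):
    """Count POST requests: the body is not logged, so the token is unknown."""
    return sum(1 for l in lines if (m := LINE_RE.match(l)) and m["method"] == "POST")

if __name__ == "__main__":
    rows = SAMPLE_LOG.splitlines()
    for user, table, status in view_events(rows):
        print(f"{user:10} {table:12} HTTP {status}")
    print("POST requests with no token detail:", opaque_posts(rows))
```

The report identifies who requested a table, not which records they saw, and the POST count shows how much activity the access log cannot attribute to a token.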
ScottZ - April 5, 2006 08:22 PM (GMT)
We implemented MachenSoft last fall in an attempt to compensate for Lawson's lack of auditing features. You can set the software to track views, changes, adds, deletes, etc., by token. We currently have ours set to only track adds, changes, and deletes on specified forms. Tracking views can be a real resource hog.