When you enable the Asset Management sandbox, changes made directly in the Asset management forms pass through the sandbox and the reconciliation process to get applied to BMC.ASSET. All good. However as far as I can see in this case, we lose the ability to track the user id making the requested change, since the last modified user is reported as the Recon. Engine service owner in the final update to BMC.ASSET after the merge (typically Remedy Application Service).
The record in the asset sanbox dataset DOES show the userid of the person making the change I believe (as the created by), however this record only exists for a few seconds until the merge completes and is typically deleted by the Asset Sandbox recon job.
Even if you are doing CMDB audits, it doesn't help here unless you want to start trawling through the audit records for the asset sandbox dataset entries for this update - the BMC.ASSET entries in the audit log don't help.
1. Amend the workflow for the Sandbox copy functionality to preserve the real last modified user in the reconciled BMC.ASSET record, or
2. Create a new attribute at Base Element level to record the last AST form user to update the record, which needs to be used only when the Sandbox functionality is enabled. If we enable audit on this we will always see the full update user history. At worst, without audit enabled for the field, we can still see the most recent modifier.
This is a significant audit compliance issue for us at present.