Example: Column-Level Discretionary Access Control and Row-Level Security Audit Logging - Analytics Database - Teradata Vantage

SQL Data Definition Language Syntax and Examples

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-10-04

Suppose you want to audit any attempt by user TomSmith to insert a row into the emp_record table because such an attempt is a violation of the discretionary access control security policy at your site.

The request to do this auditing looks like this.

     BEGIN LOGGING DENIALS WITH TEXT 
     ON EACH INSERT BY TomSmith 
     ON emp_record;

Suppose you would also like to know whenever a user attempts to insert a row that violates the row-level security policy for the target table, which is maintained by a row-level security constraint named group_membership.

You cannot execute DENIALS logging for DELETE, INSERT, SELECT, or UPDATE FOR CONSTRAINT requests. Denials that result from insufficient security credentials to execute a DML request on a row-level security-protected table are not treated as an access denial.

If you attempt to execute a DML request, but do not have the required row-level security privilege, that request is considered to be a DENIAL.

For example, if you attempt to insert a value into a constraint column, you do not have a default session constraint value, and you do not have the OVERRIDE INSERT CONSTRAINT privilege on the table, that attempt is considered a denial.

For example, if logging is enabled by the following request, Vantage generates an audit row for such a denial.

     BEGIN LOGGING DENIALS
     ON EACH OVERRIDE INSERT
     FOR CONSTRAINT group_membership
     ON TABLE securedb.emp_record;
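The following script is an added example, not part of the Teradata documentation: it enables both logging rules from this page, shows how an administrator would review the denial rows they produce, and ends the logging afterwards. It assumes the Data Dictionary view DBC.AccLogV with the columns LogDate, LogTime, UserName, DatabaseName, TVMName, StatementType, StatementText and AccLogResult (where 'D' marks a denied request); confirm those names against the Data Dictionary for your release.

```sql
-- Audit discretionary access control denials: any INSERT attempt by TomSmith
-- on emp_record, capturing the statement text as well.
BEGIN LOGGING DENIALS WITH TEXT
ON EACH INSERT BY TomSmith
ON emp_record;

-- Audit row-level security denials: any attempt to override the
-- group_membership constraint on INSERT into securedb.emp_record.
BEGIN LOGGING DENIALS
ON EACH OVERRIDE INSERT
FOR CONSTRAINT group_membership
ON TABLE securedb.emp_record;

-- Review the denials recorded so far.
-- Assumed column names of DBC.AccLogV; AccLogResult = 'D' is a denial.
SELECT LogDate, LogTime, UserName, DatabaseName, TVMName,
       StatementType, AccLogResult, StatementText
FROM   DBC.AccLogV
WHERE  AccLogResult = 'D'
AND    TVMName = 'emp_record'
ORDER BY LogDate DESC, LogTime DESC;

-- Stop both rules once the audit period is over.
END LOGGING DENIALS
ON EACH INSERT BY TomSmith
ON emp_record;

END LOGGING DENIALS
ON EACH OVERRIDE INSERT
FOR CONSTRAINT group_membership
ON TABLE securedb.emp_record;
```

Run the review query as a user who has SELECT on DBC.AccLogV; the rows it returns are the audit trail for the two policies described above.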