17.00 - operation - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - SQL Data Definition Language Syntax and Examples

Product
Advanced SQL Engine
Teradata Database
Release Number
17.00
Release Date
September 2020
Content Type
Programming Reference
Publication ID
B035-1144-170K
Language
English (United States)

The types of SQL requests to be logged.

If you do not specify the ALL option, you must specify one or more operations from the following list to define which privilege checks are logged.

  • ALTER EXTERNAL PROCEDURE
  • ALTER FUNCTION
  • ALTER PROCEDURE
  • CHECKPOINT
  • CREATE AUTHORIZATION
  • CREATE DATABASE
  • CREATE EXTERNAL PROCEDURE
  • CREATE FUNCTION
  • CREATE GLOP SET
  • CREATE MACRO
  • CREATE PROCEDURE
  • CREATE PROFILE
  • CREATE ROLE
  • CREATE TABLE
  • CREATE TRIGGER
  • CREATE USER
  • CREATE VIEW
  • DATABASE
  • DELETE
  • DROP
  • DROP AUTHORIZATION
  • DROP DATABASE
  • DROP FUNCTION
  • DROP GLOP SET
  • DROP MACRO
  • DROP PROCEDURE
  • DROP PROFILE
  • DROP ROLE
  • DROP TABLE
  • DROP TRIGGER
  • DROP USER
  • DROP VIEW
  • DUMP
  • EXECUTE
  • EXECUTE FUNCTION
  • EXECUTE PROCEDURE
  • GRANT (including GRANTs of row-level security administration privileges)
  • INDEX
  • INSERT
  • MACRO
  • PROCEDURE
  • REFERENCES
  • RESTORE
  • ROLLBACK DATABASE
  • ROLLFORWARD DATABASE
  • SELECT
  • TABLE
  • TRIGGER
  • UDTMETHOD
  • UDTTYPE
  • UDTUSAGE
  • UPDATE
  • USER
  • VIEW

The following list of operations applies to row-level security logging.

If the log rule is for row-level security enforcement (a FOR CONSTRAINT constraint_name specification), but you do not specify an operation type, Vantage includes all of the row-level security operation types in the logging specification.

  • DELETE
  • INSERT
  • OVERRIDE DELETE
  • OVERRIDE DUMP
  • OVERRIDE INSERT
  • OVERRIDE RESTORE
  • OVERRIDE SELECT
  • OVERRIDE UPDATE
  • SELECT
  • UPDATE

If you do not want to log all of these operation types (excluding OVERRIDE DUMP and OVERRIDE RESTORE, which are not logged by default), you must specify the each operation type you want to log in the BEGIN LOGGING request.

The system enters one row in the log for each affected operation. Individual refusals of row access are not logged.

If you specify the logging of row-level security operations, then the only valid object types you can specify are row-level security tables, databases or users.

  • If you specify a database or user, then Vantage logs all of the tables contained within the specified database or user that contain the constraint specified by constraint_name.
  • If you specify a table, then that table must contain a row-level security column that matches constraint_name.
  • If you do not specify an object, the system logs privilege checks on the specified operations for all tables in which the constraint_name appears.

When you specify DENIALS for one of the OVERRIDE privileges, Vantage generates a log entry only if a user attempts to select from a row-level security-protected table, under the following conditions:

  • The user does not have a session constraint value for the audited constraint.

    and

  • The users does not have the OVERRIDE SELECT CONSTRAINT privilege.

The effects of OVERRIDE DELETE, INSERT, and UPDATE are similar.

If you submit the following request,

     BEGIN LOGGING DENIALS
     ON EACH OVERRIDE DUMP CONSTRAINT
     FOR CONSTRAINT levels;

Vantage generates a log entry if the user does not have the OVERRIDE DUMP CONSTRAINT privilege and tries to archive a row-level security table that has the audited constraint.

The same applies to RESTORE and not having the OVERRIDE RESTORE CONSTRAINT privilege.