Entries should be made only when statement execution fails because the user did not have the privilege set necessary to perform the request.
DENIALS is applied to only those actions listed in the BEGIN LOGGING request that contains it.
For example, two BEGIN LOGGING requests can specify the same object, user, and action, but different frequency and DENIALS options. This allows the user to log all denials, but only the first successful use of a privilege.
If this option is not specified, a log entry is made if the privilege check either fails or succeeds.
You cannot log DENIALS for DELETE, INSERT, SELECT, or UPDATE operations on row-level security-protected tables because the inability of users to access a row is due to row-level security enforcement by the constraint UDF rather than being the result of a normal database privilege check.
Also see the row-level security section for the operation variable later in this table.