17.00 - Example: Column-Level Discretionary Access Control and Row-Level Security Audit Logging - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - SQL Data Definition Language Syntax and Examples

Advanced SQL Engine
Teradata Database
Release Number
Release Date
September 2020
Content Type
Programming Reference
Publication ID
English (United States)

Suppose you want to audit any attempt by user TomSmith to insert a row into the emp_record table because such an attempt is a violation of the discretionary access control security policy at your site.

The request to do this auditing looks like this.

     ON EACH INSERT BY TomSmith 
     ON emp_record;

Suppose you would also like to know whenever a user attempts to insert a row that violates the row-level security policy for the target table, which is maintained by a row-level security constraint named group_membership.

You cannot execute DENIALS logging for DELETE, INSERT, SELECT, or UPDATE ... FOR CONSTRAINT requests. Denials as a result of insufficient security credentials to execute a DML request on an row-level security-protected table are not treated as an access denial.

If you attempt to execute a DML request, but do not have the required row-level security privilege, that request is considered to be a DENIAL.

For example, if you attempt to insert a value into a constraint column, you do not have a default session constraint value, and you do not do not have the OVERRIDE INSERT CONSTRAINT privilege on the table, that attempt would be considered a denial.

For example, Vantage generates an audit row if logging is enabled by the following request.

     FOR CONSTRAINT group_membership
     ON TABLE securedb.emp_record;