15.10 - operation - Teradata Database

Teradata Database SQL Data Definition Language Syntax and Examples

prodname
Teradata Database
vrm_release
15.10
created_date
December 2015
category
Programming Reference
featnum
B035-1144-151K

The types of SQL requests to be logged.

If you do not specify the ALL option, you must specify one or more operations from the following list to define which privilege checks are logged.

  • ALTER EXTERNAL PROCEDURE
  • ALTER FUNCTION
  • ALTER PROCEDURE
  • CHECKPOINT
  • CREATE AUTHORIZATION
  • CREATE DATABASE
  • CREATE EXTERNAL PROCEDURE
  • CREATE FUNCTION
  • CREATE GLOP SET
  • CREATE MACRO
  • CREATE PROCEDURE
  • CREATE PROFILE
  • CREATE ROLE
  • CREATE TABLE
  • CREATE TRIGGER
  • CREATE USER
  • CREATE VIEW
  • DATABASE
  • DELETE
  • DROP
  • DROP AUTHORIZATION
  • DROP DATABASE
  • DROP FUNCTION
  • DROP GLOP SET
  • DROP MACRO
  • DROP PROCEDURE
  • DROP PROFILE
  • DROP ROLE
  • DROP TABLE
  • DROP TRIGGER
  • DROP USER
  • DROP VIEW
  • DUMP
  • EXECUTE
  • EXECUTE FUNCTION
  • EXECUTE PROCEDURE
  • GRANT (including GRANTs of row-level security administration privileges)
  • INDEX
  • INSERT
  • MACRO
  • PROCEDURE
  • REFERENCES
  • RESTORE
  • ROLLBACK DATABASE
  • ROLLFORWARD DATABASE
  • SELECT
  • TABLE
  • TRIGGER
  • UDTMETHOD
  • UDTTYPE
  • UDTUSAGE
  • UPDATE
  • USER
  • VIEW

The following list of operations applies to row-level security logging.

If the log rule is for row-level security enforcement (a FOR CONSTRAINT constraint_name specification), but you do not specify an operation type, Teradata Database includes all of the row-level security operation types in the logging specification.

  • DELETE
  • INSERT
  • OVERRIDE DELETE
  • OVERRIDE DUMP
  • OVERRIDE INSERT
  • OVERRIDE RESTORE
  • OVERRIDE SELECT
  • OVERRIDE UPDATE
  • SELECT
  • UPDATE

If you do not want to log all of these operation types (excluding OVERRIDE DUMP and OVERRIDE RESTORE, which are not logged by default), you must specify the each operation type you want to log in the BEGIN LOGGING request.

The system enters one row in the log for each affected operation. Individual refusals of row access are not logged.

If you specify the logging of row-level security operations, then the only valid object types you can specify are row-level security tables, databases or users.

  • If you specify a database or user, then Teradata Database logs all of the tables contained within the specified database or user that contain the constraint specified by constraint_name.
  • If you specify a table, then that table must contain a row-level security column that matches constraint_name.
  • If you do not specify an object, the system logs privilege checks on the specified operations for all tables in which the constraint_name appears.

When you specify DENIALS for one of the OVERRIDE privileges, Teradata Database generates a log entry only if a user attempts to select from a row-level security-protected table, under the following conditions:

  • The user does not have a session constraint value for the audited constraint.

    and

  • The users does not have the OVERRIDE SELECT CONSTRAINT privilege.

The effects of OVERRIDE DELETE, INSERT, and UPDATE are similar.

If you submit the following request,

     BEGIN LOGGING DENIALS
     ON EACH OVERRIDE DUMP CONSTRAINT
     FOR CONSTRAINT levels;

Teradata Database generates a log entry if the user does not have the OVERRIDE DUMP CONSTRAINT privilege and tries to archive a row-level security table that has the audited constraint.

The same applies to RESTORE and not having the OVERRIDE RESTORE CONSTRAINT privilege.