15.10 - Example: Column-Level Discretionary Access Control and Row-Level Security Audit Logging - Teradata Database

Teradata Database SQL Data Definition Language Syntax and Examples

prodname
Teradata Database
vrm_release
15.10
created_date
December 2015
category
Programming Reference
featnum
B035-1144-151K

Suppose you want to audit any attempt by user TomSmith to insert a row into the emp_record table because such an attempt is a violation of the discretionary access control security policy at your site.

The request to do this auditing looks like this.

     BEGIN LOGGING DENIALS WITH TEXT 
     ON EACH INSERT BY TomSmith 
     ON emp_record;

Suppose you would also like to know whenever a user attempts to insert a row that violates the row-level security policy for the target table, which is maintained by a row-level security constraint named group_membership.

You cannot execute DENIALS logging for DELETE, INSERT, SELECT, or UPDATE ... FOR CONSTRAINT requests. Denials as a result of insufficient security credentials to execute a DML request on an row-level security-protected table are not treated as an access denial.

If you attempt to execute a DML request, but do not have the required row-level security privilege, that request is considered to be a DENIAL.

For example, if you attempt to insert a value into a constraint column, you do not have a default session constraint value, and you do not do not have the OVERRIDE INSERT CONSTRAINT privilege on the table, that attempt would be considered a denial.

For example, Teradata Database generates an audit row if logging is enabled by the following request.

     BEGIN LOGGING DENIALS
     ON EACH OVERRIDE INSERT
     FOR CONSTRAINT group_membership
     ON TABLE securedb.emp_record;