16.10 - Ending RLS Access Logging - Teradata Database

Teradata Database Security Administration

prodname
Teradata Database
vrm_release
16.10
created_date
June 2017
category
Administration
Security
featnum
B035-1100-161K

You can selectively end some or all access logging for a security constraint using the END LOGGING statement, for example:

END LOGGING [DENIALS] [WITH TEXT]
On [FIRST|EACH]
[ALL|operation_type  ...(,  operation_type)|GRANT]
FOR CONSTRAINT  constraint_name 
[BY  user_name  ...(,  user_name)]
[ON  object_name  ...(,  object_name)

where:

Syntax Element Description
DENIALS Causes the system to end logging when a security constraint defined for the object being accessed is not defined for the session user/profile.
Denials are not logged if the session has the constraint definition, but lacks the required value to access a row.
WITH TEXT Specifies inclusion of the full text of the request in the log entry.
ON [FIRST|EACH] Optionally defines the logging frequency as either the FIRST time, or EACH time, that the specified action is attempted against the specified object.
ALL Specify one of the following options:
  • The ALL option ends logging of UDF enforcement of all row level security restrictions for the constraint name specification, on the object specification.
  • The operation_type option ends logging of UDF enforcement of SQL operations and SQL/ARC overrides, for the constraint name specification, on the object specification.
  • The GRANT option ends logging of grants for the username specification
operation_type ...(, operation_type)
GRANT
FOR CONSTRAINT constraint_name Logging of row level security privilege checks must include the keywords FOR CONSTRAINT.

An END LOGGING statement can only reference one constraint name, and it must already exist in the system.

BY user_name ...(, user_name) Identifies the users for whose sessions logging is ended.

If the BY clause is not specified, logging applies to all users.

BY object_name ...(, object_name) Identifies the objects for which requests no longer generate row level security access logging, based on the specified logging parameters.

Each object_name must be a database or a table.

  • If a database is specified, the end logging applies to all tables in the database that contain the specified constraint.
  • If table is specified, it must contain the specified constraint.

If no objects are specified, access logging is ended for all objects that are subject to the security constraint specification.