16.10 - Ending RLS Access Logging - Teradata Database

Teradata Database Security Administration

Teradata Database
Release Number
Release Date
June 2017
Content Type
Publication ID
English (United States)

You can selectively end some or all access logging for a security constraint using the END LOGGING statement, for example:

[ALL|operation_type  ...(,  operation_type)|GRANT]
FOR CONSTRAINT  constraint_name 
[BY  user_name  ...(,  user_name)]
[ON  object_name  ...(,  object_name)


Syntax Element Description
DENIALS Causes the system to end logging when a security constraint defined for the object being accessed is not defined for the session user/profile.
Denials are not logged if the session has the constraint definition, but lacks the required value to access a row.
WITH TEXT Specifies inclusion of the full text of the request in the log entry.
ON [FIRST|EACH] Optionally defines the logging frequency as either the FIRST time, or EACH time, that the specified action is attempted against the specified object.
ALL Specify one of the following options:
  • The ALL option ends logging of UDF enforcement of all row level security restrictions for the constraint name specification, on the object specification.
  • The operation_type option ends logging of UDF enforcement of SQL operations and SQL/ARC overrides, for the constraint name specification, on the object specification.
  • The GRANT option ends logging of grants for the username specification
operation_type ...(, operation_type)
FOR CONSTRAINT constraint_name Logging of row level security privilege checks must include the keywords FOR CONSTRAINT.

An END LOGGING statement can only reference one constraint name, and it must already exist in the system.

BY user_name ...(, user_name) Identifies the users for whose sessions logging is ended.

If the BY clause is not specified, logging applies to all users.

BY object_name ...(, object_name) Identifies the objects for which requests no longer generate row level security access logging, based on the specified logging parameters.

Each object_name must be a database or a table.

  • If a database is specified, the end logging applies to all tables in the database that contain the specified constraint.
  • If table is specified, it must contain the specified constraint.

If no objects are specified, access logging is ended for all objects that are subject to the security constraint specification.