16.10 - Beginning RLS Access Logging - Teradata Database

Teradata Database Security Administration

Teradata Database
June 2017

Use the BEGIN LOGGING statement to enable access logging of row level security privilege checks. For example:

ON [FIRST|EACH] [ALL|operation_type  ...(,  operation_type)|GRANT]
FOR CONSTRAINT  constraint_name 
[BY  user_name  ...(,  user_name)]
[ON  object_name  ...(,  object_name);


Syntax Element Description
DENIALS Causes the system to create a log entry if a security constraint defined for the object being accessed is not defined for the session.
A denial is not logged if the session has the constraint definition, but lacks the required value to access a row.
WITH TEXT Specifies inclusion of the full text of the request in the log entry.
ON [FIRST|EACH] Optionally defines the logging frequency as either the FIRST time, or EACH time, that the specified action is attempted against the specified object.
ALL Specify one of the following options:
  • The ALL option logs UDF enforcement of all row level security restrictions for the constraint name, on the specified object(s).
  • The operation_type option logs UDF enforcement on the listed SQL operations and SQL/ARC /overrides, for the constraint name, on the specified object(s).
  • The GRANT option logs all grants for the user and object specifications.
operation_type ...(, operation_type)
FOR CONSTRAINT constraint_name Logging of row level security privilege checks must include the keywords FOR CONSTRAINT.

A BEGIN LOGGING statement can only reference one constraint name, and it must be the name of a constraint object that already exists in the system.

BY user_name ...(, user_name) Identifies the users whose sessions are logged.

If the BY clause is not specified, logging applies to all users.

ON object_name ...(, object_name) Identifies the objects for which requests can generate row level security access logging, based on the specified logging parameters.

Each object_name must be a database or a table.

  • If a database is specified, the logging applies to all tables in the database that contain the specified constraint.
  • If table is specified, it must contain the specified constraint.

If no objects are specified, access logging rules apply to all objects that are subject to the security constraint specification.