16.10 - Beginning RLS Access Logging - Teradata Database

Teradata Database Security Administration

Teradata Database
Release Date: June 2017
English (United States)

Use the BEGIN LOGGING statement to enable access logging of row level security privilege checks. The statement has the following form:

BEGIN LOGGING [DENIALS] [WITH TEXT]
ON [FIRST|EACH] [ALL|operation_type ...(, operation_type)|GRANT]
FOR CONSTRAINT constraint_name
[BY user_name ...(, user_name)]
[ON object_name ...(, object_name)];


Syntax Element
    Description

DENIALS
    Causes the system to create a log entry if a security constraint defined for the object being accessed is not defined for the session.
    A denial is not logged if the session has the constraint definition, but lacks the required value to access a row.

WITH TEXT
    Specifies inclusion of the full text of the request in the log entry.

ON [FIRST|EACH]
    Optionally defines the logging frequency as either the FIRST time, or EACH time, that the specified action is attempted against the specified object.

ALL
operation_type ...(, operation_type)
    Specify one of the following options:
      • The ALL option logs UDF enforcement of all row level security restrictions for the constraint name, on the specified object(s).
      • The operation_type option logs UDF enforcement on the listed SQL operations and SQL/ARC overrides, for the constraint name, on the specified object(s).
      • The GRANT option logs all grants for the user and object specifications.

FOR CONSTRAINT constraint_name
    Logging of row level security privilege checks must include the keywords FOR CONSTRAINT.
    A BEGIN LOGGING statement can only reference one constraint name, and it must be the name of a constraint object that already exists in the system.

BY user_name ...(, user_name)
    Identifies the users whose sessions are logged.
    If the BY clause is not specified, logging applies to all users.

ON object_name ...(, object_name)
    Identifies the objects for which requests can generate row level security access logging, based on the specified logging parameters.
    Each object_name must be a database or a table.
      • If a database is specified, the logging applies to all tables in the database that contain the specified constraint.
      • If a table is specified, it must contain the specified constraint.
    If no objects are specified, access logging rules apply to all objects that are subject to the security constraint specification.
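
The following added example (not part of the Teradata documentation) generates BEGIN LOGGING ... FOR CONSTRAINT statements from a reviewed rule definition, enforcing the rules described above and rejecting identifiers that could inject SQL into the statement. Assumptions: the function name begin_rls_logging, the four-entry operation allow-list, the sample names in the usage note, and the DATABASE/TABLE keyword placed before each object name (taken from the general BEGIN LOGGING grammar; the summary above shows only object_name).

```python
import re

# Assumed allow-list: the page says only "SQL operations"; this is an illustrative subset.
SQL_OPERATIONS = {"SELECT", "INSERT", "UPDATE", "DELETE"}
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name, dotted=False):
    """Accept only plain identifiers so no SQL can be smuggled into the statement."""
    parts = name.split(".") if dotted else [name]
    if len(parts) > 2 or not all(_IDENT.match(p) for p in parts):
        raise ValueError(f"unsafe or malformed identifier: {name!r}")
    return name


def begin_rls_logging(constraint, what="ALL", frequency=None, denials=False,
                      with_text=False, users=(), objects=()):
    """Build one BEGIN LOGGING ... FOR CONSTRAINT statement.

    what    -- "ALL", "GRANT", or a list of operation types (mutually exclusive)
    objects -- (kind, name) pairs; kind is "DATABASE" or "TABLE"
    """
    if frequency not in (None, "FIRST", "EACH"):
        raise ValueError("frequency must be FIRST or EACH")
    if isinstance(what, str):
        if what not in ("ALL", "GRANT"):
            raise ValueError("use ALL, GRANT, or a list of operation types")
        target = what
    else:
        ops = [op.upper() for op in what]
        if not ops or not set(ops) <= SQL_OPERATIONS:
            raise ValueError(f"unsupported operation list: {what!r}")
        target = ", ".join(ops)
    head = "BEGIN LOGGING" + (" DENIALS" if denials else "") + (" WITH TEXT" if with_text else "")
    lines = [head,
             "ON " + (frequency + " " if frequency else "") + target,
             # Exactly one constraint per statement; FOR CONSTRAINT is mandatory.
             "FOR CONSTRAINT " + _ident(constraint)]
    if users:  # no BY clause: logging applies to all users
        lines.append("BY " + ", ".join(_ident(u) for u in users))
    if objects:  # no ON clause: every object subject to the constraint
        specs = []
        for kind, name in objects:
            if kind not in ("DATABASE", "TABLE"):
                raise ValueError("object must be a DATABASE or a TABLE")
            specs.append(kind + " " + _ident(name, dotted=(kind == "TABLE")))
        lines.append("ON " + ", ".join(specs))
    return "\n".join(lines) + ";"
```

For instance, begin_rls_logging("Classification_Level", what=["SELECT"], frequency="EACH", denials=True, users=["auditor1"], objects=[("TABLE", "HR.Employee")]) returns a statement scoped to one user and one table; all of these names are constructed.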