Use the BEGIN LOGGING statement to enable access logging of row level security privilege checks. For example:
BEGIN LOGGING [DENIALS] [WITH TEXT] ON [FIRST|EACH] [ALL|operation_type ...(, operation_type)|GRANT] FOR CONSTRAINT constraint_name [BY user_name ...(, user_name)] [ON object_name ...(, object_name);
where:
| Syntax Element | Description |
|---|---|
| DENIALS | Causes the system to create a log entry if a security constraint defined for the object being accessed is not defined for the session. A denial is not logged if the session has the constraint definition, but lacks the required value to access a row.
|
| WITH TEXT | Specifies inclusion of the full text of the request in the log entry. |
| ON [FIRST|EACH] | Optionally defines the logging frequency as either the FIRST time, or EACH time, that the specified action is attempted against the specified object. |
| ALL | Specify one of the following options:
|
| operation_type ...(, operation_type) | |
| GRANT | |
| FOR CONSTRAINT constraint_name | Logging of row level security privilege checks must include the keywords FOR CONSTRAINT. A BEGIN LOGGING statement can only reference one constraint name, and it must be the name of a constraint object that already exists in the system. |
| BY user_name ...(, user_name) | Identifies the users whose sessions are logged. If the BY clause is not specified, logging applies to all users. |
| ON object_name ...(, object_name) | Identifies the objects for which requests can generate row level security access logging, based on the specified logging parameters. Each object_name must be a database or a table.
If no objects are specified, access logging rules apply to all objects that are subject to the security constraint specification. |