Use the BEGIN LOGGING statement to enable access logging of row level security privilege checks. For example:
BEGIN LOGGING [DENIALS] [WITH TEXT] ON [FIRST|EACH] [ALL|operation_type ...(, operation_type)|GRANT] FOR CONSTRAINT constraint_name [BY user_name ...(, user_name)] [ON object_name ...(, object_name);
where:
Syntax Element | Description |
---|---|
DENIALS | Causes the system to create a log entry if a security constraint defined for the object being accessed is not defined for the session. A denial is not logged if the session has the constraint definition, but lacks the required value to access a row.
|
WITH TEXT | Specifies inclusion of the full text of the request in the log entry. |
ON [FIRST|EACH] | Optionally defines the logging frequency as either the FIRST time, or EACH time, that the specified action is attempted against the specified object. |
ALL | Specify one of the following options:
|
operation_type ...(, operation_type) | |
GRANT | |
FOR CONSTRAINT constraint_name | Logging of row level security privilege checks must include the keywords FOR CONSTRAINT. A BEGIN LOGGING statement can only reference one constraint name, and it must be the name of a constraint object that already exists in the system. |
BY user_name ...(, user_name) | Identifies the users whose sessions are logged. If the BY clause is not specified, logging applies to all users. |
ON object_name ...(, object_name) | Identifies the objects for which requests can generate row level security access logging, based on the specified logging parameters. Each object_name must be a database or a table.
If no objects are specified, access logging rules apply to all objects that are subject to the security constraint specification. |