Teradata Database provides the capability for two types of user security monitoring:
Note: Access log entries are generated each time the database checks a privilege to determine whether or not it will honor a user request.
Logging of Directory Users
Directory users are logged by directory username rather than by the name of any database user they may be mapped to.
Logging of Middle-tier Application Users
Users that access the database through a middle-tier application by means of a trusted session and who are set up as proxy users are logged by their proxy user name. If the middle-tier application and its end users are not set up for trusted sessions, all such users will appear in the log as the same username, that is, the name used by the application.
Enabling and Disabling Access Logging
Use the BEGIN and END LOGGING statements to enable and disable logging and to indicate which access parameters should be logged. Access logging can be set up for almost any database object, for instance, users, databases, or tables.
Security-related System Views
The Data Dictionary provides a number of security-related system views, including the following.
| View | Description |
|------|-------------|
| DBC.AccessLogV | Each entry indicates a privileges check that has resulted from a user request. |
| DBC.AccLogRulesV | Lists the access logging rules contained in each BEGIN and END LOGGING statement. These rules are used by the database to determine the access logging criteria for a particular user or database object. |
| DBC.LogOnOffV | Lists all logon and logoff activity. |
| DBC.LogonRulesV | Lists the logon rules that result from GRANT and REVOKE LOGON statements. These rules are used by the database to determine whether or not to allow logon privileges to a particular user. |
For a complete listing of security-related system views, see Security Administration.
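
The following SQL is an added example, not taken from the Teradata documentation. It enables access logging with BEGIN LOGGING, confirms the rules in DBC.AccLogRulesV, reviews denied privilege checks in DBC.AccessLogV, and removes one rule with END LOGGING. The database Payroll, the table Salaries, the seven-day window and the threshold of 5 are assumptions chosen for illustration.

```sql
-- Added example. Payroll.Salaries is a hypothetical sensitive table.

-- 1. Log every denied privilege check, for all users and all objects.
--    Denials are the low-volume, high-signal events for monitoring.
BEGIN LOGGING DENIALS ON EACH ALL;

-- 2. Log every read and write against one sensitive table, and keep the
--    request text so a reviewer can see exactly what was submitted.
BEGIN LOGGING WITH TEXT ON EACH SELECT, INSERT, UPDATE, DELETE
    ON TABLE Payroll.Salaries;

-- 3. Confirm that the rules were recorded.
SELECT *
FROM DBC.AccLogRulesV;

-- 4. Review the denied requests of the last seven days, newest first.
--    Result = 'D' marks a privilege check that was denied.
SELECT a.LogDate, a.LogTime, a.UserName, a.AccessType,
       a.DatabaseName, a.TVMName, a.StatementText
FROM DBC.AccessLogV a
WHERE a.Result = 'D'
  AND a.LogDate >= CURRENT_DATE - 7
ORDER BY a.LogDate DESC, a.LogTime DESC;

-- 5. Summarize repeated denials per user and object. Repeated denials on
--    the same object usually mean a misconfigured job or account probing.
--    For a middle-tier application without trusted sessions, UserName is
--    the application's own name, so every end user collapses into one row.
SELECT a.UserName, a.DatabaseName, a.TVMName, a.AccessType,
       COUNT(*) AS DenialCount
FROM DBC.AccessLogV a
WHERE a.Result = 'D'
  AND a.LogDate >= CURRENT_DATE - 7
GROUP BY a.UserName, a.DatabaseName, a.TVMName, a.AccessType
HAVING COUNT(*) >= 5          -- threshold is an assumption; tune per site
ORDER BY DenialCount DESC;

-- 6. Stop logging on the table once the rule is no longer needed.
END LOGGING ON EACH SELECT, INSERT, UPDATE, DELETE
    ON TABLE Payroll.Salaries;
```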