Assign audit security privileges
- Last Updated: March 30, 2020
- OpenEdge
- Version 12.2
By default, OpenEdge applies a GRANT authorization model to all audit-related database tables. This means that in order for an individual to be able to create audit policies and manage audit data, the individual must be granted the appropriate privileges to do so.
Because you might not want only one individual to have responsibility for all audit-related activities, you can assign to certain users one or more auditing privileges. When you assign privileges to a user, you also decide whether that user can then grant the same privileges to other users. Only users who have been granted the appropriate privileges can perform the corresponding auditing functions.
There are four audit security privileges:
- Audit administrator—An authenticated user who has been granted privileges to create, update, and delete audit policies and read audit data.
- Application audit event inserter—An authenticated user who has been granted privileges to generate application audit events. Note that in ABL applications, application of this privilege is optional and disabled by default; in SQL applications, application of the privilege is enabled by default and cannot be disabled. The application audit event inserter does not have privileges to archive audit data or policy tables.
- Audit data archiver—An authenticated user who has been granted privileges only to archive or load audit data. An audit data archiver has no access to audit policy.
- Audit data reporter—An authenticated user who has been granted privileges to read the audit data.
The audit administrator has unrestricted read access to all the audit tables; no one has the privilege to update the audit data, and only the audit data archiver can truncate the audit data or move it to another location, for example to long-term storage. The audit administrator is the only user authorized to configure audit policy. The generated policy and audit data are stored in standard OpenEdge database tables, which allows you to easily query the data for audit details.
The addition or removal of a user account from the list of privileged audit users results in an auditing record being generated to preserve any and all changes.
As shown in the following table, a user who is granted a particular auditing privilege can (with permission) grant one or more audit privileges to other users. Whenever an audit administrator grants or revokes an audit privilege, that action is recognized system-wide by both the SQL and the ABL clients.
| A user with this audit privilege . . . | Can grant this privilege to other users . . . |
|---|---|
| Audit administrator | Audit administrator, Application audit event inserter, Audit data reporter, Audit data archiver |
| Application audit event inserter | Application audit event inserter |
| Audit data reporter | Audit data reporter |
| Audit data archiver | Audit data archiver |
SQL administrators grant audit-related privileges through the SQL GRANT statement. ABL administrators use either Data Administration or the character Data Dictionary.
For more information, see the Database Administration online help, the Data Dictionary online help, OpenEdge Database Tools, and Develop SQL for OpenEdge.
If no specific audit administrator is defined, the security administrator or ABL administrator automatically inherits the audit administrator privilege. If no specific security administrator or ABL administrator is defined, all users are, effectively, security administrators or ABL administrators and inherit the privilege of audit administrator.
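As an added example (not Progress code), the following Python models the delegation matrix from the table above together with the grant-option choice and the fallback rule for a missing audit administrator; the data layout, the `security_admins` set and the assumption that an inherited audit administrator privilege is grantable are mine, not the product's.

```python
from dataclasses import dataclass, field

AUDIT_ADMIN = "Audit administrator"
EVENT_INSERTER = "Application audit event inserter"
DATA_REPORTER = "Audit data reporter"
DATA_ARCHIVER = "Audit data archiver"
AUDIT_PRIVILEGES = {AUDIT_ADMIN, EVENT_INSERTER, DATA_REPORTER, DATA_ARCHIVER}

# Delegation matrix from the page: a holder of the key privilege may grant
# the privileges in the value set (only an audit administrator may grant all).
CAN_GRANT = {
    AUDIT_ADMIN: AUDIT_PRIVILEGES,
    EVENT_INSERTER: {EVENT_INSERTER},
    DATA_REPORTER: {DATA_REPORTER},
    DATA_ARCHIVER: {DATA_ARCHIVER},
}


@dataclass
class AuditSecurity:
    grants: dict = field(default_factory=dict)         # user -> {privilege: grantable}
    security_admins: set = field(default_factory=set)  # assumed: the DB security administrators
    log: list = field(default_factory=list)            # audit records of grant/revoke actions

    def privileges(self, user):
        held = dict(self.grants.get(user, {}))
        # Page rule: with no explicit audit administrator, security administrators inherit
        # that privilege; with none of those either, every user does. Assumed grantable.
        if not any(AUDIT_ADMIN in p for p in self.grants.values()):
            if not self.security_admins or user in self.security_admins:
                held.setdefault(AUDIT_ADMIN, True)
        return held

    def _may_grant(self, grantor, priv):
        return any(priv in CAN_GRANT[h] and grantable
                   for h, grantable in self.privileges(grantor).items())

    def grant(self, grantor, grantee, priv, with_grant_option=False):
        if not self._may_grant(grantor, priv):
            return False  # grantor lacks the privilege or was given it without grant option
        self.grants.setdefault(grantee, {})[priv] = with_grant_option
        self.log.append(("grant", grantor, grantee, priv))  # the change is itself audited
        return True

    def revoke(self, grantor, grantee, priv):
        if not self._may_grant(grantor, priv) or priv not in self.grants.get(grantee, {}):
            return False
        del self.grants[grantee][priv]
        self.log.append(("revoke", grantor, grantee, priv))
        return True
```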