Teradata RDBMS for UNIX SQL Reference - NCR

NCR Teradata RDBMS for UNIX SQL Reference - NCR, 1997. - 913 p.

CREATE USER      DUMP       ROLLBACK DATABASE
CREATE VIEW      EXECUTE    ROLLFORWARD DATABASE
DELETE           GRANT      SELECT
DROP DATABASE    INDEX      UPDATE

Up to 20 objects can be in a BEGIN/END LOGGING statement. If more than 20 objects are required, use two or more BEGIN/END LOGGING statements.

Teradata RDBMS for UNIX SQL Reference
Teradata SQL Syntax Guide

BEGIN/END LOGGING

If more or less logging is desired, the full function of the BEGIN LOGGING statement may be used. Also, logging may be ended on any action, user, or object for which logging is currently active.

Only those sites that require access logging should create the DBC.AccLogRule macro. The feature exacts a performance penalty even if little or no logging is performed.

This feature must be installed by any site that used to use the SecurityLog and wishes to continue to do so. Once the DBC.AccLogRule macro is created and logging is initialized, the following command will cause the same statements to be logged as were previously logged in the SecurityLog.

The user executing a BEGIN LOGGING or END LOGGING statement must have the EXECUTE privilege on the DBC.AccLogRule macro.

Changing Options: No Access Rights if MODIFY USER is used

You can enter a self-referent MODIFY USER statement. In such a case, no access rights are required in order to change the following options:

• BEFORE JOURNAL

• AFTER JOURNAL

• DEFAULT JOURNAL TABLE

• PASSWORD

• STARTUP

• COLLATION

• DEFAULT DATABASE.

Logging is triggered by the use of access rights. Therefore, no logging occurs if you enter a self-referent MODIFY USER statement.

BEGIN LOGGING Generates Entries in DBC.AccLogTbl

The rules resulting from the execution of BEGIN/END LOGGING statements are entered in the system table DBC.AccLogRuleTbl. When logging is begun, the specified privilege checks performed by the Teradata RDBMS generate entries in the system table DBC.AccLogTbl. The contents of these tables can be monitored via the system views DBC.AccLogRules and DBC.AccessLog.

Aged log entries can be purged automatically. The viewname to be used in the DELETE statement is DBC.DeleteAccessLog.

Privilege checks generate log entries. MODIFY is not a privilege that can be granted, so MODIFY is not a privilege that is checked. MODIFY operations are not logged.


To log MODIFY operations, select logging for the type of access that the MODIFY will or might require.

Specifying such actions as DROP, INSERT, DELETE, and UPDATE can cause logging on actions used by a MODIFY. For example, to log MODIFY DATABASE operations, specify logging on the DROP DATABASE privilege. DROP DATABASE is the documented access right requirement for MODIFY DATABASE.

ALL, Operation, or GRANT Actions with Access Rights

Rules related to access rights are the following:

• CREATE DATABASE/MACRO/TABLE/VIEW/USER and DROP DATABASE/USER are allowed only on databases or users.

• DROP TABLE includes ALTER TABLE.

• DROP MACRO or VIEW includes REPLACE MACRO or VIEW.

• Only DROP, EXECUTE, and GRANT are allowed on macros.

• DUMP, RESTORE, and CHECKPOINT are not allowed on views.

• DATABASE, TABLE, VIEW, MACRO, and USER confer both CREATE and DROP privileges.

The END LOGGING statement erases only the frequency and/or END LOGGING text flags for the specified actions and user or object. However, if erasing a frequency leaves all logging blank for a particular user, database, and table, the row is deleted from the AccLogRuleTbl table.

Use of the END LOGGING statement results in an error if BEGIN LOGGING is not currently in effect for the community for which logging is to be ended.

Checked Access Rights Are Not Always for the Logon Username

The access rights checked at execution time are not always those for the logon username. In the execution of a macro, for example, the access right checked for the EXECUTE statement is for the logon username. However, the access rights checked for the individual statements within the macro are for the owner of the macro.

The logon name is always present. The second name is also present, as the owner name, if the access right being checked is for other than the logon name.

Log Entry Generated If Logging Rule Present

A log entry is generated only if a logging rule is present for the object or for the user whose privilege is being checked. Log entries may contain two names.


Logging begun for specific usernames cannot be ended by omitting the “BY username” option.

Object Level Used in the Logging Statement

When a logging statement specifies logging at the database level, actions against all the tables in that database are candidates for log entries. Also, the object level used in granting an access right should be considered when specifying the object level of a logging statement.
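
The rules above applied to one audit setup, as an added example that is not taken from the NCR manual: it covers MODIFY DATABASE through the DROP DATABASE privilege, logs at the database level, and ends a user-specific rule with its BY clause. The names Payroll, Payroll.Salary and AuditAdmin are hypothetical; the frequency keywords EACH and FIRST are BEGIN LOGGING options that this page refers to only as "frequency"; the LogDate column is assumed to be exposed by the access log views in this release.

```sql
-- Added example. Payroll, Payroll.Salary and AuditAdmin are hypothetical names.
-- The submitting user needs EXECUTE on the DBC.AccLogRule macro.

-- MODIFY is not a grantable privilege, so it is never checked and never logged.
-- MODIFY DATABASE requires DROP DATABASE, so log that privilege instead.
BEGIN LOGGING WITH TEXT ON EACH DROP DATABASE
    ON DATABASE Payroll;

-- A database-level rule makes actions against every table in Payroll
-- candidates for log entries.
BEGIN LOGGING ON EACH INSERT, UPDATE, DELETE
    ON DATABASE Payroll;

-- A rule limited to one user and one table.
BEGIN LOGGING ON FIRST SELECT
    BY AuditAdmin
    ON TABLE Payroll.Salary;

-- Audit gap that no rule closes: a self-referent MODIFY USER (for example a
-- user changing their own PASSWORD or DEFAULT DATABASE) uses no access right,
-- so it produces no entry in DBC.AccLogTbl.

-- Review the active rules (DBC.AccLogRuleTbl) and the entries they produced
-- (DBC.AccLogTbl) through the system views.
SELECT * FROM DBC.AccLogRules;
SELECT * FROM DBC.AccessLog;

-- Ending the user-specific rule: the BY clause must be repeated, because
-- logging begun for specific usernames cannot be ended by omitting it.
END LOGGING ON FIRST SELECT
    BY AuditAdmin
    ON TABLE Payroll.Salary;

-- Purge aged entries through the delete view.
-- Assumption: the view exposes a LogDate column; 90 days is an arbitrary
-- retention period chosen for this example.
DELETE FROM DBC.DeleteAccessLog
WHERE LogDate < DATE - 90;
```

Because a macro's inner statements are checked against the macro owner, entries from the first two rules may carry both the logon name and an owner name.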