As you implement and maintain application-event, internal-event, and database auditing, you want to be sure that the audit data trail is complete and unalterable. To ensure that the audit data is complete, you create and activate audit policies, taking care to include as auditing events only those events whose occurrence is important to you. To ensure that the trail is unalterable, you determine who can access the audit data, and what form that access can take.
For example, who can create and activate an audit policy? Should that same user also be responsible for archiving and loading audit data, or even for determining when those tasks should be done? Do you want to make sure that someone cannot alter data and then cover that activity by altering the corresponding audit data record? Additionally, when should audit data be moved from short-term to long-term storage?
In other words, should the entire responsibility for creating, monitoring, and maintaining audit data rest with one individual? In all likelihood, no. For this reason, OpenEdge allows you to assign auditing roles to individual users and user accounts, thereby granting a user some (but not necessarily all) privileges with regard to audit policy configuration and audit data maintenance.
