Implementing an auditing solution requires making decisions about who will do what with regard to creating, updating, and deleting audit policies; reading audit data records; archiving audit data; and performing other auditing-related activities. You must consider whether you want all responsibility for auditing to reside with one individual, or whether you would rather establish a separation of duty.

The premise behind incorporating a separation of duty is that it removes total responsibility from only one individual and instead shares the responsibility for who can create, manage, maintain, or access auditing in some way. Administrative responsibility for audit data and policy can be separated from the administrative responsibility for the database.

OpenEdge provides four database-level auditing privileges. The auditing security model also allows control over whether privileged users can grant their own privileges to other users. Each user must be authenticated and authorized prior to being assigned auditing-related privileges.

The level of auditing privileges that a user possesses relates directly to the privileges the user has with regard to the audit policy and physical audit data tables. All the audit data that is collected, as well as the audit policy that controls what data is collected, is stored in internal tables. Based on the assigned privileges, these tables are accessible by the database utilities, ABL, and SQL when appropriate permissions have been granted.

The standard OpenEdge database CAN-* permissions do not apply to audit data and audit policy tables. The auditing privileges replace the CAN-* permissions.