Core Business Services - Security and Auditing
Assigning audit security privileges
By default, OpenEdge applies a GRANT authorization model to all audit-related database tables: an individual can create audit policies or manage audit data only after being granted the appropriate privileges.
Because you might not want a single individual to be responsible for all audit-related activities, you can assign one or more auditing privileges to specific users. When you assign a privilege, you also decide whether that user can in turn grant the same privilege to other users. Only users who hold the appropriate privilege can perform the corresponding auditing function.
There are four audit security privileges:
*Audit administrator — An authenticated user who has been granted privileges to create, update, and delete audit policies and read audit data.
*Application audit event inserter — An authenticated user who has been granted privileges to generate application audit events. In ABL applications, enforcement of this privilege is optional and disabled by default; in SQL applications, it is enforced by default and cannot be disabled.
The application audit event inserter does not have privileges to archive audit data or policy tables.
*Audit data archiver — An authenticated user who has been granted privileges only to archive or load audit data. An audit data archiver has no access to audit policy.
*Audit data reporter — An authenticated user who has been granted privileges to read the audit data.
The audit administrator has unrestricted read access to all the audit tables. No one has the privilege to update audit data once it has been recorded, and only the audit data archiver can truncate the audit data or move it to another location (for long-term storage, for example). The audit administrator is the only user authorized to configure audit policy. Both the audit policy and the audit data are stored in standard OpenEdge database tables, so you can query them directly for audit details.
Adding a user account to, or removing one from, the list of privileged audit users generates an audit record, so every change to the privileged set is preserved.
As shown in the following table, a user who holds a particular auditing privilege can (if given permission to do so) grant one or more audit privileges to other users. Whenever an audit administrator grants or revokes an audit privilege, the change is recognized system-wide by both SQL and ABL clients.
Table 6. Granting audit privileges to other users

A user with this audit privilege . . .    Can grant this privilege to other users . . .
Audit administrator                        Audit administrator, Application audit event inserter, Audit data reporter, Audit data archiver
Application audit event inserter           Application audit event inserter
Audit data reporter                        Audit data reporter
Audit data archiver                        Audit data archiver
SQL administrators grant audit-related privileges through the SQL GRANT statement. ABL administrators use either Data Administration or the character Data Dictionary.
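The following statements are an added illustration of the SQL route and are not part of the original page. They grant each of the four audit privileges to a different account so that the user who writes policy is not the user who can archive (and thereby remove) the audit data. The user names are hypothetical, and the privilege keywords (AUDIT_ADMINISTRATOR, AUDIT_INSERT, AUDIT_REPORTER, AUDIT_ARCHIVER) are assumed from the OpenEdge SQL GRANT syntax; check them against the SQL Reference for the release you run.

```sql
-- Added example: hypothetical user names, privilege keywords assumed from the
-- OpenEdge SQL GRANT syntax. Run as a user who already holds the privilege
-- being granted (see Table 6 for who may grant what).

-- Separate duties: policy author, event producer, read-only reviewer, archiver.
GRANT AUDIT_ADMINISTRATOR TO 'audit_admin';    -- creates/updates/deletes policy, reads audit data
GRANT AUDIT_INSERT        TO 'app_service';    -- application audit event inserter
GRANT AUDIT_REPORTER      TO 'compliance_ro';  -- read-only access to audit data
GRANT AUDIT_ARCHIVER      TO 'archive_ops';    -- archive/load audit data only, no policy access

-- Revocation uses the matching REVOKE form. Per the text above, both the grant
-- and the revoke are themselves recorded as audit events.
REVOKE AUDIT_INSERT FROM 'app_service';

COMMIT;
```

Keeping the archiver and the administrator as distinct accounts matters because the archiver is the only role that can truncate or move audit data; an administrator who also holds that privilege could alter policy and then dispose of the evidence of having done so.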
For more information, see the Database Administration online help, the Data Dictionary online help, OpenEdge Development: Basic Database Tools, and OpenEdge Data Management: SQL Development.
If no specific audit administrator is defined, the security administrator or ABL administrator automatically inherits the audit administrator privilege. If no security administrator or ABL administrator is defined either, every user is effectively a security administrator or ABL administrator and therefore inherits the audit administrator privilege. In practice this means that a database with no defined administrators lets any authenticated user configure audit policy, so define the security administrator and audit administrator accounts before relying on audit data.