Release 10.1A: OpenEdge Getting Started:
Core Business Services


Assigning audit security privileges

By default, OpenEdge applies a GRANT authorization model to all audit-related database tables. This means that in order for an individual to be able to create audit policies and manage audit data, the individual must be granted the appropriate privileges to do so.

Because you might not want a single individual to be responsible for all audit-related activities, you can assign one or more auditing privileges to specific users. When you assign privileges to a user, you also decide whether that user can then grant the same privileges to other users. Only users who have been granted the appropriate privileges can perform the corresponding auditing functions.

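There are four audit security privileges: audit administrator, application audit event inserter, audit data reporter, and audit data archiver.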

The audit administrator has unrestricted read access to all the audit tables. No one has the privilege to update the audit data, and only the audit data archiver can truncate the audit data or move it to another location (for long-term storage, for example). The audit administrator is the only user authorized to configure audit policy. The generated policy and audit data are stored in standard OpenEdge database tables, which allows you to easily query the data for audit details.

The addition or removal of a user account from the list of privileged audit users results in an auditing record being generated to preserve any and all changes.

As shown in Table 9–1, a user who is granted a particular auditing privilege can (with permission) grant one or more audit privileges to other users. Whenever an audit administrator grants or revokes an audit privilege, that action is recognized system-wide by both the SQL and the 4GL clients.

Table 9–1: Granting audit privileges to other users

| A user with this audit privilege | Can grant this privilege to other users |
|---|---|
| Audit administrator | Audit administrator, Application audit event inserter, Audit data reporter, Audit data archiver |
| Application audit event inserter | Application audit event inserter |
| Audit data reporter | Audit data reporter |
| Audit data archiver | Audit data archiver |

SQL administrators grant audit-related privileges through the SQL GRANT statement. Progress 4GL administrators use either Data Administration or the character Data Dictionary.

For more information, see the Database Administration online help, the Data Dictionary online help, OpenEdge Development: Basic Database Tools, and OpenEdge Data Management: SQL Development.

If no specific audit administrator is defined, the database administrator or 4GL administrator automatically inherits the audit administrator privilege. If no specific database administrator or 4GL administrator is defined, all users are, effectively, database administrators or 4GL administrators and inherit the privilege of audit administrator.
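
The delegation rules in Table 9–1 and the inheritance fallback described above, modelled in Python as an added example (this is not Progress code and not an OpenEdge API). The class, its method names, the finding messages, and the rule that an inherited audit administrator can grant any privilege are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADMIN, INSERTER, REPORTER, ARCHIVER = (
    "audit administrator", "application audit event inserter",
    "audit data reporter", "audit data archiver")

# Table 9-1: privilege held -> privileges the holder can pass on.
GRANTABLE = {ADMIN: {ADMIN, INSERTER, REPORTER, ARCHIVER},
             INSERTER: {INSERTER}, REPORTER: {REPORTER}, ARCHIVER: {ARCHIVER}}

@dataclass
class AuditSecurity:  # hypothetical model, not an OpenEdge interface
    all_users: set
    db_admins: set = field(default_factory=set)  # defined DBA / 4GL administrators
    grants: dict = field(default_factory=dict)   # (user, privilege) -> may re-grant?
    audit_log: list = field(default_factory=list)

    def explicit_admins(self):
        return {user for (user, priv) in self.grants if priv == ADMIN}

    def effective_audit_admins(self):
        """Inheritance rule: explicit admins, else DBA/4GL admins, else everyone."""
        return self.explicit_admins() or set(self.db_admins) or set(self.all_users)

    def may_grant(self, grantor, privilege):
        if not self.explicit_admins():
            # Assumption: an inherited audit administrator can grant any privilege.
            return grantor in self.effective_audit_admins()
        return any(user == grantor and regrant and privilege in GRANTABLE[held]
                   for (user, held), regrant in self.grants.items())

    def grant(self, grantor, grantee, privilege, with_grant=False):
        if not self.may_grant(grantor, privilege):
            raise PermissionError(f"{grantor} cannot grant {privilege}")
        self.grants[(grantee, privilege)] = with_grant
        self.audit_log.append(("GRANT", grantor, grantee, privilege))  # change is audited

    def findings(self):
        """Flag configurations where the fallback widens audit administrator access."""
        if self.explicit_admins():
            return []
        if self.db_admins:
            return ["no audit administrator defined: DBA/4GL administrators inherit it"]
        return ["no administrators defined: every user is an audit administrator"]
```

Running `findings()` against an inventory of defined administrators shows whether a database still relies on the fallback, which ends as soon as the first audit administrator is granted explicitly.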


Copyright © 2005 Progress Software Corporation