Release 10.1A: OpenEdge Getting Started:
Core Business Services

Audit security for database clients, tools, and utilities

In order for database clients to access the audit tables, the clients must be audit-aware. Being audit-aware means that the client understands audit schema and can distinguish an audit-related table from an application or built-in database table.

When a database client recognizes an audit table, the client uses separate access control tables designed specifically for auditing.

From the audit privileges, the client determines whether the user (the application) has the ability to perform READ, CREATE, or DELETE operations on the audit tables. UPDATE is never allowed on any audit data table; UPDATE is allowed only on those tables that contain audit configuration and policy information.

The OpenEdge database utilities protect the audit tables by:

Allowing only the audit data archiver to copy, move, or delete audit data.
Recording each archive, copy, backup, recover, roll forward, dump, and load event into the audit tables.
Recording all changes in auditing configuration or administrator roles.
Using a MAC when dumping audit and policy tables to preserve data integrity.
Confirming the message digest of an audit data dump before loading it into a database.

The database utilities also contribute to the data integrity of the audit information. When the database utility recognizes that the task it is to perform requires permissions to access audit tables, the utility will perform a series of actions to determine whether the user has the required audit permissions.