PL/SQL Packages and Types Reference 10g Release 1 (10.1) Part Number B10802-01 |
|
|
View PDF |
The DBMS_FGA
package provides fine-grained security functions.
See Also:
Oracle Database Application Developer's Guide - Fundamentals for a fuller discussion and more usage information on |
This chapter contains the following topics:
Execute privilege on DBMS_FGA
is needed for administering audit policies. Because the audit function can potentially capture all user environment and application context values, policy administration should be executable by privileged users only.
This package is available for only cost-based optimization. The rule-based optimizer may generate unnecessary audit records since audit monitoring can occur before row filtering. For both the rule-based optimizer and the cost-based optimizer, you can refer to DBA_FGA_AUDIT_TRAIL
to analyze the SQL text and corresponding bind variables that are issued.
Subprogram | Description |
---|---|
Creates an audit policy using the supplied predicate as the audit condition | |
Disables an audit policy | |
Drops an audit policy | |
Enables an audit policy |
This procedure creates an audit policy using the supplied predicate as the audit condition. The maximum number of FGA policies on any table or view object is 256.
DBMS_FGA.ADD_POLICY( object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2, audit_condition VARCHAR2, audit_column VARCHAR2, handler_schema VARCHAR2, handler_module VARCHAR2, enable BOOLEAN, statement_types VARCHAR2, audit_trail BINARY_INTEGER IN DEFAULT, audit_column_opts BINARY_INTEGER IN DEFAULT);
DBMS_FGA.ADD_POLICY(object_schema => 'scott', object_name=>'emp', policy_name => 'mypolicy1', audit_condition => 'sal < 100', audit_column =>'comm, credit_card, expirn_date', handler_schema => NULL, handler_module => NULL, enable => TRUE, statement_types=> 'INSERT, UPDATE')
;NULL
, the current effective user schema is assumed.PROCEDURE <fname> ( object_schema VARCHAR2, object_name VARCHAR2, policy_ name VARCHAR2 ) AS ...
where fname
is the name of the procedure, object_schema
is the name of the schema of the table audited, object_name
is the name of the table to be audited, and policy_name
is the name of the policy being enforced.
INSERT-WITH-APPEND
-hint.)NULL
(or omitted), which is interpreted as TRUE
, but it cannot contain the following elements:
SYSDATE
, UID
, USER
or USERENV
functions. However, a user-defined function and other SQL functions can use these functions to return the desired information.LEVEL
, PRIOR
, or ROWNUM
.Specifying an audit condition of "1=1" to force auditing of all specified statements ("statement_types") affecting the specified column ("audit_column") is no longer needed to achieve this purpose. NULL
will cause audit even if no rows were processed, so that all actions on a table with this policy are audited.
LSQLTEXT
and LSQLBIND
:
The audit_trail parameter appears in the ALL_AUDIT_POLICIES
view.
DBMS_FGA.ANY_COLUMNS
), orDBMS_FGA.ALL_COLUMNS
).The default is DBMS_FGA.ANY_COLUMNS
.
The ALL_AUDIT_POLICIES
view also shows audit_column_opts
.
DBMS_FGA.ADD_POLICY (object_schema => 'scott', object_name=>'emp', policy_name => 'mypolicy1', audit_condition => 'sal < 100', audit_column =>'comm, credit_ card, expirn_date', handler_schema => NULL, handler_module => NULL, enable => TRUE, statement_types=> 'INSERT, UPDATE');
This procedure disables an audit policy.
DBMS_FGA.DISABLE_POLICY( object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2 );
The default value for object_schema is NULL. (
If NULL, the current effective user schema is assumed.)
This procedure drops an audit policy.
DBMS_FGA.DROP_POLICY( object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2 );
The DBMS_FGA
procedures cause current DML transactions, if any, to commit before the operation. However, the procedures do not cause a commit first if they are inside a DDL event trigger. With DDL transactions, the DBMS_FGA
procedures are part of the DDL transaction. The default value for object_schema is NULL. (
If NULL, the current effective user schema is assumed.)
This procedure enables an audit policy.
DBMS_FGA.ENABLE_POLICY( object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2, enable BOOLEAN);