Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Auditing GRANT activities

Status
Not open for further replies.
jigitty

jigitty

Programmer
Jun 10, 2003
8
US
Objective
=========
I want to audit any grants made on my database objects. In addition to the basic information(timestamp, grantor, DB object, machine name, IP address etc.), I want to track the level of access granted (insert, delete, update, select) and the grantee.

Current Solution
================
1. Going forward - for new tables, I can execute "AUDIT GRANT TABLE BY ACCESS"
2. For existing tables - I have to execute "AUDIT GRANT ON tablename BY ACCESS" for every single table

For #2, I can generate a script off of SYS.ALL_OBJECTS

Questions
=========
1. Is there a simpler way of achieving the objective?
2. The OBJ_PRIVILEGE column in SYS.DBA_AUDIT_TRAIL has Y in certain positions, depending on which access was granted. I can run tests and figure out which ones correspond to insert/delete/update/select but is there a comprehensive list to explain which position corresponds to which access.

Thanks for all your help!

Jigitty
 
Sort by date Sort by votes
Jiggity said:
Is there a simpler way of achieving the objective?
Click to expand...
Actually, I'm not clear or "the objective". Are you interested in a snapshot in time of WHO granted WHOM WHAT access on WHICH table? For that, you can
Code: 
select GRANTEE, GRANTOR, TABLE_NAME, PRIVILEGE
from user_tab_privs;
For more granular monitoring of privileges down to the column level (which relates to your second question, then you can query on "user_col_privs", which has the following column information:

GRANTEE
OWNER
TABLE_NAME
COLUMN_NAME
GRANTOR
PRIVILEGE
GRANTABLE

To monitor grants at the moment when they occur, then your AUDIT suggestion is probably better. I just don't like using the AUDIT command because of the on-going overhead that it creates while it is on.



[santa]Mufasa
(aka Dave of Sandy, Utah, USA)

Do you use Oracle and live or work in Utah, USA?
Then click here to join Utah Oracle Users Group on Tek-Tips.
 
Upvote 0 Downvote
Mufasa,

Tracking WHEN the grant occurred is the main objective, in addition to WHO, WHOM, WHAT & WHICH.

What are the main concerns with turning on the auditing for grants? I already have it on for DDL statements.

Also, I don't see any rows in user_tab_privs nor user_col_privs. I have rows in dba_audit_trail for grant statements. What am I missing?

Appreciate your input.

Jiggity.
 
Upvote 0 Downvote
Jigitty,

If WHEN is a main interest, then yes, AUDIT is your best alternative. If all you are auditing is GRANT and DDL, then you shouldn't be a major performance concern. Use AUDIT in good health [smile].

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)

Do you use Oracle and live or work in Utah, USA?
Then click here to join Utah Oracle Users Group on Tek-Tips.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

aznabeel
  • Locked
  • Question
oracle database auditing
Replies
0
Views
61
aznabeel
aznabeel
aznabeel
  • Locked
  • Article
auditing in oracle
Replies
0
Views
46
aznabeel
aznabeel
tekpr00
  • Locked
  • Question
Grant Priviledge on XML objects.
Replies
3
Views
113
Turkbear
Turkbear
nyck
  • Locked
  • Question
setting grant for user on CTXSYS.CTX_DLL
Replies
6
Views
268
KenCunningham
KenCunningham
RichardF
  • Locked
  • Question
Grant problems with Roles
Replies
4
Views
67
ChrisHunt
ChrisHunt

Part and Inventory Search

Sponsor

Back
Top