
Re: Fine-Grained Auditing OCP Question

From: Jusung Yang <JusungYang_at_yahoo.com>
Date: 11 Mar 2003 12:13:53 -0800
Message-ID: <130ba93a.0303111213.424ee2@posting.google.com>


I think the main point the question was trying to make is that one uses FGA for "select" only. Therefore the first 3 choices are immediately eliminated.

Choice d is obviously qualified. In dbms_fga.add_policy, salary would be the audit_column, employee would be the object_name, and executive title would be in audit_condition.

Choice e is also possible - by extending choice d a little. In audit_condition, you check who the querying user is by using SYS_CONTEXT. For example, you can create a user group id function like:

create or replace function groupid return number as
  igrp number;
begin
  -- Look up the group of the user issuing the query.
  select groupid into igrp from usergrp
   where username = sys_context('userenv','session_user');
  return igrp;
end;

It looks up a user table called usergrp which identifies the querying user as internal or external. Assuming that for this case, 1 is internal and 2 is external, you can specify audit_condition as

groupid=2;

for the Internet users who you want to track. Internal users will fail the audit condition and will therefore not be audited.

"Buck Turgidson" <jc_va_at_hotmail.com> wrote in message news:<Vbbba.147974$P1.8963177_at_news1.east.cox.net>...
> I am wrestling with the following question (which I got wrong), and
> would like some opinions. I chose a and d, but apparently the correct
> answer is d and e. How could you differentiate access between internal
> and external users?
>
> In which 2 situations would Fine-Grained Auditing be beneficial:
>
> You need to track all accesses of the EMPLOYEE table.
> You need to identify all users who updated the CUSTOMER table on a
> specific date.
> You want to be able to compare the before and after values of each
> update of the PRICE column of the PRODUCT table.
> You want to alert the Human Resources Administrator any time someone
> accesses an executive's salary in the EMPLOYEE table.
> You want to allow unaudited access to the CONTACT_ADDRESS column of the
> CUSTOMER table from within your organization, but track any access to
> the CONTACT_ADDRESS column that occurs via the Internet.
Received on Tue Mar 11 2003 - 14:13:53 CST
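
The two policies discussed in the reply above, written out as an added example that is not part of the original post. The schemas HR, SALES and SEC, the TITLE column and its value, the policy names, the handler SEC.ALERT_HR and the table SEC.FGA_ALERTS are assumptions; GROUPID is the function from the reply and is assumed to be resolvable where the policy is evaluated.

```sql
-- Added example. Assumed names: schemas HR, SALES and SEC, column TITLE
-- and its value, table SEC.FGA_ALERTS, and both policy names.

-- Event handler invoked when an audited query fires (the alert in choice d).
-- An FGA handler receives the schema, object and policy name.
create or replace procedure sec.alert_hr (
  object_schema varchar2, object_name varchar2, policy_name varchar2
) as
  pragma autonomous_transaction;  -- log independently of the caller
begin
  -- Placeholder action: record the event in the assumed table
  -- SEC.FGA_ALERTS; a real handler might notify the HR administrator.
  insert into sec.fga_alerts (event_time, db_user, policy)
  values (sysdate, sys_context('userenv','session_user'), policy_name);
  commit;
end;
/

begin
  -- Choice d: audit queries that return SALARY for executive rows.
  dbms_fga.add_policy(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEE',
    policy_name     => 'EXEC_SALARY_ACCESS',
    audit_condition => 'title = ''EXECUTIVE''',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC',
    handler_module  => 'ALERT_HR',
    enable          => TRUE);

  -- Choice e: audit CONTACT_ADDRESS only when GROUPID reports an
  -- external user (2); internal users (1) fail the condition.
  dbms_fga.add_policy(
    object_schema   => 'SALES',
    object_name     => 'CUSTOMER',
    policy_name     => 'EXT_CONTACT_ADDRESS',
    audit_condition => 'groupid = 2',
    audit_column    => 'CONTACT_ADDRESS',
    enable          => TRUE);
end;
/

-- Review what the policies captured.
select timestamp, db_user, object_name, policy_name, sql_text
  from dba_fga_audit_trail
 order by timestamp;
```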
