Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle NULL vs '' revisited

Re: Oracle NULL vs '' revisited

From: <euan.garden_at_gmail.com>
Date: Tue, 21 Aug 2007 22:32:15 -0700
Message-ID: <1187760735.005614.195730@i38g2000prf.googlegroups.com> 





> And I posted the link to Microsoft's own docs where they say that this

> isn't true. So who's correct? You or Microsoft?




Hmmm, you posted 2 links, one was a write up by an MVP(from 6 years
ago) which documented that C2 in SQL Server 2000 would tell you who
made a change(update) but not what the change was. The second link you
sent was the to C2 summary, in that doc it lists the following;



"...End User Activity (for example, all SQL commands, logins, and
logouts).."



Which I think is the bucket that selects are going to come under, I
agree we could have made this clearer but the doc was not written with
HIPAAs more exacting/different requirements in mind. Given that C2 has
been superceded as a std and SQL Server is currently undergoing common
criteria certification I don't think there is much chance of getting
the page updated.



Now trace was not that well documented in SQL 6.5/7/2000 so I am going
to reference SQL2005 docs, most of what I reference also applies on
older versions. Here is the list of events that can be audited by
trace in 2005;



http://msdn2.microsoft.com/en-us/library/ms175481.aspx



To save time, here is the category of events that include all sql
statements, hence would include select statements;



http://msdn2.microsoft.com/en-us/library/ms177488.aspx



>

> Perhaps the problem here is that you don't understand what HIPAA means

> with respect to auditing SELECT statements. It isn't who issued it. That

> is not the issue. It is which records, with which specific values, were

> returned to which users?




Ah ok now that makes sense, as I said I am no HIPAA expert so I was
not aware of that requirement.



>

> If you believe otherwise then please provide a link to the doc that

> demonstrates that this capability exists in any database product other

> than Oracle.




I'm not aware of it existing in SQL Server at this time, I'm not going
to comment on other DBs as I don't know them.



However I have another question about HIPAA at this point, I thought
that HIPAA was an end to end requirement, which means while Oracle
makes this possible on the back end through built in features(I
presume this is done through versioning somehow? How long is the audit
trail kept btw) if the app tier does something thats not auditable
then from a compliance perspective its a bust?



-Euan
Received on Wed Aug 22 2007 - 00:32:15 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US