Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle NULL vs '' revisited

Re: Oracle NULL vs '' revisited

From: <>
Date: Tue, 21 Aug 2007 22:32:15 -0700
Message-ID: <>

> And I posted the link to Microsoft's own docs where they say that this
> isn't true. So who's correct? You or Microsoft?

Hmmm, you posted 2 links, one was a write up by an MVP(from 6 years ago) which documented that C2 in SQL Server 2000 would tell you who made a change(update) but not what the change was. The second link you sent was the to C2 summary, in that doc it lists the following;

"...End User Activity (for example, all SQL commands, logins, and logouts).."

Which I think is the bucket that selects are going to come under, I agree we could have made this clearer but the doc was not written with HIPAAs more exacting/different requirements in mind. Given that C2 has been superceded as a std and SQL Server is currently undergoing common criteria certification I don't think there is much chance of getting the page updated.

Now trace was not that well documented in SQL 6.5/7/2000 so I am going to reference SQL2005 docs, most of what I reference also applies on older versions. Here is the list of events that can be audited by trace in 2005;

To save time, here is the category of events that include all sql statements, hence would include select statements;

> Perhaps the problem here is that you don't understand what HIPAA means
> with respect to auditing SELECT statements. It isn't who issued it. That
> is not the issue. It is which records, with which specific values, were
> returned to which users?

Ah ok now that makes sense, as I said I am no HIPAA expert so I was not aware of that requirement.

> If you believe otherwise then please provide a link to the doc that
> demonstrates that this capability exists in any database product other
> than Oracle.

I'm not aware of it existing in SQL Server at this time, I'm not going to comment on other DBs as I don't know them.

However I have another question about HIPAA at this point, I thought that HIPAA was an end to end requirement, which means while Oracle makes this possible on the back end through built in features(I presume this is done through versioning somehow? How long is the audit trail kept btw) if the app tier does something thats not auditable then from a compliance perspective its a bust?

-Euan Received on Wed Aug 22 2007 - 00:32:15 CDT

Original text of this message