The difference between BY ACCESS and BY SESSION lies in how the DBA_AUDIT_TRAIL data dictionary view records the actions that they capture:
BY ACCESS: Inserts one record in the audit trail for each audited statement.
BY SESSION: Inserts only one audit record in the audit trail, for each user and schema object, during a session that includes an audited action.
Example:
First, enable auditing on the table TABLE1:
AUDIT SELECT, UPDATE,DELETE,INSERT ON HR.TABLE1 BY SESSION WHENEVER SUCCESSFUL;
Secondly, assuming there is activity against TABLE1, check the audit trail:
SELECT timestamp, os_username, obj_name,userhost, username,action,action_name, ses_actions FROM dba_audit_trail WHERE obj_name IN ('TABLE1') AND username = 'HR' ORDER BY timestamp DESC;The query in my case returned the following:
TIMESTAMP | OS_USERNAME | OBJ_NAME | USERHOST | USERNAME | ACTION | ACTION_NAME | SES_ACTIONS |
---|---|---|---|---|---|---|---|
04.07.2011 10:35:20 | joe | TABLE1 | laptop-joe | HR | 103 | SESSION REC | ---------S------ |
08.02.2011 18:11:10 | joe | TABLE1 | appserver1 | HR | 2 | INSERT | |
08.02.2011 18:11:10 | joe | TABLE1 | appserver1 | HR | 6 | UPDATE | |
08.02.2011 18:11:10 | jack | TABLE1 | appserver1 | HR | 7 | DELETE | |
08.02.2011 14:50:41 | tina | TABLE1 | workstation-tina | HR | 103 | SESSION REC | ---S--S---S----- |
For statements which are audited BY SESSION, the column SES_ACTIONS will indicate a pattern to view which operation we are talking about.
The 16 characters string in the SES_ACTION column represents different actions, one for each action type in the order (note that positions 14, 15, and 16 are reserved for future use):
* ALTER, AUDIT, COMMENT, DELETE, GRANT, INDEX, INSERT, LOCK, RENAME, SELECT, UPDATE, REFERENCES, and EXECUTE.
The characters are:
* - - None
* S - Success
* F - Failure
* B - Both
Finally, interpret the audit trail:
The first row in the table indicates that a successfull SELECT (the S is found on position 10) was executed on TABLE1, 04.07.2011 10:35:20.
The last row indicates a successful DELETE, INSERT and UPDATE (the S is found in position 4, 7 and 11) in TABLE1 during the session that was audited 08.02.2011 14:50:41.
The three rows where ACTION_NAME is INSERT, UPDATE and DELETE are self-explanatory.
At the tail of the AUDIT clause comes the directive WHENEVER [NOT] SUCCESSFUL which means that oracle should audit only SQL statements and operations that succeed, fail or result in errors. If you omit this clause, then Oracle Database performs the audit regardless of success or failure.
Is the behaviour the same in oracle 12c ?
ReplyDeletethanks for sharing such a amazing information
ReplyDeletehr solutions
professional employer organization
hire best hire dedicated team in india
Career in peo
hr solutions
hr solutions