12.1.6 Appointing auditors
When using the audit trail facility, HADB requires users (auditors) to be appointed to the following positions of responsibility:
- Audit trail facility administrator
  A person responsible for operating the audit trail facility. To execute the adbaudittrail command, which is used to operate the audit trail facility, this role requires the OS account of an OS user who belongs to the HADB administrators group.
  This role also requires an HADB user account with the audit admin privilege.
- Person responsible for auditing
  A person who is responsible for auditing database usage by referencing audit trail information.
  Because audit trails can be referenced from non-server machines, the person responsible for auditing is not required to have an OS account on a server machine. The only time this role requires the OS account of an OS user who belongs to the HADB administrators group is when the person responsible for auditing references audit trails on a server machine.
  This role also requires an HADB user account with the audit viewer privilege.
  If you intend to also audit the activity of the person responsible for auditing, you can appoint several persons responsible for auditing and have them audit each other.
Note
  When incorporating external auditing by an external person responsible for auditing, we recommend that the external person responsible for auditing have an HADB user account with the audit viewer privilege.
  Although you can have one user serve as both audit trail facility administrator and person responsible for auditing, we recommend that the roles are filled by different people.
Important
- Do not appoint as an auditor a user who also serves as the database administrator (an HADB user who has the DBA privilege).
- It is preferable that auditors are responsible only for work related to auditing. We also recommend that you keep the HADB user accounts used for auditing work separate from those used for other work, by creating an HADB user used exclusively for auditing.
The following figure shows an example of the user accounts used with the audit trail facility.
Explanation
- In this example, the audit trail facility administrator associated with the audit department has OS and HADB (ADBAUDITADMIN) user accounts that are used only when operating the audit trail facility.
  The persons responsible for auditing associated with the audit department share OS and HADB (ADBAUDITVIEWER) user accounts that are used only for auditing.
- An external person responsible for auditing can only view audit trail data. Therefore, external persons responsible for auditing do not need to have an OS account on a server machine, and will carry out their work from a machine other than a server. An HADB user account with the audit viewer privilege (ADBOUTSIDEAUDITVIEWER) is created for use only by the external person responsible for auditing.
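The rules above (no DBA who is also an auditor, audit trail facility administrator and person responsible for auditing filled by different people, audit accounts not used for other work) can be checked mechanically against the list of HADB user accounts and their privileges. The following script is an added example, not HADB code or part of this manual: it assumes privilege names are supplied as the plain strings "DBA", "AUDIT ADMIN", "AUDIT VIEWER", "CONNECT" and "SCHEMA", treats CONNECT as the baseline every account holds, and uses a constructed account list that mirrors the figure explanation plus three deliberately non-compliant accounts.

```python
"""Separation-of-duties check for HADB audit accounts.

Added example (not HADB code). The privilege names below are
assumed plain-string labels, and SAMPLE_USERS is constructed data.
"""
from dataclasses import dataclass

# Assumed privilege labels (not an HADB API).
DBA = "DBA"
AUDIT_ADMIN = "AUDIT ADMIN"
AUDIT_VIEWER = "AUDIT VIEWER"
CONNECT = "CONNECT"
AUDIT_PRIVS = {AUDIT_ADMIN, AUDIT_VIEWER}


@dataclass
class HadbUser:
    name: str
    privileges: set


def check_separation(users):
    """Return (account, finding) pairs for accounts that break the rules.

    dba-and-auditor          : DBA privilege held together with an audit privilege
    admin-and-viewer         : one account is both administrator and auditor
    auditor-with-other-work  : audit account also holds non-audit privileges
    """
    findings = []
    for u in users:
        privs = set(u.privileges)
        has_audit = bool(privs & AUDIT_PRIVS)
        if DBA in privs and has_audit:
            findings.append((u.name, "dba-and-auditor"))
        if AUDIT_ADMIN in privs and AUDIT_VIEWER in privs:
            findings.append((u.name, "admin-and-viewer"))
        # DBA is already reported above; CONNECT is the assumed baseline.
        other_work = privs - AUDIT_PRIVS - {CONNECT, DBA}
        if has_audit and other_work:
            findings.append((u.name, "auditor-with-other-work"))
    return findings


def mutual_audit_possible(users):
    """True when at least two accounts hold the audit viewer privilege,
    so the persons responsible for auditing can audit each other."""
    viewers = [u for u in users if AUDIT_VIEWER in u.privileges]
    return len(viewers) >= 2


# Constructed sample: the three accounts from the figure explanation
# plus three accounts that violate or contradict the guidance.
SAMPLE_USERS = [
    HadbUser("ADBAUDITADMIN", {CONNECT, AUDIT_ADMIN}),
    HadbUser("ADBAUDITVIEWER", {CONNECT, AUDIT_VIEWER}),
    HadbUser("ADBOUTSIDEAUDITVIEWER", {CONNECT, AUDIT_VIEWER}),
    HadbUser("APPDBA", {CONNECT, DBA, AUDIT_VIEWER}),            # DBA who audits
    HadbUser("ALLAUDIT", {CONNECT, AUDIT_ADMIN, AUDIT_VIEWER}),  # both audit roles
    HadbUser("SCHEMAUSER", {CONNECT, "SCHEMA", AUDIT_VIEWER}),   # audits and works
]

if __name__ == "__main__":
    for account, finding in check_separation(SAMPLE_USERS):
        print(f"{account}: {finding}")
    print("mutual auditing possible:", mutual_audit_possible(SAMPLE_USERS))
```

Run the script to list the non-compliant accounts; the first three constructed accounts produce no findings, which is the layout the figure explanation describes.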