Hitachi

Hitachi Advanced Database Setup and Operation Guide


12.4.1 Adding, deleting, and changing auditors (granting or revoking audit privileges)

This subsection uses examples to describe how to add, delete, and change auditors (how to grant or revoke audit privileges).


(1) Adding auditors (granting audit privileges)

An HADB user who has the DBA privilege can add an auditor. The procedure for adding auditors is as follows:

Example:

In this example, an auditor who has the audit admin privilege (with the authorization identifier ADBAUDITADMIN01) and an auditor who has the audit viewer privilege (with the authorization identifier ADBAUDITOR01) are added. This process will involve creating new HADB users and granting audit privileges to those users.

Procedure:

  1. Add the HADB users.

    CREATE USER "ADBAUDITADMIN01" IDENTIFIED BY '#HelloHADB_AUD01'
    CREATE USER "ADBAUDITOR01" IDENTIFIED BY '#HelloHADB_AUD02'

    HADB users are added with the authorization identifiers ADBAUDITADMIN01 and ADBAUDITOR01.

  2. Grant the CONNECT privilege and the appropriate audit privilege to the HADB users you added.

    GRANT CONNECT,AUDIT ADMIN TO "ADBAUDITADMIN01"
    GRANT CONNECT,AUDIT VIEWER TO "ADBAUDITOR01"

    The CONNECT privilege and audit admin privilege are granted to ADBAUDITADMIN01, and the CONNECT privilege and audit viewer privilege are granted to ADBAUDITOR01.

Important

The added auditors must immediately change their passwords from the defaults (#HelloHADB_AUD01 and #HelloHADB_AUD02). For details about how to change passwords, see 11.6.2 Changing an HADB user's password.

You can omit step 1 if you want to make an existing HADB user an auditor. If the existing HADB user already has the CONNECT privilege, you only need to grant the audit privilege in step 2.

Note that you cannot grant the audit admin privilege to an HADB user who has the DBA privilege.

(2) Deleting auditors (revoking audit privileges)

The procedure for deleting auditors is as follows:

Example 1

In this example, an auditor with the audit admin privilege (authorization identifier ADBAUDITADMIN) is deleted.

Procedure:

  1. Revoke the audit admin privilege of the auditor (ADBAUDITADMIN).

    REVOKE AUDIT ADMIN FROM "ADBAUDITADMIN"

    This operation is performed by an HADB user who has the audit admin privilege.

  2. Delete the HADB user (ADBAUDITADMIN) whose audit admin privilege was revoked.

    DROP USER "ADBAUDITADMIN"

    This operation is performed by an HADB user who has the DBA privilege.

Example 2

In this example, an auditor with the audit viewer privilege (authorization identifier ADBAUDITOR) is deleted.

Procedure:

  1. Revoke the audit viewer privilege of the auditor (ADBAUDITOR).

    REVOKE AUDIT VIEWER FROM "ADBAUDITOR"

    This operation is performed by an HADB user who has the audit admin privilege.

  2. Delete the HADB user (ADBAUDITOR) whose audit viewer privilege was revoked.

    DROP USER "ADBAUDITOR"

    This operation is performed by an HADB user who has the DBA privilege.

(3) Changing auditors

The procedure for changing auditors is as follows:

Example:

In this example, the auditor with the audit admin privilege is changed. The auditor will be changed from the HADB user with the authorization identifier ADBAUDITADMIN01 to the HADB user with the authorization identifier ADBAUDITADMIN02.

A new HADB user ADBAUDITADMIN02 is created, and this user is then nominated as an auditor.

Procedure:

  1. Add the HADB user (ADBAUDITADMIN02).

    CREATE USER "ADBAUDITADMIN02" IDENTIFIED BY '#HelloHADB_AUD02'

    An HADB user is added with the authorization identifier ADBAUDITADMIN02.

    This operation is performed by an HADB user who has the DBA privilege.

  2. Grant the CONNECT privilege and audit admin privilege to the HADB user you added (ADBAUDITADMIN02).

    GRANT CONNECT,AUDIT ADMIN TO "ADBAUDITADMIN02"

    This operation is performed by an HADB user who has the DBA privilege.

  3. Revoke the audit admin privilege of the auditor (ADBAUDITADMIN01).

    REVOKE AUDIT ADMIN FROM "ADBAUDITADMIN01"

    This operation is performed by an HADB user who has the audit admin privilege.

  4. Delete the HADB user (ADBAUDITADMIN01) whose audit admin privilege was revoked.

    DROP USER "ADBAUDITADMIN01"

    This operation is performed by an HADB user who has the DBA privilege.

    Only perform this operation if the HADB user is no longer required.

Important

The new auditor (ADBAUDITADMIN02) must immediately change his or her password from the default (#HelloHADB_AUD02). For details about how to change passwords, see 11.6.2 Changing an HADB user's password.

You can omit step 1 if you want to appoint an existing HADB user as a new auditor. If the existing HADB user already has the CONNECT privilege, you only need to grant the audit admin privilege in step 2.

Note that you cannot grant the audit admin privilege to an HADB user who has the DBA privilege.
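
The following Python check is an added example, not part of the Hitachi guide. It replays a planned runbook against the rules this subsection states (the privilege the executing user needs for each statement, and that the audit admin privilege cannot be granted to a DBA holder), so a step assigned to the wrong role is caught before it is run. It models only those rules, not HADB's own authorization logic; ADBADMIN is a hypothetical DBA account, and the starting privilege map and the BAD runbook are constructed sample data.

```python
import re

# Privilege the executing user must hold for each statement, as stated on this page.
RULES = [
    (r'(?:CREATE|DROP) USER "(?P<user>\w+)"', "DBA"),
    (r'GRANT (?P<privs>.+?) TO "(?P<user>\w+)"', "DBA"),
    (r'REVOKE (?P<privs>AUDIT (?:ADMIN|VIEWER)) FROM "(?P<user>\w+)"', "AUDIT ADMIN"),
]

def check_runbook(privileges, steps):
    """Replay (actor, statement) pairs; return (violations, resulting privilege map)."""
    state = {user: set(held) for user, held in privileges.items()}
    violations = []
    for number, (actor, sql) in enumerate(steps, start=1):
        hits = [(m, need) for rx, need in RULES if (m := re.match(rx, sql.strip(), re.I))]
        if not hits:
            violations.append(f"step {number}: statement not covered by this page")
            continue
        match, need = hits[0]
        verb, target = sql.split()[0].upper(), match["user"]
        if need not in state.get(actor, set()):
            violations.append(f"step {number}: {actor} lacks {need} for {verb}")
            continue  # a refused statement changes nothing
        if verb == "CREATE":
            state[target] = set()
        elif verb == "DROP":
            state.pop(target, None)
        else:
            privs = {p.strip().upper() for p in match["privs"].split(",")}
            if verb == "GRANT" and "AUDIT ADMIN" in privs and "DBA" in state.get(target, set()):
                violations.append(f"step {number}: AUDIT ADMIN cannot go to DBA holder {target}")
            elif verb == "GRANT":
                state.setdefault(target, set()).update(privs)
            else:
                state.get(target, set()).difference_update(privs)
    return violations, state

# Constructed sample data: ADBADMIN is a hypothetical DBA account.
START = {"ADBADMIN": {"CONNECT", "DBA"}, "ADBAUDITADMIN01": {"CONNECT", "AUDIT ADMIN"}}
ROTATION = [  # section (3), each step run by the kind of user the page names
    ("ADBADMIN", "CREATE USER \"ADBAUDITADMIN02\" IDENTIFIED BY '#HelloHADB_AUD02'"),
    ("ADBADMIN", 'GRANT CONNECT,AUDIT ADMIN TO "ADBAUDITADMIN02"'),
    ("ADBAUDITADMIN02", 'REVOKE AUDIT ADMIN FROM "ADBAUDITADMIN01"'),
    ("ADBADMIN", 'DROP USER "ADBAUDITADMIN01"'),
]
BAD = [  # constructed: a DBA attempting the audit admin's part of the procedure
    ("ADBADMIN", 'REVOKE AUDIT ADMIN FROM "ADBAUDITADMIN01"'),
    ("ADBADMIN", 'GRANT AUDIT ADMIN TO "ADBADMIN"'),
]
print(check_runbook(START, ROTATION)[0], check_runbook(START, BAD)[0], sep="\n")
```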

(4) Notes