Forum Home » Database » Database - General

Thread: An issue of auditing DML operations

Reply to this Thread Reply to this Thread Search Forum Search Forum Back to Thread List Back to Thread List

Permlink Replies: 6 - Pages: 1 - Last Post: Nov 26, 2007 12:04 PM Last Post By: user607433
orausern

Posts: 184
Registered: 03/27/06
An issue of auditing DML operations
Posted: Nov 22, 2007 11:14 PM
Click to report abuse...   Click to reply to this thread Reply
Hi All,

I have a requirement described below.

Requirement:
We want to audit all DML operations done on a table by the application users. There are several application users who do the DML and it is required to track which application user did what DML operation.

When connection is made to the database, the schema to which all the application users connect is the one and the same – i.e. we use SCOTT schema credentials for establishing DB connection for all different application users.

Therefore the detail of which application user is performing the DML is not available for oracle. It is available in the application code. Our primary requirement is that we need to have the detail of the application user doing the transaction to be passed into the database so that we can audit the DML operations done.

To take an example:

Let’s say that the table to be audited is EMP which is in SCOTT schema:

SQL> desc EMP
Name Null? Type
EMPNO NOT NULL NUMBER (4)
ENAME VARCHAR2 (10)
JOB VARCHAR2 (9)
MGR NUMBER (4)
HIREDATE DATE
SAL NUMBER (7,2)
COMM NUMBER(7,2)
DEPTNO NUMBER(2)


Let’s say that there are 4 application users; user1, user2, user3 & user4. Now when they connect to the database, the connection is to schema SCOTT. So all the 4 application users will connect to the same db schema ‘Scott’. The app users will do some transactions; they may roll it back etc. And we need to track that. – The tricky part being that we need to track which application user has done the DML.

We are planning to track the Edit Audits through Triggers. Before the actual Data record Insert into the EMP table the trigger should insert the Record into the Audit Table, along with the UserID.

We have distributed transactions (under the COM+ Environment)

I am unable to figure out how to meet this requirement...shall be very thankful for any help/suggestions.

Thanks,
Nirav
sybrandb

Posts: 5,205
Registered: 08/04/98
Re: An issue of auditing DML operations
Posted: Nov 22, 2007 11:30 PM   in response to: orausern in response to: orausern
Click to report abuse...   Click to reply to this thread Reply
If you don't have set up externally authenticated users in Oracle, the obvious answer is you need to instrument this from your application.
If you didn't instrument this from your application, bad luck.
You need to set up a mechanism to differentiate application users, the proper way would be to use externally authenticated users. It would require some doc reading though.

--
Sybrand Bakker
Senior Oracle DBA
P. Forstmann

Posts: 2,857
Registered: 01/26/07
Re: An issue of auditing DML operations
Posted: Nov 22, 2007 11:35 PM   in response to: orausern in response to: orausern
Click to report abuse...   Click to reply to this thread Reply
Please have a look to proxy authentication and authorization and auditing in a multitier environment .
orausern

Posts: 184
Registered: 03/27/06
Re: An issue of auditing DML operations
Posted: Nov 23, 2007 1:43 AM   in response to: P. Forstmann in response to: P. Forstmann
Click to report abuse...   Click to reply to this thread Reply
Thank you. While going through the docs, I saw that it is mentioned in the topic
"Using CLIENT_IDENTIFIER Independent of Global Application Context" , here it is suggested that client_identifier attribute can be used to retrieve the identity. I will try this method.

Best regards
Nirav
burleson

Posts: 2,343
Registered: 05/06/98
Re: An issue of auditing DML operations
Posted: Nov 24, 2007 4:34 AM   in response to: orausern in response to: orausern
Click to report abuse...   Click to reply to this thread Reply
Hi Nirav,

I have these ready-to-use scripts for DDL auditing:

http://www.dba-oracle.com/art_builder_proper_oracle_design_for_auditing.htm

connect sys/manager;

drop table perfstat.stats$ddl_log;

create table
perfstat.stats$ddl_log

(
user_name varchar2(30),
ddl_date date,
ddl_type varchar2(30),
object_type varchar2(18),
owner varchar2(30),
object_name varchar2(128)

)
tablespace perfstat;

The DDL trigger executes every time a DDL statement is executed, and adds new entries to your new table, as shown below:

connect sys/manager

create or replace trigger
DDLTrigger
AFTER DDL ON DATABASE
BEGIN
insert into
perfstat.stats$ddl_log
(
user_name,
ddl_date,
ddl_type,
object_type,
owner,
object_name
)
VALUES
(
ora_login_user,
sysdate,
ora_sysevent,
ora_dict_obj_type,
ora_dict_obj_owner,
ora_dict_obj_name
);

END;
/

Hope this helps. . .

Don Burleson
Oracle Press author
gintsp

Posts: 1,847
Registered: 09/30/99
Re: An issue of auditing DML operations
Posted: Nov 25, 2007 10:15 AM   in response to: burleson in response to: burleson
Click to report abuse...   Click to reply to this thread Reply
I have these ready-to-use scripts for DDL auditing:

I wonder since when DDL is the same as DML ;)

Gints Plivna
http://www.gplivna.eu
user607433

Posts: 9
Registered: 11/26/07
Re: An issue of auditing DML operations
Posted: Nov 26, 2007 12:04 PM   in response to: orausern in response to: orausern
Click to report abuse...   Click to reply to this thread Reply
you can do that by adding to the table you want to audit the pc name and the ip address and the OS user and you can get them through sys_context.
Pages: 1
Back to Thread List Back to Thread List
Legend
Guru Guru : 2500 - 1000000 pts
Expert Expert : 1000 - 2499 pts
Pro Pro : 500 - 999 pts
Journeyman Journeyman : 200 - 499 pts
Newbie Newbie : 0 - 199 pts
Oracle ACE Director
Oracle ACE Member
Oracle Employee ACE
Helpful Answer (5 pts)
Correct Answer (10 pts)

Point your RSS reader here for a feed of the latest messages in all forums