Enable=enable-disable-options Enables security auditing for the specified audit event classes. To enable alarms and audits for all events, specify the All option. You can also selectively enable alarms and audits for one or more classes that are currently disabled. You must specify at least one class when you specify the Enable qualifier. When you specify audit classes with the Enable qualifier, the audit events you specify are immediately enabled, so that audit events of currently attached users are recorded in the security audit journal and alarms are sent to security-enabled terminals, as specified. With the Enable and Disable qualifiers, you can specify one or more of the following six valid class options: All, Daccess, Daccess=object-type, Identifier=(identifier-list), Protection, and Rmu. If you specify more than one class, separate the classes with commas, and enclose the list of classes within parentheses. The following list provides a description of each option: o All Enables or disables all possible audit event classes. o Daccess Enables or disables DACCESS (discretionary access) audit events. A DACCESS audit event occurs whenever a user issues a command that causes a check to be made for the existence of the appropriate privilege in an access privilege set (APS). To monitor access to a particular database object or group of objects, use the Daccess=object-type option to specify that a DACCESS audit record be produced whenever an attempt is made to access the object. Specifying the general Daccess option enables or disables the general DACCESS audit event type. If DACCESS event auditing is enabled and started for specific objects, auditing takes place immediately after you issue the RMU Set Audit command with the Enable=Daccess qualifier. Auditing starts for any users specified in the Identifier=(identifier-list) option who are attached to the database when the command is issued. o Daccess=object-type[=(object name)]/Privileges=(privilege- list) Allows you to audit access to database objects by users in the Identifier=(identifier-list) option with the privileges you specify. A DACCESS type event record indicates the command issued, the privilege used by the process issuing the command, and whether the attempt to access the object was successful. The object-type option enables or disables DACCESS auditing for the specified object type. You can specify one or more object types in an RMU Set Audit command. The three valid object types are: - DATABASE When you specify the DATABASE object type, you must use the Privileges qualifier to specify one or more privileges to be audited for the database. Do not specify an object name with the DATABASE object type. - TABLE Specify the TABLE option for both tables and views. When you specify the TABLE object type, you must specify one or more table names with the object name parameter. You must also use the Privileges qualifier to specify one or more privileges to be audited for the specified tables. - COLUMN When you specify the COLUMN object type, you must specify one or more column names with the object name parameter. Specify the table name that contains the column by using the following syntax: table-name.column-name If you specify more than one column, separate the list of table-name.column-names with commas, and enclose the list within parentheses. You must also use the Privileges qualifier to specify one or more privileges to be audited for the specified columns. The object name parameter enables or disables DACCESS auditing for the specified object or objects. If you specify more than one object name, separate the object names with commas, and enclose the list of object names within parentheses. If you specify one or more object names, you must select one or more privileges to audit. Use the Privileges=privilege-list qualifier to select the privileges that are to be audited for each of the objects in the object name list when the selected objects are accessed. The privileges that can be specified with the Privileges qualifier are listed in DACCESS Privileges for Database Objects. Privilege names SUCCESS and FAILURE can be used as a convenient way to specify that all successful or failed accesses to that object for all privileges should be audited. The privilege name All can be used with the Enable or Disable qualifier to turn on or turn off auditing for all privileges applicable to the object. If you specify a privilege that does not apply to an object, Oracle Rdb allows it, but will not produce any auditing for that privilege. You can specify only SQL privileges with the Privileges=(privilege-list) qualifier. The privileges that can be specified for each Oracle Rdb object type are shown in DACCESS Privileges for Database Objects. The Relational Database Operator (RDO) privileges that correspond to the SQL privileges are included in DACCESS Privileges for Database Objects to help RDO users select the appropriate SQL privileges for auditing. Table 13 DACCESS Privileges for Database Objects SQL RDO Privilege Privilege Database Table/ViColumn ALTER CHANGE Y Y N CREATE DEFINE Y Y N DBADM ADMINISTRATOR Y N N DBCTRL CONTROL Y Y N DELETE ERASE N Y N DISTRIBTRAN DISTRIBTRAN Y N N DROP DELETE Y Y N INSERT WRITE N Y N REFERENCES REFERENCES N Y Y SECURITY SECURITY Y N N SELECT READ Y Y N UPDATE MODIFY N Y Y SUCCESS SUCCESS Y Y Y FAILURE FAILURE Y Y Y ALL ALL Y Y Y o Identifier=(identifier-list) Enables or disables auditing of user access to objects listed in the Enable=Daccess=object-type qualifier. If you do not specify this option, no users are audited for the DACCESS event. Any user whose identifier you specify is audited for accessing the database objects with the privileges specified. You can specify wildcard characters within the identifiers to identify groups of users. The [*,*] identifier indicates public, and causes all users to be audited. If you specify a nonexistent identifier, you receive an error message. The order of identifiers in the identifier list is not significant. A user is audited if he or she holds any of the identifiers specified in the identifier list. You can specify user identification code (UIC) identifiers, general identifiers, and system-defined identifiers in the identifier list. For more information on identifiers, see the Oracle Rdb Guide to Database Design and Definition. If you specify more than one identifier, separate the identifiers with commas, and enclose the identifier list within parentheses. UIC identifiers with commas such as [RDB,JONES] must be enclosed within quotation marks as follows: IDENTIFIER=(INTERACTIVE,"[RDB,JONES]",SECRETARIES) When you use Identifier=(identifier-list) to specify one or more identifiers to be audited, those identifiers are audited whenever they access any object for which auditing has been enabled. o Protection Allows you to audit changes made to access privilege sets for database objects by means of the SQL GRANT and REVOKE statements. o Rmu Audits the use of Oracle RMU commands by users with the privilege to use them.