DB2 10.5 for Linux, UNIX, and Windows

AUDIT statement

The AUDIT statement determines the audit policy that is to be used for a particular database or database object at the current server. Whenever the object is in use, it is audited according to that policy.

Invocation

This statement can be embedded in an application program or issued interactively. It is an executable statement that can be dynamically prepared only if DYNAMICRULES run behavior is in effect for the package (SQLSTATE 42509).

Authorization

The privileges held by the authorization ID of the statement must include SECADM authority.

Syntax

Read syntax diagramSkip visual syntax diagram
          .-,---------------------------------------.   
          V  (1)                                    |   
>>-AUDIT----------+-DATABASE----------------------+-+----------->
                  +-TABLE--table-name-------------+     
                  +-TRUSTED CONTEXT--context-name-+     
                  +-+-USER--+--authorization-name-+     
                  | +-GROUP-+                     |     
                  | '-ROLE--'                     |     
                  '-+-ACCESSCTRL-----------+------'     
                    +-CREATE_SECURE_OBJECT-+            
                    +-DATAACCESS-----------+            
                    +-DBADM----------------+            
                    +-SECADM---------------+            
                    +-SQLADM---------------+            
                    +-SYSADM---------------+            
                    +-SYSCTRL--------------+            
                    +-SYSMAINT-------------+            
                    +-SYSMON---------------+            
                    '-WLMADM---------------'            

>--+-+-USING---+--POLICY--policy-name-+------------------------><
   | '-REPLACE-'                      |   
   '-REMOVE POLICY--------------------'   

Notes:
  1. Each clause (with the same object name, if applicable) can be specified at most once (SQLSTATE 42713).

Description

ACCESSCTRL, CREATE_SECURE_OBJECT, DATAACCESS, DBADM, SECADM, SQLADM, SYSADM, SYSCTRL, SYSMAINT, SYSMON, or WLMADM
Specifies that an audit policy is to be associated with or removed from the specified authority. All auditable events that are initiated by a user who holds the specified authority, even if that authority is not required for the event, will be audited according to the associated audit policy.
DATABASE
Specifies that an audit policy is to be associated with or removed from the database at the current server. All auditable events that occur within the database are audited according to the associated audit policy.
TABLE table-name
Specifies that an audit policy is to be associated with or removed from table-name. The table-name must identify a table, materialized query table (MQT), or nickname that exists at the current server (SQLSTATE 42704). It cannot be a view, a catalog table, a created temporary table, a declared temporary table (SQLSTATE 42995), or a typed table (SQLSTATE 42997). Only EXECUTE category audit events, with or without data, will be generated when the table is accessed, even if the policy indicates that other categories should be audited.
TRUSTED CONTEXT context-name
Specifies that an audit policy is to be associated with or removed from context-name. The context-name must identify a trusted context that exists at the current server (SQLSTATE 42704). All auditable events that happen within the trusted connection defined by the trusted context context-name will be audited according to the associated audit policy.
USER authorization-name
Specifies that an audit policy is to be associated with or removed from the user with authorization ID authorization-name. All auditable events that are initiated by authorization-name will be audited according to the associated audit policy.
GROUP authorization-name
Specifies that an audit policy is to be associated with or removed from the group with authorization ID authorization-name. All auditable events that are initiated by users who are members of authorization-name will be audited according to the associated audit policy. If user membership in a group cannot be determined, the policy will not apply to that user.
ROLE authorization-name
Specifies that an audit policy is to be associated with or removed from the role with authorization ID authorization-name. The authorization-name must identify a role that exists at the current server (SQLSTATE 42704). All auditable events that are initiated by users who are members of authorization-name will be audited according to the associated audit policy. Indirect role membership through other roles or groups is valid.
USING, REMOVE, or REPLACE
Specifies whether the audit policy should be used, removed, or replaced for the specified object.
USING
Specifies that the audit policy is to be used for the specified object. An existing audit policy must not already be defined for the object (SQLSTATE 5U041). If an audit policy already exists, it must be removed or replaced.
REMOVE
Specifies that the audit policy is to be removed from the specified object. Use of the object will no longer be audited according to the audit policy. The association is deleted from the catalog when the audit policy is removed from the object.
REPLACE
Specifies that the audit policy is to replace an existing audit policy for the specified object. This combines both REMOVE and USING options into one step to ensure that there is no period of time in which an audit policy does not apply to the specified object. If a policy was not in use for the specified object, REPLACE is equivalent to USING.
POLICY policy-name
Specifies the audit policy that is to be used to determine audit settings. The policy-name must identify an existing audit policy at the current server (SQLSTATE 42704).

Rules

Notes

Examples