Oracle SA_AUDIT_ADMIN
Version 20c

General Information
Purpose This package configures auditing for labels and policies specific to Oracle Label Security and, in addition, creates an auditing-related view.
AUTHID DEFINER
Dependencies
DBMS_ASSERT LBAC_CACHE LBAC_UTL
DBMS_STANDARD LBAC_SERVICES OLS$POL
LBAC$USER_LIBT LBAC_STANDARD OLS_DIP_NTFY
Documented Yes
First Available 10.1
Security Model Owned by LBACSYS with no privileges granted.

To use this package a schema must be granted the policy_DBA role.
Source {ORACLE_HOME}/rdbms/admin/prvtolsdd.plb
Subprograms
 
AUDIT
Enables policy-specific auditing. Audit records capture Oracle OLS administrative actions and the use of Oracle Label Security privileges that were used during logons, DML executions, and trusted stored procedure invocations.
sa_audit_admin.audit(
policy_name  IN VARCHAR2,
users        IN VARCHAR2 DEFAULT NULL,
audit_option IN VARCHAR2 DEFAULT NULL,
audit_type   IN VARCHAR2 DEFAULT NULL,  -- options 'BY ACCESS' or 'BY SESSION'
success      IN VARCHAR2 DEFAULT NULL); -- options 'SUCCESSFUL' or 'NOT SUCCESSFUL'

Audit Options
Option      Description
APPLY       Audits application of specified Oracle Label Security policies to tables and schemas
PRIVILEGES  Audits use of all policy-specific privileges
REMOVE      Audits removal of specified Oracle Label Security policies from tables and schemas
SET         Audits the setting of user authorizations, and user and program privileges
exec sa_audit_admin.audit('DATA_ACCESS');
 
AUDIT_LABEL
Records policy labels during auditing
sa_audit_admin.audit_label(policy_name IN VARCHAR2);
exec sa_audit_admin.audit_label('DATA_ACCESS');
 
AUDIT_LABEL_ENABLED
Returns a flag indicating whether labels are being recorded in audit records for the policy
sa_audit_admin.audit_label_enabled(policy_name IN VARCHAR2) RETURN BOOLEAN;
BEGIN
  IF sa_audit_admin.audit_label_enabled('DATA_ACCESS') THEN
    dbms_output.put_line('T');
  ELSE
    dbms_output.put_line('F');
  END IF;
END;
/

SELECT COUNT(*)
FROM ols_admin.ols_aud$;
 
AUDIT_LABEL_ENABLED_SQL
Undocumented but identical in function to AUDIT_LABEL_ENABLED, above, except that it returns an integer value and the function can be incorporated into SQL statements
sa_audit_admin.audit_label_enabled_sql(policy_name IN VARCHAR2)
RETURN BINARY_INTEGER;
SELECT sa_audit_admin.audit_label_enabled_sql('DATA_ACCESS')
FROM dual;
 
CREATE_VIEW
Creates an audit trail view named DBA_policyname_AUDIT_TRAIL by default; the user can optionally specify a different name
sa_audit_admin.create_view(
policy_name IN VARCHAR2,
view_name   IN VARCHAR2 DEFAULT NULL);
exec sa_audit_admin.create_view('DATA_ACCESS', 'OLS_AUD$_DAP');
 
DROP_VIEW
Drops the OLS auditing view
sa_audit_admin.drop_view(
policy_name IN VARCHAR2,
view_name   IN VARCHAR2 DEFAULT NULL);
exec sa_audit_admin.drop_view('DATA_ACCESS', 'OLS_AUD$_DAP');
 
NOAUDIT
Disables Oracle Label Security policy-specific auditing

The audit options are listed under the AUDIT procedure above
sa_audit_admin.noaudit(
policy_name  IN VARCHAR2,
users        IN VARCHAR2 DEFAULT NULL,
audit_option IN VARCHAR2 DEFAULT NULL);
exec sa_audit_admin.noaudit('DATA_ACCESS');
 
NOAUDIT_LABEL
Disables the auditing of policy labels
sa_audit_admin.noaudit_label(policy_name IN VARCHAR2);
exec sa_audit_admin.noaudit_label('DATA_ACCESS');
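
The subprograms above combined into one setup script, as an added example that is not part of the original page or of Oracle's documentation. It uses named notation so each audit option, audit type and success filter is explicit. It assumes the DATA_ACCESS policy from the examples above already exists, that the caller holds the DATA_ACCESS_DBA role, and a hypothetical user APP_USER1.

```sql
-- Added example. DATA_ACCESS is the policy name used on this page;
-- APP_USER1 is a hypothetical user name.
SET SERVEROUTPUT ON

BEGIN
  -- Failed attempts by one user to use policy privileges,
  -- one audit record per access.
  sa_audit_admin.audit(
    policy_name  => 'DATA_ACCESS',
    users        => 'APP_USER1',
    audit_option => 'PRIVILEGES',
    audit_type   => 'BY ACCESS',
    success      => 'NOT SUCCESSFUL');

  -- Changes to user authorizations and to user and program privileges.
  -- users and success are left at their NULL defaults.
  sa_audit_admin.audit(
    policy_name  => 'DATA_ACCESS',
    audit_option => 'SET',
    audit_type   => 'BY ACCESS');

  -- Policy applied to, or removed from, tables and schemas.
  sa_audit_admin.audit(
    policy_name  => 'DATA_ACCESS',
    audit_option => 'APPLY',
    audit_type   => 'BY ACCESS');
  sa_audit_admin.audit(
    policy_name  => 'DATA_ACCESS',
    audit_option => 'REMOVE',
    audit_type   => 'BY ACCESS');

  -- Record policy labels in the audit records as well.
  sa_audit_admin.audit_label('DATA_ACCESS');

  -- Stop here if label recording did not take effect.
  IF sa_audit_admin.audit_label_enabled('DATA_ACCESS') THEN
    dbms_output.put_line('Labels are recorded for DATA_ACCESS');
  ELSE
    raise_application_error(-20001,
      'Label auditing is not enabled for DATA_ACCESS');
  END IF;

  -- Create the audit trail view under its default name
  -- (DBA_policyname_AUDIT_TRAIL, as described under CREATE_VIEW).
  sa_audit_admin.create_view('DATA_ACCESS');
END;
/
```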

Related Topics
LBAC_EXP
LBAC_POLICY_ADMIN
LBAC_SESSION
LBAC_STANDARD
LBAC_SYSDBA
OLS$DATAPUMP
OLS_DIP_NTFY
OLS_ENFORCEMENT
OLS_UTIL_WRAPPER
Oracle Label Security (OLS)
SA_COMPONENTS
SA_LABEL_ADMIN
SA_POLICY_ADMIN
SA_SYSDBA
SA_USER_ADMIN
TO_LABEL_LIST