Specifying Audit Conditions
Suppose that your organization is one of those global corporations with 50,000 or more employees scattered across the world. With different labor laws and varying pay cycles, the HR database hums with activity that’s more akin to that of an OLTP database. In such a case, if you try to log every access to the columns COMM and SALARY, your audit trail will quickly balloon to an unmanageable size. While thinking about solutions, you may want to limit the recording of access to high-profile cases only—for example, when someone chooses to see salaries of 150,000 or more or when someone sees your salary. You can set this kind of limitation in your FGA policy using a condition. To code the above condition, you will have to use a special parameter named audit_condition while invoking the procedure. If you already have the policy defined, you need to drop it by specifying:
BEGIN
DBMS_FGA.drop_policy (object_schema => 'ARUP',
object_name => 'EMP',
policy_name => 'EMP_SEL'
);
END;Then create the policy as follows:
BEGIN
DBMS_FGA.add_policy (object_schema => 'HR',
object_name => 'EMP',
policy_name => 'EMP_SEL',
audit_column => 'SALARY, COMM',
audit_condition => 'SALARY >= 150000 OR EMPID = 100'
);
END;Here the parameter audit_condition is used to limit the audit trail so that it is generated only when the value of the SALARY column exceeds 150,000 or when the EMPID value is 100. If a user selects a record for someone whose salary is 149,999, for example, the action ...