Valid in: SQL, ESQL
The Create Security_Alarm statement specifies the conditions that cause records to be written to the security log for one or more tables, databases, or the current installation.
Security logging is enabled using the enable security_audit statement. To delete a security alarm, use the drop security_alarm statement. To determine what security alarms have been created for a table, use the help security_alarm statement.
The Create Security_Alarm statement has the following format:
[EXEC SQL] CREATE SECURITY_ALARM [alarm_name] ON
[TABLE | DATABASE] [schema.]object_name {, [schema.]object_name} |
CURRENT INSTALLATION
[IF SUCCESS | FAILURE | SUCCESS, FAILURE]
[WHEN SELECT | DELETE | INSERT | UPDATE | CONNECT | DISCONNECT]
[BY [USER | GROUP | ROLE] auth_id{, auth_id} | PUBLIC;]
[RAISE DBEVENT [dbevent_owner.]dbevent_name [dbevent_text]]
object_name
Specifies the table or database for which security events are logged.
IF
Specifies when logging occurs:
SUCCESS
Creates a log record when a user succeeds in performing the specified type of access.
FAILURE
Creates a log record when a user attempts to perform the specified type of access and fails (the query is aborted). Users can fail to gain access to a table because they lack the required permissions.
SUCCESS, FAILURE
Logs all attempts to access the tables.
WHEN
Specifies the types of access to be logged. Any combination of the access types shown in the syntax diagram can be specified, in a comma-separated list.
BY
Specifies the user names of the users for whom logging is performed.
To log access attempts for all users, specify PUBLIC.
Default: PUBLIC
You cannot use host language variables in an embedded Create Security_Alarm statement.
You must be the owner of the table.
The Create Security_Alarm statement locks the specified table, the iisecurity_alarms catalog, the iipermits catalog, and the iiprotect catalog.
The following are Create Security_Alarm statement examples:
create security_alarm on table employee
if success when insert, update, delete by public;
create security_alarm clerk_update on table secure_data if failure when update by group clerk;
These alarms are fired when a session connects as the specified group or role.
create security_alarm secconnect on current installation when connect by user spy;
create security_alarm secconnect on database sec1
when connect by user spy
raise dbevent secconnect 'user spy connected to sec1 database';
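When reviewing a set of alarms, it helps to parse each statement into its clauses and check which access types on a sensitive table actually produce a FAILURE record for PUBLIC. The following is an added example, not part of the product documentation: parse_alarm, failure_gaps and ALARMS are hypothetical names, the regular expression covers only the syntax shown on this page, and treating an omitted IF clause as not covering failures is a conservative assumption because this page states no default for it.

```python
import re

# Clause order follows the syntax diagram on this page.
ALARM_RE = re.compile(r"""^\s*create\s+security_alarm\s+(?:(?P<name>\w+)\s+)?on\s+
    (?:current\s+installation
      |(?:(?P<kind>table|database)\s+)?(?P<objects>[\w.]+(?:\s*,\s*[\w.]+)*))
    (?:\s+if\s+(?P<outcome>success\s*,\s*failure|success|failure))?
    (?:\s+when\s+(?P<access>\w+(?:\s*,\s*\w+)*))?
    (?:\s+by\s+(?:(?P<idtype>user|group|role)\s+)?(?P<ids>\w+(?:\s*,\s*\w+)*))?
    (?:\s+raise\s+dbevent\s+(?P<event>[\w.]+)(?:\s+'(?P<text>[^']*)')?)?
    \s*;?\s*$""", re.IGNORECASE | re.VERBOSE)
ACCESS_TYPES = {"select", "delete", "insert", "update", "connect", "disconnect"}

def _items(text):
    return [p.strip().lower() for p in text.split(",")] if text else []

def parse_alarm(sql):
    """Split one statement into its clauses; omitted clauses stay empty."""
    m = ALARM_RE.match(sql)
    if not m:
        raise ValueError("not a CREATE SECURITY_ALARM statement: %r" % sql)
    access = _items(m["access"])
    if set(access) - ACCESS_TYPES:
        raise ValueError("unknown access type in: %r" % sql)
    return {
        "name": m["name"],
        "kind": m["kind"].lower() if m["kind"] else None,
        "objects": _items(m["objects"]),        # [] for CURRENT INSTALLATION
        "outcomes": _items(m["outcome"]),       # [] when IF is omitted
        "access": access,
        "id_type": m["idtype"].lower() if m["idtype"] else None,
        "ids": _items(m["ids"]) or ["public"],  # page: BY defaults to PUBLIC
        "dbevent": m["event"], "dbevent_text": m["text"],
    }

def failure_gaps(statements, table, wanted=("select", "insert", "update", "delete")):
    """Access types on `table` with no explicit FAILURE alarm for PUBLIC."""
    covered = set()
    for a in map(parse_alarm, statements):
        if (a["kind"] == "table" and table in a["objects"]
                and "failure" in a["outcomes"] and a["ids"] == ["public"]):
            covered.update(a["access"])
    return sorted(set(wanted) - covered)

ALARMS = [  # first two are this page's examples, the third is constructed
    "create security_alarm on table employee if success when insert, update, delete by public;",
    "create security_alarm clerk_update on table secure_data if failure when update by group clerk;",
    "create security_alarm on table secure_data if success, failure when select, update by public;",
]
print(failure_gaps(ALARMS, "secure_data"))
```

The clerk_update alarm does not count toward coverage here because it logs failed updates only for group clerk, so a failed update by any other user would go unrecorded without the third statement.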