6.3. Administering FGASo far I have talked only about how you can set up FGA on a table. As a DBA, you will also be responsible for managing and administering the overall FGA configuration. 6.3.1. The DBA_AUDIT_POLICIES ViewTo see the FGA policies that have already been defined in the database, you can query the data dictionary view DBA_AUDIT_POLICIES, which contains the following columns:
In Oracle Database 10g, this view has several additional columns:
These are described later in the "FGA in Oracle Database 10g" section. 6.3.2. Using DBMS_FGA ProceduresDBMS_FGA is a rather simple package, providing only four procedures that you use to administer fine-grained auditing in your database, ADD_POLICY, DROP_POLICY, DISABLE_POLICY, and ENABLE_POLICY. 6.3.2.1. The ADD_POLICY procedureRemember that an FGA policy is not an object in the database, so the normal SQL operations do not apply to it. To administer it, you must use the ADD_POLICY procedure in the DBMS_FGA package . That procedure was described earlier in the chapter. 6.3.2.2. The DROP_POLICY procedureTo remove an FGA policy, use the DROP_POLICY procedure in the DBMS_FGA package. For example, to drop the policy we defined earlier on the EMP table, you might specify the following block of code. BEGIN DBMS_FGA.drop_policy (object_schema => 'HR', object_name => 'EMP', policy_name => 'EMP_SEL' ); END; / If the policy does not exist, it will throw the error ORA-28102: policy does not exist. 6.3.2.3. The DISABLE_POLICY procedureSometimes you may just want to suspend the writing of the audit trail temporarilyfor example, when purging the audit trail or switching it to a different table. There is no need to drop a policy in such cases; you can disable it by using the DISABLE_POLICY procedure in the DBMS_FGA package as follows: BEGIN DBMS_FGA.disable_policy (object_schema => 'HR', object_name => 'EMP', policy_name => 'EMP_SEL' ); END; / 6.3.2.4. The ENABLE_POLICY procedureOnce you have disabled a policy, it will remain on the object, but entries will not be written to the audit trail. After your maintenance operations are complete, you can enable the policy again by using the ENABLE_POLICY procedure in the DBMS_FGA package as follows: BEGIN DBMS_FGA.enable_policy (object_schema => 'HR', object_name => 'EMP', policy_name => 'EMP_SEL' ); END; / |