Unauthorized deletion of audit tables

Hi,
the Identity Center stores audit information in one of the database tables. But as an administrator I can easily configure jobs that perform operations on the database such as the deletion of records and tables. This means that the IC admin should also be able to delete audit records in case he tampered with the configuration.
Has anyone introduced SAP IC for compliancy reasons and found a solution on how the integrity of the audit records can be guaranteed?
Best regards,
Holger

Gregg,
I agree that this is the same problem as with other tools that give you administrator privileges. And copying the database tables or using a tool like Snare might be a viable way for the customers.
But in general, I would almost consider the logon to the Identity Center with a database account as a design weakness. One problem that we have already discussed is the auditing and the full access of the admin to the database. Another issue that is closely related to this is that the DBA can modify any internal data using SQL Update commands without anybody being able to realize that. Especially in the financial services sector, this might be a no-go. And in addition, because of the usage of the database account for logging on to the system, Identity Center is not able to support role-based or delegated administration for the IC configuration. I cannot, for example, configure that one user can only configure resources and another user can only configure one identity store. This is at least my perception and correct me if I'm wrong.
Other tools solve this by using the users in the identity store for logging on to the system. This means that administrators do not have a database account and do not have full access to the database. In addition, using identity store users that do not have full access to the database allows you to perform delegated administration as I have described above, where certain admins are only able to see certain areas of the configuration. To control changes even further, it is sometimes also possible to start a workflow where all changes by an admin need to be approved by somebody else before the changes take effect.
Best regards
Holger
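
What an off-host copy of the audit table buys you, as an added example that is not part of the original thread: per-row digests are exported to a system the database administrator cannot write to, and later compared with the live table. The table name `audit_log`, its columns and the use of SQLite as a stand-in database are assumptions; the Identity Center schema is not shown on this page.

```python
import hashlib
import sqlite3

# Hypothetical audit table; the real Identity Center schema is not shown on the page.
SCHEMA = """
CREATE TABLE audit_log (
    audit_id   INTEGER PRIMARY KEY,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL,
    action     TEXT NOT NULL
)"""

# Constructed sample records.
SAMPLE_ROWS = [
    (1, "admin1", "2024-01-10T08:00:00", "job 'cleanup' created"),
    (2, "admin1", "2024-01-10T08:05:00", "repository password changed"),
    (3, "admin2", "2024-01-11T09:30:00", "task 'provision' modified"),
]


def row_digest(row):
    """SHA-256 over a length-prefixed encoding, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for field in row:
        data = str(field).encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return h.hexdigest()


def export_digests(conn):
    """Snapshot {audit_id: digest} to ship to a host the DB admin cannot write to."""
    cur = conn.execute(
        "SELECT audit_id, changed_by, changed_at, action "
        "FROM audit_log ORDER BY audit_id")
    return {row[0]: row_digest(row) for row in cur}


def reconcile(conn, shipped):
    """Compare the live table with a previously shipped snapshot."""
    live = export_digests(conn)
    return {
        # Present in the snapshot, gone from the live table.
        "deleted": sorted(i for i in shipped if i not in live),
        # Same key, different content.
        "modified": sorted(i for i in shipped
                           if i in live and live[i] != shipped[i]),
        # Written after the last export; expected, and due for the next export.
        "not_yet_shipped": sorted(i for i in live if i not in shipped),
    }


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO audit_log VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    shipped = export_digests(conn)  # held off-host in a real deployment

    # Changes made directly in the database, bypassing the application.
    conn.execute("DELETE FROM audit_log WHERE audit_id = 2")
    conn.execute("UPDATE audit_log SET changed_by = 'admin2' WHERE audit_id = 1")
    conn.execute(
        "INSERT INTO audit_log VALUES (4, 'admin2', '2024-01-12T10:00:00', 'job run')")
    return reconcile(conn, shipped)


if __name__ == "__main__":
    print(demo())
```

A record that is written and deleted between two exports never reaches the snapshot, so the export interval bounds what this check can detect; continuous forwarding narrows that window.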

Similar Messages

  • How to delete the source table rows once loaded in Destination Table in SSIS?

    Database = kssdata
    Table = Userdetails, having 1000 rows
    Using SSIS:
    Taking an
    OLE DB Source -----------------> OLE DB Destination
    I am taking 200 rows from the source table and loading them into the destination table at once.
    Constraint: once the 200 rows are exported to the destination table, those 200 rows are deleted from the source table.
    Repeat the task until all the records in the source table are loaded into the destination table.
    After that I am taking another 200 rows from the source table and loading them into the destination table.

    Provided you have a sequential primary key or an audit timestamp (datetime/date) column in the table, you can use an approach like this:
    1. Add an Execute SQL task connecting to the source db with the statement below
    SELECT COUNT(*) FROM table
    Store the result in a variable
    2. Have another variable and set it to the expression below
    (@[User::CountVariable]/200) + (@[User::CountVariable]%200 >0? 1:0)
    by setting EvaluatesExpression as true. Here CountVariable is the variable created in the previous step
    3. Have a For Loop container with the settings below
    InitExpression
    @NewVariable = @CounterVariable
    EvalExpression
    @NewVariable > 0
    AssignExpression
    @NewVariable = @NewVariable - 1
    4. Add a data flow task with OLEDB source and OLEDB Destination
    5. Use source query as
    SELECT TOP 200 columns...
    FROM Table
    ORDER BY [PK | AuditColumn]
    Use PK or audit column depending on which one is sequential
    6. After the data flow task have an Execute SQL task with the statement below
    DELETE t
    FROM (SELECT ROW_NUMBER() OVER (ORDER BY PK) AS Rn
    FROM Table)t
    WHERE Rn <= 200
    This will make sure the 200 records get deleted each time
    Visakh

  • Query based on main table and audit table

    Hi,
    I had created auditing on some table. Values might not change and if they changed, it should be stored in audit table.
    I want to get the values in the table a on real time basis, like dimensions in datawarehouse.
    Trying to write a query based on table a and aud_a to get point-in-time or values at anytime in the past.
    Something like
    SELECT *
    FROM a (table_name)
    WHERE effective_from >= $DATE_TO_QUERY
    AND effective_to < $DATE_TO_QUERY
    How to get this kind of query .
    Please help. ( Table structure for table a and audit table aud_a and trigger aud_tg_a given below)
    Giving code as follows.
    Main table a:
    create table a
    ( val1 number,
      val2 number,
      updated_by varchar2(30),
      date_updated date);
    Create audit table aud_a:
    create table aud_a
    ( "AUDIT_SEQ" NUMBER,
      "AUDIT_TRAN_ID" NUMBER,
      "AUDIT_PROG_ID" VARCHAR2(30 BYTE),
      "AUDIT_TERMINAL" VARCHAR2(16 BYTE),
      "AUDIT_REASON" VARCHAR2(30 BYTE),
      "AUDIT_ACTION" CHAR(1 BYTE),
      "AUDIT_ACTION_BY" VARCHAR2(20 BYTE),
      "AUDIT_ACTION_DT" DATE,
      val1 number,
      val2 number,
      updated_by varchar2(30),
      date_updated date);
    Trigger on table a to populate aud_a:
    -- assumes the sequence s_audit_no already exists
    CREATE OR REPLACE TRIGGER aud_tg_a
    AFTER INSERT OR DELETE OR UPDATE ON a
    FOR EACH ROW
    DECLARE
      v_time_now DATE;
      v_terminal VARCHAR2(16);
      v_tran_id NUMBER;
      v_prog_id VARCHAR2(30);
      v_reason VARCHAR2(30);
    BEGIN
      v_time_now := sysdate;
      v_terminal := userenv('TERMINAL');
      v_tran_id := 1;
      v_prog_id := 'test';
      v_reason := 'AUDIT';
      IF inserting THEN
        -- new row image, action 'I'
        INSERT INTO aud_a (
          audit_seq, audit_tran_id, audit_prog_id, audit_reason, audit_terminal,
          audit_action_by, audit_action_dt, audit_action,
          val1, val2, updated_by, date_updated
        ) VALUES (
          s_audit_no.nextval, v_tran_id, v_prog_id, v_reason, v_terminal,
          USER, v_time_now, 'I',
          :new.val1, :new.val2, :new.updated_by, :new.date_updated
        );
      ELSIF deleting THEN
        -- old row image, action 'D'
        INSERT INTO aud_a (
          audit_seq, audit_tran_id, audit_prog_id, audit_reason, audit_terminal,
          audit_action_by, audit_action_dt, audit_action,
          val1, val2, updated_by, date_updated
        ) VALUES (
          s_audit_no.nextval, v_tran_id, v_prog_id, v_reason, v_terminal,
          USER, v_time_now, 'D',
          :old.val1, :old.val2, :old.updated_by, :old.date_updated
        );
      ELSIF updating THEN
        -- new row image, action 'U'
        INSERT INTO aud_a (
          audit_seq, audit_tran_id, audit_prog_id, audit_reason, audit_terminal,
          audit_action_by, audit_action_dt, audit_action,
          val1, val2, updated_by, date_updated
        ) VALUES (
          s_audit_no.nextval, v_tran_id, v_prog_id, v_reason, v_terminal,
          USER, v_time_now, 'U',
          :new.val1, :new.val2, :new.updated_by, :new.date_updated
        );
      END IF;
    END;
    /
    -------------------------

    Hi hoek,
    I am not able to use Oracle's audit functionality because I need to trap some changes in particular tables and then rebuild query if required.
    Thanks for your suggestion though.
    Regards,
    Milind

  • Auditing tables..

    Hi Experts,
    Could anyone help me with the following issue.
    we are trying to implement the "audit feature" on a table. what is the best way to do the audit? (keep track of all the changes in the table)
    This is what we are doing..
      Main_table
      id
      first_name
      last_name
       dob
      hire_date
      created_date
      created_by
      updated_date
      updated_by
      audit_table
      ad_action (whether it is insert,update or delete)
      ad_time (time)
      ad_user (who is the user)
      id
      first_name
      last_name
       dob
      hire_date
      created_date
      created_by
      updated_date
      updated_by
    and I have a trigger on the "main_table" like this
    CREATE OR REPLACE TRIGGER Main_table_AIUD after
    insert or update or delete on Main_table for each row
    begin
       declare
          ljn_action varchar2(3);
       begin
          if inserting then
             ljn_action := 'INS';
          elsif updating then
             ljn_action := 'UPD';
          else
             ljn_action := 'DEL';
          end if;
          if inserting then
             insert into audit_table (
                ad_action, ad_time, ad_user,
                id, first_name, last_name, dob, hire_date,
                created_date, created_by, updated_date, updated_by
             ) values (
                ljn_action, sysdate, nvl(v('APP_USER'), USER),
                :new.id, :new.first_name, :new.last_name, :new.dob, :new.hire_date,
                :new.created_date, :new.created_by, :new.updated_date, :new.updated_by
             );
          elsif updating then
             insert into audit_table (
                ad_action, ad_time, ad_user,
                id, first_name, last_name, dob, hire_date,
                created_date, created_by, updated_date, updated_by
             ) values (
                ljn_action, sysdate, nvl(v('APP_USER'), USER),
                :old.id, :old.first_name, :old.last_name, :old.dob, :old.hire_date,
                :old.created_date, :old.created_by, :old.updated_date, :new.updated_by
             );
          else
             insert into audit_table (
                ad_action, ad_time, ad_user,
                id, first_name, last_name, dob, hire_date,
                created_date, created_by, updated_date, updated_by
             ) values (
                ljn_action, sysdate, nvl(v('APP_USER'), USER),
                :old.id, :old.first_name, :old.last_name, :old.dob, :old.hire_date,
                :old.created_date, :old.created_by, :old.updated_date, :new.updated_by
             );
          end if;
       end;
    end;
    /
    For "Insert" and "Delete", as I need to capture all the elements, my code would be OK.
    But for "update" how can i capture only the columns that got changed? and put it in the audit table
    so next time if i go to the audit table i can clearly see that these elements got changes.
    Is there any better way to do this?
    Please let me know
    Thanks

    Yeah for tracking OLD and NEW values you have to write a trigger.
    Your trigger code seems fine except a few quirks.
    Your audit_table should contain two fields against each column of the main table, e.g. for the first_name column in main_table there should be two fields old_firstname and new_firstname in the audit_table.
    And then each section of the trigger (inserting, updating, deleting) inserts both :OLD and :NEW values into the table. In case of INSERT there will be no :OLD values so just insert NULL, and in case of DELETE there will be no :NEW values so insert NULL. But in case of UPDATE it's important to track both :NEW and :OLD.
    And if you track both NEW and OLD values in the trigger and put them in the audit_table then you no longer need to identify which columns are changed. You can figure that out later on when you query the audit_table: any field where the OLD and NEW values are the same was not updated.
    If you still want to check which column was changed in the trigger, refer to Himanshu Kandpal's post above.
    And you probably don't need this code in the trigger:
          if inserting then
             ljn_action := 'INS';
          elsif updating then
             ljn_action := 'UPD';
          else
             ljn_action := 'DEL';
          end if;
    You can just use the values 'DEL', 'INS' and 'UPD' where appropriate instead of the ljn_action variable.
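
The old/new column layout described in the answer above, as an added example that is not part of the original thread: triggers record both row images, and the changed columns are derived when the audit table is queried. SQLite stands in for Oracle here (it needs one trigger per event), only a subset of the `main_table` columns is audited, and the `old_`/`new_` column names and `ad_seq` are assumptions.

```python
import sqlite3

COLUMNS = ["first_name", "last_name", "hire_date"]  # audited subset of main_table

# (ad_action value, trigger event, OLD row available, NEW row available)
EVENTS = [
    ("INS", "INSERT", False, True),
    ("UPD", "UPDATE", True, True),
    ("DEL", "DELETE", True, False),
]


def build_schema():
    """Return the DDL for the tables and the three audit triggers."""
    main_cols = ", ".join(f"{c} TEXT" for c in COLUMNS)
    pair_defs = ", ".join(f"old_{c} TEXT, new_{c} TEXT" for c in COLUMNS)
    pair_cols = ", ".join(f"old_{c}, new_{c}" for c in COLUMNS)
    ddl = [
        f"CREATE TABLE main_table (id INTEGER PRIMARY KEY, {main_cols})",
        "CREATE TABLE audit_table (ad_seq INTEGER PRIMARY KEY AUTOINCREMENT, "
        f"ad_action TEXT, ad_time TEXT, id INTEGER, {pair_defs})",
    ]
    for action, event, has_old, has_new in EVENTS:
        # The image that does not exist for this event is stored as NULL.
        values = ", ".join(
            f"{'OLD.' + c if has_old else 'NULL'}, "
            f"{'NEW.' + c if has_new else 'NULL'}"
            for c in COLUMNS)
        row_id = "NEW.id" if has_new else "OLD.id"
        ddl.append(
            f"CREATE TRIGGER main_table_{action.lower()} "
            f"AFTER {event} ON main_table FOR EACH ROW BEGIN "
            f"INSERT INTO audit_table (ad_action, ad_time, id, {pair_cols}) "
            f"VALUES ('{action}', datetime('now'), {row_id}, {values}); END")
    return ddl


def changed_columns(conn):
    """For each audit row, list the columns whose old and new values differ."""
    # IS NOT is SQLite's NULL-safe inequality. A plain <> evaluates to NULL when
    # either side is NULL and would hide a change to or from NULL; Oracle needs
    # an explicit NULL check to get the same effect.
    flags = ", ".join(f"old_{c} IS NOT new_{c}" for c in COLUMNS)
    result = []
    for action, row_id, *diff in conn.execute(
            f"SELECT ad_action, id, {flags} FROM audit_table ORDER BY ad_seq"):
        result.append((action, row_id, [c for c, d in zip(COLUMNS, diff) if d]))
    return result


def demo():
    conn = sqlite3.connect(":memory:")
    for stmt in build_schema():
        conn.execute(stmt)
    # Constructed sample activity.
    conn.execute("INSERT INTO main_table VALUES (1, 'Ann', 'Lee', NULL)")
    conn.execute("UPDATE main_table SET last_name = 'Ray', "
                 "hire_date = '2020-01-01' WHERE id = 1")
    # An UPDATE that sets the same value still fires the trigger.
    conn.execute("UPDATE main_table SET first_name = 'Ann' WHERE id = 1")
    conn.execute("DELETE FROM main_table WHERE id = 1")
    return changed_columns(conn)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```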

  • Update audit table trigger by a column

    I have a need to update an audit table when a specific column's data has been updated\deleted\inserted on table T1. The column is Grade_complete.
    My first thought was to create an instead of trigger since the form was based on the table (T1) view
    ( CREATE OR REPLACE TRIGGER "AI_T1" AFTER INSERT OR UPDATE OF grade_complete ON T1........) but then I realized with instead of, I can't create a trigger with an update of. Can anyone give me some suggestions on how to resolve this? There has got to be something easy that I am just not getting now.
    Thanks.
    Wan

    Jure, Roel;
    Thanks for the reply.
    I have no permission to create triggers on the table, so instead of is being used. When I ran the following statement, I am getting "ORA-25004: WHEN clause is not allowed in INSTEAD of triggers". I have tried an if statement to no avail. Can anyone help?
    create or replace trigger ioft_test
    instead of insert or update or delete on T1
    referencing old as old new as new for each row
    when nvl(new.grade_complete, 0) != nvl(old.grade_complete, -1)
    declare
    v_seq number;
    begin
    -- insert statement here
    end;

  • Need to create a audit table column change wise

    Is it possible to know which column value has been change? when ? by which operation(insert,update,delete) ?
    have any view or trigger?
    My sample audit table is like
    CREATE TABLE CHANGE_TRACK
    (
    SERIAL NUMBER NULL,
    TABLE_NAME VARCHAR2(100 BYTE) NULL,
    COLUMN_NAME VARCHAR2(100 BYTE) NULL,
    COLUMN_VALUE VARCHAR2(1024 BYTE) NULL,
    CHANGE_TIME DATE NULL,
    OPERATION_TYPE VARCHAR2(20 BYTE) NULL
    );
    Thanks
    Halim

    I have found my solution here
    http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:59412348055
    Thanks
    Halim

  • Records have been deleted from the table.

    Hi all ,
    If records have been deleted from the table that any log file maintains the history as following Way.
    User Name who delete the records.
    Machine name where the command is execute.
    The command syntax e.g delete from abc where ……..
    or any other help related to mentioned problem.
    Regards,
    Mobeen.

    Wrong forum .. your question doesn't make much sense.
    But take a look at Oracle Auditing.

  • Audit tables population

    I am working on Oracle 9i database and having nearly 100 tables of 15 columns each on average.
    We have two separate tables for Audit purpose. First table contains only table name which got affected by updates and deletes. Second table contains first table's Id, column name, old value and new value.
    If value of one column of a table changes, it would be one record in each audit table. If values of 20 columns are updated then one record in the first table and 20 records in the second table with old and new values.
    Please help me out the best way to accomplish this task.
    Thanks for the help.

    "Because I don't know which column is being updated by user."
    Yes you do.
    SQL> set serveroutput on
    SQL> create or replace trigger trig_emp2_insupd
      2  before insert or update
      3  on emp2
      4  for each row
      5  begin
      6    if (UPDATING('ENAME'))
      7    then
      8      dbms_output.put_line('Ename is updated') ;
      9    end if ;
    10    if (UPDATING('SAL'))
    11    then
    12      dbms_output.put_line('Sal is updated') ;
    13    end if ;
    14  end ;
    15  /
    Trigger created.
    SQL> update emp2 set ename = null where rownum < 2 ;
    Ename is updated
    1 row updated.
    SQL>
    SQL> update emp2 set sal = null where rownum < 2 ;
    Sal is updated
    1 row updated.
    SQL>
    SQL> update emp2 set sal = null, ename = null where rownum < 2 ;
    Ename is updated
    Sal is updated
    1 row updated.
    SQL>

  • Maintaining an Audit Table

    Hi - I have created a small country table with country cd, country name and some audit columns like updt timestamp, updt cd etc. I edited the doDML() method of cntryImpl.java to auto populate some of the audit information.
    and generated the JHeadstart webpages.
    If I want to add another table like an audit table, which will maintain all the inserts, deletes, updates made to the actual country table, how do I do that ?
    That is, any row added to the country table via the default webpages, should also add a row in this audit table. Any deletes in the actual table, should insert a record in the audit table with updt type cd 'delete'. How do I go about this?

    You have several options:
    1. Create audit tables in the database and have them filled with triggers. I believe good-old Headstart utilities (not to be confused with JHeadstart) can automate this process. No java coding needed
    2. Or you want to implement this in business components. I would recommend building a generic solution in the entityImpl superclass in the doDML method. Perhaps it is good idea to have a generic audit table in which changed values are stored in XML format, so you do not need to create shadow tables for every table of your application you want to implement auditing for.

  • How to Generate Audit table entries for user navigation in ADF application?

    Hi all,
    I have a requirement that I need to have audit table entries for each user action in my application. Along with entries for user actions like insertion,deletion and updation I also need to have entries in the audit log even when a user simply navigates to or views any page.
    Although I was successful in creating the entries for user actions like insertion,deletion and updation I failed to do so for simple user navigation through the pages.
    Can anyone please help me out?
    Thanks in advance,
    Arijit

    Hi,
    Thanks for the quick reply. I am using JSF for my ADF application. Could you please elaborate how to use the PhaseListener for Auditing user navigation?
    Arijit

  • Issue Audit Table

    Has anyone built an audit table, or something similar, for the Issue Tracking system example database?
    If so, would you provide how you went about the process?
    If not, then could someone point me in the right direction to figure out how to accomplish this task?
    Thanks in advance.

    Hi All,
    I am waiting for reply. I am not sure why Audit tables are not updating when salary record is created through API as Audit Table is updated when Salary record is created or deleted from the application.
    Any thoughts on this????

  • HFM TASK AUDIT TABLE

    We are using HFM system 9 and we notice that the size of the task audit table has exceeded the normal limits. We would like to take a backup of the data before deleting the records. Is this possible?
    Is deletion of records recommended, or truncation of the table? How do we take a backup of the table, and can we make HFM web retrieve from this table when needed?
    Does anyone know how to convert the float type(starttime,endtime) to date datatype?
    Thanks in advance

    Here is the query I use against the task audit table to get my users by day.. Our DBA came up with the code to convert the starttime field using CASt(convert(VARCHAR
    SELECT COUNT(DISTINCT ActivityUserID) as NumUsers
         , CAST(convert(VARCHAR,CAST(starttime AS DATETIME),106) AS DATETIME) AS [DAY]
    FROM dbo.LAUREATE_TASK_AUDIT
    WHERE CAST(convert(VARCHAR,CAST(starttime AS DATETIME),106) AS DATETIME) >= '8/1/2009'
    GROUP BY CAST(convert(VARCHAR,CAST(starttime AS DATETIME),106) AS DATETIME)
    ORDER BY CAST(convert(VARCHAR,CAST(starttime AS DATETIME),106) AS DATETIME)
    What I noticed with our database (SQL 2000 SP4, HFM 9.2.1) is that the date conversion is off by 2 days. So user activity for today shows as 2 days in the future when I query the table. I logged this with Oracle but no resolution. For what I need, it works fine.
    We have made a backup of the table in the past and truncated the existing table. Your SQL DBA can do that easily. Then yes, you can just query either table as needed.

  • Error while deleting a customer table

    When I try to delete a customer table which is saved as a local object I get an error stating that the table is still used in ABAP Dictionary. It seems that the customer table is still used in a customer program, but the program is already deleted! I deleted the program earlier and thus no longer exist in our system. I cannot find any trace of the program, but am unable to delete the customer table now. Any suggestions?

    Program name would have been of the table maintenance generator and you deleted it manually.
    It should have been deleted from TMG .
    Your problem will be resolved if you will create Table maintenance of the database table and then delete it again.

  • Open HUB ( SAP BW ) to SAP HANA through DB Connection data loading , Delete data from table option is not working Please help any one from this forum

    Issue:
    I have SAP BW system and SAP HANA System
    SAP BW to SAP HANA connecting through a DB Connection (named HANA)
    Whenever I created any Open Hub as Destination like DB Table with the help of DB Connection, table will be created at HANA Schema level ( L_F50800_D )
    Executed the Open Hub service without checking DELETING Data from table option
    Data loaded with 16 Records from BW to HANA same
    Second time again executed from BW to HANA now 32 records came ( it is going to append )
    Executed the Open Hub service with checking DELETING Data from table option
    Now I am getting the short dump DBIF_RSQL_TABLE_KNOWN
    If checking from SAP BW system to SAP BW system, it is working fine.
    Does this option support a DB Connection or not?
    Please see the attachment along with this discussion and help me to resolve this.
    From
    Santhosh Kumar

    Hi Ramanjaneyulu ,
    First of all thanks for the reply ,
    Here the issue is At OH level ( Definition Level - DESTINATION TAB and FIELD DEFINITION )
    in that there is check box i have selected already that is what my issue even though selected also
    not performing the deletion from target level .
    SAP BW - to SAP HANA via DBC connection
    1. first time from BW suppose 16 records - DTP executed - loaded up to HANA - 16 same
    2. second time again executed from BW - now on the HANA side it appended, meaning 16+16 = 32
    3. so I selected the check box at OH level, "Deleting data from table"
    4. Now executed the DTP and it throws a short dump - DBIF_RSQL_TABLE_KNOWN
    Now please tell me how to resolve this? Is this option, deleting data from table, applicable for HANA?
    Thanks
    Santhosh Kumar

  • How to maintain previous and record count in audit table in SQL Server 2008 r2?

    Hi Experts ,
     Situation :
    in our database we are having few of stored procedures which will drop and recreates the tables and it is scheduled on weekly basis. when this job will run all the stored procedures will drop all the tables and recreate. Now we need to create one table which
    will maintain history of the records.
    my table structure is listed below
    TableName CurrentReocrdCount CurrentExecutionDate PreviousReordCount PreviousExurtiondate
    TEST         1000                   2014-03-30            NULL        NULL
    Test         1500                   2014-04-10            1000      2014-03-30
    Test         2000                   2014-04-11            1500      2014-04-10 
    How do I achieve this?
    franklinsentil

    You need to create audit tables for these. The table will be populated by the COUNT value inside the stored procedure. Each time it clears the main table and fills new data, and also logs count details to the audit tables. You can use COUNT(*) to get the count value and the GETDATE function to get the current execution value.
    So the proc will look like
    CREATE PROC procname
    @param....
    AS
    --step to drop existing table
    IF OBJECT_ID('tablename') IS NOT NULL
    DROP TABLE <table name>
    --step to fill new table
    SELECT ...
    INTO TableName
    FROM
    --Audit table fill step
    --first branch: previous values come from the latest existing audit row
    INSERT AuditTable (TableName,CurrentRecordCount,CurrentExecDate,PrevRecordCount,PrevExecDate)
    SELECT 'TableName',(SELECT COUNT(*) FROM TableName),GETDATE(),p.CurrentRecordCount,p.CurrentExecDate
    FROM (SELECT TOP 1 CurrentRecordCount,CurrentExecDate
    FROM AuditTable
    ORDER BY CurrentExecDate DESC) p
    UNION ALL
    --second branch: very first run, no previous values yet
    SELECT 'TableName',(SELECT COUNT(*) FROM TableName),GETDATE(),NULL,NULL
    WHERE NOT EXISTS (SELECT 1 FROM AuditTable)
    GO
    Visakh
