Wednesday 3 July 2024

How to implement an audit policy for SAP HANA (tenant/system DB)?

Permissions

To create an audit policy on SYSTEMDB or on a tenant, you must have the AUDIT ADMIN privilege.

To use the FOR <database_name> option, you need the DATABASE AUDIT ADMIN privilege granted on SYSTEMDB, not on the tenant.

Example

Create a new audit policy named priv_audit that audits the successful granting and revoking of privileges and roles. The policy uses the medium audit level CRITICAL.

This policy must be explicitly enabled before it audits anything.

CREATE AUDIT POLICY priv_audit AUDITING SUCCESSFUL GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE LEVEL CRITICAL;

Create a new audit policy named object_audit that audits inserts into the existing table MY_SCHEMA.MY_TABLE. This policy must be explicitly enabled before it audits anything. It is restricted to the user FRED and uses the audit level INFO.

CREATE USER FRED PASSWORD <pwd>;
CREATE SCHEMA MY_SCHEMA OWNED BY system;
CREATE ROW TABLE MY_SCHEMA.MY_TABLE (first_col int);
GRANT INSERT ON MY_SCHEMA.MY_TABLE to FRED;
CREATE AUDIT POLICY OBJECT_AUDIT AUDITING SUCCESSFUL INSERT ON MY_SCHEMA.MY_TABLE FOR FRED LEVEL INFO;

Create a new audit policy named update_object_audit that audits updates of the existing table MY_SCHEMA.MY_TABLE. This policy must be explicitly enabled before it audits anything. Auditing applies to all users except the existing user TECH_ADMIN. This policy uses the audit level CRITICAL.

CREATE USER TECH_ADMIN PASSWORD <pwd>;
CREATE SCHEMA MY_SCHEMA OWNED BY system;
CREATE ROW TABLE MY_SCHEMA.MY_TABLE (first_col int);
GRANT UPDATE ON MY_SCHEMA.MY_TABLE to TECH_ADMIN;
CREATE AUDIT POLICY UPDATE_OBJECT_AUDIT AUDITING SUCCESSFUL UPDATE ON MY_SCHEMA.MY_TABLE EXCEPT FOR TECH_ADMIN LEVEL CRITICAL;

Create a new audit policy named SYSTEMDB_TEST that audits successful changes to an existing PSE. This policy is created on the SYSTEMDB and applies to the tenant HA2.

CREATE AUDIT POLICY SYSTEMDB_TEST FOR HA2 AUDITING SUCCESSFUL ALTER PSE LEVEL CRITICAL;

Create an audit policy that tracks all tables created in the schema TEST_SCHEMA.

CREATE AUDIT POLICY MY_AUDIT_POLICY AUDITING ALL CREATE TABLE ON SCHEMA TEST_SCHEMA LEVEL INFO;
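The policies above are only created; as the text notes, each still has to be enabled, and the database-wide auditing switch has to be on before any entry is written. The following is an added example (not part of the original post) that carries the priv_audit policy through enabling and verification. It assumes a user holding AUDIT ADMIN, INIFILE ADMIN and AUDIT READ, and that MY_SCHEMA and FRED from the earlier examples already exist; the tenant name HA2 is taken from the post.

```sql
-- Added example, not from the original post.
-- Assumes: AUDIT ADMIN, INIFILE ADMIN and AUDIT READ privileges;
-- MY_SCHEMA and user FRED exist (created in the examples above).

-- 1. Switch auditing on for the database you are connected to and
--    write the trail to the internal CSTABLE (column-store table).
ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'SYSTEM')
    SET ('auditing configuration', 'global_auditing_state') = 'true',
        ('auditing configuration', 'default_audit_trail_type') = 'CSTABLE'
    WITH RECONFIGURE;

-- 1b. Same setting done from SYSTEMDB for the tenant HA2
--     (DATABASE layer instead of SYSTEM layer).
-- ALTER SYSTEM ALTER CONFIGURATION ('global.ini', 'DATABASE', 'HA2')
--     SET ('auditing configuration', 'global_auditing_state') = 'true'
--     WITH RECONFIGURE;

-- 2. Create the policy exactly as in the post, then enable it.
--    Without the ENABLE step the policy exists but audits nothing.
CREATE AUDIT POLICY priv_audit AUDITING SUCCESSFUL
    GRANT PRIVILEGE, REVOKE PRIVILEGE, GRANT ROLE, REVOKE ROLE
    LEVEL CRITICAL;
ALTER AUDIT POLICY priv_audit ENABLE;

-- 3. Verify: IS_AUDIT_POLICY_ACTIVE must be TRUE and the event list must
--    match what was declared (unquoted names are stored in upper case).
SELECT AUDIT_POLICY_NAME, EVENT_STATUS, EVENT_LEVEL, EVENT_ACTION,
       IS_AUDIT_POLICY_ACTIVE
  FROM AUDIT_POLICIES
 WHERE AUDIT_POLICY_NAME = 'PRIV_AUDIT';

-- 4. Produce one audited event (a privilege grant) and read it back
--    from the audit trail; the grant and its grantee should appear.
GRANT SELECT ON SCHEMA MY_SCHEMA TO FRED;

SELECT TIMESTAMP, USER_NAME, AUDIT_POLICY_NAME, EVENT_ACTION,
       EVENT_STATUS, GRANTEE, PRIVILEGE_NAME, STATEMENT_STRING
  FROM AUDIT_LOG
 WHERE AUDIT_POLICY_NAME = 'PRIV_AUDIT'
 ORDER BY TIMESTAMP DESC;
```

If step 3 returns no row or IS_AUDIT_POLICY_ACTIVE is FALSE, or step 4 returns nothing after the grant, check the global_auditing_state value first: an enabled policy on a database whose auditing switch is off writes no entries.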