Operation Auditing
audit_system_object
Parameter description: Specifies whether to audit the operations such as CREATE, DROP, and ALTER on database objects. Database objects include databases, users, schemas, and tables. You can change the value of this parameter to audit only the operations on required database objects. Parameter type: integer.
Unit: none
- 0 indicates that the operations such as CREATE, DROP, and ALTER are not audited.
- A non-zero value indicates that the operations such as CREATE, DROP, and ALTER on a certain or some database objects are audited.
Value description:
The value of this parameter is calculated by 29 binary bits. The 29 binary bits represent 29 types of database objects. If the corresponding binary bit is set to 0, the operations such as CREATE, DROP, and ALTER on corresponding database objects are not audited. If it is set to 1, the operations such as CREATE, DROP, and ALTER are audited. For details about the audit contents represented by these 29 binary bits, see Table 1.
When SQL patches are audited and audit_dml_state_select is enabled, an SQL patch operation will be audited twice and recorded as DML and DDL operations in the audit log, respectively. If a remote API is called, the DDL logs are generated on the node corresponding to the input parameter, instead of on the node where the statement is issued.
Default value: 67121159 (decimal), corresponding to 0 0100 0000 0000 0011 0000 0000 0111 in binary, indicating that DDL operations on DATABASE, SCHEMA, USER, NODE GROUP, and SQLPatch are audited.
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Set the type of database objects to be audited based on service requirements. In the scenario where the leader node is forcibly elected, you are advised to set audit_system_object to the maximum value and audit all DDL objects.
Risks and impacts of improper settings: A larger number of objects to be audited indicates a greater impact on system performance and more CPU and I/O resources are occupied.
Binary Bit |
Description |
Value Range |
---|---|---|
Bit 0 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on databases. |
|
Bit 1 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on schemas. |
|
Bit 2 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on users and user mappings. |
|
Bit 3 |
Specifies whether to audit the CREATE, DROP, ALTER, and TRUNCATE operations on tables. |
|
Bit 4 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on indexes. |
|
Bit 5 |
Specifies whether to audit the CREATE and DROP operations on VIEW and MATVIEW objects. |
|
Bit 6 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on triggers. |
|
Bit 7 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on procedures/functions. |
|
Bit 8 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on tablespaces. |
|
Bit 9 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on resource pools. |
|
Bit 10 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on workloads. |
|
Bit 11 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on server objects. |
|
Bit 12 |
Reserved. |
- |
Bit 13 |
Specifies whether to audit the CREATE and DROP operations on node groups. |
|
Bit 14 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on ROW LEVEL SECURITY objects. |
|
Bit 15 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on types. |
|
Bit 16 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on text search objects (CONFIGURATION and DICTIONARY). |
|
Bit 17 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on directories. |
|
Bit 18 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on synonyms. |
|
Bit 19 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on sequences. |
|
Bit 20 |
Specifies whether to audit the CREATE, ALTER, and DROP operations on CMKs and CEKs. |
|
Bit 21 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on packages. (Currently, the operations on packages can be audited only in the centralized deployment scenario.) |
|
Bit 22 |
Reserved |
- |
Bit 23 |
Reserved |
- |
Bit 24 |
Specifies whether to audit the ALTER and DROP operations on the gs_global_config objects. |
|
Bit 25 |
Specifies whether to audit the CREATE, DROP, and ALTER operations on FOREIGN DATA WRAPPER objects. Currently, this function is not supported. |
|
Bit 26 |
Specifies whether to audit the CREATE, ENABLE, DISABLE, and DROP operations on SQL patches. |
|
Bit 27 |
Reserved |
- |
Bit 28 |
Specifies whether to audit the CREATE, ALTER, and DROP operations on database links. Currently, the database link function is not supported. |
|
audit_dml_state
Parameter description: Specifies whether to audit the INSERT, UPDATE, DELETE, and MERGE operations on all tables.
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The INSERT, UPDATE, DELETE, and MERGE operations on a specific table are not audited.
- 1: The INSERT, UPDATE, DELETE, and MERGE operations on a specific table are audited.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 1, audit logs are frequently recorded when INSERT, UPDATE, DELETE, and MERGE operations are frequently performed in the database. As a result, the database performance deteriorates.
audit_dml_state_select
Parameter description: Specifies whether to audit the SELECT operation.
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The SELECT auditing function is disabled.
- 1: The SELECT auditing function is enabled.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 1, audit logs are frequently recorded when the SELECT operation is frequently performed in the database. As a result, the database performance deteriorates.
audit_function_exec
Parameter description: Specifies whether to record the audit information during the execution of the stored procedures, anonymous blocks, or user-defined functions (excluding system functions).
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The stored procedures, anonymous blocks, or user-defined functions (excluding system functions) are not audited.
- 1: The stored procedures, anonymous blocks, or user-defined functions (excluding system functions) are audited.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 1, audit logs are frequently recorded when the database frequently executes stored procedures, anonymous blocks, or user-defined functions. As a result, the database performance deteriorates.
audit_system_function_exec
Parameter description: Specifies whether to record audit logs when system functions in the whitelist are executed.
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The function of auditing the execution of system functions is disabled.
- 1: The function of auditing system function execution is enabled.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 1, audit logs are frequently recorded when the database frequently executes system functions in the whitelist. As a result, the database performance deteriorates.
The following table lists the whitelist of system functions that can be recorded and audited.
set_working_grand_version_num_manually |
set_config |
pg_terminate_backend |
pg_cancel_backend |
pg_cancel_session |
pg_cancel_invalid_query |
pg_reload_conf |
pg_rotate_logfile |
pg_terminate_session |
pg_terminate_backend |
pg_start_backup |
pg_stop_backup |
pg_create_restore_point |
pg_switch_xlog |
pg_cbm_get_merged_file |
pg_cbm_recycle_file |
pg_enable_delay_ddl_recycle |
pg_disable_delay_ddl_recycle |
pg_cbm_rotate_file |
gs_roach_enable_delay_ddl_recycle |
gs_roach_disable_delay_ddl_recycle |
gs_roach_stop_backup |
pg_last_xlog_receive_location |
pg_xlog_replay_pause |
pg_xlog_replay_resume |
gs_roach_switch_xlog |
gs_pitr_archive_slot_force_advance |
gs_pitr_clean_history_global_barriers |
gs_download_obs_file |
gs_upload_obs_file |
gs_set_obs_file_context |
gs_set_obs_delete_location |
gs_hadr_do_switchover |
gs_set_obs_delete_location_with_slotname |
gs_streaming_dr_in_switchover |
pg_advisory_lock |
pg_advisory_lock_shared |
pg_advisory_unlock |
pg_advisory_unlock_shared |
pg_advisory_unlock_all |
pg_advisory_xact_lock |
pg_advisory_xact_lock_shared |
pg_try_advisory_lock |
pg_try_advisory_lock_shared |
pg_try_advisory_xact_lock |
pg_try_advisory_xact_lock_shared |
gs_get_hadr_key_cn |
pg_create_physical_replication_slot_extern |
pg_create_logical_replication_slot |
pg_drop_replication_slot |
pg_logical_slot_peek_changes |
pg_logical_slot_get_changes |
pg_logical_slot_get_binary_changes |
pg_replication_origin_drop |
pg_replication_origin_session_reset |
local_space_shrink |
gs_space_shrink |
global_space_shrink |
pg_free_remain_segment |
gs_fault_inject |
sqladvisor.init |
sqladvisor.set_weight_params |
sqladvisor.set_cost_params |
sqladvisor.assign_table_type |
gs_repair_file |
local_clear_bad_block_info |
gs_repair_page |
- |
- |
- |
- |
- |

In the audit record of the system function execution event, the value of the object_name column is the system function name and does not contain function parameters.
audit_copy_exec
Parameter description: Specifies whether to audit the COPY operation.
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The function of auditing the COPY operation is disabled.
- 1: The function of auditing the COPY operation is enabled.
Default value: 1
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 1, audit logs are frequently recorded when the COPY operation is frequently performed in the database. As a result, the database performance deteriorates.
audit_set_parameter
Parameter description: Specifies whether to audit the SET operation.
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The function of auditing the SET operation is disabled.
- 1: The function of auditing the SET operation is enabled.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to 1, audit logs are frequently recorded when the SET operation is frequently performed in the database. As a result, the database performance deteriorates.
audit_xid_info
Parameter description: Specifies whether to record the transaction ID of the SQL statement in the detail_info column of the audit log.
Parameter type: integer.
Unit: none
Value range: 0 and 1
- 0: The function of recording transaction IDs in the audit log is disabled.
- 1: The function of recording transaction IDs in the audit log is enabled.
Default value: 0
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.

If this function is enabled, the detail_info information in the audit log starts with xid. For example:
detail_info: xid=14619 , create table t1(id int);
If transaction IDs do not exist, xid=NA is recorded.
enableSeparationOfDuty
Parameter description: Specifies whether the separation of three duties is enabled.
Parameter type: Boolean.
Unit: none
Value range:
- on: The separation of duties is enabled.
- off: The separation of duties is disabled.
Default value: off
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: If this parameter is set to on, the permissions of a system administrator are restricted, and some operations that can be performed before may fail.
enable_nonsysadmin_execute_direct
Parameter description: Specifies whether non-SYSADMIN and non-MONADMIN users are allowed to execute the EXECUTE DIRECT ON statement.
Parameter type: Boolean.
Unit: none
Value range:
- on: Any user is allowed to execute the EXECUTE DIRECT ON statement.
- off: Only users with the SYSADMIN or MONADMIN permission are allowed to execute the EXECUTE DIRECT ON statement.
Default value: off
Setting method: This is a POSTMASTER parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.
enable_access_server_directory
Parameter description: Specifies whether to allow non-initial users to create, modify, and delete directories.
Parameter type: Boolean.
Unit: none
Value range:
- on: Non-initial users are allowed to create, modify, and delete directories.
- off: Non-initial users are not allowed to create, modify, or delete directories.
Default value: off
Setting method: This is a SIGHUP parameter. Set it based on instructions provided in Table 1.
Setting suggestion: Retain the default value.
Risks and impacts of improper settings: Change the parameter value after fully understanding the parameter meaning and verifying it through testing.

- To use the advanced package UTL_FILE to access files on the server, you must have the permissions on the specified directory.
- For security purposes, only the initial user can create, modify, and delete directories by default.
- If enable_access_server_directory is enabled, users with the SYSADMIN permission and users who inherit the permissions of the built-in role gs_role_directory_create can create directories. A user with the SYSADMIN permission, the owner of a directory, a user who is granted with the DROP permission on the directory, or a user who inherits the permissions of the built-in role gs_role_directory_drop can delete the directory. A user with the SYSADMIN permission and the owner of a directory object can change the owner of the directory, and the user must be a member of the new owner.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot