17.3 Audit End-User Activity

Just as you audit regular database users, you can configure audit policies for operations such as SELECT, INSERT, UPDATE, and DELETE to capture the actions performed by Oracle Deep Data Security (Deep Sec) end users.

To help you identify the end user who performed a specific action, two new columns are introduced to the UNIFIED_AUDIT_TRAIL view:

• END_USER_NAME: The name of the end user whose security context was active during the operation.
• END_USER_SECURITY_CONTEXT_ID: The identifier of the end-user security context associated with the operation.

These columns are populated when a Deep Sec end user connects to the database and performs actions in an end-user security context. They enable you to trace database activity back to the specific end user, even when multiple users share the same database connection through a connection pool.

Note:

Deep Sec configuration actions (such as CREATE END USER or CREATE DATA GRANT) are performed by database administrators, not end users. These actions do not populate the END_USER_NAME or END_USER_SECURITY_CONTEXT_ID columns in the audit trail.

You can use the END_USER_NAME column to filter for operations performed in an end-user security context.

Failed access attempts in the audit trail are particularly valuable to review. They typically indicate misconfigured data grants, missing role assignments, or incorrect security context attributes. They can also point to malicious attempts by end users to access data outside their authorization.

The following query returns failed operations performed in an end-user security context:

SELECT SQL_TEXT,
       END_USER_NAME,
       END_USER_SECURITY_CONTEXT_ID,
       ACTION_NAME,
       OBJECT_NAME,
       RETURN_CODE
  FROM UNIFIED_AUDIT_TRAIL
 WHERE END_USER_NAME IS NOT NULL
   AND RETURN_CODE <> 0;

For a complete description of the UNIFIED_AUDIT_TRAIL view and its columns, see UNIFIED_AUDIT_TRAIL in Oracle AI Database Reference.