Auditing for Metadata-Bound Libraries

Which Events Can Be Logged?

For metadata-bound libraries, certain events are logged as part of a system-wide logging facility. The following table summarizes the events that can be logged:
Logged Events for Metadata-Bound Data

Category (Logger): Authorization failure records (Audit.Data.MetaboundLib.PermDenied)
Logged Events:
  - A user attempts to access a metadata-bound table to which the user has insufficient effective permissions in the metadata layer. Access is not allowed.

Category (Logger): Misalignment issue records (1) (Audit.Data.MetaBoundLib.AuthAudit)
Logged Events:
  - A user accesses a metadata-bound table that is located within a traditional (unbound) library.
  - A user accesses a traditional (unbound) table that is located within a metadata-bound library. (2)
  - A user accesses a metadata-bound table whose security location reference doesn't match the security location reference of its parent library.
  - A user accesses a metadata-bound table whose security name reference doesn't match the corresponding secured table object. In other words, there is a mismatch of names (the correspondence is determined by another identifier).
  - A user attempts to access a metadata-bound table whose passwords don't match the passwords of the corresponding secured library object. In other words, there is a mismatch of passwords. Even if the user's metadata-layer permissions are sufficient, access is not allowed.

(1) The misalignment issue records do not specify who created the issue; these records just indicate that the issue exists at the time that access is requested.
(2) This is the most important event to audit, because it might indicate a circumvention of security (for example, a user uses SAS to copy protected data to an unsecured location, updates that data, and then host-copies it back to the secured location). Only users who have Write access to the directory could do this. However, anyone who needs Create Table access to any secured table object within a library must have Write access to the corresponding directory.

Audit Record Content and Layout

Here is an example of an authorization failure record:
DateTime=2012-02-15T17:48:28,671, Userid=JOE@COMPANY, StepName=DATASTEP, Action=Read, LoginId=JOE@COMPANY, IdentityName=Joe, Libref=REVENUE , OSLibraryPath=\\machine.company.com\Data\Revenue, MemberName=CSV, MemberType=VIEW , DataSetInfoSecuredLibrary=/System/Secured Libraries/Data/, DataSetInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, DataSetInfoSecuredTableName=CSV.VIEW, DataSetInfoSecuredTableGuid=5BE37390-986F-45B4-8227-F3653C79768A, LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, LibraryInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, RequiredPermission=Select, UserEffectivePermissions=None, Message=ERROR: JOE@COMPANY as Joe is not authorized to read data set REVENUE.CSV.VIEW. Select permission is required.
Here is an example of a misalignment issue record that indicates a possible security concern:
DateTime=2012-02-15T17:48:21,201, Userid=JOE@COMPANY, StepName=DATASTEP, RecType=201, LoginId=JOE@COMPANY, IdentityName=omitest, Libref=METAOMI , OSLibraryPath=\\machine.company.com\Data, MemberName=D, MemberType=DATA , DataSetInfoSecuredLibrary=, DataSetInfoSecuredLibraryGuid=, DataSetInfoSecuredTableName=, DataSetInfoSecuredTableGuid=, LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, LibraryInfoSecuredLibraryGuid=ACFAF468-B77E-4DF2-BB64-D7342F2CB1CE, PasswordDifferences=, UserEffectivePermissions=, Message=WARNING: Data set METAOMI.D.DATA is not bound to a secured table object, but it resides in a directory that is bound to a secured library object. The data set might have existed in this directory before the library was bound, or the data set might have been copied to this directory with a host copy utility.
Tip: The layout of an audit record is determined by conversion patterns within your logging configuration file.
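The two records quoted above are the raw material for the audit. The following Python script is an added example, not code from the SAS documentation: it parses records in the default key=value layout shown above, classifies each one against the event categories in the table, and ranks the "unbound table inside a bound library" case highest, as footnote (2) recommends. Its assumptions: fields are separated by a comma and a space only where the next token is a field name (inferred from the two records, whose DateTime and Message values themselves contain commas); an empty DataSetInfoSecuredTableGuid beside a non-empty LibraryInfoSecuredLibraryGuid is read as "table not bound, directory bound" (and the reverse as the opposite misalignment); a non-empty PasswordDifferences value is taken to mean a password mismatch; the meaning of RecType is not relied on. The third log line is a constructed sample with placeholder GUIDs so that the reverse case is exercised offline. If your logging configuration uses different conversion patterns, the separator rule must be adjusted.

```python
"""Triage SAS metadata-bound library audit records (added example, not SAS code)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample log: the two records quoted on the page plus one CONSTRUCTED record
# (placeholder GUIDs, invented message) for the reverse misalignment case.
SAMPLE_LOG = r"""
DateTime=2012-02-15T17:48:28,671, Userid=JOE@COMPANY, StepName=DATASTEP, Action=Read, LoginId=JOE@COMPANY, IdentityName=Joe, Libref=REVENUE , OSLibraryPath=\\machine.company.com\Data\Revenue, MemberName=CSV, MemberType=VIEW , DataSetInfoSecuredLibrary=/System/Secured Libraries/Data/, DataSetInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, DataSetInfoSecuredTableName=CSV.VIEW, DataSetInfoSecuredTableGuid=5BE37390-986F-45B4-8227-F3653C79768A, LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, LibraryInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, RequiredPermission=Select, UserEffectivePermissions=None, Message=ERROR: JOE@COMPANY as Joe is not authorized to read data set REVENUE.CSV.VIEW. Select permission is required.
DateTime=2012-02-15T17:48:21,201, Userid=JOE@COMPANY, StepName=DATASTEP, RecType=201, LoginId=JOE@COMPANY, IdentityName=omitest, Libref=METAOMI , OSLibraryPath=\\machine.company.com\Data, MemberName=D, MemberType=DATA , DataSetInfoSecuredLibrary=, DataSetInfoSecuredLibraryGuid=, DataSetInfoSecuredTableName=, DataSetInfoSecuredTableGuid=, LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, LibraryInfoSecuredLibraryGuid=ACFAF468-B77E-4DF2-BB64-D7342F2CB1CE, PasswordDifferences=, UserEffectivePermissions=, Message=WARNING: Data set METAOMI.D.DATA is not bound to a secured table object, but it resides in a directory that is bound to a secured library object. The data set might have existed in this directory before the library was bound, or the data set might have been copied to this directory with a host copy utility.
DateTime=2012-02-15T17:49:02,004, Userid=ANN@COMPANY, StepName=DATASTEP, LoginId=ANN@COMPANY, IdentityName=Ann, Libref=SCRATCH , OSLibraryPath=\\machine.company.com\Scratch, MemberName=PAY, MemberType=DATA , DataSetInfoSecuredLibrary=/System/Secured Libraries/Data, DataSetInfoSecuredLibraryGuid=00000000-0000-0000-0000-000000000001, DataSetInfoSecuredTableName=PAY.DATA, DataSetInfoSecuredTableGuid=00000000-0000-0000-0000-000000000002, LibraryInfoSecuredLibrary=, LibraryInfoSecuredLibraryGuid=, PasswordDifferences=, UserEffectivePermissions=, Message=WARNING: constructed sample, bound table in an unbound library.
"""

# Split only on ", " that is immediately followed by "FieldName=". A plain
# split on ", " would break DateTime (28,671) and the Message text.
FIELD_SEP = re.compile(r", (?=[A-Za-z][A-Za-z0-9]*=)")


def parse_record(line: str) -> Dict[str, str]:
    """Turn one audit record into a dict; values are stripped (e.g. 'REVENUE ')."""
    fields: Dict[str, str] = {}
    for part in FIELD_SEP.split(line.strip()):
        key, sep, value = part.partition("=")
        if sep:  # ignore any fragment that is not key=value
            fields[key.strip()] = value.strip()
    return fields


def dataset_name(rec: Dict[str, str]) -> str:
    """LIBREF.MEMBER.TYPE, matching the name SAS uses in the Message text."""
    parts = (rec.get("Libref"), rec.get("MemberName"), rec.get("MemberType"))
    return ".".join(p for p in parts if p)


def classify(rec: Dict[str, str]) -> Tuple[str, str]:
    """Map a record to (category, severity) using the page's event table."""
    msg = rec.get("Message", "")
    table_bound = bool(rec.get("DataSetInfoSecuredTableGuid"))
    library_bound = bool(rec.get("LibraryInfoSecuredLibraryGuid"))
    if msg.startswith("ERROR:") and rec.get("RequiredPermission"):
        # PermDenied logger: access was refused, so medium unless repeated.
        return "authorization_failure", "medium"
    if rec.get("PasswordDifferences"):  # assumption: populated on a password mismatch
        return "password_mismatch", "high"
    if library_bound and not table_bound:
        # Footnote (2): the event most likely to indicate a host-copy bypass.
        return "unbound_table_in_bound_library", "high"
    if table_bound and not library_bound:
        return "bound_table_in_unbound_library", "medium"
    return "other_misalignment", "low"


def triage(log_text: str) -> List[Dict[str, str]]:
    """Parse and classify every record; keep the fields an analyst pivots on."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        if "Message" not in rec:
            continue
        category, severity = classify(rec)
        findings.append({
            "time": rec.get("DateTime", ""),
            "user": rec.get("Userid", ""),
            "dataset": dataset_name(rec),
            "path": rec.get("OSLibraryPath", ""),
            "category": category,
            "severity": severity,
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Counter:
    """Count findings per (severity, category) for a quick dashboard line."""
    return Counter((f["severity"], f["category"]) for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:<6} {f['category']:<32} {f['time']} "
              f"{f['user']} {f['dataset']} ({f['path']})")
    print(summarize(triage(SAMPLE_LOG)))
```

The structural check (table GUID empty, library GUID present) is deliberately preferred over matching the warning text, because the Message wording can change between releases and with the conversion patterns mentioned in the tip, whereas the GUID fields are either present or blank. A reasonable follow-up in a SIEM is to pair each high-severity finding with the host's file-system audit trail for the same OSLibraryPath, since the misalignment record itself does not say who placed the file there (footnote (1)).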

See Also

Chapter 9, “Administering Logging for SAS Servers,” in SAS Intelligence Platform: System Administration Guide