im trying to setup a GDPR-Compliant auditing system for our Databases in order to log reading or DML operations in certain tables.
I've read the MS documentation about SQL Auditing and actually didnt found anything helpful about my problem, which comes when queries or data requests come from application users.
If i run a select on dbo.DevContent1 (even with SA or using my own login) it is recorded,
but If the same query runs in application code, nothing new appears in SQL Audit logs
Here is my current Audit specifications configuration:
USE [MY_DEV_DB]
GO
CREATE DATABASE AUDIT SPECIFICATION [GDPR_DEV_Audits]
FOR SERVER AUDIT [GDPR_PDATA_Audit]
ADD (DELETE ON OBJECT::[dbo].[DevContent1] BY [dbo]),
ADD (INSERT ON OBJECT::[dbo].[DevContent1] BY [dbo]),
ADD (SELECT ON OBJECT::[dbo].[DevContent1] BY [dbo]),
ADD (UPDATE ON OBJECT::[dbo].[DevContent1] BY [dbo]),
ADD (DELETE ON OBJECT::[dbo].[DevCustomer1] BY [dbo]),
ADD (INSERT ON OBJECT::[dbo].[DevCustomer1] BY [dbo]),
ADD (SELECT ON OBJECT::[dbo].[DevCustomer1] BY [dbo]),
ADD (UPDATE ON OBJECT::[dbo].[DevCustomer1] BY [dbo]),
ADD (DELETE ON OBJECT::[dbo].[DevQuotes] BY [dbo]),
ADD (INSERT ON OBJECT::[dbo].[DevQuotes] BY [dbo]),
ADD (SELECT ON OBJECT::[dbo].[DevQuotes] BY [dbo]),
ADD (UPDATE ON OBJECT::[dbo].[DevQuotes] BY [dbo]),
ADD (DELETE ON OBJECT::[dbo].[DevUsers] BY [dbo]),
ADD (INSERT ON OBJECT::[dbo].[DevUsers] BY [dbo]),
ADD (SELECT ON OBJECT::[dbo].[DevUsers] BY [dbo]),
ADD (UPDATE ON OBJECT::[dbo].[DevUsers] BY [dbo])
WITH (STATE = ON)
GO
Any idea about how to solve this?
Thanks
The reason that the audit isn't working for your application user, is because the Audit has been set up specifically for the user [dbo]:
CREATE DATABASE AUDIT SPECIFICATION [GDPR_DEV_Audits]
FOR SERVER AUDIT [GDPR_PDATA_Audit]
ADD (DELETE ON OBJECT::[dbo].[DevContent1] BY [dbo]);
I doubt that your applicaiton login maps to the user [dbo]; as [dbo]is the database owner (and thus would have very elevated permissions).
I believe if you want to audit all users on the database you need to use BY [public], as every user should be a member of this role. Thus:
CREATE DATABASE AUDIT SPECIFICATION [GDPR_DEV_Audits]
FOR SERVER AUDIT [GDPR_PDATA_Audit]
ADD (DELETE ON OBJECT::[dbo].[DevContent1] BY [public]);
If you do have any users not a member of public, you'll need to add those users (or the roles) separately; or add them to the public role again.
Related
I have MicroSoft SQL Server 2017, I audited all DML statements using commands like
CREATE DATABASE AUDIT SPECIFICATION [DatabaseAuditSpecification-dbo-GENERAL]
FOR SERVER AUDIT [Audit-Primary-dbo]
ADD (DELETE ON SCHEMA::xxx BY [dbo]),
ADD (INSERT ON SCHEMA::xxx BY [dbo]),
ADD (UPDATE ON SCHEMA::xxx BY [dbo]),
ADD (SELECT ON SCHEMA::xxx BY [dbo]),
ADD (DELETE ON SCHEMA::xxx BY [db_datawriter]),
ADD (INSERT ON SCHEMA::xxx BY [db_datawriter]),
...
Now I've been asked to audit ALL what is done by dbo/datawriter users, such as:
table drop/create/change
schema changes (alter table add column, ...)
BUT ALSO
unsuccessful schema accesses (select on a table which is not authorized)
unsuccessful executions due to integrity violation rules
Questions:
Is there any "audit all" on database by dbo, datawriter possibility?
How to audit failed attempts?
Thanks
I have a user that cannot update stored procedures because he gets an error that an INSERT cannot be done on one of our changelog tables. We checked his permissions to insert on that table and he has it, so we were confused as to why he couldn't insert. When we dug deep into this, it looks like we gave him the explicit permission to insert into the table, but for some reason he does not list INSERT as an effective permission. Our layout is server -> database -> table (pretty simple setup).
Note - for some reason when writing this question, it kept interpreting my inserted pictures as code and wouldn't let me post with embedded pics, so I had to use links instead.
Explicit server permissions:
ALTER ANY DATABASE
CONNECT SQL
CREATE ANY DATABASE
Effective server permissions:
ALTER ANY DATABASE
CONNECT SQL
CREATE ANY DATABASE
VIEW ANY DATABASE
VIEW ANY DEFINITION
Explicit database permissions:
ALTER
CONNECT
CREATE TABLE
DELETE
INSERT
SELECT
SHOW PLAN
UPDATE
VIEW DEFINITION
Effective database permissions:
Explicit table permissions:
ALTER
CONTROL
DELETE
INSERT
REFERENCES
SELECT
TAKE OWNERSHIP
UPDATE
VIEW CHANGE TRACKING
VIEW DEFINITION
Effective table permissions:
I have to implement a financial application. One of the acceptance criteria is:
"The data may never change."
Therefore I need to prevent update and delete operations on the database, because it will be deployed on machines owned and administrated by the customer.
Is this even possible? Maybe with triggers? If not, are there any other databases that can prevent update and delete?
The easiest way is via roles, such as a query role. Grant select on the list of tables to that role, and grant that role to the user of your application. You can of course create others such as an admin role with update and delete privileges, to be granted later on when needed.
Example:
CREATE ROLE FIN_APP_INS_SEL_ROLE;
GRANT INSERT, SELECT on <table1> to FIN_APP_INS_SEL_ROLE;
GRANT INSERT, SELECT on <table2> to FIN_APP_INS_SEL_ROLE;
GRANT CONNECT, FIN_APP_INS_SEL_ROLE to <app_user>;
You can also make tablespaces read only,
ALTER TABLESPACE <name> READ ONLY;
or the entire database read only.
ALTER DATABASE OPEN READ ONLY;
It turns out to be impossible.
There is no way to grant an INSERT privilege without allowing to UPDATE. As I understand it, the INSERT privilege is interpreted as may alter data of that table.
I got a task from my customer on his existing SQL Server database.
They have a database with 1 user with all admin rights. They manage the accessibility rights on the application level.
The task is to create an audit table, to audit who INSERT, UPDATE, & DELETE from database tables.
The structure of this table is simple:
TableName
Operation {INSERT, UPDATE, or DELETE}
TimeStamp,
UserName
The audit log is requested to be on server side through triggers.
So it is an EASY Task: Add Trigger to each table & each Event. Inside the trigger, insert a new row to Audit Table with Values of (TableName, Operation, TimeStamp, & UserName).
The problem is the username (SQL: SYSTEM_USER) is always the same for all users as they all connect with the same admin account.
Is there anyway, in SQL server, to get the network user name who is making the transaction?
I am sorry I should have made some researches before asking. Anyway, it could be useful to others.
I found this function [Host_Name()], which returns the name of the computer that makes the transaction.
I would like to stop power users from deleting data using SQL Server Management Studio. I need to archive data and add some info to the audit trail when data gets deleted.
Is there a way to stop them when they attempt to delete the data from SSMS?
Is there a way to know which process caused the deletion? such as from SSMS, application, stored proc?
Is there a way to allow only deletes from Stored Procedure?
Thanks
Create a new login and database user for this login. Then grant delete permission to this user, and revoke it from all others. Write procedure[s] that removes data, add WITH EXECUTE AS [previously created user that can delete data]. Grant other users with execute permissions to the procedure[s].
Well they are power users aren't they. You could set deny Delete permissions for them.
DENY DELETE TO [Your_User]
GO
From your second sentence I get the impression that deleting is not the real issue but that you need to archive data and create an audit trail when data is deleted. Why not use a delete trigger?