For a trigger in SQL Server 2008R2 I need to know the user who inserted, updated or deleted the record.
As different users log in with the same connection string I do not know who is really logged in to the server (I use SQL authentication with the same UID and I grant access through the Access database!!).
I would like if possible to add a variable to the connection string such as Application Name=myrealusername but it seems that from Access VBA I cannot add this Parameter.
Does anyone know how to retrieve the real username who's logged in to pass the username to the trigger?
You could try recording the HOST_NAME() to capture the instance the query was executed from. If every user has its own PC, it's probably one of your best guesses if you don't plan on using Windows Authentication.
More details: HOST_NAME() MSDN Documentation
Obviously the only real solution would be to use Windows Authentication.
You can use windows authentication and try using
```sql
select suser_name()
```
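An added example, not part of the original answers: an audit trigger that records HOST_NAME() and SUSER_NAME() for every affected row, including multi-row statements. The tables dbo.Orders and dbo.OrdersAudit are hypothetical, and ORIGINAL_LOGIN() and APP_NAME() are extra built-in functions the answers did not mention.

```sql
-- Hypothetical objects: dbo.Orders (audited table), dbo.OrdersAudit (audit log).
CREATE TABLE dbo.Orders (
    OrderId INT IDENTITY PRIMARY KEY,
    Amount  MONEY NOT NULL
);
GO
CREATE TABLE dbo.OrdersAudit (
    AuditId   INT IDENTITY PRIMARY KEY,
    OrderId   INT           NOT NULL,
    Action    CHAR(1)       NOT NULL,  -- I, U or D
    LoginName NVARCHAR(128) NOT NULL,  -- login of the current execution context
    OrigLogin NVARCHAR(128) NOT NULL,  -- login that opened the connection
    HostName  NVARCHAR(128) NULL,      -- workstation name reported by the client
    AppName   NVARCHAR(128) NULL,      -- application name reported by the client
    ChangedAt DATETIME      NOT NULL DEFAULT GETDATE()
);
GO
CREATE TRIGGER dbo.trg_Orders_Audit
ON dbo.Orders
AFTER INSERT, UPDATE, DELETE
AS
BEGIN
    SET NOCOUNT ON;
    -- inserted/deleted hold every row touched by the statement, so join them
    -- instead of assuming a single row.
    INSERT INTO dbo.OrdersAudit (OrderId, Action, LoginName, OrigLogin, HostName, AppName)
    SELECT COALESCE(i.OrderId, d.OrderId),
           CASE WHEN i.OrderId IS NOT NULL AND d.OrderId IS NOT NULL THEN 'U'
                WHEN i.OrderId IS NOT NULL THEN 'I'
                ELSE 'D' END,
           SUSER_NAME(), ORIGINAL_LOGIN(), HOST_NAME(), APP_NAME()
    FROM inserted AS i
    FULL OUTER JOIN deleted AS d ON d.OrderId = i.OrderId;
END;
GO
```

With a shared SQL login, LoginName and OrigLogin both hold the shared login. HostName and AppName are values the client sends, so treat them as hints rather than proof of identity.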
Related
I want to connect to SQL Server using SQL Server authentication in connection manager in SSIS. I want that every time when the package runs and connects to server it should use user id and password from the table created in SQL Server at run time.
The reason to get password from table is that every 6 months I need to change the password as per the policy so I don't want to login to each and every SSIS package and change the password there. I want to change the password in table and redirect that password through variable/expression to the connection manager password window.
I will ignore the idea that saving passwords in plain text makes changing them every six months a futile effort. It is a far greater security risk to have them stored in plain text ANYWHERE.
The solution is to NOT use an SQL Login. Have these services run under a specific Windows User and grant that User the necessary access.
An alternative is to explain the problem to the Security admin and get an account setup that does not expire but that can only login locally as a service. Don't use that account for anything else.
HTH,
Sean
One of the users in our network needs access to one table of a sql server database. Since it's Windows Authentication, I created the user in Security\Logins and I've added the user in Security\Users for the database. I've also added the permissions.
Now I'd like to test it. How can I do this if I don't have this user's password? Obviously, he's not going to give it to me.
Thanks.
```sql
Execute As User = 'domain\Name';
-- Perform the test - use a Transaction if you need to test data modifications
Select * From schema.table;
Revert;
```
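An added example, not from the original answer, that extends the test above: it lists the impersonated user's effective permissions and tries a data modification inside a transaction that is always rolled back. The principal CONTOSO\jdoe, the tables dbo.Customers and dbo.Invoices, and the column Name are hypothetical.

```sql
-- Hypothetical names: CONTOSO\jdoe, dbo.Customers, dbo.Invoices, column Name.
EXECUTE AS USER = 'CONTOSO\jdoe';

-- Confirm whose context the following statements run in.
SELECT USER_NAME()      AS db_user,
       SUSER_NAME()     AS login_name,
       ORIGINAL_LOGIN() AS tester;

-- Effective permissions on the one table the user is supposed to reach.
SELECT permission_name, subentity_name
FROM sys.fn_my_permissions('dbo.Customers', 'OBJECT');

-- Negative checks: 1 = allowed, 0 = denied.
SELECT HAS_PERMS_BY_NAME('dbo.Invoices',  'OBJECT', 'SELECT') AS can_read_other_table,
       HAS_PERMS_BY_NAME('dbo.Customers', 'OBJECT', 'DELETE') AS can_delete;

-- Data modification test; nothing is kept.
BEGIN TRANSACTION;
BEGIN TRY
    UPDATE dbo.Customers SET Name = Name WHERE 1 = 0;
    PRINT 'UPDATE permitted';
END TRY
BEGIN CATCH
    PRINT 'UPDATE denied: ' + ERROR_MESSAGE();
END CATCH;
IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;

-- Always switch back to your own context.
REVERT;
```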
I've got an application which is running under the credentials of the local user. However, I would like to allow this application access to a MSSQL database using specific credentials.
This isn't a problem if I use an SQL login, however I would like to use a specific Windows account for which I have the username (along with the domain) and password. Note that I do NOT wish to run the entire application using these credentials.
Is this at all possible? This SO question seems to suggest that using Integrated Security=SSPI in the connection string WITH Windows credentials specified will allow me to login to the database as that user, however I was not able to do this on my test machine.
Given how the SQL Server Management Studio logs into databases (i.e. it uses the current credentials or specified SQL credentials, but doesn't seem to permit specified Windows credentials) I'm thinking this cannot be done, but I would like a confirmation of this...
You could deal with this at the SQL Server end
by encapsulating the tasks that need done under the other account in a stored procedure created using the "EXECUTE AS Clause"
```sql
-- {SpecificUser} is a placeholder for the database user to run as
Create Proc sp_Dosomething_As_specific_user
WITH EXECUTE AS '{SpecificUser}'
AS
BEGIN
/*Do Something*/
END
```
and allow the user account execute permissions on that
```sql
GRANT EXEC ON sp_Dosomething_As_specific_user TO {Actual_User}
```
For fuller details on the "EXECUTE AS" clause look at this
http://msdn.microsoft.com/en-us/library/ms188354.aspx
This means that you've limited the user to running only a specifically predefined action or set of actions as the other user, as opposed to a general permission to let them impersonate the other user,
which is going to help keep whoever is responsible for IT security happy.
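An added example of the EXECUTE AS pattern described above, not code from the original answer: callers get one predefined action (truncating a staging table, which needs ALTER permission) without receiving that permission themselves, and the real caller is still logged. All object names (dbo.ImportStaging, dbo.MaintLog, StagingMaint, ImportOperators, dbo.ClearImportStaging) are hypothetical.

```sql
-- Hypothetical objects throughout.
CREATE TABLE dbo.ImportStaging (RowId INT IDENTITY PRIMARY KEY, Payload NVARCHAR(400));
CREATE TABLE dbo.MaintLog (
    CalledBy NVARCHAR(128) NOT NULL,  -- login that actually connected
    RanAs    NVARCHAR(128) NOT NULL,  -- database user the module ran as
    RanAt    DATETIME      NOT NULL
);
GO
-- Proxy user that cannot log in and holds only what the procedure needs.
CREATE USER StagingMaint WITHOUT LOGIN;
GRANT ALTER  ON dbo.ImportStaging TO StagingMaint;  -- required for TRUNCATE TABLE
GRANT INSERT ON dbo.MaintLog      TO StagingMaint;
GO
CREATE ROLE ImportOperators;  -- add the real callers to this role
GO
CREATE PROCEDURE dbo.ClearImportStaging
WITH EXECUTE AS 'StagingMaint'
AS
BEGIN
    SET NOCOUNT ON;
    -- Inside the module USER_NAME() is the proxy user;
    -- ORIGINAL_LOGIN() still identifies who called it.
    INSERT INTO dbo.MaintLog (CalledBy, RanAs, RanAt)
    VALUES (ORIGINAL_LOGIN(), USER_NAME(), GETDATE());

    TRUNCATE TABLE dbo.ImportStaging;
END;
GO
-- Callers may run the procedure but have no rights on the tables themselves.
GRANT EXECUTE ON dbo.ClearImportStaging TO ImportOperators;
GO
```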
I'm working on an application right now that requires a link to a couple of SQL Server tables. My windows network account has permission to connect to this server, but I am not going to be the only one using this application. I'm going to send it out for people to save to their PC or just put it on the company shared drive to use (I know, that's asking for problems sometimes). It's inconvenient to make a windows account for users to share because they would need to log out and in to use the app, so I was wondering if the application or ODBC connection file itself can store the credentials to access the table.
Should I configure the connection object to use something other than the windows login information (maybe a SQL server username/password), and just store the connection object in a shared location? I don't have much experience with this and haven't tried out many different solutions and I am open to suggestions.
Thank you for the suggestions
As suggested in a comment to the question, one solution would be to
create a User Group in Windows on the SQL Server,
create a SQL Server login for that group,
assign permissions within SQL Server to that login,
and then just add or remove particular Windows Users from that group as required.
That way you don't need to mess with the various SQL Server permissions for each database user, and your application can connect to the SQL Server using Windows Authentication so you don't have to mess with saved SQL Server credentials (in connection strings, or elsewhere).
You certainly can specify the username & password in the connection string -- ConnectionStrings.Com is highly recommended if you are having trouble with connection strings -- their first example for Sql Server is
```
Server=myServerAddress;Database=myDataBase;User Id=myUsername;Password=myPassword;
```
The issue is security: if users can see this in a configuration file, they can do anything that account can do. You have to handle security within your application if you do this. Most apps that handle their own security have to create users and passwords in a database table (best not to store password at all, much less plaintext -- a one way hash is recommended).
One good strategy is to create a "login user" account with well known name and password, grant no read / write, etc. for that account at all, and grant execute access to single stored proc
```sql
IsLoginPermitted @ID, @PASS
```
When successful, IsLoginPermitted returns the ID & PASS for subsequent use (of course these are hidden from the user) and you create your new connection string based on these.
I have a web application, which is using a SQL Server 2005 database.
My problem is, that the application has no role management. So the application always accesses the database with one default user. But now I have to save and access a value only for the current user.
Is there any way to do this? Maybe something like a session on the web server? The best way would be, if there is any possibility to access the current session id of the web server from T-SQL.
Does anyone understand my problem? :)
Allows a system-supplied value for the current login to be inserted into a table
```sql
DECLARE @sys_usr char(30);
SET @sys_usr = SYSTEM_USER;
SELECT 'The current user is: '+ @sys_usr;
GO
```
from MSDN
In my opinion, it's better not to do this. Another way: send the current user to the stored procedure from the web server:
```csharp
command.CommandText = "EXEC mySP @user";
// Pass the user name as a parameter rather than concatenating it into the SQL text
command.Parameters.AddWithValue("@user", ((YourOwnUserClass)Session["user"]).Name);
// or System.Web.HttpContext.Current.User.Identity.Name; to use built-in
// from web page it becomes this.User.Identity.Name;
```
If you are using Windows integrated authentication instead of SQL accounts:
Give schema object permissions to a Windows group, not a user. Then add all of your application users to this group.
Use the built-in SUSER_NAME() function to retrieve the underlying Windows user name (in loginDomain\userName format).
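An added example, not from the original posts, covering the Windows-group approach suggested in two answers on this page (one login for a group, permissions granted to the group) together with a per-user value keyed on SUSER_NAME(). The group CONTOSO\AppUsers and the objects dbo.UserSettings and dbo.MySettings are hypothetical.

```sql
-- Server level: one login for the whole Windows group (hypothetical name).
CREATE LOGIN [CONTOSO\AppUsers] FROM WINDOWS;
GO
-- Run the rest in the application database.
CREATE USER [CONTOSO\AppUsers] FOR LOGIN [CONTOSO\AppUsers];
GO
-- Each row is stamped with the individual Windows account, not the group:
-- a group member connects through the group login, but SUSER_NAME()
-- returns that member's own DOMAIN\user name.
CREATE TABLE dbo.UserSettings (
    OwnerLogin   NVARCHAR(128) NOT NULL DEFAULT SUSER_NAME(),
    SettingKey   NVARCHAR(50)  NOT NULL,
    SettingValue NVARCHAR(400) NULL,
    PRIMARY KEY (OwnerLogin, SettingKey)
);
GO
-- The view exposes only the caller's own rows; OwnerLogin is not selectable
-- or settable through it, so inserts always take the column default.
CREATE VIEW dbo.MySettings
AS
SELECT SettingKey, SettingValue
FROM dbo.UserSettings
WHERE OwnerLogin = SUSER_NAME()
WITH CHECK OPTION;
GO
-- Group members work through the view and get nothing on the base table.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.MySettings TO [CONTOSO\AppUsers];
GO
-- Example use by any group member:
-- INSERT INTO dbo.MySettings (SettingKey, SettingValue) VALUES (N'theme', N'dark');
-- SELECT SettingKey, SettingValue FROM dbo.MySettings;
```

Access is then managed by adding or removing Windows accounts in the group, with no change to SQL Server permissions.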