I have an application that accesses my SQL Server using a username\password. However our lead developer has access to this password and I suspect that he may be utilizing this outside of our terms of agreement. My wish is to audit for anytime this username (appaccount) accesses our database and any commands that are issued.
Luckily this application uses purely stored procedures with passed in parameters when it accesses the database so anytime the account runs a T-SQL statement it has to be from our developer in question.
My ideal output would be something like this:
Datetime | Username | Action Performed
11:23am | appaccount | "Select * from claimstable"|
11:26am | appaccount | "update table ...(skip change control process)"|
Related
I am setting up a new database using AWS Aurora serverless and have a requirement to enable binlog. I think I have followed the documentation as-is but can't get it to work. How do I set it up?
Following the documentation, below is what I have tried to enable binlog.
Created a custom Parameter Group of type as "DB cluster parameter group" and Family as Aurora5.6.
Changed binlog_format parameter to ROW for the parameter Group.
Created a new database with Role as serverless and Engine as "Aurora MySQL" and assigned parameter group created above.
Enabled backup retention to 3 days (enabled this as I saw some posts somewhere that unless you enable backups binlog doesn't really get enabled).
I have also tried to modify the DB and apply/force the parameter group by selecting "apply Immediately".
I expect the binlog is enabled after database goes from modifying to available state and I should be able to see the Global variable on the DB correctly set.
I see following -
mysql> select variable_value from information_schema.global_variables where variable_name='log_bin';
+----------------+
| variable_value |
+----------------+
| OFF |
+----------------+
1 row in set (0.01 sec)
The serverless version of Aurora only gives you a subset of parameters that you can change - see https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/aurora-serverless.how-it-works.html#aurora-serverless.parameter-groups, and of course turning on binlogging is not available. So if you need your Aurora DB to act as a Master then don't use serverless!
In the SQL Server Audit Add DB User Event Class, there are four Event Sub Classes defined:
Add
Drop
Grant database access
Revoke database access
(MS documentation found here)
When I set up SQL Server Profiler to trace the Audit Add DB User Event Class, it only seems to capture events with a subclass of 3 or 4, and not 1 or 2.
To test the trace, I am using the following SQL statements:
CREATE USER testuser FOR LOGIN testlogin;
DROP USER testuser;
When I run these statements in SQL Server Management Studio, SQL Server Profiler displays two Audit Add DB User Events, one with EventSubClass 3 (Grant database access) and one with EventSubClass 4 (Revoke database access), but does not display anything for EventSubClass 1 (Add) or EventSubClass 2 (Drop).
From what I can tell, all three even subclasses should be covered by the SQL statements used above. Is there something additional that needs to be configured in order to capture these event subclasses?
The old trace functionality has been deprecated since 2012. I did some testing and depending on what commands I executed I could get 2. But I never managed to get 1. If you look at the documentation for this event class, you'll see that it is documented to provide information when you use the ancient procedures sp_adduser, sp_dropuser, etc. But even when doing that it seems a bit flaky.
Sure, one could report this to MS, but they will (most likely) just say that you should use a technology which isn't deprecated. I.e., Extended Events. I very much doubt that MS will pour any resources into fixing this, even if that would consider this to be a bug in the first place. So, my recommendation will be the same: Look into Extended Events instead.
Here's a blog I wrote about "getting into" XE: http://sqlblog.karaszi.com/tips-for-getting-started-with-extended-events/
I have a VB procedure that changes a connection string for all 360 linked tables in my Access 2002 database. If I run this procedure using an SQL server in my local network, it runs about 30 seconds. The problem is that I have to use an SQL server somewhere in the Internet. In this case the procedure runs for about 5 minutes.
The question is - how can I prevent Access from connecting to the server to check every table I re-connect?
An alternative question (maybe more correct).
I need to run that re-connection procedure on every user's computer every time I give them a new version of the database, to save user's login and password into every linked table. Maybe there is some other way to set the username and password for the ODBC connection?
Linked tables do NOT all of a sudden decide to connect to some some server. So the recommend approach here is to link the tables once (and leave the password + user name OUT of the link).
Then on startup, all you do is execute ONE logon command and then ALL OF THE tables are instant available and able to be used WITHOUT any re-link or re-fresh of the conneciton string. Same goes for any pass-ghouth queries etc.
So the existence of a linked table IS NOT USED on startup and you can have 3 or 300 linked tables and launch Access WILL NOT cause a connection to occur “unless” you decode to do something like a re-link.
Bottom line:
You don’t and should not re-link on startup
You do not need to include the user name + password in the table links.
A ONE TIME logon at startup will cause Access to “cache” the user name + password and this will be used for ALL CURRENT EXISTING table links. The beauty of this is when the user exits the applctaion then no passwords etc. are stored in the linked tables.
So you cannot prevent access from connecting to the server during a table re-link since that what it must do.
However there is LITTLE if not ZERO reason to re-link every time on startup? Why are you doing a re-link are startup?
I need to run that re-connection procedure on every user's computer every time I give them a new version of the database,
Why not link the database on your machine BEFORE you distribute it to that user? After all the connection is over the internet – so you should be able to link to that database system from your development computer. And assuming you cannot, then ok, perhaps you might beforced to do a ONE time re-link. Try the re-link with a cached logon – it likely will run faster, but then again it will only be a one time re-link anyway.
save user's login and password into every linked table.
NO NO this is NOT required nor is recommended. If a user holds their mouse over a linked table then if you included the user name + password it is in plan view.
You DO NOT want to include the user name + password in each linked table. How to execute a SINGLE logon and have that logon used for ALL tables (without a re-link) and for ALL tables EVEN without the user id + password saved is outlined here:
Power Tip: Improve the security of database connections
http://blogs.office.com/b/microsoft-access/archive/2011/04/08/power-tip-improve-the-security-of-database-connections.aspx
Amazon recently announced support for time zone change in Oracle RDS.
Since this is still not supported for Microsoft SQL Server 2012, are there any workarounds, to obtain functionality similar to changing the whole database time zone?
Since you're asking for workarounds...
We basically totally disregard server time/database time zone and work entirely off of UTC. GetUtcDate() for instance for all 'DateCreated' columns. Since we've committed to that approach we just don't bump up against any issues.
If you need to store the time zone alongside your date data, you can use DateTimeOffset.
The one caveat is that maintenance plans will be run on server time. This has not been an issue because we normalize everything to local time (which is not UTC and not server time) in any of our calendaring programs.
I did this with MySQL on RDS by changing my instance DB Parameter Group to a custom one that I can edit the parameters for.
I then created the following procedure:
DELIMITER |
CREATE PROCEDURE mysql.init_connect_procedure ()
IF NOT(POSITION(‘rdsadmin#’ IN user()) = 1)
THEN SET SESSION time_zone = 'America/New_York';
END IF |
DELIMITER ;
Note: every other instruction on the internet uses the function current_user() instead of user() which did not work for me!
The catch to this configuration is that then you have to give privileges to all your database users to be able to execute this function, or they won't even be able to connect to the database, so for every user and every future user you have to run this command. (and no there is no wildcard access to procedures)
GRANT EXECUTE ON PROCEDURE mysql.init_connect_procedure TO 'user'#'%' ;
I edited the parameter init_connect for to be set as CALL mysql.init_connect_procedure . I am sure SQL SERVER has an equivalent parameter if not the same.
Restart the server and you should be good!
Warning: The user rdsadmin is the root user that only Amazon has the password to and uses to maintain and backup the database. You don't want to change the timezone for this user or you might damage your entire database. Hence the code to make sure it is not this user. I really recommend making sure the user is the same for SQL SERVER, this solution is only for MySQL and is a terrible solution, unfortunatly I had no other choice. If you can avoid doing this handle the timezone on your application end.
We have an application that runs in MSAccess but utilizes SQL Server as the backend database. This generates a query to check which views it's got access to, and for normal users this takes up to 18 seconds. For all users that's member of the db_owner role, it takes 0.2 seconds. Is there any way I can tune this for normal users? Maybe something I can do in Access? I don't want to give them db_owner, and rewriting the application to not use Access is out of the question.
Here's the query:
select
object_name(id),
user_name(uid), type,
ObjectProperty(id, N'IsMSShipped'),
ObjectProperty(id, N'IsSchemaBound')
from sysobjects
where type = N'V'
and permissions(id) & 4096 <> 0
Using MS Access 2003, SQL Server 2008 R2
Short of figuring out the root cause of issue, maybe a work around might help? Just an idea: you could encapsulate your SQL statement in a proc owned by a db_owner and give it an EXECUTE AS clause. That way when a non db_owner called the proc the SQL in the proc would get executed under the impersonation of db_owner just for the duration and scope of the proc. Hopefully then your non db_owner users would benefit from the performance you're seeing when db_owner's run that SQL.
Bit late to the party but try this:
select
[name],
schema_name(schema_id),
[type],
Is_MS_Shipped,
Is_Schema_published
from
sys.all_views
where
not permissions(object_id) & 4096 = 0
Using the view specific object and inverting the comparison may give you slight improvement
Let me guess: You have an Access-ADP application that does this at startup. We had exactly the same. This query is used to get metadata that Access uses later. The root cause of the problem is the deprecated PERMISSIONS function:
http://msdn.microsoft.com/en-us/library/ms186915.aspx
Quote: "Continued use of the PERMISSIONS function may result in slower performance."
Since you cannot change either the query or the function, you are out of luck.
I suggest you consider moving to an ACCDB with linked tables, as ADP-support was cancelled in Access 2013 anyway.