I want to be notified of SQL Server logins that has a particular value for the Application Name property of the connection string. Can someone help me to get these type of notifications by email or by any other recommended method?
You're looking for a logon trigger. In the trigger you can inspect the connection application name (note that this setting is not secure and can be easily spoofed). Use sp_send_dbmail to send yourself mail.
Related
I'm trying to find a way to do the equivalent of an "execute as user" command from within a SQL connection string. I have a query coming from an external source that I can't modify and a database that already has security setup using execute as user. The only thing I can really modify is the connection string. I've been looking all over and am having trouble finding anything related in my searches.
Can something similar to "execute as user" be done within a connection string?
If yes, how?
Using SQL Server 2016 - SP1
Edit:
Users in a table have a number of roles associated with them. Each unique combination of roles has a user created (that can't login so you can't connect as that user and get access). That user has a schema that applies row level security so based on the user's role they can only see the data they are allowed. Using "execute as user = [auto generated user]" they impersonate the appropriate user with the unique permissions schema and thus only get back the data they are allowed to see. I will make a connection with a user and then need to do the equivalent of the execute as statement, but I can't modify the actual query so it needs to be done in the connection string.
You cannot do this via the connection string since you must already be connected in order to impersonate a user.
A connection string allows a user to connect (i.e., login) to a SQL Instance and therefore cannot be used by users that cannot login. Instead you'll have to connect as a user with login rights and then impersonate the user via EXECUTE AS USER.
For a trigger in SQL Server 2008R2 I need to know the user who inserted, updated or deleted the record.
As different users log in with the same connection string I do not know who is really logged in to the server (I use SQL authentication with the same UID and I grant access through the Access database!!).
I would like if possible to add a variable to the connection string such as Application Name=myrealusername but it seems that from Access VBA I cannot add this Parameter.
Does anyone know how to retrieve the real username who's logged in to pass the username to the trigger?
You could try recording the HOST_NAME() to capture the instance the query was executed from. If every user has it's own PC, it's probably one of your best guesses if you don't plan on using Windows Authentication.
More details: HOST_NAME() MSDN Documentation
Obviously the only real solution would be to use Windows Authentication.
You can use windows authentication and try using
select suser_name()
How to create an login trigger which does not allow connections from ssms, but allows only login from application server?
A logon trigger https://msdn.microsoft.com/en-us/library/bb326598.aspx has access to EVENTDATA() https://msdn.microsoft.com/en-us/library/ms173781.aspx which you can use to restrict logons. However, afaik this doesn't contain the Application Name (check the schema for details).
And as others have said in the comments, this is easily faked anyway.
This over on DBA has a nice example of a logon trigger. https://dba.stackexchange.com/a/111557/56641
And remember to turn on the dedicated admin connection...
I have a SQL Job where I want to send an email alert if job fails. I know that for this functionalty I have to Configure Database Mail and than Adjust the properties within the SQL Server Agent. This article gives pretty good detail http://www.sherweb.com/blog/how-to-set-up-database-mail-for-sql-server-job-failures/.
What I want is, instead of setting up an email address to particular user like person1#test.com, I want to send an email to current user. This way who ever logged in to database and runs the job receives the email on job failure.
As I see, there are two benefits of this approach,
i. One particular user won't get flooded with emails. ii. Who ever is running the job can know that job has failed.
For example,
If I set person1#test.com and person2 logs in than on job failure person1 will receive an email. I don't want that. Is there any way that I can do this in SQL Server Agent Job settings. If no than how can I achieve this?
Like SELECT SYSTEM_USER or SELECT SUSER_NAME() gives me current user and use that as outgoing email address.
I think you are confused, if one user will start the job manually then you use a STORE PROCEDURE and there you can get the connected user information.
But pgAgent will run the process automatic and run using the USER you setup on the job.
I am creating an Access project linked to a SQL Server. Instead of using Windows authentication for the SQL Server I want to use an application specific username/password and authenticate users myself using a login form. The reason is that other applications may connect to this database from a context where Windows authentication is not an option (FileMaker Server for instance).
I have found myriad discussions that cover this issue from one angle or another, but none that have actually enabled me to implement a solution. I do not have a lot of VBA or LDAP experience but I know this must be possible.
So, what I want to do is:
Ask the user for a username and password when they open the database.
Use that username and password to authenticate them
against our LDAP server.
Proceed if it passes, fail if it does not.
Can someone sketch out how this works or point me to a resource that describes this?
One way to accomplish this is to create a VBA procedure which loops through all of your linked tables and alters the connection string to embed the username and password from a login form.
You can get the syntax for the existing ODBC linked tables by going to the debug window and typing this:
? CurrentDb().TableDefs("My Table Name").Connect
Which should give you something similar to:
ODBC;DRIVER=SQL Server;SERVER=MYSQLSERVER001;UID=JPARKER;PWD=Pizza123;APP=2007 Microsoft Office system;DATABASE=MyDatabaseName
So your login form would capture the user name and password from the user, then store those as variables and use to build a new connection string. Then iterate through the tabledefs collection updating the connect property. Happens pretty quickly.