It is possible to view and analyze queries in SQL Server before implement on database and log or drop it if necessary?
For example some application send an update query to SQL Server, can I first log it to a database, and then possibly reject it if the query is illegal based on my roles?
You can use SQL Profiler to monitor queries sent to server, but you can't do what you wnat to.
If you say it is illegal for smoe roles to execute some queries it should be specified in permissions - every role have assigned permissions.
One way to achieve what you want is to define user, which mentioned applciation would use (I would even create dedicated user). Then, if you want this user to execute SELECT, just execute such command
GRANT SELECT ON [table] TO [user]
Then the user won't be able to update table, just select rows from it.
I found solution to use SQL SERVER triggers so after insert or update I check my role so if there is any access problem I can rollback transaction and send error to user.
Related
Im writing a simple utility that will allow our users to run simple select SQL statements on the DB to retrieve data they require. Just a textbox and a button and when they click the button it will spit out the query results in a list.
The problem I have is I only want them to be able to run SELECT statements. I dont want any edit statements to be executed i.e. update, insert, delete, drop etc.
Is there a simple way to parse a sql string to make sure its only a read only select statement entered?
A better way would be to use sql permissions. As a datareader, your users will only be able to SELECT. exec sp_addrolemember db_datareader, <user>
Best way to deal with this is by creating a user that only has limited permissions.
If you want to allow users to read data from all tables then you can go with what Steve D already suggested.
If you want to allow users to read data from only some tables but not all then you need to create a user that only has ‘public’ role and then GRANT SELECT for specific tables.
Make sure user only has ‘public’ selected here for a given database
Then just execute this query for all tables
grant select on <schema>.<table> to <user>
I have a database (SQL Server) that is being used by 20 users, all members of the same security role. The role enables them to insert, delete and update to Table1, but they have no permissions for Table2.
Table1 has a trigger that fires a stored procedure, Table2_Refresh, that truncates Table2 and rebuilds it from Table1.
I have read in some places that the trigger and stored procedure automatically execute as the caller, and therefore uses the caller's permissions. However 19 of the 20 users are able to update Table1 and the trigger and SP execute fine. One user gets an error telling him that Table2 cannot be found.
I know I can put an 'EXECUTE AS' line in the SQL, but this is happening in multiple places, and it seems like it is an issue with the user, so I would like to solve it there if possible. Since the role memberships and permissions are identical, are there any other reasons why two users would be experiencing different behaviour from the database?
The role and permissions are clearly not identical...
Are they logging in the same way (e.g. are they all using Integrated Security)?
I suggest to check the default schema of the database user used by that special login.
If the table schema is dba but the default schema of the database user is dbo, querying the table without specifying the schema will fail.
I'd like to create a SQL table which stores/captures user access or activities for a particular database.
For example, a table which has an entry for username, database accessed/queried, activity time etc everytime a user logs into a server and queries a particular db.
I know there's the .txt log file somewhere I would look up - but is there an easier way of doing it automatically?
How would I go about doing this?
Thanks in advance!
You can capture login activity in the SQL Server error log (turn on Login Auditing for "Both failed and successful Logins"):
USE [master];
GO
EXEC xp_instance_regwrite
N'HKEY_LOCAL_MACHINE',
N'Software\Microsoft\MSSQLServer\MSSQLServer',
N'AuditLevel',
REG_DWORD,
3;
Or by creating a LOGON TRIGGER and using that to log to a specific table.
However since there are no triggers on SELECT statements, capturing all queries would require pretty intrusive methods such as a server-side trace or SQL Server Audit.
Read about Logon Triggers in SQL Server
I have many databases in one SQL Server instance. Also I have many individual domain users for logins and also domain groups as logins. These logins are attached to databases as database users. Now I would like to create a report (or a query) to find out when and where (which database) these logins take a connection. I tried to find this information from sys-schema, but I could not find this kind of information. Where SQL Server store this information and how to create this kind of report? I would also like to automate this using a stored procedure.
in the login stored procedure, along with the username, add a GetDate() and DB_NAME() to each record in a table called LoginData (or whatever you prefer)
You could set up a SQL trace logging all login events then just query that.
I'm making a call to odbc32.dll (SQLBrowseConnect) to return a list of databases on a sql server.
From running a trace I can see the query being executed is
select name from master..sysdatabases where has_dbaccess(name)=1
If the credentials I pass aren't the sa user it returns just the system databases. Is there anyway I can use SQLBrowseConnect with another user (whose default database is also not guarenteed to be the master database) to return all databases on the server?
Also I want to avoid smo objects
The query does work without sysadmin credentials.
You need to ensure that you / the credentials you are using are at least in the public database role on each of the databases that you need to connect to.
As you would guess, select name from master..sysdatabases returns all database names irrespective of your access to the DB.