Name Dept ID
MARK XYZ 25
DENIM ABC 35
SOLO DEF 45
The above is my table.Here when the update is done, a trigger will be executed to get the old values and store that in a existing log table with the updated USERID and here my requirements is when a delete operation is performed i need to perform the trigger operation that should update the same log table with the old values.When it stores in the log table i have a USERID field in log table and that should be updated with current(Deleting User ID) USERID in the log table.
The answer depends on the authentication mode. If you want an audit log that is written by a trigger to show the identity of the user who deletes a given row, the identity of that user must be known within the scope of the trigger. There are two ways for the identity to be known: the SQL engine itself can be aware of a user it has authenticated, or the front-end client software can pass the username to a stored procedure that is handling the deletion. If it is the latter the stored procedure will have to update the row in the base table with the current user value before it deletes the row.
It is often the case the many real individuals will authenticate with the client software (or on the network) individually but the connection to the SQL engine is via a shared pseudo-user that might correspond to a permission level (e.g. clerical-user, manager-user). The database sees that the record is being updated by "clericaluser" rather than by "joe". So then the database authentication may be insufficient for your auditing purposes, and you need to pass "joe" to a stored procedure.
The SQL engine can be (but need not be) integrated with network authentication, in which case the trigger will have access to the authenticated user identity, e.g. YOURDOMAIN\YourUser.
Guess you will find what(?) you are looking for here:
http://technet.microsoft.com/en-us/library/ms189799.aspx
Related
I have a group login which has the Server Role "dbcreator". Users of this login has been granted execute on "sp_delete_database_backuphistory" so that they can delete each others databases. The problem now is that it is possible for these users to delete databases created by other logins. Is there a solution for this? Can permissionĀ“s be set, so that these users ONLY can delete databases created with this login?
You can't do this directly, but you can wrap the system sp_delete_database_backuphistory into your own usp_delete_database_backuphistory
that can call sp_delete_database_backuphistory or return immediately depending on a result of the check you want to perform.
I cannot ask you in a comment what do you mean saying 'databases created by other users', first of all only login (not user) can create a database but this information (db creator) you cannot extract from any system metadata, all you can get is the current database owner and this can differ from database creator.
I mean, when you create a database you can explicitly assign other login to own the database, or you can do this later for certain purposes
I am using SQL Server 2012.
I have a table which contains two columns. One is called Directory, the other UserName.
To explain my problem I think a simple example is easier.
So this table has 3 users. In the UserName column, only the 3 users, usernames can be entered plus one other entry called Default.
Directory UserName
C:\Blah Bob
C:\BlaF Brad
C:\BlaK Dave
C:\BlaPP Default
C:\Anoth Default
What I would like to know is if it is possible to allow only two of the users to be able to insert, delete records with the username Default and the other user to be able to only select the records with Default.
Is this possible?
Update
After doing some reading is it not possible to do this using an Instead of trigger? So in my understanding this trigger will fire before an insert, update or delete query is executed. So I was thinking in the trigger if could check the host pc (users on my team will only be using their computer) to see who it is trying to insert, update or delete and if its a user who doesn't have permission to edit the default list then exit the trigger and don't update the table. Or am I missing something?
Instead of giving users direct access to the table, give the first two users access to a stored procedure that inserts to the table, and only inserts "Default" for the username.
Give the third user access to a view (or stored procedure) that only selects records where username="Default".
The goal is to allow all the "Teachers" that have access to the Faculty table to have Select permissions to only their own social security number and not everybody elses. Do any of you know how I can perform something like this? I do have all my users setup as Windows Users and I have a windows group called Teachers, if that helps.
Not possible using the standard permissions in SQL server (that I am aware of)
You will need to implement this kind of constraint in your code.
You could in theory pass in the SS# and query based on this and raise an error if they do not match.
Social security numbers shoud be encrypted so they can't see each others numbers if they call up the record. You can use a decryption proc to allow them to decrypt that checks the userid against the profile id and will only decrypt if they match.
Implementing Row-level Permissions
Row-level permissions are used for applications that store information in a single table. Each row has a column that defines a differentiating parameter, such as a user name, label or other identifier. You then create parameterized stored procedures, passing in the appropriate value. Users can see only rows that match the supplied value.
The following steps describe how to configure row-level permissions based on a user or login name.
Create the table, adding an additional column to store the name.
Create a view that has a WHERE clause based on the user name column. This will restrict the rows returned to those with the specified value. Use one of the built-in functions to specify a database user or login name. This eliminates the need to create different views for different users.
' Returns the login identification name of the user.
WHERE UserName = SUSER_SNAME()
' USER_NAME or CURRENT_USER Return the database user name.
WHERE UserName = CURRENT_USER()
Create stored procedures to select, insert, update, and delete data based on the view, not the base tables. The view provides a filter that restricts the rows returned or modified.
For stored procedures that insert data, capture the user name using the same function specified in the WHERE clause of the view and insert that value into the UserName column.
Deny all permissions on the tables and views to the public role. Users will not be able to inherit permissions from other database roles, because the WHERE clause is based on user or login names, not on roles.
Grant EXECUTE on the stored procedures to database roles. Users can only access data through the stored procedures provided.
I have a database (SQL Server) that is being used by 20 users, all members of the same security role. The role enables them to insert, delete and update to Table1, but they have no permissions for Table2.
Table1 has a trigger that fires a stored procedure, Table2_Refresh, that truncates Table2 and rebuilds it from Table1.
I have read in some places that the trigger and stored procedure automatically execute as the caller, and therefore uses the caller's permissions. However 19 of the 20 users are able to update Table1 and the trigger and SP execute fine. One user gets an error telling him that Table2 cannot be found.
I know I can put an 'EXECUTE AS' line in the SQL, but this is happening in multiple places, and it seems like it is an issue with the user, so I would like to solve it there if possible. Since the role memberships and permissions are identical, are there any other reasons why two users would be experiencing different behaviour from the database?
The role and permissions are clearly not identical...
Are they logging in the same way (e.g. are they all using Integrated Security)?
I suggest to check the default schema of the database user used by that special login.
If the table schema is dba but the default schema of the database user is dbo, querying the table without specifying the schema will fail.
I produce a windows App and the database is SQL Server 2005. In this database B I define a table for saving username and passwords. Now my company buys another app that has its own database with the same table for storing username and password.
They want to login to both applications with same username and password. what should I do in order to map the users of these two tables?
Depends on how quickly you need to know about a new user in the "other" app - you could:
create identical tables in the "other" database and periodically fill those from the master tables, e.g. with a nightly SSIS package job; with this, you have periodical updates, e.g. every night, every 4 hours etc., but the load on the server will be low
or:
have a trigger on the "master" table and "replicate" each operation on that table (insert, update, delete) to the "slave" table in the other database; you have immediate updates, but the load on the server might be quite high for this
or:
you could create a third database that contains just the user-management stuff, and have both "production" databases reference that "user" database for their user management; you could avoid any data duplication and both production systems would be using the same, up-to-date data at all times
or:
you could use Windows authentication in the first place and get rid of all "yet-another-user-and-permissions-table" in any of the databases...