tags:

views:

445

answers:

4
Q: 

Anyway to create a SQL Server DDL trigger for "SELECT" statements?

I am dealing with some sensitive Accounting tables and I would like to audit any SELECT statement executed on the table or any views associated with them.

I did not find any DDL Events on BOL (Books Online) that had anything to do with SELECT statement. And DML triggers are for INSERT, UPDATE and DELETE only.

Is it possible to log who accesses table and views through SELECT statement?

A: 

Edit : Viewing and Analyzing Traces with SQL Server Profiler

anishmarokey  2009-10-04 04:42:17
+1  A: 

SQL Server 2008 Auditing may be able to capture it. Other than that, Profiler/Tracing is the only thing in SQL Server that can do it.

RBarryYoung  2009-10-04 05:03:27
I was also looking into SQL Server 2008 auditing but unfortunately, I am dealing with SQL Server 2005 right now. I wonder if I can create a link to production server (2005) from a dev server (2008) and then use auditing.
Sung Meister  2009-10-04 21:15:32
+1  A: 

You have 3 options:

  • allow access via stored procedures if you want to log (and remove table rights)
  • hide the table behind a view if you want to restrict and keep "direct" access
  • run a permanent trace

I'd go for options 1 or 2 because they are part of your application and self contained.

Although, this does sound a bit late to start logging: access to the table should have been restricted up front.

Also, any solution fails if end users do not correct directly (eg via web server or service account). Unless you use stored procs to send in the end user name...

View example:

CREATE VIEW dbo.MyTableMask
AS
SELECT *
FROM
    MyTable
    CROSS JOIN
    (SELECT 1 FROM SecurityList WHERE name = SUSER_SNAME())
--WHERE could use NOT EXISTS too with table
GO
gbn  2009-10-04 07:12:11
+1  A: 

Yes, it is possible by creating an Event Notification on the AUDIT_DATABASE_OBJECT_ACCESS_EVENT event. The cost of doing something like this would be overwhelming though.

It is much better to use the audit infrastructure, or using custom access wrapper as gbn recommends.

Remus Rusanu  2009-10-04 18:47:40
I haven't heard of Event Notification and it sounds promising so far.
Sung Meister  2009-10-04 21:19:52
I must stress again that generating an event for each object access check in the database will be extremely heavyweight.
Remus Rusanu  2009-10-04 23:32:12

related questions

In WPF Style, How can Trigger access a son Element of the Element it is attatched
How to constrain a database table so only one row can have a particular value in a column?
Can you use routed events with a MultiTrigger?
T-SQL - Is there a way to disable a trigger in the scope of a transaction?
Perforce trigger to deny submission of unchanged files?
Triggers vs Constraints
Using WPF, what is the best method to update the background for a custom button control?
Javascript: Trigger action on function exit
Database Duplicate Value Issue ( Filtering Based on Previous Value)
Best Method to Spawn Process from SQL Server Trigger
How to check if a trigger is invalid?
SQL - How do you compare a CLOB
SQL Server 2005 multiple database deployment/upgrading software suggestions
MySQL triggers + replication with multiple databases.
T-SQL triggers firing a "Column name or number of supplied values does not match table definition" error
How do you priortize multiple triggers of a table?
MySQL Trigger & Stored Procedure Replication
Setting Up MySQL Triggers
How can I get the definition (body) of a trigger in SQL Server?
PLS-00306 error on call to cursor
Trigger without a transaction?
Database triggers
Building an auditing system; MS Access frontend on SQL Server backend.
Timer-based event triggers
Throw Error In MySQL Trigger