ansaurus

Question

Data Auditing in NHibernate and SqlServer

Answer 1

+2 A:

I prefer the CodeProject approach you mentioned.

One problem with database triggers is that it leaves you no choice but to use Integrated Security coupled with ActiveDirectory as access to your SQL Server. The reason for that is that your connection should inherit the identity of the user who triggered the connection; if your application uses a named "sa" account or other user accounts, the "user" field will only reflect "sa".

This can be overriden by creating a named SQL Server account for each and every user of the application, but this will be impractical for non-intranet, public facing web applications, for example.

Jon Limjap 2008-08-19 09:48:50

There are workarounds/alternatives to giving each user a SQL account or using integrated auth. You can have a "LastUpdatedByUser" column on your table being audited and send it down from the app whenever you update a record. The trigger can use that column's value to populate the audit records.

David Archer 2009-04-08 14:18:46

Answer 2

+4 A:

[EDIT]

Post NH2.0 release, please look at the Event Listeners as suggested below. My answer is outdated.

The IInterceptor is the recommended way to modify any data in nhibernate in a non-invasive fashion. It's also useful for decryption / encryption of data without your application code needing to know.

Triggers on the database are moving the responsibility of logging (an application concern) in to the DBMS layer which effectively ties your logging solution to your database platform. By encapsulating the auditing mechanics in the persistance layer you retain platform independance and code transportability.

I use Interceptors in production code to provide auditing in a few large systems.

DavidWhitney 2008-08-19 12:26:56

What I find a bit problematic with the IInterceptor solution, is that the 'LastUpdated' date for instance, is set to the date that is set at the clients workstation, and it's not the date of the DB server that is used.

Frederik Gheysels 2009-05-26 21:07:04

Answer 3

+1 A:

I do like the Interceptor approach mentioned, and use this on the project I'm currently working on.

However, one obvious disadvantage that deserves highlighting is that this approach will only audit data changes made via your application. Any direct data modifications such as ad-hoc SQL scripts that you may need to execute from time to time (it always happens!) won't be audited, unless you remember to perform the audit table insertions at the same time.

Ian Nelson 2008-08-20 11:18:15

Answer 4

A:

I have a similar need to do auditing regardless of whether it came from application or someone issuing some sql via other means. So this must be done at the database level. The database is Oracle. we looked at doing it via Triggers and also via something called Fine Grained Auditing that Oracle provides. In both cases, we turned on auditing on specific tables and specific columns. However, we found that Performance really sucks when we use either of these methods.

Since auditing is an absolute must due to regulations placed around data privacy, I am wondering what is best way to do this without significant performance degradations. If someone has Oracle specific experience with this, it will be helpful as well.

GotoError 2008-09-15 18:04:00

This sounds like a whole new question. You should ask it! You'll get a lot more rep that way. ;-)Not that rep-whoring should be encouraged, but I think you'll have a better chance of getting a good answer if it has a page on its own. ~I

IainMH 2008-09-15 20:18:30

Answer 5

+11 A:

For NHibernate 2.0, you should also look at Event Listeners. These are the evolution of the IInterceptor interface and we use them successfully for auditing.

Sean Carpenter 2008-09-27 02:16:25

Answer 6

+1 A:

As an entirely different approach, you could use the decorator pattern with your repositories.

Say I have

public interface IRepository<EntityType> where EntityType:IAuditably
{ 
    public void Save(EntityType entity);
}

Then, we'd have our NHibernateRepository:

public class NHibernateRepository<EntityType>:IRepository<EntityType>
{
   /*...*/
   public void Save ( EntityType entity )
   {
       session.SaveOrUpdate(entity);
   }
}

Then we could have an Auditing Repository:

public class AuditingRepository<EntityType>:IRepository<EntityType>
{
   /*...*/
   public void Save ( EntityType entity )
   {
       entity.LastUser = security.CurrentUser;
       entity.LastUpdate = DateTime.UtcNow;
       innerRepository.Save(entity)
   }
}

Then, using an IoC Framework (StructureMap, Castle Windsor, NInject) you could build it all up without the rest of your code every knowing you had auditing going on.

Of course, how you audit the elements of cascaded collections is another issue entirely...

David Kemp 2008-10-17 16:50:29

I don't think this is correct solution unless you call save explicitly and have somehow disable the Flush behaviour of NH. I.e. a change to an entity can get persisted even without call to save method!

Rashack 2009-08-17 07:27:31

You're using session.FlushMode = FlushMode.CommitOnly?

David Kemp 2009-08-18 14:27:01

Answer 7

+2 A:

I understand this is an old question. But I would like to answer this in the light of the new Event System in NH 2.0. Event Listeners are better for auditing-like-functions than Interceptors. Ayende wrote a great example on his blog last month. Here's the URL to his blog post -

ayende.com/Blog/archive/2009/04/29/nhibernate-ipreupdateeventlistener-amp-ipreinserteventlistener.aspx

Rohit Agarwal 2009-05-26 16:44:11

ansaurus

tags:

views:

answers:

Data Auditing in NHibernate and SqlServer

related questions