tags:

views:

1285

answers:

3
+6  Q: 

SQL Server: Modifying the "Application Name" property for auditing purposes

As we do not implement the users of our applications as users in SQL server, when the application server connects to a database each application always uses the same credentials to attach to each database.

This presents an auditing problem. Using triggers, we want to store every update, insert and delete and attribute each to a particular user. One possible solution is to add an "updated by user" column to every table and update this every time. This means a new column on every table and a new parameter on every stored procedure. It also means you can only do soft deletes.

Instead of this I propose using the Application Name property of the connection string and reading this with the App_Name() property inside the trigger. I tested this with a simple app and it seems to work (the format could be as so: App=MyApp|User=100).

The question for you guys is, is this a bad idea and do you have a better one?

A: 

We use the Application Name property to control auditing triggers and have not seen any problems using it, and haven't noticed any speed issues (though in our case, we're specifically not auditing for certain applications, so its hard to measure how much time not doing something takes :))

Ch00k  2008-11-27 11:17:33
That's good to hear. By the sounds of it you are using the same application name each time. I'm proposing modifying the application name for each connection to identify the current user. Can you see any problem with this (we do not pool connections)?
Chris Simpson  2008-11-27 11:22:51
We use two different Application Names, one for when we want auditing, and one for when we don't (because whatever is using the connection is handling the auditing manually).
Ch00k  2008-11-27 21:25:48
+1  A: 

It certainly seems like a feasible solution, although you'll need to inject the username into the connection string each time your application loads. Note that this solution probably wouldn't work with a web application, as your connection string will be different each time, which could lead to huge connection pooling issues.

Another option is to retrieve the hostname/IP address (SELECT host_name() ) and store that instead.

You wouldn't necessarily need a new parameter on each stored procedure, as you can modify each stored procedure (or the trigger) to automatically insert the App_Name/Hostname.

A potential drawback is that any modifications performed via Management Studio won't have the custom App_Name, and you'll be left with "Microsoft Management Studio" as the user.

Jim McLeod  2008-11-27 12:49:50
Though we used to do this, we no longer use connection pooling so each connection made is individual. The hostname/ip address would not work because this would come from the application server not the client.
Chris Simpson  2008-11-27 12:59:58
If only I had stumbled across this answer a few years ago... We use the App Name for exactly this purpose, for exactly this reason, and have connection pooling issues exactly as described... I'm now trying to find any way to set the "App Name" from an Open connection, so that we can keep the connection string constant and do away with the pool creep nasties.
Tao  2009-10-13 16:56:19
+5  A: 

I use SET CONTEXT_INFO for this. It's just what you need. Take a peek in BOL ..

Dave Markle  2008-11-27 14:27:11
Aha, that looks just the ticket. The varbinary is a bit annoying but shouldn't be a big headache. Cheers.
Chris Simpson  2008-11-27 15:48:10
Thank you! The great thing is: you can make it even work with concurrent direct database access, like from MS Access, and using the original connection's user name, by using something like this: COALESCE(CONVERT(VARCHAR(128), CONTEXT_INFO()), CURRENT_USER)
markus  2009-10-22 16:44:53

related questions

In WPF Style, How can Trigger access a son Element of the Element it is attatched
How to constrain a database table so only one row can have a particular value in a column?
Can you use routed events with a MultiTrigger?
T-SQL - Is there a way to disable a trigger in the scope of a transaction?
Perforce trigger to deny submission of unchanged files?
Triggers vs Constraints
Using WPF, what is the best method to update the background for a custom button control?
Javascript: Trigger action on function exit
Database Duplicate Value Issue ( Filtering Based on Previous Value)
Best Method to Spawn Process from SQL Server Trigger
How to check if a trigger is invalid?
SQL - How do you compare a CLOB
SQL Server 2005 multiple database deployment/upgrading software suggestions
MySQL triggers + replication with multiple databases.
T-SQL triggers firing a "Column name or number of supplied values does not match table definition" error
How do you priortize multiple triggers of a table?
MySQL Trigger & Stored Procedure Replication
Setting Up MySQL Triggers
How can I get the definition (body) of a trigger in SQL Server?
PLS-00306 error on call to cursor
Trigger without a transaction?
Database triggers
Building an auditing system; MS Access frontend on SQL Server backend.
Timer-based event triggers
Throw Error In MySQL Trigger