I am dealing with some sensitive Accounting tables and I would like to audit any SELECT statement executed on the table or any views associated with them.
I did not find any DDL Events on BOL (Books Online) that had anything to do with SELECT statement.
And DML triggers are for INSERT, UPDATE and DELETE only.
Is it possible to log who accesses table and views through SELECT statement?
You have 3 options:
I'd go for options 1 or 2 because they are part of your application and self contained.
Although, this does sound a bit late to start logging: access to the table should have been restricted up front.
Also, any solution fails if end users do not correct directly (eg via web server or service account). Unless you use stored procs to send in the end user name...
View example:
CREATE VIEW dbo.MyTableMask
AS
SELECT *
FROM
MyTable
CROSS JOIN
(SELECT 1 FROM SecurityList WHERE name = SUSER_SNAME())
--WHERE could use NOT EXISTS too with table
GO
Yes, it is possible by creating an Event Notification on the AUDIT_DATABASE_OBJECT_ACCESS_EVENT event. The cost of doing something like this would be overwhelming though.
It is much better to use the audit infrastructure, or using custom access wrapper as gbn recommends.
--In the master database create a server audit
USE master
GO
CREATE SERVER AUDIT [Audit_Select_HumanResources_Employee]
TO FILE
( FILEPATH = N'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Backup'
,MAXSIZE = 0 MB
,MAX_ROLLOVER_FILES = 2147483647
,RESERVE_DISK_SPACE = OFF)
WITH
(QUEUE_DELAY = 1000, state= on)
ALTER SERVER AUDIT Audit_Select_HumanResources_Employee
WITH (STATE = ON) ;
GO
--In the database to monitor create a database audit
USE [AdventureWorks2012]
go
CREATE DATABASE AUDIT SPECIFICATION [Database-Audit]
FOR SERVER AUDIT [Audit_Select_HumanResources_Employee]
--In this example, we are monitoring the humanResources.employee
ADD (SELECT ON OBJECT::[HumanResources].[Employee] BY [dbo])
with (state=on)
--Now you can see the activity in the audit file created
SELECT * FROM sys.fn_get_audit_file ('c:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Backup\Audit_Select_HumanResources_Employee.sqlaudit',default,default);
GO
I just added some code for you. The code creates a server audit, a database audit for select activities and finally the sys.fn_get_audit_file is used to retrieve the information from the file. You have to do that individually for each table. If you want a more automated query, you can use other tools like Apex SQL Audit or other third party tool of your preference.
SQL Server 2008 Auditing may be able to capture it. Other than that, Profiler/Tracing is the only thing in SQL Server that can do it.
Edit : Viewing and Analyzing Traces with SQL Server Profiler
CREATE PROCEDURE sp_Product_Select @User_Name VarChar(128), @ID Int AS
INSERT INTO My_Trace_Table (Table_Name, User_Name, Table_ID, Select_DateTime)
VALUES ('Products', @User_Name, @ID, GetDate())
SELECT *
FROM Products
WHERE ID = @ID
RETURN
GO
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 疯言疯语 的文章《Anyway to create a SQL Server DDL trigger for “SEL》','https://www.manongdao.com/article-101660.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}