Learn more about SQL Server tools



solving sql server problems for millions of dbas and developers since 2006 join MSSQLTips for free SQL Server tips













































   Got a SQL tip?
            We want to know!

SQL Server DDL Triggers to Track All Database Changes

MSSQLTips author Aaron Bertrand By:   |   Read Comments (40)   |   Related Tips: More > Triggers
Problem

In a perfect world, only the DBA would have sa privileges, F5 would only ever be hit on purpose, every change would go through rigorous source control procedures, and we would have full backups of all databases every minute. Of course, in reality, we deal with much different circumstances, and we can find ourselves (or overhear someone else) saying, "Oops... how do I fix that?" One of the more common scenarios I've seen involves someone editing a stored procedure multiple times between backups or within some kind of cycle, and then wishing they had version (current - 1) available. It's not in the backup yet, so can't be restored; and the user, of course, has closed his or her window without saving.

Solution

There are a lot of solutions to this issue, of course. They include tightening down server access, adopting a reliable source control system, and implementing a rigorous and well-documented deployment process. These things do not happen overnight, so in the meantime, DDL Triggers can provide a short-term fix that is both easy to implement and simple to manage. The approach is to take a snapshot of the current objects in the database, and then log all DDL changes from that point forward. With a well-managed log, you could easily see the state of an object at any point in time (assuming, of course, the objects are not encrypted).

 

So where do we start? First, I like to keep housekeeping items (monitoring, administration etc.) in their own database. This allows me to query things centrally and also to control growth separately. For this task, let's use a database called AuditDB:

CREATE DATABASE AuditDB;
GO

To keep things relatively simple, let's assume we are only interested in actions taken on stored procedures - create, alter, drop. We have a set of stored procedures already, and they are in a given state. We will need to capture that state, in addition to any changes that are made to them from that point forward. This way, we will always be able to get back to any state, including the original state.

In addition to the data specific to the actions taken on stored procedures, we can also think of several other pieces of information we would want to store about each event. For example:

  • database name
  • schema / object name
  • login information
  • host name / IP address (useful with SQL auth)

So here is the definition for a table to capture these events and the surrounding information about them:

USE AuditDB;
GO

CREATE TABLE dbo.DDLEvents ( EventDate DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP, EventType NVARCHAR(64), EventDDL NVARCHAR(MAX), EventXML XML, DatabaseName NVARCHAR(255), SchemaName NVARCHAR(255), ObjectName NVARCHAR(255), HostName VARCHAR(64), IPAddress VARCHAR(32), ProgramName NVARCHAR(255), LoginName NVARCHAR(255) );

Yes, we could keep the table skinnier and use [object_id] instead of schema/object name, also protecting us from resolution problems due to renames. However, often stored procedures are dropped and re-created, in which case the system will generate a new [object_id]. I also prefer to use the database name to make ad hoc queries (and script automation) against specific databases easier. You can choose which metadata to rely on; personally, I'll trade the space for readability and scriptability.

Now that the table exists, we can easily grab a snapshot of our existing stored procedure definitions, leaving out some of the irrelevant auditing data, as follows (replacing 'my name' with whatever you want to display for the initial rows):

USE YourDatabase;
GO

INSERT AuditDB.dbo.DDLEvents ( EventType, EventDDL, DatabaseName, SchemaName, ObjectName, LoginName ) SELECT 'CREATE_PROCEDURE', OBJECT_DEFINITION([object_id]), DB_NAME(), OBJECT_SCHEMA_NAME([object_id]), OBJECT_NAME([object_id]), 'my name' FROM sys.procedures;

Now we're ready to start capturing actual changes to these procedures as they happen. You can create a DDL Trigger with the following code, that will record pertinent data to the above table when changes are made to stored procedures:

USE YourDatabase;
GO

CREATE TRIGGER DDLTrigger_Sample ON DATABASE FOR CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE AS BEGIN SET NOCOUNT ON; DECLARE @EventData XML = EVENTDATA(); DECLARE @ip VARCHAR(32) = ( SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID ); INSERT AuditDB.dbo.DDLEvents ( EventType, EventDDL, EventXML, DatabaseName, SchemaName, ObjectName, HostName, IPAddress, ProgramName, LoginName ) SELECT @EventData.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'), @EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'), @EventData, DB_NAME(), @EventData.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'), @EventData.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'), HOST_NAME(), @ip, PROGRAM_NAME(), SUSER_SNAME(); END GO

Note that when you create a DDL Trigger, just like a DML Trigger, it is enabled and will start working immediately. To disable it, you can run the following code:

USE YourDatabase;
GO

DISABLE TRIGGER [DDLTrigger_Sample] ON DATABASE;

And then to re-enable:

USE YourDatabase;
GO

ENABLE TRIGGER [DDLTrigger_Sample] ON DATABASE;

So now you can test the auditing capabilities by altering an existing procedure. Right-click a procedure in Object Explorer and choose Modify. Add the following line somewhere in the body:

-- testing audit

Then you can run a query against the DDLEvents table:

SELECT *
    FROM AuditDB.dbo.DDLEvents
    WHERE EventType = 'ALTER_PROCEDURE';

Assuming your system is relatively quiet, all you should see is the change above. Now to go one step further, you can examine the differences between the initial object and its most recent state using a query like this:

;WITH [Events] AS
(
    SELECT
        EventDate,
        DatabaseName,
        SchemaName,
        ObjectName,
        EventDDL,
        rnLatest = ROW_NUMBER() OVER 
        (
            PARTITION BY DatabaseName, SchemaName, ObjectName
            ORDER BY     EventDate DESC
        ),
        rnEarliest = ROW_NUMBER() OVER
        (
            PARTITION BY DatabaseName, SchemaName, ObjectName
            ORDER BY     EventDate
        )        
    FROM
        AuditDB.dbo.DDLEvents
)
SELECT
    Original.DatabaseName,
    Original.SchemaName,
    Original.ObjectName,
    OriginalCode = Original.EventDDL,
    NewestCode   = COALESCE(Newest.EventDDL, ''),
    LastModified = COALESCE(Newest.EventDate, Original.EventDate)
FROM
    [Events] AS Original
LEFT OUTER JOIN
    [Events] AS Newest
    ON  Original.DatabaseName = Newest.DatabaseName
    AND Original.SchemaName   = Newest.SchemaName
    AND Original.ObjectName   = Newest.ObjectName
    AND Newest.rnEarliest = Original.rnLatest
    AND Newest.rnLatest = Original.rnEarliest
    AND Newest.rnEarliest > 1
WHERE
    Original.rnEarliest = 1;

If you are tracking down a specific object or an object in a specific schema, you could put additional WHERE clauses against Original.ObjectName or Original.SchemaName. From here, you can take the values for "OriginalCode" and "NewestCode" and put them through your favorite diff tool to see what changes there have been. And you can also change the query slightly to retrieve the latest version of any procedure, and the version that preceded it - I'll leave that as an exercise for the reader.

What the above does not capture are other peripheral changes that can happen to a stored procedure. For example, what about moving a procedure to a different schema? You can change the DDL Trigger above in the following way to capture the ALTER_SCHEMA event:

USE YourDatabase;
GO

ALTER TRIGGER DDLTrigger_Sample ON DATABASE FOR CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE, ALTER_SCHEMA AS BEGIN -- ...

And how about rename? Unfortunately in SQL Server 2005, DDL Triggers were unable to observe calls to sp_rename (or manual renames through Management Studio). In SQL Server 2008 and above, however, a rename can be captured with the aptly-named RENAME event:

USE YourDatabase;
GO

ALTER TRIGGER DDLTrigger_Sample ON DATABASE FOR CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE, ALTER_SCHEMA, RENAME AS BEGIN -- ...

(In a future tip, I'll demonstrate how to restrict these additional auditing rows to specific objects or object types, so that you're not capturing all kinds of irrelevant information about changes to objects other than stored procedures.)

Some other considerations:

  • You may want to put in a cleanup routine that gets rid of "noise" more than <n> days old (but still keeping the set of objects that are important to you).
  • To validate that your auditing process is capturing all changes, you can check modify_date in sys.procedures. Of course this only works for procedures that haven't been dropped - only if they have been created, modified, renamed, or transfered to a different schema.
  • Security might be an issue, depending on what you want to accomplish. Allow me to elaborate:

    DDL Triggers will not be transparent to users - first of all, they can see them in the Object Explorer tree, so it won't be a big secret that they are there and operational. They also appear in execution plans; if users have this option enabled when they create or modify objects in Management Studio, they will see the query plan for statements such as INSERT AuditDB.dbo.DDLEvents.

    If you want to hide the definition of the DDL Trigger, you can encrypt it as follows:

    USE YourDatabase;
    GO
    
    ALTER TRIGGER DDLTrigger_Sample ON DATABASE WITH ENCRYPTION FOR -- ...

    This way, when users want to see what the trigger is doing, they will right-click to generate a script, but the following is what will happen:

    TITLE: Microsoft SQL Server Management Studio
    ------------------------------
    Script failed for DatabaseDdlTrigger 'DDLTrigger_Sample'.
    Property TextHeader is not available for DatabaseDdlTrigger
    '[DDLTrigger_Sample]'. This property may not exist for this
    object, or may not be retrievable due to insufficient access
    rights.  The text is encrypted.
    ...
    

    But users with sufficient privileges can still disable the trigger, as described above. And you can't even capture this event, much less prevent it (which DDL Triggers are sometimes used for). For more information, see these Connect items:

    So, assuming SQL Server 2008 or above, you could use an audit specification to capture DDL events as a backup (or instead). But, given all of this, if you have to go to these lengths to prevent people from circumventing your auditing capabilites, then maybe your problems are larger and not all that technical. I suspect that in most reasonable environments, you'll sleep fine at night simply locking down the audit table.

I hope this provides a decent starting point to protect your environment(s) with DDL Triggers. However, given the manual aspect of this approach as well as its limitations, it will likely be best to consider this a short-term plan, and look into more robust source control and recovery techniques in the longer term.

Next Steps


Last Update: 8/9/2010


About the author
MSSQLTips author Aaron Bertrand
Aaron Bertrand is a Senior Consultant at SQL Sentry, Inc., and has been contributing to the community for over a decade, first earning the Microsoft MVP award in 1997.

View all my tips


print tip Print  
Become a paid author





join MSSQLTips for free SQL Server tips     



Learn more about SQL Server tools
Comments and Feedback:
Tuesday, March 22, 2011 - 10:52:26 AM - Muhammad Azim Read The Tip

Very precisely explained,

Is there a way for establishing a DML auditing for specific non-application users?

BR


Tuesday, March 22, 2011 - 11:02:38 AM - Aaron Bertrand Read The Tip

Sure, you can just check SUSER_SNAME() first and only log if the result is in the list you want to check.


Wednesday, March 23, 2011 - 4:54:52 AM - US Read The Tip

Hi,

article sounds as "SQL Server DDL Triggers to Track All Database Changes", but in fact changes tracking focuses on stored procedures only. What about changes on tables, views etc. ?


Wednesday, March 23, 2011 - 8:15:09 AM - Aaron Bertrand Read The Tip

I limited the scope to stored procedures specifically, but you can certainly employ the same techniques for all object types (with a single catch-all DDL trigger, or multiple dedicated ones).


Monday, April 11, 2011 - 2:28:04 PM - GB Read The Tip

This is some great stuff.

 

Quick question:  Has anyone tried to do this from a centralized server?  Meaning, I have one server that we use for monitoring/maintenance and I want the triggers to feed the data into a centralized table.  I'm having problems with the XML data type going through linkedservers.


Wednesday, August 17, 2011 - 9:04:02 AM - Arjun Read The Tip

Really it's a great stuff.

can any one tell me what wrong with this trigger creation in user database. I'm receiving the following error when creating this trigger.

Waiting for the reply.    :) :)

TRIGGER code

***************************************************************

USE xxxxxxxxx;
GO

CREATE TRIGGER DDLTrigger_Sample ON DATABASE FOR CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE AS BEGIN SET NOCOUNT ON; DECLARE @EventData XML = EVENTDATA(); DECLARE @ip VARCHAR(32) = ( SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID ); INSERT AuditDB.dbo.DDLEvents ( EventType, EventDDL, EventXML, DatabaseName, SchemaName, ObjectName, HostName, IPAddress, ProgramName, LoginName ) SELECT @EventData.value('(/EVENT_INSTANCE/EventType)[1]', 'NVARCHAR(100)'), @EventData.value('(/EVENT_INSTANCE/TSQLCommand)[1]', 'NVARCHAR(MAX)'), @EventData, DB_NAME(), @EventData.value('(/EVENT_INSTANCE/SchemaName)[1]', 'NVARCHAR(255)'), @EventData.value('(/EVENT_INSTANCE/ObjectName)[1]', 'NVARCHAR(255)'), HOST_NAME(), @ip, PROGRAM_NAME(), SUSER_SNAME(); END GO

***************************************************************

ERROR

***************************************************************

Msg 139, Level 15, State 1, Procedure DDLTrigger_Sample, Line 0

Cannot assign a default value to a local variable.

Msg 102, Level 15, State 1, Procedure DDLTrigger_Sample, Line 14

Incorrect syntax near '('.

Msg 137, Level 15, State 2, Procedure DDLTrigger_Sample, Line 35

Must declare the scalar variable "@EventData".

***************************************************************

Regards

 


Wednesday, August 17, 2011 - 9:32:03 AM - Aaron Bertrand Read The Tip

Sorry Arjun, the code was written for 2008+. In order to get past the syntax errors, you need to use:

    DECLARE 
@EventData XML,
  @ip VARCHAR(32);

SELECT @EventData = EVENTDATA(); SELECT @ip = client_net_address FROM sys.dm_exec_connections WHERE session_id = @@SPID;

Sorry about that.


Thursday, August 18, 2011 - 8:42:46 AM - Arjun Read The Tip

So nice to see your reply Aaron.

I have implemented the same it's working. :)

Can we get login name also in the result set who has changed this SP?

Regards,

Arjun

 

 


Thursday, August 18, 2011 - 10:32:11 AM - Aaron Bertrand Read The Tip

I don't understand. The trigger stores LoginName, so can't you just add it to your eventual query?


Wednesday, October 05, 2011 - 12:39:41 PM - Jonathan Scion Read The Tip

Very good article. if anybody wants a shorter way to implement the same thing - which is not free (499$) but is very reliable and has a nice GUI to go with it, check out:

 

http://nobhillsoft.com/Randolph.aspx


Monday, December 12, 2011 - 10:29:08 AM - Scott C Read The Tip

Another way the DDL trigger may not be transparent to users is if they do not have INSERT rights on the logging table.  You can enable the guest user in AuditDB and GRANT INSERT ON DDLEvents TO public to avoid problems.

I have had issues with TRANSACTION DOOMED IN TRIGGER errors on DDL changes if inconsistent settings are used for ANSI_PADDING.  Using SET ANSI_PADDING ON in all CREATE and ALTER scripts is one solution.


Wednesday, December 14, 2011 - 3:11:24 PM - Jim Curry Read The Tip

Great post. How about a follow up article on how to set up policy to verify the DDL triggers exist and are enabled on all databases?


Monday, April 30, 2012 - 3:57:43 PM - Fabio Nunes Read The Tip

In your example, how to get the command would be executed by the Query Analyzer? Insert, Update, Delete tables, without specifying the table name?


Tuesday, June 05, 2012 - 7:04:37 AM - Johny Read The Tip

Hi there,

     I have a question -- if, as you have mentioned in this article, I wanted to get the latest version of the stored procedure and the one preceding it, then how should I do it ? A little commenting for statements in the CTE would the article a world of good. Anyways, great post sans my issue :->


Friday, June 29, 2012 - 11:11:21 AM - Amanda Read The Tip

I really want to use a server level trigger for all this.  I've tried and tried, with different permissions, and it just doesn't seem to work.  I've read all the articles I can find, and it truly seems that it is just not possible to create a server level trigger to capture all DDL and Security changes.

Is this true?

 

Amanda


Wednesday, February 13, 2013 - 5:10:35 AM - Jaya Read The Tip

Really it's a great stuff.

can any one tell me how to create a table with different prfix name and with same structure, on creation of a table using ddl triggers. I also need similarly for modification of the table structure to reflect on the other table.

Waiting for the reply.


Thursday, April 25, 2013 - 9:20:21 PM - Joseph Read The Tip

I tried including create,alter and drop views but I'm now getting an error whenever I try to do these operations. Anyone can tell me how to modify the code to include auditing of views as well?


Friday, April 26, 2013 - 2:33:48 PM - Aaron Bertrand Read The Tip

Joseph, could you be more specific? What errors?


Friday, April 26, 2013 - 3:27:53 PM - Aaron Bertrand Read The Tip

Amanda: sorry, this is not possible: database-level DDL needs to be caught at the database level, so you'll need a database DDL trigger on each database.


Thursday, May 09, 2013 - 2:16:36 AM - Elmozamil Elamir Hamid Read The Tip

Thanks for this post.

It really amazing and covering the concept clearly and in understandable way.

 


Thursday, May 09, 2013 - 9:59:39 AM - mbourgon Read The Tip

(two years too late, probably)

@GB - while tracking changes across your environment using the DDL triggers is definitely doable, IMHO what you really want is Event Notifications.  Uses Service Broker and can track all the things the triggers can, some trace items, and a bunch of other things as well.  I presented on this for the virtual DBA chapter of PASS a couple of months ago.  Might be worth a watch/read. http://thebakingdba.blogspot.com/2012/10/master-of-all-i-survey-using-event.html and mms://passmedia.sqlpass.org/share/dba/MasterofAllISurvey_03272013.wmv.  Jonathon Kehayias has also done some amazing stuff with EN, I'd really recommend his articles on it, starting with http://www.sqlservercentral.com/articles/Event+Notifications/68831/ . Hope this helps someone! 


Friday, June 07, 2013 - 7:07:49 AM - Dipo Read The Tip

Many thanks for this very useful code!

Could you also provide link to a DML trigger is you have one?


Monday, July 01, 2013 - 10:59:16 AM - Saumil Read The Tip

Great post Aaron. I am currently creating a similar DDL trigger on a database for partitioned tables. I need to check if DDL is executed against partitioned tables and apply the same to another table in different schema on the same database.

Your post helped me in uderstanding how the database level triggers work. Is there a way you can guide me on how to apply the same for partitioned tables? or to be more precise, can i implement database tiggers for DDL executed against specific tables?


Monday, July 01, 2013 - 11:58:42 AM - Aaron Bertrand Read The Tip

Saumil sure, you can simply add an IF EXISTS check to see if the object_id affected by the DDL statement exists in sys.partitions with a partition_number > 1 or see these queries:

http://dba.stackexchange.com/questions/14996/how-do-i-get-a-list-of-all-the-partitioned-tables-in-my-database

http://dba.stackexchange.com/questions/25777/how-to-check-if-there-is-partitions-in-use-in-fact-tables


Monday, July 01, 2013 - 2:28:36 PM - Saumil Read The Tip

Thanks Aaron! Appreciate your help. Will check it out and post the outcomings.


Tuesday, July 16, 2013 - 10:38:50 AM - Saumil Read The Tip

Aaron! I was able to achive the DDL logging for partitioned tables using the method suggestd by you. I have two schemas dbo and Switch. I am trying to capture the events on dbo schema and after verifying the affected objects I am executing the same DDL on Switch schema by simply capturing the DDL and replacing the schema name to Switch.

However this approach fails when a user issues statements without specifying the schema name. Any suggestions how can I go about achiveing this functionality? 


Monday, November 04, 2013 - 12:13:54 PM - Adam Read The Tip

I am thinking about implementing this on a mirrored server to copy the logins from one server to the other.
Has anyone even attempted anything like this? I am just wondering how I will keep track of changes between the servers better then we currently are doing it.


Tuesday, November 05, 2013 - 12:25:42 PM - Aaron Bertrand Read The Tip

Adam, I'm sure you could take this script by Robert Davis:

http://www.sqlsoldier.com/wp/wp-content/uploads/Scripts/dba_CopyLogins.sql

Incorporate it into your DDL trigger, and have the DDL trigger run the generated dynamic SQL with a linked server, using EXEC linkedserver.master..sp_executesql @sql;


Tuesday, November 05, 2013 - 1:16:11 PM - Adam S Read The Tip

Excellent, thanks for the find.


Wednesday, November 06, 2013 - 3:56:03 PM - Forrest Read The Tip

A few versions of this code have been pasted around the net for a couple of years, and I have been using this for a couple of years. I did have issues with MS apps(SCOM) and at least one other app failing to upgrade when the trigger is enabled.

It appears that it is better to have the query say  select top 1 client_net_address   as some app installers do some conn trickery where that query comes back with multiple results.


Tuesday, January 28, 2014 - 10:41:26 AM - Elief Read The Tip

This is great!!

However, when I'm trying to apply this, I found a little problem.

I'm unable to catch the rename of a table or procedure...

Anyidea on how to do that? like a trigger on sys.objects for updating names?

Thank you


Tuesday, January 28, 2014 - 12:47:34 PM - Aaron Bertrand Read The Tip

Hi Elief, did you add RENAME as one of the DDL events, as I described toward the end of the article? Are you on 2008 or better? I don't know of a simple answer in 2005, maybe the default trace or a custom server-side trace...


Tuesday, March 11, 2014 - 12:45:15 PM - Forrest Read The Tip

I have been using this code on many systems (2008R2) from all types of applications. I've had two issues...I commented one above about using select top 1 client_net_address because some apps have multiples during installs and it bombs. The other issue is that bigfix runs its installer in snapshot isolation. You may want to run the following to allow triggered events from such cases to write to the table without error.

 

ALTER DATABASE <yourloggingdb>

SET ALLOW_SNAPSHOT_ISOLATION ON

GO


Thursday, April 03, 2014 - 6:05:14 AM - Danny Read The Tip

Hello,

is there any solution for DML instead of DDL?


Thursday, April 03, 2014 - 10:38:25 AM - Aaron Bertrand Read The Tip

Danny,

Are you asking if there is a generic way to write a trigger that will capture all DML activity regardless of table? No, there is nothing native that you could just turn on and call it a day.

You could add a trigger to every table you create, of course (it could even largely be handled automatically by a DDL trigger that responds to CREATE_TABLE events, but you'd have to have something watch for ALTERs as they could break the trigger code that gets generated). Or you could use features like Change Tracking, Change Data Capture, or Audit. You could even set up an Extended Events session or server-side trace to capture all DML statements, and mine that data, but that could be quite invasive.


Thursday, August 14, 2014 - 6:00:11 AM - Klaas Read The Tip

Hi Aaron

 

I 've been using such a trigger for a while, but I thought it would be nice to add the IP as you do, so I pasted that part in my trigger definition. Last night some jobs failed. Since the error said 'user does not have permission...' I checked if guest had insert permission in the audit table and since it did, I tried different ways to grant necessary rights, but any alter statement kept failing.

Now I found that the error was caused by the sys.dm_exec_connections DMV. So, a user who executes a DDL statement needs the VIEW SERVER STATE permission. I think that is a very important consequence. Do you advise to grant this to everyone, maintain a list of all users who need this or do you have another strategy to prevent this trigger from breaking the system?


Thursday, August 14, 2014 - 10:10:29 AM - Aaron Bertrand Read The Tip

@Klaas no, you don't need to grant everyone VIEW SERVER STATE. You can:

  1. Create a login with VIEW SERVER STATE
  2. Create a database user associated with that login in (a) all of the databases where your DDL trigger exists and (b) all of the databases where the DDL trigger(s) write to
  3. Grant the database user insert on the logging table
  4. Change the DDL trigger to EXECUTE AS 'database_user'

Wednesday, August 20, 2014 - 9:36:40 AM - Klaas Read The Tip

That doesn't seem to work:

'The user does not have permission to perform this action.'

 

Probably because "A context switch to a database user does not inherit the server-level permissions of that user" ?

http://technet.microsoft.com/en-us/library/ms181362(v=sql.105).aspx

 

 


Wednesday, August 20, 2014 - 9:53:11 AM - Klaas Read The Tip

I think I found it:

 

I first tried:

create trigger [DDLEventsToTable]

on database

WITH EXECUTE AS 'MyDomain\Myuser'

for ddl_database_level_events

as

begin

SET NOCOUNT ON;

DECLARE @auditdata XML,...

 

but it should be:

create trigger [DDLEventsToTable]

on database for ddl_database_level_events

as

begin

SET NOCOUNT ON;

EXECUTE AS LOGIN = 'MyDomain\Myuser'

DECLARE @auditdata XML,...


Wednesday, August 20, 2014 - 11:03:11 AM - Klaas Read The Tip

And still only privileged users could execute DDL.

After:

GRANT IMPERSONATE ON LOGIN::[MyDomain\MyUser] TO [PUBLIC]

it also worked for the service-account that executed partition switch.

Now I wonder if after all that trouble I'm actually safer than granting View Server State to everyone?



Post a Comment or Question

Keep it clean and stay on the subject or we may delete your comment.
Your email address is not published. Required fields are marked with an asterisk (*)

*Name   *Email Notify for updates



Comments
Get free SQL tips:

*Enter Code refresh code


 
Sponsor Information







Copyright (c) 2006-2014 Edgewood Solutions, LLC All rights reserved
privacy | disclaimer | copyright | advertise | about
authors | contribute | feedback | giveaways | free t-shirt | user groups | community | events | first timer?
Some names and products listed are the registered trademarks of their respective owners.