Site sponsored by: Idera The gold standard of SQL Server performance monitoring & diagnostics.
SQL Server Performance

  • Home
  • Articles
  • Forums
  • Tips
  • Quiz
  • FAQ's
  • Blogs
  • Software
  • Books
  • About Us
RSS Feeds
Sign in | Join


Article Topics

All Articles
Performance Tuning
Audit
Business Intelligence
Clustering
Reporting Services
Developer
General DBA
ASP.NET / ADO.NET

Write for Us

Share your SQL Server knowledge with others and raise your profile in the community More...
Latest Articles

Recover Data Using Database Snapshots
Analyze and Fix Index Fragmentation in SQL Server 2008
Powerful Geographical Visualisations made easy with SQL 2008 Spatial (Part 2) ...
Backup User Databases Using a Maintenance Plan

More     
 
Latest FAQ's

How to alter a User Defined Data Type?
How to unzip a File in SSIS?
How to view previous query plans?
ALTER TABLE SWITCH statement failed because the object '%.*ls' is not ...

More     
   
Latest Software Reviews

Spotlight on ApexSQL Doc 2008
ApexSQL Enforce
Embarcadero Change Manager
SQL Server DBA Dashboard

More     
articles >> audit >> Automate Audit Requests

Automate Audit Requests

By : TJay Belt
May 26, 2008

Page 2 / 2


Tables
DatabaseRolesConfig
This table will contain a ServerName and an Enabled flag.  This allows us to setup multiple servers to be monitored, and enable and disable them at whim.  The fields for this table are as follows:
  ServerName sysname not null, 
  Enabled bit not null default 0

DatabaseRolesStaging
This table will allow us to store data we have pulled down from all the remote servers.  Once staged, we can query it and process it to our desires.  The fields in this table are as follows:
   Type sysname null default '', 
  ServerName sysname null default '',
  DBName sysname null default '',
  LoginName sysname null default '',
  UserName sysname null default '',
  db_owner varchar(3) null default '',
  db_accessadmin varchar(3) null default '',
  db_securityadmin varchar(3) null default '',
  db_ddladmin varchar(3) null default '',
  db_datareader varchar(3) null default '',
  db_datawriter varchar(3) null default '',
  db_denydatareader varchar(3) null default '',
  db_denydatawriter varchar(3) null default '',
  denylogin int null default '',
  hasaccess int null default '',
  isntname int null default '',
  isntgroup int null default '',
  isntuser int null default '',
  sysadmin int null default '',
  securityadmin int null default '',
  serveradmin int null default '',
  setupadmin int null default '',
  processadmin int null default '',
  diskadmin int null default '',
  dbcreator int null default '',
  bulkadmin int null default ''
All the fields accept a default of blank, for reporting purposes.  Not all fields for every row will have a value.  This eliminates the display of null values in the report.  This is just a simple step I chose to make life easy. 

DatabaseRolesHistory
This table is identical to the staging table, and will hold the processed data from the last execution for comparison to the next execution. 

DatabaseRolesArchive
This table is identical to the staging table, except that it has an added Identity field for uniqueness, and a [Date] field that will contain the date of the archived data.  This will be a holding area for all the data processes and displayed from past executinos.  The extra fields are as follows:
  ID integer not NULL IDENTITY(1,1),
  [Date] datetime not null default getdate(),

DatabaseRolesDisplay
This table is similar to the above two tables.  We’ve added an Identity field for uniqueness.  A Version field to keep track of the previous version (Type).  This will be the table that contains the processed data, grouped by type, and cleaned up.  We will report from this table, as it will have the result set of data after processing.  The fields of this table are as follows:
  ID integer not NULL IDENTITY(1,1),
  Version VARCHAR(8) not null,

Stored Procedures
sp_GetDBRoles
Thie procedure be passed a ServerName, DatabaseName and a UserName.  The last two params were never implemented.  But the ServerName determines which server we will be pulling data from.  We use dynamic sql to pull information from the syslogins from the remote server, and then store it in the DatabaseRolesStaging table, with a ServerName and Type included.

Then we create a cursor that will cycle thru each database in sysdatabases, except a few. 
Inside the cursor, we will dynamically call sql that pulls more data from sysmembers, sysusers and syslogins, retrieving those users that have roles set. This data is also stored in the staging table also.

We will next use dynamic sql to pull more data from sysusers and syslogins, retrieving those users that do not have roles set. This data is also stored in the staging table.

sp_GetAllDBRoles
This will cycle thru the config table DatabaseRolesConfig and call the sp_GetDBRoles proc for each server that is enabled to be processed.

sp_ProduceDatabaseRolesResults
Since we have previously gathered records into the DatabaseRolesStaging table, we can now compare these results to some other tables of historical data.  We have a history table called DatabaseRolesHistory that contains the last set of data we gathered about Users. 

 

 

  1. We select the new values, and insert them into a memory table @DatabaseRolesStaging with a flag indicating they are ‘new’.

 

 

  1. We select the old values that have changed, and insert them into the table @DatabaseRolesStaging with a flag indicating they are ‘old’.
  2. We update the ‘new’ values that have changed.  We determine this if there is a new record, and an old with some of the same values (Servername, DBName, UserName and LoginName).  These are updated in the table @DatabaseRolesStaging with a flag indicating they are ‘changed’.
  3. We find the records that were removed from the DatabaseRolesHistory table, compared to the DatabaseRolesStaging table.  These records are inserted into the table @DatabaseRolesStaging with a flag indicating they are ‘removed’.
  4. Records that were simply altered are removed from the memory table @DatabaseRolesStaging.

 

This resulting data is now labled and ready to display to the requestor.  We process the data from the @DatabaseRolesStaging table, and order it with ‘Old’ and ‘Changed’ being first, then the ‘Removed’ records, followed by the ‘New’ records.  This just helps in the viewing of the data, with the important ones being first, and so on.  This resulting data is dumped into a real table called DatabaseRolesDisplay, and will live there until the next execution of this process.  This allows me to reselect from this data when needed between executions.  I used to have this simply returned once as part of the proc call, but would tend to need to look at the data subsequently; this solves that need.

sp_ProcessDatabaseRoles
This stored procedure takes a ServerName as a parameter.  If you use this option, it will call the procedure sp_GetDBRoles for just that ServerName.  If you leave the ServerName blank, then it will call sp_GetAllDBRoles and process all enabled ServerNames from the config table.  This proc will then get the user data into the staging table as described above.  It will then call the sp_ProduceDatabaseRolesResults procedure, which will process the data in the staging table, comparing it to the historical data.  Then the data in the history table will be pumped into the Archive table.  The history table will be truncated.  The current staging data will be pumped into the history table, and there await the next execution.  This is the Gem of the sytem, taking all other parts into account, and doing it all for you.  This can be called singly when the Auditor requests it.  Or you can schedule it to run as a job, and simply query the resulting data in the DatabaseRolesDisplay table.  There are many options you now have to follow, depending on your own needs.

This system will allow you to gather user information, stage it, and store it historically.  Allowing you the chance to see back into the past at a snapshot of what once was.  No more will you be stymied by auditors or others with the questions of what users do we have in the system, and how do they compare to a year ago.  You have the data, you are empowered, you are the DBA in control and informed. 

I hope that this system will help you gather the needed data and have it onhand to help out with your user reviews.

Download Article Code


<< Prev Page         







Home | Peformance Articles | Audit Articles | Business Intelligence Articles | Clustering Articles | Developer Articles | Reporting Services Articles | DBA Articles | ASP.NET / ADO.NET Articles | DBA FAQ's | Developer Peformance FAQ's | DBA Peformance FAQ's | Developer FAQ's | Clustering FAQ's | Error Messages | Audit Tool Reviews | Backup Tool Reviews | Coding Tool Reviews | Compare Tool Reviews | Documentation Tool Reviews | Design Tool Reviews | Monitoring Tool Reviews | Log Tool Reviews | Reporting Tool Reviews | Clustering Tool Reviews | Security Tool Reviews | Change Management Tool Reviews | Remote Access Tool Reviews | Book Reviews | Security Tool Reviews | QDPMA Performance Tuning | ADO.NET / ASP.NET | Administration | Analysis/OLAP Services | Application Development | Configuration | Components | ETL | Hardware | High Availability | Hints | Index | Misc | Operating Systems | Performance Tuning | Replication | T-SQL | Views


              © 1999-2008 by T10 Media. All rights reserved