Need to audit changes in permissions

  • My SOX requirements are that I need to monitor when any changes are made to user privileges - if someone is granted new access, etc. Ideally also when a new user is created.

    I have a trace running from SQL Profiler now but that is a pain because everytime the server is rebooted I have to stop the trace, save thefile and start a new trace.

    I have to monitor this on 6 different servers.

    Does anyone know of a better way to monitor this? Procedures or third part software?

     

    Thanks.

  • While I've never done this personally, it still may be a valid solution for you. Have you considered using server-side tracing, such as with sp_trace_create? Once that is created you could create a job that starts when SQL Agent starts (presumably on startup) that would run "sp_trace_status @traceid, 1" to start the trace. Hope that helps.

    Brian

  • We looked at doing a server side trace which worked. We decided for time and effort that it was better to purchased DB Audit. It does a server side trace but has a simple gui interface to view reports. Very easy to use

     

  • We did a server side trace as well. We use a SQL job with a DTS package to stop the traces, import the data to tables (for reporting purposes later) and then restart the traces every hour.

  • Rick,

    can you post more information on how you accomplished your tasks? code would be great!

    thanks

  • I have a similar situation.

    I plan to look into the "SQL Compliance Manager" product by Idera. I haven't evaluated it yet, other than reading their datasheet, so I can't offer an opinion about it one way or another.

    http://www.idera.com/Products/SQLcm/

    I currently use their SQLdm SQL Diagnostic software and have been pleased with it.  Like many of these types of products, they don't really tell you things you can't obtain otherwise, but they wrap them up into a convenient package that is easy to use.  So if you're not into "rolling your own" DB utilities and can spend some money it may be a reasonable solution.

  • Instead of using profiler trace, using event notification we can store records for required events in a table. Laster, using SSRS a report can be developed which displays changes done...

  • nitin.doshi (5/26/2009)


    Instead of using profiler trace, using event notification we can store records for required events in a table. Laster, using SSRS a report can be developed which displays changes done...

    I agree.

    Event Notifications would probably be the best option without using third-party tools but since this is posted in the SQL 2000 forum this would not be available.

    [font="Verdana"]Markus Bohse[/font]

  • HI Markus,

    I agree that for 2000 we need to do it by profiler or third party tool.

    For 2005, for events like security changes/schema changes I have tested using Notification. But could not find anything to audit changes like job creation/updation/deletion. Do U know how to monitor the same...

Viewing 9 posts - 1 through 8 (of 8 total)

You must be logged in to reply to this topic. Login to reply