Anyway to create a SQL Server DDL trigger for “SELECT” statements?

Front-end · Unresolved · 6 · 1090
太阳男子 2020-12-03 18:34

I am dealing with some sensitive Accounting tables and I would like to audit any SELECT statement executed on the table or any views associated with them.

6 answers
  • 2020-12-03 18:57
    CREATE PROCEDURE sp_Product_Select @User_Name VarChar(128), @ID Int AS
    INSERT INTO My_Trace_Table (Table_Name, User_Name, Table_ID, Select_DateTime)
    VALUES ('Products', @User_Name, @ID, GetDate())
    
    SELECT *
    FROM Products
    WHERE ID = @ID
    RETURN
    GO
    
  • 2020-12-03 19:01

    Edit: Viewing and Analyzing Traces with SQL Server Profiler

  • 2020-12-03 19:03
    -- In the master database create a server audit
    USE master
    GO
    CREATE SERVER AUDIT [Audit_Select_HumanResources_Employee]
    TO FILE
    (     FILEPATH = N'C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Backup'
          ,MAXSIZE = 0 MB
          ,MAX_ROLLOVER_FILES = 2147483647
          ,RESERVE_DISK_SPACE = OFF)
    WITH
    (QUEUE_DELAY = 1000)
    
    -- The audit is created disabled; switch it on once it exists
    ALTER SERVER AUDIT Audit_Select_HumanResources_Employee 
    WITH (STATE = ON) ;
    GO
    -- In the database to monitor create a database audit specification
    USE [AdventureWorks2012]
    GO
    
    CREATE DATABASE AUDIT SPECIFICATION [Database-Audit]
    FOR SERVER AUDIT [Audit_Select_HumanResources_Employee]
    -- In this example, we are monitoring HumanResources.Employee.
    -- BY [dbo] records only the dbo principal; use BY [public] to record every user.
    ADD (SELECT ON OBJECT::[HumanResources].[Employee] BY [dbo])
    WITH (STATE = ON)
    
    -- Now you can see the activity in the audit file created.
    -- SQL Server appends a unique suffix to the file name, so match it with a wildcard.
    SELECT * FROM sys.fn_get_audit_file ('c:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\Backup\Audit_Select_HumanResources_Employee*.sqlaudit',default,default);
    GO
    

    I just added some code for you. The code creates a server audit, a database audit for select activities and finally the sys.fn_get_audit_file is used to retrieve the information from the file. You have to do that individually for each table. If you want a more automated query, you can use other tools like Apex SQL Audit or other third party tool of your preference.

  • 2020-12-03 19:04

    SQL Server 2008 Auditing may be able to capture it. Other than that, Profiler/Tracing is the only thing in SQL Server that can do it.

  • 2020-12-03 19:05

    Yes, it is possible by creating an Event Notification on the AUDIT_DATABASE_OBJECT_ACCESS_EVENT event. The cost of doing something like this would be overwhelming, though.

    It is much better to use the audit infrastructure, or a custom access wrapper as gbn recommends.

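What the event-notification route looks like in practice, as an added example that is not part of the answer above. The queue, service and table names, the AuditDB database that hosts the queue, and the watched object AccountingDB / dbo.GeneralLedger are all hypothetical. The notification is server-scoped, so it fires for every object access on the instance and the consumer has to throw most messages away, which is the cost the answer refers to.

```sql
-- Added example: Event Notification on AUDIT_DATABASE_OBJECT_ACCESS_EVENT,
-- consumed from a Service Broker queue. All names below are hypothetical.

-- 1. The database that receives the notifications needs Service Broker.
ALTER DATABASE AuditDB SET ENABLE_BROKER;
GO
USE AuditDB;
GO

-- 2. Queue and service bound to the built-in event-notification contract.
CREATE QUEUE dbo.ObjectAccessQueue;
GO
CREATE SERVICE ObjectAccessService
    ON QUEUE dbo.ObjectAccessQueue
    ([http://schemas.microsoft.com/SQL/Notifications/PostEventNotification]);
GO

-- 3. Server-scoped notification: one message for every object access on the instance.
CREATE EVENT NOTIFICATION ObjectAccessNotification
    ON SERVER
    FOR AUDIT_DATABASE_OBJECT_ACCESS_EVENT
    TO SERVICE 'ObjectAccessService', 'current database';
GO

-- 4. Only accesses to the watched object are kept here.
CREATE TABLE dbo.SensitiveObjectAccess
(
    AccessID     bigint IDENTITY(1,1) PRIMARY KEY,
    PostTime     datetime2(3)  NOT NULL,
    LoginName    nvarchar(128) NULL,
    HostName     nvarchar(128) NULL,   -- client supplied, informational only
    AppName      nvarchar(128) NULL,   -- client supplied, informational only
    DatabaseName nvarchar(128) NULL,
    ObjectName   nvarchar(128) NULL,
    TextData     nvarchar(max) NULL    -- the statement that touched the object
);
GO

-- 5. Drain the queue, keep hits on the watched object, discard everything else.
--    Run it on a schedule, or attach it to the queue as an activation procedure.
CREATE PROCEDURE dbo.ProcessObjectAccessQueue
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @body XML, @type sysname;

    WHILE 1 = 1
    BEGIN
        WAITFOR (
            RECEIVE TOP (1)
                @body = CAST(message_body AS XML),
                @type = message_type_name
            FROM dbo.ObjectAccessQueue
        ), TIMEOUT 1000;            -- stop once the queue has been empty for a second

        IF @@ROWCOUNT = 0 BREAK;

        -- Skip broker housekeeping messages (EndDialog, Error); keep only the watched object.
        IF @type = N'http://schemas.microsoft.com/SQL/Notifications/EventNotification'
           AND @body.value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)') = N'AccountingDB'
           AND @body.value('(/EVENT_INSTANCE/ObjectName)[1]',   'nvarchar(128)') = N'GeneralLedger'
        BEGIN
            INSERT INTO dbo.SensitiveObjectAccess
                (PostTime, LoginName, HostName, AppName, DatabaseName, ObjectName, TextData)
            VALUES
                (@body.value('(/EVENT_INSTANCE/PostTime)[1]',        'datetime2(3)'),
                 @body.value('(/EVENT_INSTANCE/LoginName)[1]',       'nvarchar(128)'),
                 @body.value('(/EVENT_INSTANCE/HostName)[1]',        'nvarchar(128)'),
                 @body.value('(/EVENT_INSTANCE/ApplicationName)[1]', 'nvarchar(128)'),
                 @body.value('(/EVENT_INSTANCE/DatabaseName)[1]',    'nvarchar(128)'),
                 @body.value('(/EVENT_INSTANCE/ObjectName)[1]',      'nvarchar(128)'),
                 @body.value('(/EVENT_INSTANCE/TextData)[1]',        'nvarchar(max)'));
        END
    END
END
GO
```

To cover the views the question mentions as well, add their names to the ObjectName filter; access through a view reports the view, not the base table. HostName and ApplicationName come from the client's connection string, so treat them as context rather than evidence.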
  • 2020-12-03 19:06

    You have 3 options:

    • allow access via stored procedures if you want to log (and remove table rights)
    • hide the table behind a view if you want to restrict and keep "direct" access
    • run a permanent trace

    I'd go for options 1 or 2 because they are part of your application and self-contained.

    Although, this does sound a bit late to start logging: access to the table should have been restricted up front.

    Also, any solution fails if end users do not connect directly (e.g. via a web server or service account). Unless you use stored procs to send in the end user name...

    View example:

    CREATE VIEW dbo.MyTableMask
    AS
    SELECT t.*
    FROM
        MyTable AS t
        CROSS JOIN
        -- yields one row when the caller is listed, none otherwise,
        -- so unlisted logins get an empty result
        (SELECT DISTINCT 1 AS Allowed FROM SecurityList WHERE name = SUSER_SNAME()) AS s
    -- WHERE EXISTS / NOT EXISTS against SecurityList would work too
    GO
    
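Option 1 carried through end to end, as an added example that is not the answer's own code: a logging stored procedure becomes the only route to the table, direct table rights are removed, and the end user name is passed in by the application tier as the last paragraph suggests. The tables dbo.GeneralLedger and dbo.GeneralLedgerAccessLog, the procedure and the AppUser database user are hypothetical names.

```sql
-- Added example: logging stored procedure as the sole access path to a sensitive table.
-- All object names are hypothetical.

CREATE TABLE dbo.GeneralLedger
(
    EntryID   int IDENTITY(1,1) PRIMARY KEY,
    AccountID int           NOT NULL,
    PostedAt  datetime2(0)  NOT NULL,
    Amount    decimal(19,4) NOT NULL,
    Memo      nvarchar(200) NULL
);
GO

CREATE TABLE dbo.GeneralLedgerAccessLog
(
    LogID       bigint IDENTITY(1,1) PRIMARY KEY,
    AccessedAt  datetime2(3)  NOT NULL CONSTRAINT DF_GLAccessLog_At DEFAULT SYSUTCDATETIME(),
    LoginName   sysname       NOT NULL,  -- login that actually connected
    EndUserName nvarchar(128) NULL,      -- application end user, supplied by the caller
    HostName    nvarchar(128) NULL,      -- client supplied, informational only
    AppName     nvarchar(128) NULL,      -- client supplied, informational only
    AccountID   int           NOT NULL   -- what was asked for
);
GO

CREATE PROCEDURE dbo.GeneralLedger_Select
    @AccountID   int,
    @EndUserName nvarchar(128) = NULL    -- web/service tier passes the user it authenticated
AS
BEGIN
    SET NOCOUNT ON;

    -- Log before reading. ORIGINAL_LOGIN() survives EXECUTE AS impersonation,
    -- SUSER_SNAME() reports the impersonated name instead.
    INSERT INTO dbo.GeneralLedgerAccessLog (LoginName, EndUserName, HostName, AppName, AccountID)
    VALUES (ORIGINAL_LOGIN(), @EndUserName, HOST_NAME(), APP_NAME(), @AccountID);

    SELECT EntryID, AccountID, PostedAt, Amount, Memo
    FROM dbo.GeneralLedger
    WHERE AccountID = @AccountID;
END
GO

-- Remove direct table rights. Procedure and table share an owner (dbo), so ownership
-- chaining lets the procedure read the table without evaluating the caller's table
-- permissions; the DENY blocks direct SELECT even when a role grants it.
DENY  SELECT  ON dbo.GeneralLedger        TO AppUser;
GRANT EXECUTE ON dbo.GeneralLedger_Select TO AppUser;
GO

-- How the application tier calls it, forwarding the end user it authenticated:
EXEC dbo.GeneralLedger_Select @AccountID = 4010, @EndUserName = N'alice@example.com';
GO
```

The @EndUserName value is whatever the application chooses to send, so its trustworthiness is that of the application tier; the connected login recorded by ORIGINAL_LOGIN() is the part the database can vouch for.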