:::: MENU ::::

Posts Categorized / Triggers

  • Jun 26 / 2009
  • 0
dbDigger, Security and Permissions, T-SQL Scripts, T-SQL Tips and Tricks, Triggers

How to disable or enable SQL Server logon trigger

In my previous post we discussed process to implement logon trigger for different purposes. Later some time it may be required to skip the customizations implemented through logon trigger. So for this you may disable the logon trigger rather than to drop it.
If we want to disable the trigger [RestrictSSMSLogIn] that we created during previous post, following is T-SQL command to disable the logon trigger


You may use following T-SQL command to enable the logon trigger later at any time

  • Jun 25 / 2009
  • 0
dbDigger, Logins and Users, Logon Triggers, Security and Permissions, T-SQL Scripts, T-SQL Tips and Tricks, Triggers

Restrict SQL Server login to connect from out side the application through logon trigger

There is a situation that I have a SQL Server login with rich rights in some of databases. It is used for connection through a .Net application. It is not assigned to any one for use in SSMS etc. I want to make sure that this login would not be used for connection to SQL Server out side the application. While looking at various possible options i ca,e to know LogOn triggers in SQL Server.
Logon triggers in SQL Server are used to carry out logon related customization and tasks. From onwards to SQL Server 2005 SP2, we can create logon triggers that are meant to be fired every time when a session is established to SQL Server. If a login is not successfully authenticated then logon trigger is not fired in that case.
Consider following example to implement the above requirement. We will restrict the user AppUser to connect to SQL Server through .Net application only.

 (SELECT TOP 1 Program_Name  
 FROM sys.dm_exec_sessions  
 WHERE is_user_process = 1  
 AND original_login_name = 'AppUser'  
 Order By Session_Id Desc)  
 <>'.Net SqlClient Data Provider'  

Trigger has been created and user ‘AppUser’ is no more able to connect to SQL Server through any means other than .Net application.
Logic implemented in if block may be modified to implement a large number of other customizations that are required.
Logon triggers are created in master database. And may be viewed in SSMS in server objects folder.

LogOn Trigger in SSMS

While trying to log in SSMS through logon trigger following message is generated, showing that created logion trigger is working fine.

LogOn Restricted through LogOn trigger

It is important to mention that be attentive while working with logon trigger, some wrong or missing conditions may block all SQL Server logins to log in to SQL Server. Best solution is that be logged in through any user in SSMS while testing logon trigger. If any problem occurs due to trigger you can use already logged in user to manage the situation.
Even if you do not have a log in connected and a problem occurs due to logon trigger then work according to this article.
Click here
to get T-SQL commands to enable or disable the SQL Server logon trigger

  • Jul 02 / 2008
  • 0
dbDigger, DDL, Triggers

DDL triggers

DDL triggers were introduced in SQL Server 2005. They execute T-SQL code when the structure of the table changes. The syntax is similar to that of DML triggers. DDL triggers are AFTER triggers that fire in response to DDL language events; they do not fire in response to system-stored procedures that perform DDL-like operations. They are fully transactional, and can be rolled back. You can run either Transact-SQL or CLR code in a DDL trigger. DDL triggers also support the EXECUTE AS clause similar to other modules.

SQL Server provides the information about the trigger event as untyped XML. It is available through a new, XML-emitting built-in function called EVENTDATA(). You can use XQuery expressions to parse the EVENTDATA() XML in order to discover event attributes like schema name, target object name, user name, as well as the entire Transact-SQL DDL statement that caused the trigger to fire in the first place. For examples, see EVENTDATA (Transact-SQL) in SQL Server Books Online.

Database-level DDL triggers fire on DDL language events at the database level and below. Examples are CREATE_TABLE, ALTER_USER, and so on. Server-level DDL triggers fire on DDL language events at the server level, for example CREATE_DATABASE, ALTER_LOGIN, etc. As an administrative convenience, you can use event groups like DDL_TABLE_EVENTS as shorthand to refer to all CREATE_TABLE, ALTER_TABLE, and DROP_TABLE events. The various DDL event groups and event types, and their associated XML EVENTDATA(), are documented in SQL Server Books Online.

Unlike DML trigger names, which are schema-scoped, DDL trigger names are database scoped or server-scoped.

Use this new catalog view to discover trigger metadata for DML triggers and database-level DDL triggers:

SELECT * FROM sys.triggers ;

If the parent_class_desc column has a value of ‘DATABASE’ then it is a DDL trigger and the name is scoped by the database itself. The body of a Transact-SQL trigger is found in the sys.sql_modules catalog view, and you can JOIN it to sys.triggers on the object_id column. The metadata about a CLR trigger is found in the sys.assembly_modules catalog view, and again, you can JOIN to sys.triggers on the object_id column.

Use this catalog view to discover metadata for server-scoped DDL triggers:

SELECT * FROM sys.server_triggers ;

The body of a Transact-SQL server-level trigger is found in the sys.server_sql_modules catalog view, and you can JOIN it to sys.server_triggers on the object_id column. The metadata about a CLR server-level trigger is found in the sys.server_assembly_modules catalog view, and again, you can JOIN to sys.server_triggers on the object_id column.

You can use DDL triggers to capture and audit DDL activity in a database. Create an audit table with an untyped XML column. Create an EXECUTE AS SELF DDL trigger for the DDL events or event groups you are interested in. The body of the DDL trigger can simply INSERT the EVENTDATA() XML into the audit table.

Another interesting use of DDL triggers is to fire on the CREATE_USER event and then add code to automate permissions management. For example, suppose you want all database users to get a GRANT EXECUTE on procedures P1, P2, and P3. The DDL trigger can extract the user name from the EVENTDATA() XML, dynamically formulate a statement like ‘GRANT EXECUTE ON P1 TO someuser’, and then EXEC() it.

Consult us to explore the Databases. Contact us