I need a way to audit when someone attempts to either ENABLE or DISABLE a trigger in our database. The DDL trigger alternative works great but only under the condition for when the user uses
ALTER TABLE <tableName> ENABLE TRIGGER <triggerName>
OR
ALTER TABLE <tableName> DISABLE TRIGGER <triggerName>
statement. From what I have determined, the DDL method renders useless if the user executes the following statements that bypass the ALTER command:
DISABLE TRIGGER <triggerName> ON <tableName>
ENABLE TRIGGER <triggerName> ON <tableName>
I have had several thoughts on capturing these events none of them work. One of which was if I could access the table underlying the sys.triggers view, I could place an insert/update trigger on that table and filter on the trigger name to acquire the audit; but my suspicion is that it would likely lead to an infinite recursion even if it were possible to do.
Does anyone here have any possible suggestions for alternative solutions to this problem? I don't understand why MS would allow enhanced versions of statements to escape the scope of audits. That is, auditing from the most simplest methods; using SQL profiler seems to be unneccesary overhead for this.
To view database level triggers, Login to the server using SQL Server management studio and navigate to the database. Expand the database and navigate to Programmability -> Database Triggers. To view triggers at the server level, Login to Server using SSMS and navigate to Server Objects and then Triggers folder.
Database administrators can employ various techniques to audit the use of SQL Server databases for security and regulatory compliance purposes. One of the most common methods is creating SQL Server audit triggers to automatically capture information about transactions and changes to database tables.
Disabling a trigger does not drop it. The trigger still exists as an object in the current database. However, the trigger will not fire when any INSERT, UPDATE, or DELETE statement on which it was programmed is executed. Triggers that are disabled can be reenabled.
I would first address this through permissions. No one except a few dbas should have alter table permissions on prod and thus cannot use enable or disable trigger. If an application is using it, that should stop it. There is no excuse for any user to need to alter tables. If you want to do that, you probaly have a design flaw. If you have people actualy disabling triggers, you definitely have a design flaw. Any code with disable trigger in it should be a huge red flag during a code review. It should be unacceptable to disable a trigger in application code. This is something that should only be done by dbas who have the experience to know when to do it. If you are writing application code and seem to need to disable a trigger to get your code to work, then your code is incorrect or the trigger needs to be rewritten, disabling triggers should only happen in the rarest of cases.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With