I'm using SQL Profiler to watch some database activity, and I'm interested in watching "Permission Denied" for various objects in the database. There are about 50 different items in the "Security Audit" category, but none that seem to display "Permission denied" for an object. I can see Login Failed, and a few other failures, but nothing on the object level.
Example: A user has permission to a database, but not on a particular table. When they attempt to select from that table, they'll receive an error - can I have profiler watch for these errors?
By default, running SQL Server Profiler requires the same user permissions as the Transact-SQL stored procedures that are used to create traces. To run SQL Server Profiler, users must be granted the ALTER TRACE permission.
Launch SQL Server Management Studio then connect to the server where the user wants to run SQL Server Profiler. Expand the "Security" folder then the "Login" folder and choose the login for which we will give permission to run Profiler.
Use the MQSC command ALTER TRACE to change the trace events being traced for a particular active queue manager trace. ALTER TRACE stops the specified trace, and restarts it with the altered parameters.
SQL Server Profiler is an interface to create and manage traces and analyze and replay trace results. Events are saved in a trace file that can later be analyzed or used to replay a specific series of steps when diagnosing a problem. SQL Trace and SQL Server Profiler are deprecated.
You want to capture the "User Error Message" event in the "Errors and Warnings" section. You can filter the Error column as you see fit. Error 229 is permission denied
This might achieve the same:
Back in SQL 2000, you could modify error message 229 so "permission denied" is written to the SQL error log.
EXEC dbo.sp_altermessage 229, 'WITH_LOG', 'true'
I don't know if/how this works for SQL 2005+ probably not, says Connect but maybe we can now says Tibor Karaszi. I can't test myself, sorry.
Edit: This has the advantage that you don't need profiler or a tracer running...
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With