Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

SQL Server Profiler - watch for permission denied on objects?

Tags:

sql-server

permissions

sql-server-profiler

I'm using SQL Profiler to watch some database activity, and I'm interested in watching "Permission Denied" for various objects in the database. There are about 50 different items in the "Security Audit" category, but none that seem to display "Permission denied" for an object. I can see Login Failed, and a few other failures, but nothing on the object level.

Example: A user has permission to a database, but not on a particular table. When they attempt to select from that table, they'll receive an error - can I have profiler watch for these errors?

like image 439
SqlRyan Avatar asked Jun 26 '09 15:06

SqlRyan

People also ask

What permissions are needed for SQL Profiler?

By default, running SQL Server Profiler requires the same user permissions as the Transact-SQL stored procedures that are used to create traces. To run SQL Server Profiler, users must be granted the ALTER TRACE permission.

How do I give permission to SQL Profiler?

Launch SQL Server Management Studio then connect to the server where the user wants to run SQL Server Profiler. Expand the "Security" folder then the "Login" folder and choose the login for which we will give permission to run Profiler.

What is Alter trace?

Use the MQSC command ALTER TRACE to change the trace events being traced for a particular active queue manager trace. ALTER TRACE stops the specified trace, and restarts it with the altered parameters.

Is SQL Server Profiler deprecated?

SQL Server Profiler is an interface to create and manage traces and analyze and replay trace results. Events are saved in a trace file that can later be analyzed or used to replay a specific series of steps when diagnosing a problem. SQL Trace and SQL Server Profiler are deprecated.

2 Answers

You want to capture the "User Error Message" event in the "Errors and Warnings" section. You can filter the Error column as you see fit. Error 229 is permission denied

like image 195
Mike Forman Avatar answered Oct 28 '22 09:10

Mike Forman

This might achieve the same:

Back in SQL 2000, you could modify error message 229 so "permission denied" is written to the SQL error log.

EXEC dbo.sp_altermessage 229, 'WITH_LOG', 'true'

I don't know if/how this works for SQL 2005+ probably not, says Connect but maybe we can now says Tibor Karaszi. I can't test myself, sorry.

Edit: This has the advantage that you don't need profiler or a tracer running...

like image 24
gbn Avatar answered Oct 28 '22 09:10

gbn
Sign in to Comment

Related questions

Running count for each 2 rows
How do I add a constant column value during data transfer from CSV to SQL?
Analysis Services Only Windows Authentication
How can I update my SQL Server database schema?
How Can I Sort A 'Version Number' Column Generically Using a SQL Server Query
How to store both IPv4 or IPv6 in single column in SQL Server?
Migrating from Postgres to SQL Server 2008
SQL Server 2005 Order BY with an expression
Can code-first Entity Framework do cross database queries with SQL Server DBs on the same box?
What .NET StringComparer is equivalent SQL's Latin1_General_CI_AS
Change Primary Key to Composite Key (Primary Key already exists)
substring of variable length
Delete Query by joining multiple columns
Get the Identity of Last Updated Row in SQL Server
Why are table valued parameters to SQL Server stored procedures required to be input READONLY?
CROSS JOIN with one empty table sql server
Can't connect to SQL Server 2014 Express
Why is query NOT using my index?
ASP.NET Core 3.0 - Can't Update-Database
How to find out which Service Pack is installed on SQL Server?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!