Re: Auditing changes...By developers
- From: K. Brian Kelley <brian_kelley@xxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 20 Mar 2007 00:59:32 +0000 (UTC)
A couple of questions come to mind:
1) Do the developers need the ability to modify the data outside the application?
2) If so, how are they logging in? Do they know the single username/password the application is using?
As Sue posted, a server side trace will show when data is being modified because you can capture the statements. However, getting past the non-repudiation hurdle (being able to deny you did it) is hard to do unless they are logging in with an account whose password only they know and they aren't using shared accounts of any sort.
K. Brian Kelley, brian underscore kelley at sqlpass dot org
http://www.truthsolutions.com/
> What is the best way to go to track changes by developers that are
> privy to db usernames and passwords?
> Not all application users have domain accounts, so we can't use
> trusted connections. Instead, we have a single username that the
> application (we only have one) uses to perform its work.
> We have auditing at the internal application level...Now we need a way
> to determine if any of the four developers are possibly manipulating
> data.
> I briefly looked at application roles, but considering that you can
> run sp_setapprole from the QA, that doesn't seem worthwhile.
> How is everyone else doing it? Our auditors assure us it is being
> done...
> Don't you love SOX?
> Thanks!
> Joseph
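
An added example, not part of the thread: Python that reviews rows exported from a server-side trace such as the one discussed above, listing data-modifying statements and how far each can be attributed when the application and the developers share one login. The login `app_user`, host `APPSRV01`, application name `OrderApp` and the sample rows are constructed assumptions; the column names follow SQL Trace.

```python
import csv
import io
import re

SHARED_LOGIN = "app_user"                  # assumed name of the single application login
APP_ORIGINS = {("APPSRV01", "OrderApp")}   # assumed (HostName, ApplicationName) of the real app

# Constructed sample rows, shaped like a trace exported to CSV
# (columns: StartTime, LoginName, HostName, ApplicationName, TextData).
SAMPLE_TRACE = r"""StartTime,LoginName,HostName,ApplicationName,TextData
2007-03-19 09:14:02,app_user,APPSRV01,OrderApp,"UPDATE dbo.Orders SET Status = 2 WHERE OrderID = 1041"
2007-03-19 09:15:40,app_user,DEVPC07,SQL Query Analyzer,"/* fix */ UPDATE dbo.Orders SET Total = 0 WHERE OrderID = 1041"
2007-03-19 09:16:11,app_user,DEVPC07,SQL Query Analyzer,"SELECT * FROM dbo.Orders"
2007-03-19 09:20:55,CORP\jdoe,DEVPC03,SQL Query Analyzer,"DELETE FROM dbo.Orders WHERE OrderID = 1042"
"""

LEADING_COMMENTS = re.compile(r"^(\s*(--[^\n]*\n|/\*.*?\*/))*\s*", re.S)
DML = re.compile(r"(INSERT|UPDATE|DELETE|TRUNCATE)\b", re.I)

def is_dml(text):
    """True when the statement, after any leading comments, starts with a data-modifying verb."""
    body = LEADING_COMMENTS.sub("", text, count=1)
    return DML.match(body) is not None

def classify(row):
    """Say how far a data-modifying statement can be attributed."""
    if row["LoginName"] != SHARED_LOGIN:
        return "individual login"          # tied to one account holder
    if (row["HostName"], row["ApplicationName"]) in APP_ORIGINS:
        return "shared login, app origin"  # both fields are client-supplied: a hint, not proof
    return "shared login, outside app"     # flag: narrows to a workstation, not a person

def review(trace_csv):
    """Return (StartTime, LoginName, HostName, verdict) for each data-modifying statement."""
    findings = []
    for row in csv.DictReader(io.StringIO(trace_csv)):
        if is_dml(row["TextData"]):
            findings.append((row["StartTime"], row["LoginName"], row["HostName"], classify(row)))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_TRACE):
        print(*finding, sep=" | ")
```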