Re: AD groups and auditing
- From: Erland Sommarskog <esquel@xxxxxxxxxxxxx>
- Date: Thu, 11 Oct 2007 21:56:33 +0000 (UTC)
Russell Fields (russellfields@xxxxxxxxxx) writes:
> SQL Server 2005 has the ORIGINAL_LOGIN() function. So, in 2005 the
> EXECUTE AS should be manageable, provided that the original login is
> what a person actually wants to see. Have you tried using it yet? (I
> have not.)
Yes, I know about original_login().
One problem is that there may be code that uses SYSTEM_USER out of habit,
or because it was written for SQL 2000 originally.
Another is that original_login() may not give the user you are looking for.
Say that you authenticate the users in the middle tier. All connections to
SQL Server are made by a proxy user that impersonates the actual user
with the EXECUTE AS statement (or SETUSER). Then there is a stored procedure
with an EXECUTE AS clause. Now SYSTEM_USER will give the login of the
EXECUTE AS clause, and original_login() will give you the proxy login of the
application. The actual user is nowhere to be found. (There is still
SET CONTEXT_INFO and the context_info() function to save the show, but
that's certainly messier.)
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
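
The scenario described in the post above, written out as an added T-SQL example that is not part of the original message. All login, database and object names are constructed, and SQL authentication on a scratch instance is assumed. The procedure logs SYSTEM_USER, ORIGINAL_LOGIN() and the CONTEXT_INFO value side by side so the three can be compared in one audit row.

```sql
-- Setup, run as a sysadmin. Every login, database and object name is constructed.
USE master;
CREATE LOGIN AppProxy   WITH PASSWORD = 'Placeholder-Pw-1!';  -- middle-tier proxy login
CREATE LOGIN Alice      WITH PASSWORD = 'Placeholder-Pw-2!';  -- the actual end user
CREATE LOGIN AuditOwner WITH PASSWORD = 'Placeholder-Pw-3!';  -- login behind the procedure's EXECUTE AS
GRANT IMPERSONATE ON LOGIN::Alice TO AppProxy;                -- lets the proxy run EXECUTE AS LOGIN
CREATE DATABASE AuditDemo;
GO
USE AuditDemo;
CREATE USER AppProxy   FOR LOGIN AppProxy;
CREATE USER Alice      FOR LOGIN Alice;
CREATE USER AuditOwner FOR LOGIN AuditOwner;
CREATE TABLE dbo.AuditLog (
    logged_at           datetime     NOT NULL DEFAULT GETDATE(),
    seen_system_user    sysname      NOT NULL,
    seen_original_login sysname      NOT NULL,
    seen_context_user   varchar(128) NULL      -- NULL when no CONTEXT_INFO was set
);
GO
CREATE PROCEDURE dbo.WriteAudit
WITH EXECUTE AS 'AuditOwner'
AS
    INSERT dbo.AuditLog (seen_system_user, seen_original_login, seen_context_user)
    VALUES (SYSTEM_USER, ORIGINAL_LOGIN(),
            -- Strip NUL padding from the binary value; the binary collation
            -- makes REPLACE treat CHAR(0) as an ordinary character.
            REPLACE(CAST(CONTEXT_INFO() AS varchar(128))
                    COLLATE Latin1_General_BIN2, CHAR(0), ''));
GO
GRANT EXECUTE ON dbo.WriteAudit TO Alice;
GRANT SELECT  ON dbo.AuditLog   TO AppProxy;  -- only so the demo can read the row back
GO

-- Session, on a separate connection that the middle tier opened as AppProxy.
USE AuditDemo;
DECLARE @who varbinary(128);
SET @who = CAST('alice' AS varbinary(128));  -- user the middle tier authenticated
SET CONTEXT_INFO @who;                       -- session-wide, survives context switches
EXECUTE AS LOGIN = 'Alice';                  -- proxy impersonates the actual user
EXEC dbo.WriteAudit;                         -- module switches context again
REVERT;
SELECT seen_system_user, seen_original_login, seen_context_user
FROM dbo.AuditLog;
```

SET CONTEXT_INFO requires no permission, so any session can write any value there; the logged name is only as trustworthy as the code paths that can reach the database.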