Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Auditing web user operations 2

Status
Not open for further replies.
adam0101

adam0101

Programmer
Jun 25, 2002
1,952
US
My manager wants us to log any operation on any table in our database. The users have access to the database via a web application. The web application logs into the database with a hard coded username rather than the username of the user using the web application. What are some options for logging CRUD operations and tracing them back to a specific user?

Adam
 
Sort by date Sort by votes
This sounds like a web development design issue to me.

You could always write triggers for every data table, but the trick is, how does the database know the user? If the web application doesn't know the user, then the database won't, either.

Try turning on integrated authentication on your database. Or requiring username and password. Some how, some way, the web site has to know who the user is. If it doesn't, nothing can ever be done in the database.

[COLOR=#aa88aa black]Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt.[/color]
 
Upvote 0 Downvote
If all the traffic is coming through your web app then there is nothing you can do with changing your web app.
The Web App would have to capture the login and pass that to the database where you could store the user name in a log table. You would also then have to write a bunch of triggers that would log all your data changes. It wouldn't be a small task.

- Paul
- If at first you don't succeed, find out if the loser gets anything.
 
Upvote 0 Downvote
The user will be authenticated by the web app, so I'll have their username there. I have to continue to use just the one database username though to connect to the database. I guess I was hoping there was a way to pass in supplemental information to the connection object on the client that I could grab from within a trigger in the DB.

So if I have the username in the web app, is there a generic way to pass that information to a trigger without modifying a stored procedure (because stored procedures are not always used for data access)?

Adam
 
Upvote 0 Downvote
If your web app does connection pooling (which I should hope it does) then no matter what you do it's going to be a problem to determine from the databse the user who initiated a query.

You could use application role security; it won't do the trick.

You could use the context info that gets stored in the sysprocesses table; I think that's a bad idea.

Rewrite your web app to handle queries in a generic way that can handle the infrastructure of passing through and recording the user.

[COLOR=#aa88aa black]Cum catapultae proscriptae erunt tum soli proscript catapultas habebunt.[/color]
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Cpreston
  • Locked
  • Question
Last date per userid 1
Replies
3
Views
294
Andrzejek
Andrzejek
Auguy
  • Locked
  • Question
Determine sa Password When Signed On As Administrator User Thru Windows Authentication 1
Replies
2
Views
208
Auguy
Auguy
G12Consult
  • Locked
  • Question
Consume web service data daily
Replies
3
Views
214
gmmastros
gmmastros
baran121
  • Locked
  • Question
sql user default language problem
Replies
7
Views
337
gmmastros
gmmastros
ghbeers
  • Locked
  • Question
Using single user entered attribute in where to match one of 4 different columns 1
Replies
9
Views
288
mharroff
mharroff

Part and Inventory Search

Sponsor

Back
Top