


In this article, we will un-riddle the ways to make use of the data definition language trigger (DDL Trigger), in order to monitor the progressions made to the database programming objects, View, Procedure or Function with a few real-time examples.


为什么要使用DDL触发器? (Why DDL Triggers?)

SQL Server DDL triggers are specifically used to control and review the changes taking place in the database. These triggers can be used to put the limit on the unauthorized clients to make DDL type of changes such as DROP VIEW, DROP PROCEDURE, DROP Function and so on using DDL Trigger. These triggers can also give permission to be able to make changes on specific database objects during a pre-decided time frames. The “Audit” is a majorly used for the implementation purpose of DDL triggers in the SQL Server. The Object Schema changes audit helps to follow who has performed the DDL proclamation. For instance, if we are keen on distinction who has dropped the Object or who has made changes to the Objects. The DDL triggers will be executed because as the Transact-SQL event all set on the database or on the server with characterize ON ALL SERVER or ON DATABASE. Here we need to know that the extent of the trigger depends upon the event.

SQL Server DDL触发器专门用于控制和查看数据库中发生的更改。 这些触发器可用于限制未授权客户端进行DDL类型的更改,例如使用DDL触发器进行DROP VIEW,DROP PROCEDURE,DROP Function等。 这些触发器还可以授予在预定时间范围内对特定数据库对象进行更改的权限。 “审核”主要用于SQL Server中DDL触发器的实现目的。 对象架构更改审核有助于跟踪谁执行了DDL声明。 例如,如果我们热衷于区分谁丢弃了对象或谁更改了对象。 之所以将执行DDL触发器,是因为所有Transact-SQL事件都是在数据库或服务器上设置的,其特征是ON ALL SERVER或ON DATABASE。 在这里,我们需要知道触发的程度取决于事件。

DDL触发器如何工作? (How DDL Trigger Works?)

Every DDL operation generates one Transaction in case of the DDL Trigger have been applied at the Database or the Server level. The SQL Server generates the events with relevant information in the same transaction following the operation. Prepare a metric with extracting the DDL event function(EVENTDATA()) to wraps a policy or standards for deployment:

如果在数据库或服务器级别应用了DDL触发器,则每个DDL操作都会生成一个事务。 该操作之后,SQL Server将在同一事务中生成具有相关信息的事件。 通过提取DDL事件函数( EVENTDATA() )准备一个度量标准,以包装用于部署的策略或标准:

The EVENTDATA() is an inbuilt function of the DDL trigger in SQL Server and that would return exchange occasion subtleties with the number of the fields in XML format

EVENTDATA()是SQL Server中DDL触发器的内置函数,它将以XML格式的字段数返回交换时机的细微差别

  • EventType (Create View, Alter View, Drop View, etc…) EventType (创建视图,更改视图,放置视图等)
  • PostTime (Event trigger time) PostTime (事件触发时间)
  • SPID (SQL Server session ID) SPID (SQL Server会话ID)
  • ServerName (SQL Server instance name) ServerName (SQL Server实例名称)
  • LoginName (SQL Server Login name) LoginName (SQL Server登录名)
  • UserName (username for login, by default dbo schema as username)
  • 用户名 (用于登录的用户名,默认情况下为dbo模式作为用户名)
  • DatabaseName (name of database where trigger was executed) DatabaseName (执行触发器的数据库的名称)
  • SchemaName (schema name of the View) SchemaName (视图的模式名称)
  • ObjectName (Name of the View) ObjectName (视图名称)
  • ObjectType (Object types. such as Table, view, procedure, etc…) ObjectType (对象类型,例如表格,视图,过程等)
  • TSQLCommand (Schema deployment Query which is executed by user) TSQLCommand (由用户执行的架构部署查询)
  • SetOptions (SET Option which are applied while Creating View or Modify it) SetOptions (在创建视图或修改视图时应用的SET选项)
  • CommandText (Create, Alter or Drop object command) CommandText (创建,更改或删除对象命令)

EVENTDATA() returns multiple fields in XML format as shown above and using those fields, we are able to create such metrics to track various events of DDL over the objects. In general, each DDL event of the object schema changes can be appended into the table, these event types are mentioned in the header body of ä trigger with the FOR CREATE_, ALTER_, DROP_,…

EVENTDATA()返回XML格式的多个字段,如上所示,并且使用这些字段,我们能够创建此类指标来跟踪对象上DDL的各种事件。 通常,可以将对象模式更改的每个DDL事件附加到表中,这些事件类型在ä触发器的标头主体中用FOR CREATE_,ALTER_,DROP_等表示。



CREATE TRIGGER audit_objects
ON database
INSERT INTO master.dbo.event_object_data(in_)--Inserting data into the table in XML format

View Script:


CREATE VIEW vw_roles
    SELECT role_id, role_name
    FROM tbl_roles

Using the above trigger for Creating, Altering or Dropping the View, Function or procedure, the transactions that were finished successfully or not can be monitored. Furthermore, at this moment we can check the event_object_data table to get the latest event data. We can see here that each detail of the above transaction has been included in the XML design:

使用上面的触发器来创建,更改或删除视图,函数或过程,可以监视是否成功完成的事务。 此外,此刻我们可以检查event_object_data表以获取最新的事件数据。 我们可以在这里看到上述事务的每个细节都已包含在XML设计中:

      <CommandText>CREATE VIEW vw_roles
    SELECT role_id, role_name
    FROM tbl_roles

In the above instance, we have rightfully sent out of the XML in the table. Despite that, in one of the correct methods for checking that XML has to be pulled out in the Column arrangement of the table. Talking of the same, underneath the XML command can assist with gathering the required columns of the event data.

在上面的例子中,我们正确地发送了表中的XML。 尽管如此,在检查XML的正确方法之一中,还是必须在表的Column排列中将其拔出。 谈论同样的事情,在XML命令下面可以帮助收集事件数据的所需列。

@xml.value('EventType[1]', 'VARCHAR(128)') AS 'Event Type'

Here, @xml is a EVENTDATA() with in a trigger only.

在这里,@ xml是仅在触发器中的EVENTDATA()。

授权登录以使用DDL部署对象 (Authorize Login to Deploy Objects using DDL)

The Development or the QA Server does not require restricting execution of the procedure or any other programming objects; however, on the production server, sometimes the client does not have access to some contents of the table or the associated database objects. The procedure above will allow getting executed from the application itself and no one can alter or drop the objects apart from an authorized login or authorized member of the designated role; hence, in a few certain situations, the confidential object can also be restricted in order to secure the privacy of the client’s data.

开发或QA服务器不需要限制过程或任何其他编程对象的执行; 但是,在生产服务器上,有时客户端无法访问表或关联的数据库对象的某些内容。 上面的过程将允许从应用程序本身执行,并且除了指定角色的授权登录或授权成员之外,没有人可以更改或删除对象; 因此,在某些情况下,也可以限制机密对象,以保护客户数据的私密性。

The Table and Information access can be handled with the help of different methodologies in SQL Server. However, for programming object schema changes, we are required to manage user and role policies to allow members to perform CREATE, ALTER and DROP operations (DDL). The DDL trigger allows us to fiddle with a particular type of object to authorized members and roles in the SQL Server.

可以使用SQL Server中的不同方法来处理对表和信息的访问。 但是,对于编程对象架构更改,我们需要管理用户和角色策略,以允许成员执行CREATE,ALTER和DROP操作(DDL)。 DDL触发器使我们能够对SQL Server中授权的成员和角色进行特殊类型的对象摆弄。

Most of the companies manage the release code branch to track the schema changes in the SQL Server to track down the information like, who, when and for what situation applied? In order to make it easy to get some reports or get details in tabular ways, the event data can be extracted to the table in a database. As the earlier mentioned EVENTDATA() returns each detail of transactions with the type of event with an object.

大多数公司都管理发布代码分支,以跟踪SQL Server中的架构更改,以跟踪信息,例如,谁,何时以及在什么情况下应用? 为了便于以表格方式获取一些报告或获取详细信息,可以将事件数据提取到数据库的表中。 如前所述,EVENTDATA()返回带有对象事件类型的事务的每个细节。

Event type can be differentiated by XML to supervise DDL events over the objects. As an example, authorized role members will only make schema changes or DROP afterward. Now using the below DDL Trigger we will be able to make authorization wrapper over the objects:

XML可以区分事件类型,以监督对象上的DDL事件。 例如,授权角色成员将仅在之后进行架构更改或DROP。 现在,使用下面的DDL触发器,我们将能够对对象进行授权包装:

CREATE TRIGGER audit_objects
ON database
	DECLARE @error_msg VARCHAR(1024);
	IF(@var_xml.value('(EVENT_INSTANCE/ObjectType)[1]', 'VARCHAR(128)') = 'VIEW' 
			AND @var_xml.value('(EVENT_INSTANCE/ObjectName)[1]', 'VARCHAR(128)') IN ('vw_roles')
			AND @var_xml.value('(EVENT_INSTANCE/LoginName)[1]', 'VARCHAR(128)') = 'myel')
		SET @error_msg = @var_xml.value('(EVENT_INSTANCE/LoginName)[1]', 'VARCHAR(128)') + ' is not allowed to ' 
				+ @var_xml.value('(EVENT_INSTANCE/EventType)[1]', 'VARCHAR(128)') + ' '
				+ @var_xml.value('(EVENT_INSTANCE/ObjectName)[1]', 'VARCHAR(128)') +'.';
		PRINT @error_msg;
		INSERT INTO master.dbo.event_object_data(in_)
		SELECT @var_xml;

In the above Trigger we have validated it using DDL with the condition that If the Object Type is ‘VIEW’ and the Object Name is ‘vw_roles’ and the Logged in user is ‘myel’ then DDL trigger audit_objects will not permit to make changes and the user will be acknowledged with the error message:

在上面的触发器中,我们已使用DDL对其进行了验证,条件是:如果对象类型为“ VIEW”,对象名称为“ vw_roles”,并且登录用户为“ myel”,则DDL触发器audit_objects将不允许进行更改,并且错误消息将确认用户:

As can be seen, the user gets an error on altering the view and event_object_data will get inserted as above with the event data. In the above example, we have one object name only in condition but that could be combined with multiple objects or the object types and user login as well.

可以看出,用户在更改视图时遇到错误,并且event_object_data将与事件数据如上插入。 在上面的示例中,我们仅在一个条件下有一个对象名称,但是可以与多个对象或对象类型和用户登录名结合使用。

In the above example, myel is not allowed to ALTER_VIEW vw_roles. The message gets logged and roll-back the transaction is performed. Simultaneously event data will get inserted in event_object_data table in the master database in XML format as shown below:

在上面的示例中,myel不允许使用ALTER_VIEW vw_roles。 该消息将被记录并回滚事务。 同时,事件数据将以XML格式插入主数据库的event_object_data表中,如下所示:

        <CommandText>ALTER VIEW vw_roles
        SELECT role_id, role_name
        FROM tbl_roles

The database administrator can drop or modify the trigger within SSMS as well, however, the user needs to have permissions to execute that action:


As a contraposition to this, the database authorized operators should get an alert in case a user who is trying to deploy the schema changes however the user is not permitted to deploy. Now to avoid this circumstance and to follow an add-on step, in a certain diverted way, a mail alert will be triggered inside the same DDL trigger with essential information. Anyhow, event data will get exported into the table to get detailed information about the occurrence; however, an alert that makes sense to keep an eye on the database as part of the security monitor:

与此相反,万一试图部署架构的用户发生更改,但不允许该用户部署,则数据库授权操作员应收到警报。 现在,为了避免这种情况,并按照某种附加的方式执行附加步骤,将在同一DDL触发器内触发包含基本信息的邮件警报。 无论如何,事件数据将被导出到表中以获取有关事件的详细信息。 但是,作为安全监视器的一部分,有必要注意数据库的警报:

EXEC msdb.dbo.sp_send_dbmail
	@profile_name = 'Database Administrator Alert',
	@recipients = '',
	@body = @body_html,
	@subject = @alert_subject

Finally, the subject can be obtained with the name of the object, object type, database name and server name for just simplicity to identify the mail alert. The recipients should be part of the group mail address of the responsible database administrator group. In this article code snippet, we explained views only, however, it can be other database objects as well like: procedures and functions mentioned in the DDL trigger header.

最后,可以使用主题名称,对象类型,数据库名称和服务器名称来获取主题,以简化邮件警报的识别。 收件人应该是负责的数据库管理员组的组邮件地址的一部分。 在本文的代码片段中,我们仅说明了视图,但是,它也可以是其他数据库对象,例如:DDL触发器标头中提到的过程和函数。

