2 June 2017

Simplifying the user access audit with SQL Census

SQL Census is the latest piece of technology to be developed within Redgate Foundry. Still early in its development, it’s a product designed to help you explain to an auditor which of your colleagues are able to access business-critical SQL Server databases. As well as reporting on who can access these databases, it explains what they can do (i.e. the capabilities their permissions give them) and how (i.e. the routes through which they’ve inherited those capabilities).

In this blog post we’ll outline a couple of the most common scenarios we heard in our early research, and describe how SQL Census can be used to prepare for a smooth audit and easily provide your auditor with the information they need.

Getting an overview in preparation for an audit

We all work to best practices, but it’s not easy to get a good top-down view of who can do what across your estate. We’ve designed SQL Census to give you that view at the click of a button. Let’s explore this scenario.

DBA Debs knows her audit is coming up and that it’s going to cover the Accounts database. SQL Census is a SaaS-hosted solution that covers both your on-prem and your Azure data estate, so Debs signs up on the site and downloads a small gateway application that allows SQL Census to inspect her estate.

Screenshot: SQL Census start screen and gateway download.
Debs connects to the Accounts database on her SQL Server and is shown an overview of all server logins and their effective permissions in Accounts. SQL Census knows all the ways a login can end up with permissions: through server and database roles, object permissions, ownership, and less well-known routes such as CONTROL permissions (CONTROL on a securable implies every other permission on it, so a single grant can quietly confer full rights).

Debs notices that one of the Application Developers, Ali Daw, has DDL Admin privileges in production. She clicks View detail to find out what else Ali can do in Accounts.

Screenshot: user permissions overview.
It looks like Ali also has rights to read and write data in Accounts. Debs wants to understand how Ali ends up with these effective permissions, so she clicks More detail to find out.

SQL Census inspects Ali’s permissions, not only looking through nested roles in the database and on the server, but also walking through Active Directory to find the AD groups he is a member of that hold permissions on Accounts. It also checks the host running the Accounts server to see which local machine groups he’s in.

Screenshot: SQL Census user permissions map.
That’s interesting: not only has Ali been added explicitly to the db_ddladmin fixed database role, he’s also in the user-defined AccountsAdmin role, which is itself a member of db_ddladmin. Removing the direct membership alone would therefore not take the privilege away.

Now let’s look at those Read/Write permissions. Nothing has been granted to Ali’s own login or database user that would explain them, so what’s going on?

SQL Census had a look at Active Directory and found Ali in the AccountsTeam AD group; the accounts team obviously need Read/Write permissions to run the accounting app. That AD group has a Windows-group login on the server, mapped to a database user in Accounts, and that user has been added to the AccountsUser role, which has been granted SELECT, INSERT, UPDATE and DELETE. Ali inherits all four without ever appearing in the Accounts database by name.

Now it’s much easier for DBA Debs to see what’s going on, and take action if necessary.
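The same three lookups that SQL Census performs behind the button (the Windows group path, the nested role chain, and the explicit grants such as CONTROL together with the resulting effective permissions) can be reproduced by hand against the catalog views. The T-SQL below is an added example written for this post, not SQL Census code and not Redgate’s script; the domain, account, group and role names (CONTOSO\ali.daw, CONTOSO\AccountsTeam, AccountsAdmin, AccountsUser) follow the scenario above and are assumptions to substitute with your own.

```sql
-- Added example (not SQL Census code): reproduce by hand, in T-SQL, the three
-- things the tool resolves for a principal in the Accounts database:
--   1. the Windows groups through which the account reaches SQL Server,
--   2. the nested database-role chain (user -> role -> role ...),
--   3. explicit grants such as CONTROL, and the resulting effective permissions.
-- Names below follow the blog's scenario and are assumptions; substitute your own.
-- Run as sysadmin or db_owner: xp_logininfo and EXECUTE AS USER need elevated rights,
-- and xp_logininfo only works for Windows accounts (as in the scenario).
USE Accounts;

DECLARE @principal sysname = N'CONTOSO\ali.daw';   -- assumed Windows login / user name

-- 1. Windows group paths: every login (the user itself or a group) through which
--    this account can connect. The permission_path column is the group name.
CREATE TABLE #Paths (
    account_name      sysname,
    [type]            nvarchar(16),
    privilege         nvarchar(16),
    mapped_login_name sysname,
    permission_path   sysname NULL
);
INSERT INTO #Paths
EXEC xp_logininfo @acctname = @principal, @option = 'all';

-- 2. Role chain: start from the user and from any group it connects through
--    (group logins are assumed to be mapped to database users of the same name),
--    then follow nested role membership with a recursive CTE.
;WITH RoleChain AS (
    SELECT
        m.principal_id AS member_id,
        r.principal_id AS role_id,
        CAST(m.name + N' -> ' + r.name AS nvarchar(max)) AS path,
        1 AS depth
    FROM sys.database_role_members drm
    JOIN sys.database_principals m ON m.principal_id = drm.member_principal_id
    JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
    WHERE m.name = @principal
       OR m.name IN (SELECT permission_path FROM #Paths WHERE permission_path IS NOT NULL)
    UNION ALL
    SELECT
        rc.member_id,
        r.principal_id,
        rc.path + N' -> ' + r.name,
        rc.depth + 1
    FROM RoleChain rc
    JOIN sys.database_role_members drm ON drm.member_principal_id = rc.role_id
    JOIN sys.database_principals r ON r.principal_id = drm.role_principal_id
    WHERE rc.depth < 32                 -- stops runaway recursion on circular membership
)
SELECT member_id, role_id, path, depth
INTO #RoleChain
FROM RoleChain;

SELECT path, depth FROM #RoleChain ORDER BY depth, path;
-- In the blog's scenario this lists the three routes Debs found:
--   CONTOSO\ali.daw -> db_ddladmin                    (direct membership)
--   CONTOSO\ali.daw -> AccountsAdmin -> db_ddladmin   (inherited via a nested role)
--   CONTOSO\AccountsTeam -> AccountsUser              (via the AD group's database user)

-- 3a. Explicit grants held by the principal, its groups, or any role in the chain.
--     CONTROL on the database or on an object implies every other permission on
--     that securable, so it deserves its own row in the audit evidence.
SELECT
    pr.name AS grantee,
    dp.class_desc,
    CASE dp.class
        WHEN 0 THEN DB_NAME()
        WHEN 1 THEN OBJECT_SCHEMA_NAME(dp.major_id) + N'.' + OBJECT_NAME(dp.major_id)
        WHEN 3 THEN SCHEMA_NAME(dp.major_id)
        ELSE CAST(dp.major_id AS nvarchar(10))
    END AS securable,
    dp.permission_name,
    dp.state_desc
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = @principal
   OR pr.name IN (SELECT permission_path FROM #Paths WHERE permission_path IS NOT NULL)
   OR pr.principal_id IN (SELECT role_id FROM #RoleChain)
ORDER BY pr.name, dp.permission_name;

-- 3b. Effective database-scope permissions as SQL Server itself computes them,
--     by impersonating the user (requires IMPERSONATE on that user).
EXECUTE AS USER = @principal;
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
ORDER BY permission_name;
REVERT;

DROP TABLE #RoleChain;
DROP TABLE #Paths;
```

Two caveats a practitioner will hit: step 3b only works when the account exists as a database user in its own right (a user who reaches the database solely through a Windows group cannot be impersonated with EXECUTE AS USER), and none of this shows server-level routes such as sysadmin membership or ownership of the database, which have to be checked separately in sys.server_role_members and sys.databases.owner_sid. That is precisely the collation work the walkthrough above describes SQL Census doing for you.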

Providing audit evidence

So Debs now knows the Accounts user access is up to scratch, and it’s audit week. Last year, pulling all the user access evidence together for the auditor took hours. She ran custom PowerShell and SQL scripts and used spreadsheets to pull it all together, only to find that the auditor wasn’t happy with a bespoke report and still needed to sit with her to produce a bunch of screenshots from SQL Server Management Studio and Active Directory.

Our aim is for SQL Census to become the standard-bearer for SQL Server audit reports. That’s why we’re working with auditors and IT audit consultants to make sure SQL Census creates reports that are easy for your auditor to follow, provide all the user access evidence the audit needs, and are simple to export.

How? SQL Census understands how SQL Server’s 237 different permissions, 9 fixed server roles and 9 fixed database roles hang together, and condenses them into 7 Capabilities, ordered from most to least powerful:

  1. Server Administrator
  2. Database Administrator
  3. Database Owner
  4. Schema Admin
  5. Data Writer
  6. Data Reader
  7. Connect/Public

This information is collected in a report that’s easy to generate, simple to export, and that an auditor can trust because it is produced the same way every time rather than assembled by hand.

What next?

We’ve got an Early Access Programme running. If you’re coming up to an audit, and can commit an hour per week guiding the development of SQL Census, then drop us an email – we’d love to work with you.

In the meantime, you can stay up to date with progress on SQL Census by signing up to hear more over at Redgate Foundry.
