Question

I want to implement an audit table and I have no idea how I am supposed to get the username.

I am using C# and SQL Server. I have a Users table in my database. When I log in to my Windows Forms application I verify that the correct combination of username and password is used. But how do I inform the database of the current user? I thought of adding an extra column to my Users table that is set to 1 for the logged-in username. Is that a solution for single-user? But my application is supposed to support multi-user. What could be done in this case?


Solution 4

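    -- Read the user name the application stored for this session with SET CONTEXT_INFO
    DECLARE @username varchar(128)
    SET @username = CONVERT(VarChar(128), CONTEXT_INFO());
    PRINT @username
    -- Look up the matching application user in the Users table
    DECLARE @ID_User int
    SET @ID_User = ( SELECT Users.ID_User
                       FROM Users
                      WHERE Users.Username=@username )
    PRINT @ID_User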

This is how I solved it. I inserted this piece of code in each update trigger.
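The trigger approach above as a complete script, added here as an example and not the poster's own code. The Invoices and InvoiceAudit tables, the trigger name and the user 'alice' are constructed for illustration. It strips the 0x00 padding that SET CONTEXT_INFO adds, and it stores ORIGINAL_LOGIN() next to the client-supplied name because any session can set CONTEXT_INFO to any value.

```sql
-- Users comes from the question; Invoices and InvoiceAudit are hypothetical tables.
CREATE TABLE Users (ID_User int IDENTITY PRIMARY KEY,
                    Username varchar(128) NOT NULL UNIQUE);
CREATE TABLE Invoices (ID_Invoice int PRIMARY KEY, Amount money NOT NULL);
CREATE TABLE InvoiceAudit (
    ID_Audit    int IDENTITY PRIMARY KEY,
    ID_Invoice  int NOT NULL,
    ID_User     int NULL,            -- application user, NULL when it cannot be resolved
    ClaimedUser varchar(128) NULL,   -- raw name the client placed in CONTEXT_INFO
    ServerLogin sysname NOT NULL DEFAULT ORIGINAL_LOGIN(),   -- filled in by the server
    ModifiedAt  datetime2 NOT NULL DEFAULT SYSUTCDATETIME()
);
GO
CREATE TRIGGER trg_Invoices_Update ON Invoices AFTER UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- CONTEXT_INFO() is varbinary(128) and short values are padded with 0x00.
    -- Strip the padding (binary collation so CHAR(0) is matched reliably) and
    -- treat an unset or empty context as NULL.
    DECLARE @username varchar(128) =
        NULLIF(REPLACE(CONVERT(varchar(128), CONTEXT_INFO())
                       COLLATE Latin1_General_BIN2, CHAR(0), ''), '');

    -- One audit row per updated row, so multi-row UPDATE statements are covered.
    INSERT INTO InvoiceAudit (ID_Invoice, ID_User, ClaimedUser)
    SELECT i.ID_Invoice,
           (SELECT u.ID_User FROM Users AS u WHERE u.Username = @username),
           @username
    FROM inserted AS i;
END;
GO
-- Constructed session: what the application would run on its connection after login.
INSERT INTO Users (Username) VALUES ('alice');
INSERT INTO Invoices (ID_Invoice, Amount) VALUES (1, 100);

DECLARE @ctx varbinary(128) = CONVERT(varbinary(128), 'alice');
SET CONTEXT_INFO @ctx;               -- stays set for the lifetime of this session

UPDATE Invoices SET Amount = 120 WHERE ID_Invoice = 1;

SELECT ID_Invoice, ID_User, ClaimedUser, ServerLogin, ModifiedAt
FROM InvoiceAudit;
```

Rows where ID_User is NULL mark updates made on a connection that never set the context, or that set a name not present in Users, which makes them worth reviewing.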

Other tips

Depending on your authentication scheme, you need to get the user name.

For thick client applications,

Environment.UserName

and

System.Security.Principal.WindowsIdentity.GetCurrent()

are a couple of options.

Typically for audit tables, there is a column called 'ModifiedByUser' where you can log the user name provided by the win form app.

  1. Create the nvarchar and datetime columns (if not already) in your audit table.
  2. One will store the user name and the other the datetime of the audit action.
  3. In your code, whenever you want to add an entry to the audit table, get Environment.UserName or System.Security.Principal.WindowsIdentity.GetCurrent(), along with DateTime.UtcNow and pass it on to be saved to the DB into the Audit table.

SQL Server knows who you are. You can simply use the SUSER_SNAME() and/or ORIGINAL_LOGIN() functions as a default value for the username column in your audit table. Same for the time of the audit event: use the GetDate() function. There is no need to send this information from the client.

This is a very open-ended question but I think I understand what you are trying to do. You have application-specific users that are defined in a Users table (as opposed to using database users or active directory users) and you need to log specific information for auditing purposes or drive security based off of the logins. Is that correct?

This can be done, but the logic for it will need to be written in your application.

Let’s pretend we are writing a program to send out an invoice to a customer. I used role based security where you can give users access to do specific tasks by granting them a role. For example, “Create New Invoice” could be a role. I usually have 2 tables for this:

  1. SecurityRoleDefinition
  2. SecurityRoleUsers

The first table, Security Role Definition, will have an ID column, the Description (“Create New Invoice”), and I usually have an Audit column to indicate if this action needs to be logged for Audit.

The second table, SecurityRoleUsers, is where I define if a user has permission to execute that role. Columns are usually something like this: a unique ID, User ID (foreign key to the Users table), RoleID (foreign key to SecurityRoleDefinition)

Now in your application we need a class to check if a user has a role. It needs to take in the role ID (or name) and the user ID. Example: public bool IsUserAuthorized(int RoleID, int UserID)

This method can run a query on your SecurityRoleUsers table to see if the user is in the table for that role. If so, it returns true. If not, it returns false.

Now back in the application, when the user clicks the “Create New Invoice” button it runs the IsUserAuthorized() method to check if the user can perform the operation.

If creating an audit log is necessary, you could do something similar. After the security check is done for “Create New Invoice” you can check to see if the Role needs to be audit logged, if so then write to an Audit table.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow