From 63c9682dff1ffdd82d217dc9c0ec71b284e89469 Mon Sep 17 00:00:00 2001 
From: Tay Caliguiri
Date: Thu, 5 Mar 2026 18:21:57 -0500
Subject: [PATCH 1/5] - Added NAA v11.6\Administration\Schema directory and appropriate subdirectories
 - Re-formatted the NAA_SQL_DC_Schema_Documentation_11.6.md from dev/@sanjay-meghani for the doc site and easy navigation
 - Minimally fixed phrasing on the SQL Schema Overview page

---
 .../11.6/admin/schema/_category_.json | 10 +
 .../11.6/admin/schema/overview.md | 16 +
 .../11.6/admin/schema/sqldc/_category_.json | 10 +
 .../schema/sqldc/coretables/_category_.json | 10 +
 .../admin/schema/sqldc/coretables/overview.md | 994 ++++++++++++++++
 .../schema/sqldc/enumeration/_category_.json | 10 +
 .../schema/sqldc/enumeration/overview.md | 277 +++++
 .../admin/schema/sqldc/erd/_category_.json | 10 +
 .../11.6/admin/schema/sqldc/erd/overview.md | 469 ++++++++
 .../schema/sqldc/functions/_category_.json | 10 +
 .../admin/schema/sqldc/functions/overview.md | 50 +
 .../sqldc/indexreference/_category_.json | 10 +
 .../schema/sqldc/indexreference/overview.md | 91 ++
 .../11.6/admin/schema/sqldc/overview.md | 222 ++++
 .../sqldc/reportingtables/_category_.json | 10 +
 .../schema/sqldc/reportingtables/overview.md | 1016 +++++++++++++++++
 .../admin/schema/sqldc/views/_category_.json | 10 +
 .../11.6/admin/schema/sqldc/views/overview.md | 531 +++++++++
 18 files changed, 3756 insertions(+)
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/_category_.json
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/overview.md
 create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/erd/_category_.json
create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/erd/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/functions/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/views/_category_.json create mode 100644 docs/accessanalyzer/11.6/admin/schema/sqldc/views/overview.md diff --git a/docs/accessanalyzer/11.6/admin/schema/_category_.json b/docs/accessanalyzer/11.6/admin/schema/_category_.json new file mode 100644 index 0000000000..a689c99859 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Database Schema", + "position": 100, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/overview.md b/docs/accessanalyzer/11.6/admin/schema/overview.md new file mode 100644 index 0000000000..1cecca017d --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/overview.md 
@@ -0,0 +1,16 @@ +# Database Schema + +This section provides comprehensive database schema documentation for the Access Analyzer 11.6 data collectors. Each data collector stores discovered configuration, permissions, and audit data in normalized tables, with denormalized reporting views for analysis and presentation. + +## [SQL Data Collector Schema](sqldc/overview.md) + +The SQL Data Collector discovers, audits, and reports on SQL Server instances, databases, principals, permissions, audit events, and sensitive data across the enterprise. The schema documentation covers: + +- **[Core Data Collection Tables](sqldc/coretables/overview.md)** — 44 normalized tables populated directly by data collectors with full foreign key relationships +- **[Reporting Tables](sqldc/reportingtables/overview.md)** — 56 denormalized report-ready tables with human-readable column names +- **[Views](sqldc/views/overview.md)** — 17 SQL views that join and denormalize data for querying +- **[Enumeration & Lookup Values](sqldc/enumeration/overview.md)** — Reference for coded values and lookup table contents +- **[Entity Relationship Diagrams](sqldc/erd/overview.md)** — Visual ERDs showing table relationships +- **[Index Reference](sqldc/indexreference/overview.md)** — Documentation of database indexes +- **[Functions & Stored Procedures](sqldc/functions/overview.md)** — SQL scalar functions and stored procedures + diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/_category_.json new file mode 100644 index 0000000000..5a6263de96 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "SQL Data Collector Schema", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} 
diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/_category_.json new file mode 100644 index 0000000000..228b3a30e6 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Core Data Collection Tables", + "position": 10, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/overview.md new file mode 100644 index 0000000000..f0ffba48f0 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/coretables/overview.md 
@@ -0,0 +1,994 @@ +# Core Data Collection Tables + +## SA_SQLServer_Instances + +**Description:** Root entity table. Stores one row per discovered SQL Server instance (including Azure SQL). All other data collection tables reference back to an instance. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Auto-incrementing surrogate primary key | +| name | nvarchar | 128 | No | | | | Fully qualified SQL Server instance name (e.g., `SERVER\INSTANCE`) | +| sql_instance_id | int | | Yes | | | | FK reference to the shared `SA_SQL_Instances` table for cross-module linkage | + +**Primary Key:** `PK_SA_SQLServer_Instances` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_Instances_Name` on `name` + +**Foreign Keys:** None (root table) + +--- + +## SA_SQLServer_Databases + +**Description:** Stores one row per database discovered on each SQL Server instance. Supports soft-delete via `sa_delete_date` to track removed databases. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Auto-incrementing surrogate primary key | +| instance_id | int | | No | | FK | | Reference to `SA_SQLServer_Instances.id` | +| database_id | int | | Yes | | | | Native SQL Server `database_id` from `sys.databases` | +| name | nvarchar | 128 | No | | | | Database name | +| create_date | datetime | | Yes | | | | Database creation timestamp | +| sa_delete_date | datetime2 | | Yes | | | | Timestamp when NAA detected the database was deleted; NULL while active | + +**Primary Key:** `PK_SA_SQLServer_Databases` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_Databases` on `(instance_id, database_id, name, create_date, sa_delete_date)` + +**Indexes:** `SA_SQLServer_Databases_name_IDX` on `name` (nonclustered) + +**Extended Properties:** `instance_id` — "ref to SA_SQLServer_Instances.id" + +--- + +## SA_SQLServer_EventDatabases + +**Description:** Lightweight database reference used by the audit event subsystem. Decoupled from `SA_SQLServer_Databases` to avoid blocking event ingestion when databases are being scanned/deleted. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | | | Reference to the hosting SQL Server instance | +| active_database_id | int | | Yes | | FK | | FK to `SA_SQLServer_Databases.id`; links to the currently active database record | +| name | nvarchar | 128 | No | | | | Database name as recorded in audit events | +| minimum_event_datetime | datetime2 | | Yes | | | | Earliest event timestamp recorded for this database | + +**Primary Key:** `PK_SA_SQLServer_EventDatabases` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_EventDatabases` on `(instance_id, name)` + +**Foreign Keys:** +- `FK_SA_SQLServer_Active_Database_Id` → `SA_SQLServer_Databases.id` + +**Indexes:** `SA_SQLServer_EventDatabases_name_IDX` on `name` (nonclustered) + +--- + +## SA_SQLServer_Schemas + +**Description:** Stores database schemas discovered on target SQL Server instances. Maps the `sys.schemas` catalog view. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| database_id | int | | No | | | | Reference to `SA_SQLServer_Databases.id` | +| schema_id | int | | No | | | | Native SQL Server `schema_id` | +| name | nvarchar | 128 | Yes | | | | Schema name (e.g., `dbo`, `Sales`) | +| database_principal | int | | Yes | | | | Owning principal ID within the database | + +**Primary Key:** `PK_SA_SQLServer_Schemas` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_Schemas_IDs` on `(database_id, schema_id)` + +--- + +## SA_SQLServer_Objects + +**Description:** Stores database objects (tables, views, stored procedures, functions, etc.) discovered on target instances. Mirrors `sys.objects`. Supports soft-delete via `is_deleted`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | bigint | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | | | Reference to `SA_SQLServer_Instances.id` | +| database_id | int | | Yes | | | | Reference to `SA_SQLServer_Databases.id` | +| name | nvarchar | 128 | No | | | | Object name | +| object_id | int | | Yes | | | | Native SQL Server `object_id` | +| principal_id | int | | Yes | | | | Owner principal ID | +| schema_id | int | | Yes | | | | Schema ID the object belongs to | +| parent_object_id | int | | Yes | | | | Parent object (for triggers, constraints, etc.) | +| type | nchar | 2 | Yes | | | | Object type code (e.g., `U`, `V`, `P`, `FN`) | +| type_desc | nvarchar | 120 | Yes | | | | Object type description | +| create_date | datetime | | Yes | | | | Object creation date | +| modify_date | datetime | | Yes | | | | Last modification date | +| is_ms_shipped | bit | | Yes | | | | Whether the object is Microsoft-shipped | +| is_published | bit | | Yes | | | | Whether the object is published for replication | +| is_schema_published | bit | | Yes | | | | Whether the schema is published | +| is_deleted | bit | | No | | | `0` | Soft-delete flag; set to 1 when object no longer exists on target | + +**Primary Key:** `PK_SA_SQLServer_Objects` on `id` + +**Indexes:** +- `UQ_SA_SQLServer_Objects_Id` — UNIQUE on `(instance_id, database_id, object_id)` WHERE `object_id IS NOT NULL` +- `UQ_SA_SQLServer_Objects_Name` — UNIQUE on `(instance_id, database_id, name, schema_id)` WHERE `object_id IS NULL` +- `IX_SA_SQLServer_Objects_Database_Id_Object_Id` on `(database_id, object_id)` INCLUDE `(name, is_deleted)` +- `SA_SQLServer_Objects_Instance_Id_Object_Id_Is_Deleted_IX` on `(instance_id, object_id, is_deleted)` INCLUDE `(id, name)` + +--- + +## SA_SQLServer_Columns + +**Description:** Stores column metadata for database objects. Mirrors `sys.columns`. 
Cascades delete from `SA_SQLServer_Objects`. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| object_id | bigint | | No | | FK | | FK to `SA_SQLServer_Objects.id` (CASCADE delete) | +| name | nvarchar | 128 | No | | | | Column name | +| column_id | int | | No | | | | Ordinal position of the column | +| system_type_id | tinyint | | Yes | | | | System data type ID | +| user_type_id | int | | Yes | | | | User-defined type ID | +| max_length | smallint | | Yes | | | | Maximum length in bytes | +| precision | tinyint | | Yes | | | | Numeric precision | +| scale | tinyint | | Yes | | | | Numeric scale | +| collation_name | nvarchar | 128 | Yes | | | | Column collation | +| is_nullable | bit | | Yes | | | | Whether column allows NULLs | +| is_ansi_padded | bit | | Yes | | | | ANSI padding setting | +| is_rowguidcol | bit | | Yes | | | | ROWGUIDCOL flag | +| is_identity | bit | | Yes | | | | Identity column flag | +| is_computed | bit | | Yes | | | | Computed column flag | +| is_filestream | bit | | Yes | | | | FILESTREAM flag | +| is_replicated | bit | | Yes | | | | Replication flag | +| is_non_sql_subscribed | bit | | Yes | | | | Non-SQL subscription flag | +| is_merge_published | bit | | Yes | | | | Merge publication flag | +| is_dts_replicated | bit | | Yes | | | | DTS replication flag | +| is_xml_document | bit | | Yes | | | | XML document flag | +| xml_collection_id | int | | Yes | | | | XML schema collection ID | +| default_object_id | int | | Yes | | | | Default constraint object ID | +| rule_object_id | int | | Yes | | | | Rule object ID | +| is_sparse | bit | | Yes | | | | Sparse column flag | +| is_column_set | bit | | Yes | | | | Column set flag | +| is_deleted | bit | | No | | | `0` | Soft-delete flag | + +**Primary Key:** None (no PK constraint — uses unique constraint as logical key) + +**Unique Constraints:** `UQ_SA_SQLServer_Columns_Name` on `(object_id, column_id, name)` + +**Foreign 
Keys:** `FK_SA_SQLServer_Columns_ObjectId` → `SA_SQLServer_Objects.id` (ON DELETE CASCADE) + +--- + +## SA_SQLServer_ServerPrincipalTypes + +**Description:** Lookup table for server principal type codes (e.g., S=SQL Login, U=Windows Login, R=Server Role, G=Windows Group). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| type | nchar | 1 | No | PK | | | Single-character principal type code | +| type_desc | nvarchar | 120 | No | | | | Human-readable description | + +**Primary Key:** `PK_SA_SQLServer_ServerPrincipalTypes` on `type` + +**Unique Constraints:** +- `UQ_SA_SQLServer_ServerPrincipalTypes_Type` on `type` +- `UQ_SA_SQLServer_ServerPrincipalTypes_TypeDesc` on `type_desc` + +--- + +## SA_SQLServer_DatabasePrincipalTypes + +**Description:** Lookup table for database principal type codes (e.g., S=SQL User, R=Database Role, U=Windows User). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| type | nchar | 1 | No | PK | | | Single-character principal type code | +| type_desc | nvarchar | 120 | No | | | | Human-readable description | + +**Primary Key:** `PK_SA_SQLServer_DatabasePrincipalTypes` on `type` + +**Unique Constraints:** +- `UQ_SA_SQLServer_DatabasePrincipalTypes_Type` on `type` +- `UQ_SA_SQLServer_DatabasePrincipalTypes_TypeDesc` on `type_desc` + +--- + +## SA_SQLServer_ServerPrincipals + +**Description:** Stores SQL Server-level principals (logins, server roles). Mirrors `sys.server_principals`. Supports soft-delete via `is_deleted`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | FK | | FK to `SA_SQLServer_Instances.id` (CASCADE) | +| principal_id | int | | Yes | | | | Native `principal_id` from `sys.server_principals` | +| principal_name | nvarchar | 128 | Yes | | | | Login/role name | +| principal_sid | varbinary | 85 | Yes | | | | Security identifier (SID) | +| type | nchar | 1 | Yes | | | | Principal type code (S, U, G, R, C, K) | +| is_disabled | bit | | Yes | | | | Whether the login is disabled | +| create_date | datetime | | Yes | | | | Creation date | +| modify_date | datetime | | Yes | | | | Last modification date | +| default_database | int | | Yes | | | | FK to `SA_SQLServer_Databases.id` | +| default_language_name | nvarchar | 128 | Yes | | | | Default language | +| credential_id | int | | Yes | | | | Associated credential ID | +| is_deleted | bit | | No | | | `0` | Soft-delete flag | +| owning_principal_id | int | | Yes | | | | Owning principal for server roles | +| is_fixed_role | bit | | Yes | | | | Whether this is a fixed server role | + +**Primary Key:** `PK_SA_SQLServer_ServerPrincipals` on `id` + +**Foreign Keys:** `FK_SA_SQLServer_ServerPrincipals_Instances` → `SA_SQLServer_Instances.id` (ON DELETE CASCADE) + +**Indexes:** +- `UQ_SA_SQLServer_ServerPrincipals_Id` — UNIQUE on `(instance_id, principal_id)` WHERE `is_deleted = 0` +- `UQ_SA_SQLServer_ServerPrincipals_NameId` — UNIQUE on `(instance_id, principal_id, principal_name)` WHERE `is_deleted = 0` +- `UQ_SA_SQLServer_ServerPrincipals_NameSid` — UNIQUE on `(instance_id, principal_sid, principal_name)` WHERE `is_deleted = 0` + +--- + +## SA_SQLServer_DatabasePrincipals + +**Description:** Stores database-level principals (users, database roles). Mirrors `sys.database_principals`. Supports soft-delete via `is_deleted`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| database_id | int | | No | | FK | | FK to `SA_SQLServer_Databases.id` (CASCADE) | +| principal_id | int | | Yes | | | | Native `principal_id` from `sys.database_principals` | +| principal_name | nvarchar | 128 | Yes | | | | User/role name | +| principal_sid | varbinary | 85 | Yes | | | | Security identifier (SID) | +| type | nchar | 1 | Yes | | FK | | FK to `SA_SQLServer_DatabasePrincipalTypes.type` (CASCADE) | +| default_schema_name | nvarchar | 128 | Yes | | | | Default schema for the principal | +| create_date | datetime | | Yes | | | | Creation date | +| modify_date | datetime | | Yes | | | | Last modification date | +| owning_principal | int | | Yes | | | | Owning principal ID (for roles) | +| is_fixed_role | bit | | Yes | | | | Whether this is a fixed database role | +| authentication_type | int | | Yes | | | | Authentication type code | +| authentication_type_desc | nvarchar | 60 | Yes | | | | Authentication type description | +| is_deleted | bit | | No | | | `0` | Soft-delete flag | + +**Primary Key:** `PK_SA_SQLServer_DatabasePrincipals` on `id` + +**Foreign Keys:** +- `FK_SA_SQLServer_DatabasePrincipals_Databases` → `SA_SQLServer_Databases.id` (ON DELETE CASCADE) +- `FK_SA_SQLServer_DatabasePrincipals_DatabasePrincipalTypes` → `SA_SQLServer_DatabasePrincipalTypes.type` (ON DELETE CASCADE) + +**Indexes:** +- `UQ_SA_SQLServer_DatabasePrincipals_Id` — UNIQUE on `(database_id, principal_id)` WHERE `is_deleted = 0` +- `UQ_SA_SQLServer_DatabasePrincipals_NameId` — UNIQUE on `(database_id, principal_id, principal_name)` WHERE `is_deleted = 0` +- `UQ_SA_SQLServer_DatabasePrincipals_NameSid` — UNIQUE on `(database_id, principal_sid, principal_name)` WHERE `is_deleted = 0` +- `IX_SA_SQLServer_Objects_Database_Id_Principal_Id` on `(database_id, principal_id)` + +--- + +## 
SA_SQLServer_EventServerPrincipals + +**Description:** Lightweight server principal reference for audit events. Decoupled from `SA_SQLServer_ServerPrincipals` so events can reference principals that may no longer exist in the current scan. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | FK | | FK to `SA_SQLServer_Instances.id` (CASCADE) | +| principal_id | int | | Yes | | | | Server principal ID from the audit event | +| principal_name | nvarchar | 128 | Yes | | | | Principal name from the audit event | +| principal_sid | varbinary | 85 | Yes | | | | SID from the audit event | + +**Primary Key:** `PK_SA_SQLServer_EventServerPrincipals` on `id` + +**Foreign Keys:** `FK_SA_SQLServer_EventServerPrincipals_Instances` → `SA_SQLServer_Instances.id` (ON DELETE CASCADE) + +**Indexes:** `UQ_SA_SQLServer_EventServerPrincipals_IdNameSid` — UNIQUE on `(instance_id, principal_id, principal_sid, principal_name)` + +--- + +## SA_SQLServer_EventDatabasePrincipals + +**Description:** Lightweight database principal reference for audit events. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| database_id | int | | No | | FK | | FK to `SA_SQLServer_EventDatabases.id` (CASCADE) | +| principal_id | int | | Yes | | | | Database principal ID from the audit event | +| principal_name | nvarchar | 128 | Yes | | | | Principal name from the audit event | + +**Primary Key:** `PK_SA_SQLServer_EventDatabasePrincipals` on `id` + +**Foreign Keys:** `FK_SA_SQLServer_EventDatabasePrincipals_EventDatabases` → `SA_SQLServer_EventDatabases.id` (ON DELETE CASCADE) + +**Indexes:** `UQ_SA_SQLServer_EventDatabasePrincipals_IdNameSid` — UNIQUE on `(database_id, principal_id, principal_name)` + +--- + +## SA_SQLServer_SqlLogins + +**Description:** Stores SQL authentication-specific properties for server principals of type SQL Login. Extends `SA_SQLServer_ServerPrincipals`. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| server_principal | int | | No | | FK | | FK to `SA_SQLServer_ServerPrincipals.id` (CASCADE) | +| is_policy_checked | bit | | No | | | | Whether password policy is enforced | +| is_expiration_checked | bit | | No | | | | Whether password expiration is enforced | +| password_hash | varbinary | 256 | Yes | | | | Hashed password value | +| is_locked | bit | | Yes | | | | Account lockout status | +| is_expired | bit | | Yes | | | | Password expiration status | +| is_must_change | bit | | Yes | | | | Whether password must be changed at next login | +| password_hash_algorithm | int | | Yes | | | | Algorithm used for hashing (SHA-1, SHA-512, etc.) 
| + +**Primary Key:** `PK_SA_SQLServer_SqlLogins` on `id` + +**Foreign Keys:** `FK_SA_SQLServer_SqlLogins_ServerPrincipals` → `SA_SQLServer_ServerPrincipals.id` (ON DELETE CASCADE) + +--- + +## SA_SQLServer_ServerRoleMembers + +**Description:** Maps server role membership relationships. Each row represents one principal's membership in one server role. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| role_principal | int | | No | | FK | | FK to `SA_SQLServer_ServerPrincipals.id` — the server role | +| member_principal | int | | No | | FK | | FK to `SA_SQLServer_ServerPrincipals.id` — the member | + +**Primary Key:** `PK_SA_SQLServer_ServerRoleMembers` on `id` + +**Foreign Keys:** +- `FK_SA_SQLServer_ServerRoleMembers_RolePrincipals` → `SA_SQLServer_ServerPrincipals.id` +- `FK_SA_SQLServer_ServerRoleMembers_MemberPrincipals` → `SA_SQLServer_ServerPrincipals.id` + +--- + +## SA_SQLServer_DatabaseRoleMembers + +**Description:** Maps database role membership relationships. Each row represents one principal's membership in one database role. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| role_principal | int | | No | | FK | | FK to `SA_SQLServer_DatabasePrincipals.id` — the database role | +| member_principal | int | | No | | FK | | FK to `SA_SQLServer_DatabasePrincipals.id` — the member | + +**Primary Key:** `PK_SA_SQLServer_DatabaseRoles` on `id` + +**Foreign Keys:** +- `FK_SA_SQLServer_DatabaseRoleMembers_RolePrincipals` → `SA_SQLServer_DatabasePrincipals.id` +- `FK_SA_SQLServer_DatabaseRoleMembers_MemberPrincipals` → `SA_SQLServer_DatabasePrincipals.id` + +--- + +## SA_SQLServer_EffectiveRoleMembership + +**Description:** Stores the fully resolved (transitive) role membership hierarchy. 
Includes nested memberships with the full `member_path` showing how a principal inherits a role through nested groups. This is a denormalized analysis table. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| instance_id | int | | Yes | | | | Instance reference | +| instance_name | nvarchar | 256 | Yes | | | | Instance name (denormalized) | +| database_id | int | | Yes | | | | Database reference (NULL for server roles) | +| database_name | nvarchar | 256 | Yes | | | | Database name (denormalized) | +| role_name | nvarchar | 128 | Yes | | | | Role name | +| role_id | int | | Yes | | | | Role principal ID | +| role_sid | varchar | 184 | Yes | | | | Role SID as string | +| role_member_name | nvarchar | 128 | Yes | | | | Member name | +| role_member_id | int | | Yes | | | | Member principal ID | +| role_member_sid | varchar | 184 | Yes | | | | Member SID as string | +| role_member_type | nvarchar | 27 | Yes | | | | Member type description | +| member_path | nvarchar | MAX | Yes | | | | Full nesting path (e.g., `Role1 > Role2 > User`) | +| nested_level | int | | Yes | | | | Depth of nesting (0 = direct member) | +| membership_source | int | | Yes | | | | Source system: 0=Unset, 1=SqlServer, 2=ADI, 3=AzureADI, 4=Azure SQL, 5=Azure SQL Managed | +| database_type | int | | Yes | | | | Database platform type | + +**Primary Key:** None (heap table) + +--- + +## SA_SQLServer_PermissionNames + +**Description:** Lookup table mapping SQL Server permission type codes to their names (e.g., `SL` → `SELECT`, `EX` → `EXECUTE`). 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| type | nchar | 4 | No | PK | | | Permission type code from `sys.database_permissions` | +| permission_name | nvarchar | 128 | No | | | | Human-readable permission name | + +**Primary Key:** `PK_SA_SQLServer_PermissionNames` on `type` + +**Unique Constraints:** +- `UQ_SA_SQLServer_PermissionNames_Type` on `type` +- `UQ_SA_SQLServer_PermissionNames_PermissionName` on `permission_name` + +--- + +## SA_SQLServer_PermissionClasses + +**Description:** Lookup table mapping permission class codes to descriptions (e.g., 0=SERVER, 1=DATABASE, 100=SERVER_PRINCIPAL). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| class | tinyint | | No | PK | | | Permission class ID from `sys.database_permissions` | +| class_desc | nvarchar | 120 | No | | | | Class description (DATABASE, OBJECT_OR_COLUMN, etc.) | + +**Primary Key:** `PK_PermissionClasses` on `class` + +**Unique Constraints:** +- `UQ_SA_SQLServer_PermissionClasses_Class` on `class` +- `UQ_SA_SQLServer_PermissionClasses_ClassDesc` on `class_desc` + +--- + +## SA_SQLServer_PermissionStates + +**Description:** Lookup table mapping permission state codes to descriptions (e.g., `G` → `GRANT`, `D` → `DENY`). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| state | nchar | 1 | No | PK | | | Permission state code | +| state_desc | nvarchar | 120 | No | | | | State description (GRANT, DENY, REVOKE, GRANT_WITH_GRANT_OPTION) | + +**Primary Key:** `PK_SA_SQLServer_PermissionStates` on `state` + +**Unique Constraints:** +- `UQ_SA_SQLServer_PermissionStates_State` on `state` +- `UQ_SA_SQLServer_PermissionStates_StateDesc` on `state_desc` + +--- + +## SA_SQLServer_ServerPermissions + +**Description:** Stores server-level permissions. 
Each row maps a grantee, grantor, permission type, and state for a server-scope securable. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | FK | | FK to `SA_SQLServer_Instances.id` (CASCADE) | +| class | tinyint | | No | | FK | | FK to `SA_SQLServer_PermissionClasses.class` (CASCADE) | +| major_id | int | | No | | | | Major securable ID | +| minor_id | int | | No | | | | Minor securable ID (column-level) | +| grantee_principal | int | | No | | FK | | FK to `SA_SQLServer_ServerPrincipals.id` | +| grantor_principal | int | | No | | FK | | FK to `SA_SQLServer_ServerPrincipals.id` | +| type | nchar | 4 | No | | FK | | FK to `SA_SQLServer_PermissionNames.type` (CASCADE) | +| state | nchar | 1 | No | | FK | | FK to `SA_SQLServer_PermissionStates.state` (CASCADE) | + +**Primary Key:** `PK_SA_SQLServer_ServerPermissions` on `id` + +**Foreign Keys:** +- `FK_SA_SQLServer_ServerPermissions_Instances` → `SA_SQLServer_Instances.id` (CASCADE) +- `FK_SA_SQLServer_ServerPermissions_PermissionClasses` → `SA_SQLServer_PermissionClasses.class` (CASCADE) +- `FK_SA_SQLServer_ServerPermissions_PermissionNames` → `SA_SQLServer_PermissionNames.type` (CASCADE) +- `FK_SA_SQLServer_ServerPermissions_PermissionStates` → `SA_SQLServer_PermissionStates.state` (CASCADE) +- `FK_SA_SQLServer_ServerPermissions_GranteeServerPrincipals` → `SA_SQLServer_ServerPrincipals.id` +- `FK_SA_SQLServer_ServerPermissions_GrantorServerPrincipals` → `SA_SQLServer_ServerPrincipals.id` + +--- + +## SA_SQLServer_DatabasePermissions + +**Description:** Stores database-level permissions. Each row maps a grantee, grantor, permission type, and state for a database-scope securable. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| database_id | int | | No | | FK | | FK to `SA_SQLServer_Databases.id` | +| class | tinyint | | No | | FK | | FK to `SA_SQLServer_PermissionClasses.class` (CASCADE) | +| major_id | int | | No | | | | Major securable ID (object, schema, etc.) | +| minor_id | int | | No | | | | Minor securable ID (column) | +| grantee_principal | int | | No | | FK | | FK to `SA_SQLServer_DatabasePrincipals.id` | +| grantor_principal | int | | No | | FK | | FK to `SA_SQLServer_DatabasePrincipals.id` | +| type | nchar | 4 | No | | FK | | FK to `SA_SQLServer_PermissionNames.type` | +| state | nchar | 1 | No | | FK | | FK to `SA_SQLServer_PermissionStates.state` | + +**Primary Key:** `PK_SA_SQLServer_DatabasePermissions` on `id` + +**Foreign Keys:** +- `FK_SA_SQLServer_DatabasePermissions_Databases` → `SA_SQLServer_Databases.id` +- `FK_SA_SQLServer_DatabasePermissions_GranteeDatabasePrincipals` → `SA_SQLServer_DatabasePrincipals.id` +- `FK_SA_SQLServer_DatabasePermissions_GrantorDatabasePrincipals` → `SA_SQLServer_DatabasePrincipals.id` +- `FK_SA_SQLServer_DatabasePermissions_PermissionClasses` → `SA_SQLServer_PermissionClasses.class` (ON DELETE CASCADE) +- `FK_SA_SQLServer_DatabasePermissions_PermissionNames` → `SA_SQLServer_PermissionNames.type` +- `FK_SA_SQLServer_DatabasePermissions_PermissionStates` → `SA_SQLServer_PermissionStates.state` + +**Indexes:** `SA_SQLServer_DatabasePermissions_Database_Id_Grantee_Principal_IX` on `(database_id, grantee_principal)` INCLUDE `(id, class, major_id, minor_id, grantor_principal, type, state)` + +--- + +## SA_SQLServer_AsymmetricKeys + +**Description:** Stores asymmetric key metadata discovered in databases. Maps `sys.asymmetric_keys`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| database_id | int | | No | | FK | | FK to `SA_SQLServer_Databases.id` | +| name | nvarchar | 128 | No | | | | Key name | +| database_principal | int | | Yes | | FK | | FK to `SA_SQLServer_DatabasePrincipals.id` | +| asymmetric_key_id | int | | Yes | | | | Native key ID | +| pvt_key_encryption_type | nchar | 2 | Yes | | | | Private key encryption type code | +| pvt_key_encryption_type_desc | nvarchar | 120 | Yes | | | | Encryption type description | +| thumbprint | varbinary | 32 | Yes | | | | Key thumbprint | +| algorithm | nchar | 2 | Yes | | | | Algorithm code | +| algorithm_desc | nvarchar | 120 | Yes | | | | Algorithm description | +| key_length | int | | Yes | | | | Key length in bits | +| public_key | varbinary | MAX | Yes | | | | Public key bytes | +| sid | varbinary | 85 | Yes | | | | SID mapped to the key | +| string_sid | nvarchar | 128 | Yes | | | | SID as string | +| attested_by | nvarchar | 260 | Yes | | | | Attestation path | +| provider_type | nvarchar | 120 | Yes | | | | Cryptographic provider type | +| cryptographic_provider_guid | uniqueidentifier | | Yes | | | | Provider GUID | +| cryptographic_provider_algid | sql_variant | | Yes | | | | Provider algorithm ID | + +**Primary Key:** None + +**Unique Constraints:** `UQ_SA_SQLServer_AsymmetricKeys_Type` on `(database_id, name)` + +**Foreign Keys:** +- `FK_SA_SQLServer_AsymmetricKeys_Databases` → `SA_SQLServer_Databases.id` +- `FK_SA_SQLServer_AsymmetricKeys_DatabasePrincipal` → `SA_SQLServer_DatabasePrincipals.id` + +--- + +## SA_SQLServer_AuditInformation + +**Description:** Stores SQL Server audit configuration metadata. Each row represents one audit definition on an instance. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | | | Reference to hosting instance | +| database_id | int | | Yes | | | | Database scope (used by Azure Activity) | +| audit_id | int | | No | | | | Native audit ID | +| name | nvarchar | 128 | No | | | | Audit name | +| audit_guid | uniqueidentifier | | Yes | | | | Audit GUID | +| create_date | datetime | | No | | | | Audit creation date | +| modify_date | datetime | | No | | | | Last modification date | +| principal_id | int | | Yes | | | | Owner principal | +| type | char | 2 | No | | | | Audit type (SL=Security Log, AL=Application Log, FL=File) | +| type_desc | nvarchar | 120 | Yes | | | | Type description | +| on_failure | tinyint | | Yes | | | | Failure action code | +| on_failure_desc | nvarchar | 120 | Yes | | | | Failure action description | +| is_state_enabled | bit | | Yes | | | | Whether audit is enabled | +| queue_delay | int | | Yes | | | | Queue delay in milliseconds | +| predicate | nvarchar | 3000 | Yes | | | | Filter predicate expression | +| status_desc | nvarchar | 512 | Yes | | | | Current status description | +| status_time | datetime2 | | Yes | | | | Status timestamp | +| event_session_address | varbinary | 8 | Yes | | | | Extended events session address | +| audit_file_path | nvarchar | 1024 | Yes | | | | File path for file-based audits | +| audit_file_size | bigint | | Yes | | | | Current audit file size | +| max_file_size | bigint | | Yes | | | | Maximum file size | +| max_rollover_files | int | | Yes | | | | Maximum rollover file count | +| max_files | int | | Yes | | | | Maximum total file count | +| reserve_disk_space | int | | Yes | | | | Disk space reservation | +| log_file_path | nvarchar | 1024 | Yes | | | | Log file path | +| log_file_name | nvarchar | 520 | Yes | | | | Log file name | + +**Primary Key:** 
`PK_SA_SQLServer_AuditInformation` on `id` + +--- + +## SA_SQLServer_AuditFiles + +**Description:** Stores audit file paths. Multiple files can be associated with one audit via rollover. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| audit_id | int | | Yes | | FK | | FK to `SA_SQLServer_AuditInformation.id` (CASCADE) | +| audit_file_path | nvarchar | 1024 | No | | | | Full path to the audit file | +| md5_audit_file_path | varbinary | 16 | Yes | | | | **Computed column:** `CONVERT(varbinary(16), HASHBYTES('MD5', audit_file_path))`. MD5 hash for uniqueness lookups | + +**Primary Key:** `PK_SA_SQLServer_AuditFiles` on `id` + +**Foreign Keys:** `FK_SA_SQLServer_AuditFiles_AuditId` → `SA_SQLServer_AuditInformation.id` (ON DELETE CASCADE) + +**Indexes:** `UQ_SA_SQLServer_AuditFiles_Path_Audit_Id` — UNIQUE on `(audit_id, md5_audit_file_path)` WHERE `audit_id IS NOT NULL` + +--- + +## SA_SQLServer_AuditClassType + +**Description:** Lookup table for audit class type codes used in audit events. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| class_type | nchar | 2 | No | PK | | | Two-character class type code | +| class_type_desc | nvarchar | 120 | No | | | | Class type description (e.g., SERVER, DATABASE) | +| securable_class_desc | nvarchar | 120 | No | | | | Associated securable class | + +**Primary Key:** `PK_SA_SQLServer_AuditClassType` on `class_type` + +--- + +## SA_SQLServer_AuditActions + +**Description:** Lookup table for audit action types. Maps action IDs to human-readable names. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| action_id | nvarchar | 4 | No | | | | Action code (e.g., LGIS, LGIF, SL, EX) | +| class_type | nchar | 2 | No | | | | Class type this action applies to | +| parent_class_type | nchar | 2 | Yes | | | | Parent class type (for nested actions) | +| name | nvarchar | 128 | No | | | | Action name (e.g., LOGIN_SUCCEEDED, SELECT) | + +**Primary Key:** None + +**Unique Constraints:** `UQ_SA_SQLServer_AuditActions` on `(action_id, class_type, parent_class_type)` + +--- + +## SA_SQLServer_Statements + +**Description:** Stores unique SQL statements captured in audit events. Uses MD5 deduplication to avoid storing identical statements repeatedly. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| statement | nvarchar | 4000 | No | | | | SQL statement text | +| md5_statement | varbinary | 16 | Yes | | | | **Computed column:** `CONVERT(varbinary(16), HASHBYTES('MD5', statement))`. MD5 hash for deduplication | + +**Primary Key:** `PK_SA_SQLServer_Queries` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_Statements_Statement` on `md5_statement` + +--- + +## SA_SQLServer_AdditionalInformation + +**Description:** Stores unique `additional_information` XML fragments from audit events. MD5-deduplicated. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| additional_information | nvarchar | 4000 | No | | | | Additional information text from audit event | +| md5_additional_information | varbinary | 16 | Yes | | | | **Computed column:** `CONVERT(varbinary(16), HASHBYTES('MD5', additional_information))`. 
MD5 hash for deduplication | + +**Primary Key:** `PK_SA_SQLServer_AdditionalInformation` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_AdditionalInformation_AdditionalInformation` on `md5_additional_information` + +--- + +## SA_SQLServer_UserEvents + +**Description:** Stores unique user-defined event information from audit records. MD5-deduplicated. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | | | Reference to hosting instance | +| user_defined_event_id | smallint | | No | | | | User event ID code | +| user_defined_information | nvarchar | 4000 | No | | | | User-defined event payload | +| md5_user_defined_information | varbinary | 16 | Yes | | | | **Computed column:** `CONVERT(varbinary(16), HASHBYTES('MD5', user_defined_information))`. MD5 hash for deduplication | + +**Primary Key:** `PK_SA_SQLServer_UserEvents` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_UserEvents_UserDefinedInformation` on `md5_user_defined_information` + +**Indexes:** `SA_SQLServer_UserEvents_user_defined_event_id_IDX` on `user_defined_event_id` (nonclustered) + +--- + +## SA_SQLServer_Events + +**Description:** Central audit event fact table. Stores one row per audit event. Has extensive foreign keys to dimension/lookup tables for normalization. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| event_time | datetime2(7) | | No | | | | Event timestamp with high precision | +| sequence_number | int | | No | | | | Sequence within the same timestamp | +| action_id | varchar | 4 | Yes | | | | Audit action code (e.g., LGIS, SL) | +| succeeded | bit | | No | | | | Whether the action succeeded | +| session_id | smallint | | No | | | | SQL Server session ID | +| object_id | int | | No | | | | Target object ID | +| object_name | nvarchar | 128 | Yes | | | | Target object name | +| class_type | varchar | 2 | Yes | | | | Audit class type code | +| schema_name | nvarchar | 128 | Yes | | | | Schema of the target object | +| audit_file_offset | bigint | | No | | | | Byte offset within the audit file | +| audit_schema_version | int | | Yes | | | | Audit schema version | +| sequence_group_id | varbinary | 85 | Yes | | | | Sequence group identifier | +| file_id | int | | Yes | | FK | | FK to `SA_SQLServer_AuditFiles.id` | +| instance_id | int | | Yes | | FK | | FK to `SA_SQLServer_Instances.id` | +| database_id | int | | Yes | | FK | | FK to `SA_SQLServer_EventDatabases.id` | +| server_principal | int | | Yes | | FK | | FK to `SA_SQLServer_EventServerPrincipals.id` | +| session_server_principal | int | | Yes | | FK | | FK to `SA_SQLServer_EventServerPrincipals.id` | +| database_principal | int | | Yes | | FK | | FK to `SA_SQLServer_EventDatabasePrincipals.id` | +| target_server_principal | int | | Yes | | FK | | FK to `SA_SQLServer_EventServerPrincipals.id` | +| target_database_principal | int | | Yes | | FK | | FK to `SA_SQLServer_EventDatabasePrincipals.id` | +| permission_bitmask | varbinary | 16 | Yes | | | | Permission bitmask | +| is_column_permission | bit | | Yes | | | | Whether this is a column-level permission | +| statement_id | int | | Yes | | FK | | FK to `SA_SQLServer_Statements.id` | +| additional_information_id | int | | Yes | | FK | | FK 
to `SA_SQLServer_AdditionalInformation.id` | +| user_event_id | int | | Yes | | FK | | FK to `SA_SQLServer_UserEvents.id` | +| client_ip | nvarchar | 128 | Yes | | | | Client IP address | +| application_name | nvarchar | 128 | Yes | | | | Application name from the connection | + +**Primary Key:** None (heap table — events are append-only) + +**Foreign Keys (11):** +- `FK_SA_SQLServer_Events_Instances` → `SA_SQLServer_Instances.id` +- `FK_SA_SQLServer_Events_EventDatabases` → `SA_SQLServer_EventDatabases.id` +- `FK_SA_SQLServer_Events_FileId` → `SA_SQLServer_AuditFiles.id` +- `FK_SA_SQLServer_Events_EventServerPrincipals` → `SA_SQLServer_EventServerPrincipals.id` +- `FK_SA_SQLServer_Events_SessionEventServerPrincipals` → `SA_SQLServer_EventServerPrincipals.id` +- `FK_SA_SQLServer_Events_TargetEventServerPrincipals` → `SA_SQLServer_EventServerPrincipals.id` +- `FK_SA_SQLServer_Events_EventDatabasePrincipals` → `SA_SQLServer_EventDatabasePrincipals.id` +- `FK_SA_SQLServer_Events_TargetEventDatabasePrincipals` → `SA_SQLServer_EventDatabasePrincipals.id` +- `FK_SA_SQLServer_Events_Statements` → `SA_SQLServer_Statements.id` +- `FK_SA_SQLServer_Events_AdditionalInformation` → `SA_SQLServer_AdditionalInformation.id` +- `FK_SA_SQLServer_Events_UserEvents` → `SA_SQLServer_UserEvents.id` + +**Indexes:** `UQ_SA_SQLServer_Events_StaleDataLookup` on `(file_id, event_time)` (nonclustered, non-unique despite UQ_ prefix) + +> **Note:** Despite the `UQ_` prefix used in some environments, this index is **not unique** per the live schema (`is_unique = 0`). + +--- + +## SA_SQLServer_ExpressionDependencies + +**Description:** Stores SQL expression dependencies between database objects. Mirrors `sys.sql_expression_dependencies`. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | bigint | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | | | Instance reference | +| database_id | int | | No | | | | Database reference | +| referencing_id | int | | No | | | | Object ID of the referencing entity | +| referencing_minor_id | int | | No | | | | Column ID of the referencing entity | +| referencing_class | tinyint | | Yes | | | | Referencing entity class | +| referencing_class_desc | nvarchar | 60 | Yes | | | | Referencing class description | +| is_schema_bound_reference | bit | | No | | | | Whether this is a schema-bound reference | +| referenced_class | tinyint | | Yes | | | | Referenced entity class | +| referenced_class_desc | nvarchar | 60 | Yes | | | | Referenced class description | +| referenced_server_name | nvarchar | 256 | Yes | | | | Cross-server reference target | +| referenced_database_name | nvarchar | 256 | Yes | | | | Cross-database reference target | +| referenced_schema_name | nvarchar | 256 | Yes | | | | Referenced schema | +| referenced_entity_name | nvarchar | 256 | Yes | | | | Referenced entity name | +| referenced_id | int | | Yes | | | | Referenced object ID | +| referenced_minor_id | int | | No | | | | Referenced column ID | +| is_caller_dependent | bit | | No | | | | Caller-dependent resolution flag | +| is_ambiguous | bit | | No | | | | Ambiguous reference flag | +| referencing_schema_name | nvarchar | 256 | Yes | | | | Referencing schema name | +| referencing_object_name | nvarchar | 256 | Yes | | | | Referencing object name | + +**Primary Key:** Auto-generated on `id` + +**Indexes:** `IDX_SA_SQLServer_ExpressionDependencies_Ids` on `(instance_id, database_id, referencing_id)` + +--- + +## SA_SQLServer_SDD_Criteria + +**Description:** Stores Sensitive Data Discovery (SDD) pattern criteria definitions. 
Each criterion defines a pattern to match (e.g., SSN, credit card numbers). + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| name | nvarchar | MAX | No | | | | Criteria name (e.g., "Social Security Number") | +| pattern_guid | uniqueidentifier | | No | | | | Unique GUID identifying the pattern definition | + +**Primary Key:** `PK_SA_SQLServer_SDD_Criteria` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_SDD_Criteria_pattern` on `pattern_guid` + +--- + +## SA_SQLServer_SDD_InstanceCriteria + +**Description:** Junction table linking SDD criteria to instances they should be scanned against. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| instance_id | int | | No | | FK | | FK to `SA_SQLServer_Instances.id` | +| criteria_id | int | | No | | FK | | FK to `SA_SQLServer_SDD_Criteria.id` | + +--- + +## SA_SQLServer_SDD_DatabaseCriteria + +**Description:** Junction table linking SDD criteria to specific databases. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| database_id | int | | No | | FK | | FK to `SA_SQLServer_Databases.id` | +| criteria_id | int | | No | | FK | | FK to `SA_SQLServer_SDD_Criteria.id` | + +**Indexes:** `SA_SQLServer_SDD_DatabaseCriteria_database_id` on `database_id` + +--- + +## SA_SQLServer_SDD_ResourceTypes + +**Description:** Lookup table for SDD resource types (e.g., Table, Column, Instance, Database). 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | tinyint | | No | PK | | | Resource type ID | +| type_desc | nvarchar | 100 | No | | | | Resource type description | + +**Primary Key:** `PK_SA_SQLServer_ResourceTypes` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_ResourceTypes_TypeDesc` on `type_desc` + +--- + +## SA_SQLServer_SDD_Resources + +**Description:** Stores scannable resources (instances, databases, tables, columns) for SDD. Each resource represents a specific scope that can be scanned for sensitive data. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | bigint | | No | PK | | IDENTITY | Surrogate primary key | +| type | tinyint | | No | | FK | | FK to `SA_SQLServer_SDD_ResourceTypes.id` | +| instance_id | int | | No | | FK | | FK to `SA_SQLServer_Instances.id` | +| database_id | int | | Yes | | FK | | FK to `SA_SQLServer_Databases.id` | +| object_id | bigint | | Yes | | FK | | FK to `SA_SQLServer_Objects.id` | +| column_id | int | | Yes | | | | Column ordinal (if column-level resource) | +| last_scanned | int | | Yes | | FK | | FK to `SA_SQLServer_SDD_ScanHistory.id` | + +**Primary Key:** `PK_SA_SQLServer_SDD_Resources` on `id` + +**Unique Constraints:** `UQ_SA_SQLServer_SDD_Resources_Resource` on `(type, instance_id, database_id, object_id, column_id)` + +**Indexes:** `SA_SQLServer_SDD_Resources_Database_Id_Object_Id_IX` on `(database_id, object_id)` (nonclustered) + +--- + +## SA_SQLServer_SDD_Matches + +**Description:** Stores aggregate match results — how many times a criteria pattern matched within a resource. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| resource_id | bigint | | No | | FK | | FK to `SA_SQLServer_SDD_Resources.id` | +| criteria_id | int | | No | | FK | | FK to `SA_SQLServer_SDD_Criteria.id` | +| match_count | int | | No | | | | Number of matches found | +| match_location | bigint | | No | | | `0` | Bitmask: 1=Content, 2=Metadata, 4=Filename | + +--- + +## SA_SQLServer_SDD_MatchHits + +**Description:** Stores individual match hit details — the actual data fragments that matched a criteria pattern. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| resource_id | bigint | | No | | FK | | FK to `SA_SQLServer_SDD_Resources.id` | +| criteria_id | int | | No | | FK | | FK to `SA_SQLServer_SDD_Criteria.id` | +| match_data | nvarchar | 1024 | No | | | | Matched data fragment (potentially masked) | +| hit_column | nvarchar | MAX | Yes | | | | Column name where the hit was found | +| match_location | bigint | | No | | | `0` | Location bitmask | + +--- + +## SA_SQLServer_SDD_MatchHits_SubjectProfile + +**Description:** Links SDD match hits to Subject Profile identities (e.g., mapping a discovered SSN to a known person). Cross-references `SA_SubjectProfile_*` tables. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| resource_id | bigint | | No | PK | FK | | FK to `SA_SQLServer_SDD_Resources.id` (CASCADE) | +| criteria_id | int | | No | PK | FK | | FK to `SA_SQLServer_SDD_Criteria.id` | +| source_id | int | | No | PK | FK | | FK to `SA_SubjectProfile_Sources.Id` | +| identity_id | bigint | | No | PK | FK | | FK to `SA_SubjectProfile_Identities.Id` | +| attribute_id | int | | No | PK | FK | | FK to `SA_SubjectProfile_AttributeValues` (composite) | +| order | int | | No | PK | | | Ordering within the attribute value set | + +**Primary Key:** Composite on `(resource_id, criteria_id, source_id, identity_id, attribute_id, order)` + +--- + +## SA_SQLServer_SDD_ScanHistory + +**Description:** Tracks SDD scan execution history with timestamps and completion status. + +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| instance_id | int | | No | | FK | | FK to `SA_SQLServer_Instances.id` | +| scan_date | datetime2(7) | | No | | | `GETUTCDATE()` | Scan start timestamp | +| aborted | bit | | No | | | `0` | Whether the scan was aborted | +| last_resource_scanned | bigint | | Yes | | FK | | FK to `SA_SQLServer_SDD_Resources.id` (CASCADE); resume point | + +**Primary Key:** `PK_SA_SQLServer_SDD_ScanHistory` on `id` + +--- + +## SA_SQLServer_SDD_SupportedDataTypes + +**Description:** Configuration table listing SQL Server data types that can be scanned by SDD, with conversion rules for binary types. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| id | int | | No | PK | | IDENTITY | Surrogate primary key | +| data_type | nvarchar | 64 | No | | | | SQL Server data type name (e.g., `varchar`, `int`) | +| is_converted | bit | | No | | | `0` | Whether the type requires conversion before scanning | +| is_enabled | bit | | No | | | `0` | Whether scanning is enabled for this type | +| converted_data_type | nvarchar | 128 | Yes | | | | Target data type after conversion | +| converted_data_byte_size | int | | Yes | | | | Byte size of converted type | +| converted_character_set | nvarchar | 128 | Yes | | | | Character set for conversion | + +**Primary Key:** `PK_SA_SQLServer_SDD_SupportedDataTypes` on `id` + +**Unique Constraints:** `IX_SA_SQLServer_SDD_SupportedDataTypes` on `data_type` + +--- + +## SA_SQL_Patches + +**Description:** Schema version tracking table used by the NAA patching system. Records which incremental schema patches have been applied to this database. The `SaSchemaUpdator` component checks this table at runtime to determine which patches are pending and applies them sequentially. Each `Patch_Source` represents a different data collector module, and `Patch_Version` is incremented with each schema change for that module. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| Patch_Source | nvarchar | 64 | No | PK | | | Data collector module identifier (e.g., `SqlServer`, `Oracle`, `DC`, `MySQL`, `PostgreSql`, `Db2LUW`, `AzureSqlStandalone`) | +| Patch_Version | int | | No | PK | | | Sequential patch version number; version 1 = initial table creation, versions 2+ = incremental schema modifications | + +**Primary Key:** `PK_SA_SQL_Patches` on `(Patch_Source, Patch_Version)` + +**Patching Architecture:** +- **Version 1** for each source is the initial `CREATE TABLE` script (marked `AlwaysRun = true` — re-executed every run for idempotent initialization) +- **Versions 2+** are incremental patches (e.g., `SqlServer_1_2.sql` through `SqlServer_1_15.sql`) that alter columns, add indexes, etc. +- Patches marked `IsCritical = true` (default) halt the updater on failure; non-critical patches log errors and continue +- The `SelfInsertsPatchRecord` flag allows patches to manage their own version tracking entry +- Thread-safe: `SaSchemaUpdator` uses a static lock to prevent concurrent schema modifications + +**Patch Levels:** + +| Patch_Source | Versions Applied | Latest Version | +|---|---|---| +| SqlServer | 1–15 | 15 | +| Oracle | 1–9 | 9 | +| DC | 3, 4, 5, 7, 8 | 8 | +| MySQL | 1–2 | 2 | +| PostgreSql | 1, 3 | 3 | +| Db2LUW | 1 | 1 | +| AzureSqlServer | 1 | 1 | + +--- + +## SA_SQL_Instances + +**Description:** Central cross-module instance registry table. Stores metadata about all monitored SQL Server instances and is referenced by the `sql_instance_id` column in `SA_SQLServer_Instances` and by multiple views via `database_usage_mode`. This table is shared across all database collector modules (SQL Server, Oracle, MySQL, PostgreSQL, Db2 LUW). 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| instance_id | int | | No | PK | | IDENTITY | Auto-incrementing surrogate primary key | +| instance_label | nvarchar | 256 | No | | | | Unique display label for the instance | +| service_name | nvarchar | 128 | Yes | | | | Named instance or service/database name | +| is_active | bit | | No | | | `1` | Whether the instance is currently active for data collection | +| enable_impersonation | bit | | No | | | `0` | Whether Windows impersonation is enabled for connecting to this instance | +| database_type | int | | No | | | | Database platform type (see Section 6.11) | +| host_name | nvarchar | 150 | No | | | | Server hostname or IP address | +| port_number | int | | No | | | | TCP port number | +| database_usage_mode | int | | No | | | `0` | Usage mode: 0=On-Premises, other values for cloud deployments | +| default_database_name | nvarchar | 150 | Yes | | | | Default database name for the connection | +| was_inspected | bit | | No | | | `0` | Whether the instance has been inspected/discovered | +| inspected_date | datetime2 | | No | | | `1950-01-01` | Timestamp of last inspection | +| connection_string | nvarchar | 1024 | Yes | | | | Stored connection string for the instance | + +**Primary Key:** `PK_SA_SQL_Instances` on `instance_id` + +**Unique Constraints:** +- `UQ_SA_SQL_Instances` on `instance_label` +- `UQ_SA_SQL_Instances_Host_Name_Service_Name_Port` on `(host_name, service_name, port_number)` + +--- + +## SA_SQL_PasswordIssues_LIST + +**Description:** Stores password audit list metadata used by the password issues scan. Tracks which password lists have been applied to which hosts, with versioning to detect when lists need updating. 
+ +| Column Name | Data Type | Size | Nullable | PK | FK | Default | Description | +|---|---|---|---|---|---|---|---| +| SA_HOST | varchar | 255 | No | | | | Target host identifier | +| rowGUID | uniqueidentifier | | No | | | `NEWSEQUENTIALID()` | Unique row identifier | +| JobRunTimeKey | smalldatetime | | Yes | | | | Job execution timestamp key | +| HOST | varchar | 255 | Yes | | | | Host name | +| HOSTSTATUS | varchar | 20 | Yes | | | | Host processing status | +| SequenceID | varchar | 64 | Yes | | | | Sequence identifier | +| ListVersion | varchar | 256 | Yes | | | | Password list version | +| DbListVersion | varchar | 256 | Yes | | | | Database-stored list version | +| Updated | varchar | 5 | Yes | | | | Whether the list was updated (True/False) | +| TableName | varchar | 256 | Yes | | | | Target table name | +| ROWKEY | varchar | 1600 | Yes | | | | Row key for identifying records | + +**Indexes:** +- `SA_SQL_PasswordIssues_LIST_PK_Index` — UNIQUE on `rowGUID` +- `SA_SQL_PasswordIssues_LIST_Host_Index` on `SA_HOST` +- `SA_SQL_PasswordIssues_LIST_JobRuntimeKey_Index` on `JobRunTimeKey` + diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/_category_.json new file mode 100644 index 0000000000..1ae864a8b0 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Enumeration & Lookup Values Reference", + "position": 40, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/overview.md new file mode 100644 index 0000000000..8ff9afaedf --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/enumeration/overview.md 
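Review bot: the `SA_SQL_Patches` section contradicts itself on the Azure source name: the `Patch_Source` column description lists `AzureSqlStandalone`, but the Patch Levels table has a row for `AzureSqlServer`; check the live table and use the one identifier in both places. Smaller points in the same file: `SA_SQL_Instances.database_type` says "see Section 6.11", a section number from the original monolithic document that does not exist on the doc site, so link to the enumeration page instead; `SA_SQLServer_Statements` lists its primary key as `PK_SA_SQLServer_Queries`, which does not match the table name, so confirm that is the real constraint name rather than a copy-paste slip; `SA_SQLServer_ExpressionDependencies` says "Auto-generated on `id`" where every other table names the constraint; and `SA_SQLServer_SDD_InstanceCriteria`, `SA_SQLServer_SDD_Matches` and `SA_SQLServer_SDD_MatchHits` mark columns as FK but have no Foreign Keys section and no Primary Key line, so either add the constraint names or state that none are defined, as the other tables do. The UNIQUE constraints on the MD5 computed columns (`UQ_SA_SQLServer_Statements_Statement`, `UQ_SA_SQLServer_AdditionalInformation_AdditionalInformation`, `UQ_SA_SQLServer_UserEvents_UserDefinedInformation`) mean two different texts with the same MD5 digest would fail to insert rather than both being stored; that is worth a sentence in the dedup descriptions as a known limitation. Finally, `SA_SQL_Instances.connection_string` is documented only as "Stored connection string for the instance"; for a security product the page should say whether that value can carry credentials and how it is protected at rest, and likewise whether `SA_SQLServer_SDD_MatchHits.match_data` ("potentially masked") is masked before storage or only on display.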
@@ -0,0 +1,277 @@ +# Enumeration & Lookup Values Reference + +This section documents the possible values stored in lookup/enumeration tables and coded columns used throughout the schema. These serve as the domain constraints for foreign key and type columns in the core data collection tables. + +--- + +## Server Principal Types (`SA_SQLServer_ServerPrincipalTypes`) + +Referenced by `SA_SQLServer_ServerPrincipals.type`. Values are populated at runtime from `sys.server_principals` on each target instance. + +| Code | Description | +|---|---| +| `C` | CERTIFICATE_MAPPED_LOGIN | +| `E` | EXTERNAL_LOGIN | +| `G` | WINDOWS_GROUP | +| `K` | ASYMMETRIC_KEY_MAPPED_LOGIN | +| `R` | SERVER_ROLE | +| `S` | SQL_LOGIN | +| `U` | WINDOWS_LOGIN | + +:::note +Actual values present in the database depend on the SQL Server version and instance configuration. Types `E` (EXTERNAL_LOGIN) and `K` (ASYMMETRIC_KEY_MAPPED_LOGIN) may not be present on all instances. +::: +--- + +## Database Principal Types (`SA_SQLServer_DatabasePrincipalTypes`) + +Referenced by `SA_SQLServer_DatabasePrincipals.type`. Values are populated at runtime from `sys.database_principals` on each target instance. + +| Code | Description | +|---|---| +| `C` | CERTIFICATE_MAPPED_USER | +| `E` | EXTERNAL_USER | +| `G` | WINDOWS_GROUP | +| `K` | ASYMMETRIC_KEY_MAPPED_USER | +| `R` | DATABASE_ROLE | +| `S` | SQL_USER | +| `U` | WINDOWS_USER | +| `X` | EXTERNAL_GROUP | + +:::note +Actual values present in the database depend on the SQL Server version and instance configuration. Types `E` (EXTERNAL_USER), `K` (ASYMMETRIC_KEY_MAPPED_USER), and `X` (EXTERNAL_GROUP) may not be present on all instances. +::: +--- + +## Permission States (`SA_SQLServer_PermissionStates`) + +Referenced by `SA_SQLServer_ServerPermissions.state` and `SA_SQLServer_DatabasePermissions.state`. Values are populated at runtime from `sys.server_permissions` and `sys.database_permissions`. 
+ +| Code | Description | +|---|---| +| `D` | DENY | +| `G` | GRANT | +| `R` | REVOKE | +| `W` | GRANT_WITH_GRANT_OPTION | + +:::note +These are the four standard SQL Server permission states. The most commonly encountered are `D` (DENY) and `G` (GRANT). +::: +--- + +## Permission Classes (`SA_SQLServer_PermissionClasses`) + +Referenced by `SA_SQLServer_ServerPermissions.class` and `SA_SQLServer_DatabasePermissions.class`. Values are populated at runtime from `sys.server_permissions` and `sys.database_permissions`. + +| Code | Description | +|---|---| +| `0` | DATABASE | +| `1` | OBJECT_OR_COLUMN | +| `3` | SCHEMA | +| `4` | DATABASE_PRINCIPAL | +| `5` | ASSEMBLY | +| `6` | TYPE | +| `10` | XML_SCHEMA_COLLECTION | +| `11` | MESSAGE_TYPE | +| `12` | SERVICE_CONTRACT | +| `13` | SERVICE | +| `14` | REMOTE_SERVICE_BINDING | +| `15` | ROUTE | +| `16` | FULLTEXT_CATALOG | +| `17` | SYMMETRIC_KEY | +| `18` | CERTIFICATE | +| `19` | ASYMMETRIC_KEY | +| `100` | SERVER | +| `105` | ENDPOINT | + +:::note + Actual values present in the database depend on the SQL Server version and which features are in use. Not all classes will be present on every instance. +::: +--- + +## Permission Names (`SA_SQLServer_PermissionNames`) + +Referenced by `SA_SQLServer_ServerPermissions.type` and `SA_SQLServer_DatabasePermissions.type`. Values are populated at runtime from `sys.server_permissions` and `sys.database_permissions`. The table below lists commonly encountered permission names; additional permissions may be present depending on SQL Server version and features in use. 
+ +| Code | Permission Name | +|---|---| +| `AAES` | ALTER ANY EVENT SESSION | +| `ALAG` | ALTER ANY AVAILABILITY GROUP | +| `AUTH` | AUTHENTICATE SERVER | +| `CADB` | CONNECT ANY DATABASE | +| `CL` | CONTROL SERVER | +| `CO` | CONNECT | +| `COSQ` | CONNECT SQL | +| `CRTB` | CREATE TABLE | +| `DL` | DELETE | +| `EX` | EXECUTE | +| `IM` | IMPERSONATE | +| `IN` | INSERT | +| `RF` | REFERENCES | +| `SL` | SELECT | +| `UP` | UPDATE | +| `VW` | VIEW DEFINITION | +| `VWAD` | VIEW ANY DEFINITION | +| `VWCK` | VIEW ANY COLUMN ENCRYPTION KEY DEFINITION | +| `VWCM` | VIEW ANY COLUMN MASTER KEY DEFINITION | +| `VWDB` | VIEW ANY DATABASE | +| `VWSS` | VIEW SERVER STATE | + +--- + +## Audit Class Types (`SA_SQLServer_AuditClassType`) + +Referenced by `SA_SQLServer_AuditActions.class_type` and `SA_SQLServer_Events.class_type`. The full list contains 107 entries; the most commonly encountered types are shown below. + +| Code | Description | Code | Description | +|---|---|---|---| +| `A` | SERVER AUDIT | `OB` | OBJECT | +| `AK` | ASYMMETRIC KEY | `P` | STORED PROCEDURE | +| `AR` | APPLICATION ROLE | `PK` | PRIMARY KEY | +| `AS` | ASSEMBLY | `RL` | ROLE | +| `CR` | CERTIFICATE | `S` | TABLE SYSTEM | +| `DA` | DATABASE AUDIT SPECIFICATION | `SA` | SERVER AUDIT SPECIFICATION | +| `DB` | DATABASE | `SC` | SCHEMA | +| `EP` | ENDPOINT | `SE` | EVENT SESSION | +| `FN` | FUNCTION SCALAR SQL | `SG` | SERVER ROLE | +| `IF` | FUNCTION TABLE-VALUED INLINE SQL | `SK` | SYMMETRIC KEY | +| `IT` | INTERNAL TABLE | `SL` | SQL LOGIN | +| `IX` | INDEX | `SN` | SYNONYM | +| `LX` | LOGIN | `SO` | SEQUENCE OBJECT | +| `MK` | MASTER KEY | `SR` | SERVER | +| `U` | TABLE | `V` | VIEW | +| `US` | USER | `X` | STORED PROCEDURE EXTENDED | + +> **Full list:** 107 class types are defined. 
Additional types include `AF` (AGGREGATE), `AG` (AVAILABILITY GROUP), `AL` (ASYMMETRIC KEY LOGIN), `AQ` (ADHOC QUERY), `BN` (REMOTE SERVICE BINDING), `C` (CHECK CONSTRAINT), `CD` (CREDENTIAL), `CK` (COLUMN ENCRYPTION KEY), `CM` (COLUMN MASTER KEY), `CO` (SERVER CONFIG), `CP` (CRYPTOGRAPHIC PROVIDER), `CT` (CONTRACT), `DT` (TRIGGER DATABASE), `ED` (EXTERNAL DATA SOURCE), `EN` (EVENT NOTIFICATION), `FC` (FULLTEXT CATALOG), `FL` (FULLTEXT STOPLIST), `FP` (SEARCH PROPERTY LIST), `FS` (FUNCTION SCALAR ASSEMBLY), `FT` (FUNCTION TABLE-VALUED ASSEMBLY), `MT` (MESSAGE TYPE), `PC` (STORED PROCEDURE ASSEMBLY), `PF` (PARTITION FUNCTION), `PS` (PARTITION SCHEME), `RT` (ROUTE), `SQ` (QUEUE), `ST` (STATISTICS), `SV` (SERVICE), `SX` (XML SCHEMA COLLECTION), `TF` (FUNCTION TABLE-VALUED SQL), `TR` (TRIGGER), `TY` (TYPE), `WG` (WINDOWS GROUP), `WL` (WINDOWS LOGIN), `WU` (WINDOWS USER), and others. + +--- + +## Audit Actions (Common) (`SA_SQLServer_AuditActions`) + +Referenced by `SA_SQLServer_Events.action_id`. The full list contains 173 action definitions; frequently referenced actions are shown below. 
+ +**Login / Logout Actions:** + +| Action ID | Action Name | +|---|---| +| `LGIS` | LOGIN SUCCEEDED | +| `LGIF` | LOGIN FAILED | +| `LGO` | LOGOUT | +| `LGDA` | DISABLE | +| `LGEA` | ENABLE | +| `LGDB` | CHANGE DEFAULT DATABASE | +| `LGLG` | CHANGE DEFAULT LANGUAGE | +| `LGNM` | NAME CHANGE | + +**DML / DDL Actions:** + +| Action ID | Action Name | +|---|---| +| `SL` | SELECT | +| `IN` | INSERT | +| `UP` | UPDATE | +| `DL` | DELETE | +| `EX` | EXECUTE | +| `CR` | CREATE | +| `AL` | ALTER | +| `DR` | DROP | + +**Permission Actions:** + +| Action ID | Action Name | +|---|---| +| `G` | GRANT | +| `D` | DENY | +| `R` | REVOKE | +| `GWG` | GRANT WITH GRANT | +| `DWC` | DENY WITH CASCADE | +| `RWC` | REVOKE WITH CASCADE | +| `RWG` | REVOKE WITH GRANT | + +**Audit Group Actions:** + +| Action ID | Action Name | +|---|---| +| `ADSP` | SERVER_ROLE_MEMBER_CHANGE_GROUP | +| `ADDP` | DATABASE_ROLE_MEMBER_CHANGE_GROUP | +| `GRDB` | DATABASE_PERMISSION_CHANGE_GROUP | +| `GRSV` | SERVER_PERMISSION_CHANGE_GROUP | +| `MNDB` | DATABASE_CHANGE_GROUP | +| `MNSP` | SERVER_PRINCIPAL_CHANGE_GROUP | +| `MNDP` | DATABASE_PRINCIPAL_CHANGE_GROUP | +| `BRDB` | BACKUP_RESTORE_GROUP | +| `LGFL` | FAILED_LOGIN_GROUP | +| `LGSD` | SUCCESSFUL_LOGIN_GROUP | +| `CNAU` | AUDIT_CHANGE_GROUP | + +--- + +## SDD Resource Types (`SA_SQLServer_SDD_ResourceTypes`) + +Referenced by `SA_SQLServer_SDD_Resources.type`. + +| ID | Description | +|---|---| +| `1` | DatabaseName | +| `2` | TableName | +| `3` | ColumnName | +| `4` | ColumnData | +| `5` | Object | +| `6` | TableRow | + +--- + +## SDD Match Location Bitmask + +Used in `SA_SQLServer_SDD_Matches.match_location` and `SA_SQLServer_SDD_MatchHits.match_location`. The underlying column stores an integer bitmask; views decode it to a human-readable string. 
+ +| Value | Decoded String | +|---|---| +| `0` | None | +| `1` | Content | +| `2` | Metadata | +| `3` | Content,Metadata | +| `4` | Filename | +| `5` | Content,Filename | +| `6` | Metadata,Filename | +| `7` | Content,Metadata,Filename | + +--- + +## Membership Source (`SA_SQLServer_EffectiveRoleMembership.membership_source`) + +| Value | Description | +|---|---| +| `0` | Unset | +| `1` | SqlServer | +| `2` | ADI (Active Directory Inventory) | +| `3` | AzureADI (Azure Active Directory Inventory) | +| `4` | Azure SQL | +| `5` | Azure SQL Managed Instance | + +--- + +## Database Type (`SA_SQLServer_EffectiveRoleMembership.database_type`) + +Used to compute the `Database Type` column in `SA_SQLServer_EffectiveRoleMembershipView`. Values correspond to the `DatabaseSystemType` enum defined in `Stealthbits.StealthAUDIT.DataCollectors.Databases.Shared`. + +| Value | Enum Name | Description | +|---|---|---| +| `0` | Unset | Default / not yet determined | +| `1` | SqlServer | On-premise SQL Server | +| `2` | AzureSqlServer | Azure SQL Database (Standalone) | +| `3` | Oracle | Oracle Database | +| `4` | PostgreSql | PostgreSQL | +| `5` | MySql | MySQL | +| `6` | AzureSqlServerManagedInstance | Azure SQL Managed Instance | +| `7` | SaDataSource | StealthAUDIT Data Source | +| `8` | AWSPostgres | AWS PostgreSQL (not currently supported) | +| `9` | AWSMySql | AWS MySQL (not currently supported) | +| `10` | EDBPostgreSql | EDB PostgreSQL (not currently supported) | +| `11` | SqlServerCluster | SQL Server Cluster (not currently supported) | +| `12` | Db2LUW | IBM Db2 LUW | +| `20` | MongoDb | MongoDB | + +:::note +Within the SQL Server Data Collector context, only values `0` (Unset), `1` (SqlServer), `2` (AzureSqlServer), and `6` (AzureSqlServerManagedInstance) are applicable. The remaining values are used by other database collector modules that share the `SA_SQL_Instances` table. +::: \ No newline at end of file 
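Review bot: the Membership Source and Database Type enumerations at the end of this hunk assign different codes to the same platforms (Azure SQL is `4` in `membership_source` but `2` in `database_type`; Managed Instance is `5` versus `6`), and a reader joining the two columns of `SA_SQLServer_EffectiveRoleMembership` will conflate them; add a sentence under Membership Source stating that its values are independent of `database_type`. The closing `:::note` also says the remaining values belong to "other database collector modules that share the `SA_SQL_Instances` table" while the heading ties the enum to `SA_SQLServer_EffectiveRoleMembership.database_type`; state explicitly that `SA_SQL_Instances.database_type` (shown in the ERD hunk) uses the same enum. Two smaller points: the `:::note` under Permission Classes opens with a stray leading space before "Actual values", and this file ends without a trailing newline (`\ No newline at end of file`), unlike the other new markdown files in the patch.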
diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/erd/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/erd/_category_.json new file mode 100644 index 0000000000..a3cfe34ed4 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/erd/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Table Relationship Diagrams (ERD)", + "position": 50, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/erd/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/erd/overview.md new file mode 100644 index 0000000000..470c6aa2c3 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/erd/overview.md 
@@ -0,0 +1,469 @@ +# Table Relationship Diagrams (ERD) + +## High-Level Overview + +The schema is organized into four major subsystems, each detailed in the diagrams below. This overview shows only the top-level entities and how the subsystems connect. + +```mermaid +erDiagram + SA_SQL_Instances { + int instance_id PK + nvarchar instance_label + int database_type + } + + Instances["SA_SQLServer_Instances"] { + int id PK + nvarchar name + int sql_instance_id FK + } + + Databases["SA_SQLServer_Databases"] { + int id PK + int instance_id FK + nvarchar name + } + + Objects["SA_SQLServer_Objects"] { + bigint id PK + int database_id FK + nvarchar name + } + + ServerPrincipals["SA_SQLServer_ServerPrincipals"] { + int id PK + int instance_id FK + nvarchar principal_name + } + + DatabasePrincipals["SA_SQLServer_DatabasePrincipals"] { + int id PK + int database_id FK + nvarchar principal_name + } + + Events["SA_SQLServer_Events"] { + datetime2 event_time + int instance_id FK + int database_id FK + } + + SDD_Resources["SA_SQLServer_SDD_Resources"] { + bigint id PK + int instance_id FK + int database_id FK + } + + SA_SQL_Patches { + nvarchar Patch_Source PK + int Patch_Version PK + } + + SA_SQL_Instances ||--o| Instances : "registers" + Instances ||--o{ Databases : "hosts" + Instances ||--o{ ServerPrincipals : "has logins" + Databases ||--o{ DatabasePrincipals : "has users" + Databases ||--o{ Objects : "contains" + Instances ||--o{ Events : "audited on" + Instances ||--o{ SDD_Resources : "scanned on" + Objects ||--o{ SDD_Resources : "scanned as" +``` + +--- + +## Instance & Database Hierarchy + +Shows how SQL Server instances, databases, schemas, objects, and columns relate. Includes the cross-module instance registry and asymmetric keys. 
+ +```mermaid +erDiagram + SA_SQL_Instances { + int instance_id PK + nvarchar instance_label + nvarchar host_name + int port_number + int database_type + int database_usage_mode + } + + Instances["SA_SQLServer_Instances"] { + int id PK + nvarchar name + int sql_instance_id FK + } + + Databases["SA_SQLServer_Databases"] { + int id PK + int instance_id FK + int database_id + nvarchar name + datetime create_date + datetime2 sa_delete_date + } + + EventDatabases["SA_SQLServer_EventDatabases"] { + int id PK + int instance_id + int active_database_id FK + nvarchar name + } + + Schemas["SA_SQLServer_Schemas"] { + int id PK + int database_id FK + int schema_id + nvarchar name + } + + Objects["SA_SQLServer_Objects"] { + bigint id PK + int instance_id FK + int database_id FK + nvarchar name + nchar type + bit is_deleted + } + + Columns["SA_SQLServer_Columns"] { + bigint object_id FK + nvarchar name + int column_id + bit is_deleted + } + + AsymmetricKeys["SA_SQLServer_AsymmetricKeys"] { + int database_id FK + nvarchar name + int database_principal FK + } + + ExprDeps["SA_SQLServer_ExpressionDependencies"] { + bigint id PK + int instance_id FK + int database_id FK + int referencing_id + } + + SA_SQL_Instances ||--o| Instances : "registers" + Instances ||--o{ Databases : "hosts" + Databases ||--o{ Schemas : "contains" + Databases ||--o{ Objects : "contains" + Databases ||--o{ AsymmetricKeys : "contains" + Objects ||--o{ Columns : "has columns (CASCADE)" + Objects ||--o{ ExprDeps : "referenced by" + EventDatabases }o--o| Databases : "active link" +``` + +--- + +## Principals & Permissions + +Shows server-level and database-level principals, role memberships, permissions, and their shared lookup tables. 
+ +```mermaid +erDiagram + Instances["SA_SQLServer_Instances"] { + int id PK + nvarchar name + } + + Databases["SA_SQLServer_Databases"] { + int id PK + int instance_id FK + } + + SPTypes["SA_SQLServer_ServerPrincipalTypes"] { + nchar type PK + nvarchar type_desc + } + + DPTypes["SA_SQLServer_DatabasePrincipalTypes"] { + nchar type PK + nvarchar type_desc + } + + ServerPrincipals["SA_SQLServer_ServerPrincipals"] { + int id PK + int instance_id FK + nvarchar principal_name + nchar type + bit is_deleted + } + + DatabasePrincipals["SA_SQLServer_DatabasePrincipals"] { + int id PK + int database_id FK + nvarchar principal_name + nchar type FK + bit is_deleted + } + + SqlLogins["SA_SQLServer_SqlLogins"] { + int id PK + int server_principal FK + varbinary password_hash + } + + ServerRoleMembers["SA_SQLServer_ServerRoleMembers"] { + int id PK + int role_principal FK + int member_principal FK + } + + DatabaseRoleMembers["SA_SQLServer_DatabaseRoleMembers"] { + int id PK + int role_principal FK + int member_principal FK + } + + PermNames["SA_SQLServer_PermissionNames"] { + nchar type PK + nvarchar permission_name + } + + PermClasses["SA_SQLServer_PermissionClasses"] { + tinyint class PK + nvarchar class_desc + } + + PermStates["SA_SQLServer_PermissionStates"] { + nchar state PK + nvarchar state_desc + } + + ServerPerms["SA_SQLServer_ServerPermissions"] { + int id PK + int instance_id FK + int grantee_principal FK + int grantor_principal FK + nchar type FK + tinyint class FK + nchar state FK + } + + DatabasePerms["SA_SQLServer_DatabasePermissions"] { + int id PK + int database_id FK + int grantee_principal FK + int grantor_principal FK + nchar type FK + tinyint class FK + nchar state FK + } + + Instances ||--o{ ServerPrincipals : "has (CASCADE)" + Databases ||--o{ DatabasePrincipals : "has (CASCADE)" + SPTypes ||--o{ ServerPrincipals : "type lookup" + DPTypes ||--o{ DatabasePrincipals : "type lookup (CASCADE)" + ServerPrincipals ||--o{ SqlLogins : "extends (CASCADE)" + 
ServerPrincipals ||--o{ ServerRoleMembers : "role/member" + DatabasePrincipals ||--o{ DatabaseRoleMembers : "role/member" + ServerPrincipals ||--o{ ServerPerms : "grantee/grantor" + DatabasePrincipals ||--o{ DatabasePerms : "grantee/grantor" + Instances ||--o{ ServerPerms : "scoped to (CASCADE)" + PermNames ||--o{ ServerPerms : "type lookup" + PermNames ||--o{ DatabasePerms : "type lookup" + PermClasses ||--o{ ServerPerms : "class lookup" + PermClasses ||--o{ DatabasePerms : "class lookup" + PermStates ||--o{ ServerPerms : "state lookup" + PermStates ||--o{ DatabasePerms : "state lookup" +``` + +--- + +## Audit Events + +Shows the star-schema audit event fact table and all its dimension/lookup tables. The Events table is a heap (no PK) with 11 foreign keys. + +```mermaid +erDiagram + Instances["SA_SQLServer_Instances"] { + int id PK + } + + EventDatabases["SA_SQLServer_EventDatabases"] { + int id PK + int instance_id + nvarchar name + } + + EventServerPrincipals["SA_SQLServer_EventServerPrincipals"] { + int id PK + int instance_id FK + nvarchar principal_name + } + + EventDatabasePrincipals["SA_SQLServer_EventDatabasePrincipals"] { + int id PK + int database_id FK + nvarchar principal_name + } + + AuditInfo["SA_SQLServer_AuditInformation"] { + int id PK + int instance_id + nvarchar name + char type + } + + AuditFiles["SA_SQLServer_AuditFiles"] { + int id PK + int audit_id FK + nvarchar audit_file_path + } + + AuditClassType["SA_SQLServer_AuditClassType"] { + nchar class_type PK + nvarchar class_type_desc + } + + AuditActions["SA_SQLServer_AuditActions"] { + nvarchar action_id + nchar class_type + nvarchar name + } + + Statements["SA_SQLServer_Statements"] { + int id PK + nvarchar statement + varbinary md5_statement + } + + AddlInfo["SA_SQLServer_AdditionalInformation"] { + int id PK + nvarchar additional_information + } + + UserEvents["SA_SQLServer_UserEvents"] { + int id PK + int instance_id + nvarchar user_defined_information + } + + Events["SA_SQLServer_Events"] 
{ + datetime2 event_time + int sequence_number + varchar action_id + bit succeeded + int file_id FK + int instance_id FK + int database_id FK + int server_principal FK + int database_principal FK + int statement_id FK + int additional_information_id FK + int user_event_id FK + } + + AuditInfo ||--o{ AuditFiles : "produces (CASCADE)" + AuditFiles ||--o{ Events : "sourced from" + Instances ||--o{ Events : "occurred on" + EventDatabases ||--o{ Events : "in database" + EventDatabases ||--o{ EventDatabasePrincipals : "contains (CASCADE)" + Instances ||--o{ EventServerPrincipals : "has (CASCADE)" + EventServerPrincipals ||--o{ Events : "server principal" + EventDatabasePrincipals ||--o{ Events : "database principal" + Statements ||--o{ Events : "SQL executed" + AddlInfo ||--o{ Events : "extra details" + UserEvents ||--o{ Events : "user event" +``` + +--- + +## Sensitive Data Discovery (SDD) + +Shows the SDD subsystem: criteria definitions, scannable resources, match aggregates, individual match hits, subject profile linkage, and scan history. 
+ +```mermaid +erDiagram + Instances["SA_SQLServer_Instances"] { + int id PK + } + + Databases["SA_SQLServer_Databases"] { + int id PK + } + + Objects["SA_SQLServer_Objects"] { + bigint id PK + } + + Criteria["SA_SQLServer_SDD_Criteria"] { + int id PK + nvarchar name + uniqueidentifier pattern_guid + } + + InstanceCriteria["SA_SQLServer_SDD_InstanceCriteria"] { + int instance_id FK + int criteria_id FK + } + + DatabaseCriteria["SA_SQLServer_SDD_DatabaseCriteria"] { + int database_id FK + int criteria_id FK + } + + ResourceTypes["SA_SQLServer_SDD_ResourceTypes"] { + tinyint id PK + nvarchar type_desc + } + + Resources["SA_SQLServer_SDD_Resources"] { + bigint id PK + tinyint type FK + int instance_id FK + int database_id FK + bigint object_id FK + int last_scanned FK + } + + Matches["SA_SQLServer_SDD_Matches"] { + bigint resource_id FK + int criteria_id FK + int match_count + bigint match_location + } + + MatchHits["SA_SQLServer_SDD_MatchHits"] { + bigint resource_id FK + int criteria_id FK + nvarchar match_data + nvarchar hit_column + } + + MatchHitsSP["SA_SQLServer_SDD_MatchHits_SubjectProfile"] { + bigint resource_id PK + int criteria_id PK + int source_id PK + bigint identity_id PK + } + + ScanHistory["SA_SQLServer_SDD_ScanHistory"] { + int id PK + int instance_id FK + datetime2 scan_date + bit aborted + } + + SupportedTypes["SA_SQLServer_SDD_SupportedDataTypes"] { + int id PK + nvarchar data_type + bit is_enabled + } + + Criteria ||--o{ InstanceCriteria : "assigned to" + Criteria ||--o{ DatabaseCriteria : "assigned to" + Criteria ||--o{ Matches : "matched by" + Criteria ||--o{ MatchHits : "hit by" + Instances ||--o{ InstanceCriteria : "scoped to" + Databases ||--o{ DatabaseCriteria : "scoped to" + ResourceTypes ||--o{ Resources : "type lookup" + Instances ||--o{ Resources : "scanned on" + Databases ||--o{ Resources : "scanned in" + Objects ||--o{ Resources : "scanned as" + ScanHistory ||--o{ Resources : "last scan" + Instances ||--o{ ScanHistory : "scan history" 
+ Resources ||--o{ Matches : "has matches" + Resources ||--o{ MatchHits : "has hits" + Resources ||--o{ MatchHitsSP : "profile link (CASCADE)" diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/_category_.json new file mode 100644 index 0000000000..1803747f7d --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Scalar Functions & Stored Procedures", + "position": 70, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md new file mode 100644 index 0000000000..664b1f83bc --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md 
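Review bot: in the erd/overview.md hunk, the Audit Events text says the Events table "is a heap (no PK) with 11 foreign keys", but the `Events` entity in that diagram marks only eight columns `FK` (`file_id` through `user_event_id`); either list the remaining three or correct the count. `AuditActions` declares `nvarchar action_id` while `Events` declares `varchar action_id`, so a join on that column implicitly converts types; confirm the real column types and make the diagram consistent. `SA_SQL_Patches` appears in the High-Level Overview diagram with no relationship line, so either say it is standalone or connect it. Finally, `SqlLogins` exposes `varbinary password_hash`; the documentation should flag that column as sensitive so that anyone granting read access to the collector tables restricts it accordingly.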
@@ -0,0 +1,50 @@ +# Scalar Functions & Stored Procedures + +## SA_SQL_GetFriendlyName (Scalar Function) + +**Description:** Constructs a human-readable SQL Server instance name from its component parts (host, instance, port). Returns the format `HOST\INSTANCE,PORT`, omitting the instance and port segments when they are NULL or empty/zero. + +**Signature:** `SA_SQL_GetFriendlyName(@Host NVARCHAR(128), @Instance NVARCHAR(128), @PortNo INT) RETURNS NVARCHAR(512)` + +**Examples:** +- `('SERVER1', 'SQL2019', 1433)` → `SERVER1\SQL2019,1433` +- `('SERVER1', NULL, 0)` → `SERVER1` +- `('SERVER1', 'INST1', 0)` → `SERVER1\INST1` + +--- + +## SA_SQLServer_BinarySIDToString (Scalar Function) + +**Description:** Converts a binary SID (`VARBINARY(100)`) to its string representation (`VARCHAR(100)`) in the standard `S-1-...` format. + +**Signature:** `SA_SQLServer_BinarySIDToString(@BinSID VARBINARY(100)) RETURNS VARCHAR(100)` + +**Example:** `0x010500000000000904000000FB01993B...` → `S-1-9-4-999883259-1304688998-...` + +--- + +## SA_SQLServer_GetAuditFileComparisonString (Scalar Function) + +**Description:** Transforms an audit file name into a LIKE-compatible comparison pattern by inserting `%` wildcards before the file extension and at the start. Used for matching audit file paths across rollover files. + +**Signature:** `SA_SQLServer_GetAuditFileComparisonString(@filename VARCHAR(260)) RETURNS VARCHAR(260)` + +--- + +## SA_SQLServer_CreateOrUpdateSDDResource (Stored Procedure) + +**Description:** Upserts a Sensitive Data Discovery resource record. Looks up an existing resource by its composite key (`type`, `instance_id`, `database_id`, `object_id`, `column_id`). If no match is found, inserts a new row and returns the new `id`. If a match exists, updates the `last_scanned` reference and returns the existing `id`. Handles NULL-safe comparison for optional columns (`database_id`, `object_id`, `column_id`). 
+ +**Signature:** +```sql +SA_SQLServer_CreateOrUpdateSDDResource( + @Resource_Type INT, + @Instance_Id INT, + @Database_Id INT, + @Object_Id INT, + @Column_Id INT, + @ScanId INT +) +``` + +**Returns:** The `SA_SQLServer_SDD_Resources.id` of the inserted or updated resource (via `SELECT` / `OUTPUT INSERTED.[id]`). diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/_category_.json new file mode 100644 index 0000000000..4e9158bae9 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Index Reference", + "position": 60, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/overview.md new file mode 100644 index 0000000000..8097d6a157 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/indexreference/overview.md 
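Review bot: `SA_SQLServer_CreateOrUpdateSDDResource` is documented with `@Object_Id INT` and `@Resource_Type INT`, but the ERD in this patch types `SA_SQLServer_SDD_Resources.object_id` as `bigint` (matching `SA_SQLServer_Objects.id`) and `type` as `tinyint`; if the signature is accurate, object ids above the INT range cannot be passed, and if it is a transcription error the doc should show the real parameter types. `SA_SQLServer_GetAuditFileComparisonString` is the only function here without an input/output example; add one, and state whether LIKE metacharacters (`%`, `_`, `[`) already present in `@filename` are escaped, since otherwise an audit file name containing them would match unrelated paths during rollover matching. Minor: "Returns ... (via `SELECT` / `OUTPUT INSERTED.[id]`)" leaves it unclear whether the procedure returns a result set, an output parameter, or a return value; callers need to know which.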
@@ -0,0 +1,91 @@ +# Index Reference + +## Complete Index Listing + +| Table | Index Name | Type | Unique | Columns | +|---|---|---|---|---| +| SA_SQLServer_AdditionalInformation | PK_SA_SQLServer_AdditionalInformation | CLUSTERED | Yes | id | +| SA_SQLServer_AdditionalInformation | UQ_SA_SQLServer_AdditionalInformation_AdditionalInformation | NONCLUSTERED | Yes | md5_additional_information | +| SA_SQLServer_AsymmetricKeys | UQ_SA_SQLServer_AsymmetricKeys_Type | NONCLUSTERED | Yes | database_id, name | +| SA_SQLServer_AuditActions | UQ_SA_SQLServer_AuditActions | NONCLUSTERED | Yes | action_id, class_type, parent_class_type | +| SA_SQLServer_AuditClassType | PK_SA_SQLServer_AuditClassType | CLUSTERED | Yes | class_type | +| SA_SQLServer_AuditFiles | PK_SA_SQLServer_AuditFiles | CLUSTERED | Yes | id | +| SA_SQLServer_AuditFiles | UQ_SA_SQLServer_AuditFiles_Path_Audit_Id | NONCLUSTERED | Yes | audit_id, md5_audit_file_path | +| SA_SQLServer_AuditInformation | PK_SA_SQLServer_AuditInformation | CLUSTERED | Yes | id | +| SA_SQLServer_Columns | UQ_SA_SQLServer_Columns_Name | NONCLUSTERED | Yes | object_id, column_id, name | +| SA_SQLServer_DatabasePermissions | PK_SA_SQLServer_DatabasePermissions | CLUSTERED | Yes | id | +| SA_SQLServer_DatabasePermissions | SA_SQLServer_DatabasePermissions_Database_Id_Grantee_Principal_IX | NONCLUSTERED | No | database_id, grantee_principal | +| SA_SQLServer_DatabasePrincipals | PK_SA_SQLServer_DatabasePrincipals | CLUSTERED | Yes | id | +| SA_SQLServer_DatabasePrincipals | UQ_SA_SQLServer_DatabasePrincipals_Id | NONCLUSTERED | Yes | database_id, principal_id | +| SA_SQLServer_DatabasePrincipals | UQ_SA_SQLServer_DatabasePrincipals_NameId | NONCLUSTERED | Yes | database_id, principal_id, principal_name | +| SA_SQLServer_DatabasePrincipals | UQ_SA_SQLServer_DatabasePrincipals_NameSid | NONCLUSTERED | Yes | database_id, principal_sid, principal_name | +| SA_SQLServer_DatabasePrincipals | IX_SA_SQLServer_Objects_Database_Id_Principal_Id | 
NONCLUSTERED | No | database_id, principal_id | +| SA_SQLServer_DatabasePrincipalTypes | PK_SA_SQLServer_DatabasePrincipalTypes | CLUSTERED | Yes | type | +| SA_SQLServer_DatabasePrincipalTypes | UQ_SA_SQLServer_DatabasePrincipalTypes_Type | NONCLUSTERED | Yes | type | +| SA_SQLServer_DatabasePrincipalTypes | UQ_SA_SQLServer_DatabasePrincipalTypes_TypeDesc | NONCLUSTERED | Yes | type_desc | +| SA_SQLServer_DatabaseRoleMembers | PK_SA_SQLServer_DatabaseRoles | CLUSTERED | Yes | id | +| SA_SQLServer_Databases | PK_SA_SQLServer_Databases | CLUSTERED | Yes | id | +| SA_SQLServer_Databases | SA_SQLServer_Databases_name_IDX | NONCLUSTERED | No | name | +| SA_SQLServer_Databases | UQ_SA_SQLServer_Databases | NONCLUSTERED | Yes | instance_id, database_id, name, create_date, sa_delete_date | +| SA_SQLServer_EventDatabasePrincipals | PK_SA_SQLServer_EventDatabasePrincipals | CLUSTERED | Yes | id | +| SA_SQLServer_EventDatabasePrincipals | UQ_SA_SQLServer_EventDatabasePrincipals_IdNameSid | NONCLUSTERED | Yes | database_id, principal_id, principal_name | +| SA_SQLServer_EventDatabases | PK_SA_SQLServer_EventDatabases | CLUSTERED | Yes | id | +| SA_SQLServer_EventDatabases | SA_SQLServer_EventDatabases_name_IDX | NONCLUSTERED | No | name | +| SA_SQLServer_EventDatabases | UQ_SA_SQLServer_EventDatabases | NONCLUSTERED | Yes | instance_id, name | +| SA_SQLServer_Events | UQ_SA_SQLServer_Events_StaleDataLookup | NONCLUSTERED | No | file_id, event_time | +| SA_SQLServer_EventServerPrincipals | PK_SA_SQLServer_EventServerPrincipals | CLUSTERED | Yes | id | +| SA_SQLServer_EventServerPrincipals | UQ_SA_SQLServer_EventServerPrincipals_IdNameSid | NONCLUSTERED | Yes | instance_id, principal_id, principal_sid, principal_name | +| SA_SQLServer_ExpressionDependencies | PK (auto) | CLUSTERED | Yes | id | +| SA_SQLServer_ExpressionDependencies | IDX_SA_SQLServer_ExpressionDependencies_Ids | NONCLUSTERED | No | instance_id, database_id, referencing_id | +| SA_SQLServer_Instances | 
PK_SA_SQLServer_Instances | CLUSTERED | Yes | id | +| SA_SQLServer_Instances | UQ_SA_SQLServer_Instances_Name | NONCLUSTERED | Yes | name | +| SA_SQLServer_Objects | PK_SA_SQLServer_Objects | CLUSTERED | Yes | id | +| SA_SQLServer_Objects | UQ_SA_SQLServer_Objects_Id | NONCLUSTERED | Yes | instance_id, database_id, object_id | +| SA_SQLServer_Objects | UQ_SA_SQLServer_Objects_Name | NONCLUSTERED | Yes | instance_id, database_id, name, schema_id | +| SA_SQLServer_Objects | IX_SA_SQLServer_Objects_Database_Id_Object_Id | NONCLUSTERED | No | name, is_deleted, database_id, object_id | +| SA_SQLServer_Objects | SA_SQLServer_Objects_Instance_Id_Object_Id_Is_Deleted_IX | NONCLUSTERED | No | id, name, instance_id, object_id, is_deleted | +| SA_SQLServer_PermissionClasses | PK_PermissionClasses | CLUSTERED | Yes | class | +| SA_SQLServer_PermissionClasses | UQ_SA_SQLServer_PermissionClasses_Class | NONCLUSTERED | Yes | class | +| SA_SQLServer_PermissionClasses | UQ_SA_SQLServer_PermissionClasses_ClassDesc | NONCLUSTERED | Yes | class_desc | +| SA_SQLServer_PermissionNames | PK_SA_SQLServer_PermissionNames | CLUSTERED | Yes | type | +| SA_SQLServer_PermissionNames | UQ_SA_SQLServer_PermissionNames_PermissionName | NONCLUSTERED | Yes | permission_name | +| SA_SQLServer_PermissionNames | UQ_SA_SQLServer_PermissionNames_Type | NONCLUSTERED | Yes | type | +| SA_SQLServer_PermissionStates | PK_SA_SQLServer_PermissionStates | CLUSTERED | Yes | state | +| SA_SQLServer_PermissionStates | UQ_SA_SQLServer_PermissionStates_State | NONCLUSTERED | Yes | state | +| SA_SQLServer_PermissionStates | UQ_SA_SQLServer_PermissionStates_StateDesc | NONCLUSTERED | Yes | state_desc | +| SA_SQLServer_Schemas | PK_SA_SQLServer_Schemas | CLUSTERED | Yes | id | +| SA_SQLServer_Schemas | UQ_SA_SQLServer_Schemas_IDs | NONCLUSTERED | Yes | database_id, schema_id | +| SA_SQLServer_SDD_Criteria | PK_SA_SQLServer_SDD_Criteria | CLUSTERED | Yes | id | +| SA_SQLServer_SDD_Criteria | 
UQ_SA_SQLServer_SDD_Criteria_pattern | NONCLUSTERED | Yes | pattern_guid | +| SA_SQLServer_SDD_DatabaseCriteria | SA_SQLServer_SDD_DatabaseCriteria_database_id | NONCLUSTERED | No | database_id | +| SA_SQLServer_SDD_MatchHits_SubjectProfile | PK_SA_SQLServer_SDD_MatchHits_SubjectProfile | CLUSTERED | Yes | resource_id, criteria_id, source_id, identity_id, attribute_id, order | +| SA_SQLServer_SDD_Resources | PK_SA_SQLServer_SDD_Resources | CLUSTERED | Yes | id | +| SA_SQLServer_SDD_Resources | SA_SQLServer_SDD_Resources_Database_Id_Object_Id_IX | NONCLUSTERED | No | database_id, object_id | +| SA_SQLServer_SDD_Resources | UQ_SA_SQLServer_SDD_Resources_Resource | NONCLUSTERED | Yes | type, instance_id, database_id, object_id, column_id | +| SA_SQLServer_SDD_ResourceTypes | PK_SA_SQLServer_ResourceTypes | CLUSTERED | Yes | id | +| SA_SQLServer_SDD_ResourceTypes | UQ_SA_SQLServer_ResourceTypes_TypeDesc | NONCLUSTERED | Yes | type_desc | +| SA_SQLServer_SDD_ScanHistory | PK_SA_SQLServer_SDD_ScanHistory | CLUSTERED | Yes | id | +| SA_SQLServer_SDD_SupportedDataTypes | PK_SA_SQLServer_SDD_SupportedDataTypes | CLUSTERED | Yes | id | +| SA_SQLServer_SDD_SupportedDataTypes | IX_SA_SQLServer_SDD_SupportedDataTypes | NONCLUSTERED | Yes | data_type | +| SA_SQLServer_ServerPermissions | PK_SA_SQLServer_ServerPermissions | CLUSTERED | Yes | id | +| SA_SQLServer_ServerPrincipals | PK_SA_SQLServer_ServerPrincipals | CLUSTERED | Yes | id | +| SA_SQLServer_ServerPrincipals | UQ_SA_SQLServer_ServerPrincipals_Id | NONCLUSTERED | Yes | instance_id, principal_id | +| SA_SQLServer_ServerPrincipals | UQ_SA_SQLServer_ServerPrincipals_NameId | NONCLUSTERED | Yes | instance_id, principal_id, principal_name | +| SA_SQLServer_ServerPrincipals | UQ_SA_SQLServer_ServerPrincipals_NameSid | NONCLUSTERED | Yes | instance_id, principal_sid, principal_name | +| SA_SQLServer_ServerPrincipalTypes | PK_SA_SQLServer_ServerPrincipalTypes | CLUSTERED | Yes | type | +| SA_SQLServer_ServerPrincipalTypes | 
UQ_SA_SQLServer_ServerPrincipalTypes_Type | NONCLUSTERED | Yes | type | +| SA_SQLServer_ServerPrincipalTypes | UQ_SA_SQLServer_ServerPrincipalTypes_TypeDesc | NONCLUSTERED | Yes | type_desc | +| SA_SQLServer_ServerRoleMembers | PK_SA_SQLServer_ServerRoleMembers | CLUSTERED | Yes | id | +| SA_SQLServer_SqlLogins | PK_SA_SQLServer_SqlLogins | CLUSTERED | Yes | id | +| SA_SQLServer_Statements | PK_SA_SQLServer_Queries | CLUSTERED | Yes | id | +| SA_SQLServer_Statements | UQ_SA_SQLServer_Statements_Statement | NONCLUSTERED | Yes | md5_statement | +| SA_SQLServer_UserEvents | PK_SA_SQLServer_UserEvents | CLUSTERED | Yes | id | +| SA_SQLServer_UserEvents | SA_SQLServer_UserEvents_user_defined_event_id_IDX | NONCLUSTERED | No | user_defined_event_id | +| SA_SQLServer_UserEvents | UQ_SA_SQLServer_UserEvents_UserDefinedInformation | NONCLUSTERED | Yes | md5_user_defined_information | +| SA_SQL_Instances | PK_SA_SQL_Instances | CLUSTERED | Yes | instance_id | +| SA_SQL_Instances | UQ_SA_SQL_Instances | NONCLUSTERED | Yes | instance_label | +| SA_SQL_Instances | UQ_SA_SQL_Instances_Host_Name_Service_Name_Port | NONCLUSTERED | Yes | host_name, service_name, port_number | +| SA_SQL_Patches | PK_SA_SQL_Patches | CLUSTERED | Yes | Patch_Source, Patch_Version | +| SA_SQL_PasswordIssues_LIST | SA_SQL_PasswordIssues_LIST_PK_Index | NONCLUSTERED | Yes | rowGUID | +| SA_SQL_PasswordIssues_LIST | SA_SQL_PasswordIssues_LIST_Host_Index | NONCLUSTERED | No | SA_HOST | +| SA_SQL_PasswordIssues_LIST | SA_SQL_PasswordIssues_LIST_JobRuntimeKey_Index | NONCLUSTERED | No | JobRunTimeKey | diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md new file mode 100644 index 0000000000..53513ad89c --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md 
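Review bot: several rows in the Complete Index Listing look like transcription errors rather than catalog names and should be verified against `sys.indexes`: `SA_SQLServer_DatabasePrincipals` lists an index named `IX_SA_SQLServer_Objects_Database_Id_Principal_Id`, `UQ_SA_SQLServer_Events_StaleDataLookup` is marked Unique = No despite the `UQ_` prefix, and `SA_SQLServer_ExpressionDependencies` shows `PK (auto)` instead of a constraint name. The table also does not distinguish key columns from included columns, which is why rows such as `IX_SA_SQLServer_Objects_Database_Id_Object_Id | NONCLUSTERED | No | name, is_deleted, database_id, object_id` contradict their own names; add an Included Columns column or note the key order. Finally, `PK_SA_SQLServer_SDD_MatchHits_SubjectProfile` is listed with six columns (`..., attribute_id, order`) while the ERD entity `MatchHitsSP` shows only four PK columns; reconcile the two.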
@@ -0,0 +1,222 @@ +# SQL Data Collector Schema + +## Overview + +This is a comprehensive schema documentation for the **NAA 11.6 SQL Server Data Collector**. The SQL Server Data Collector is a component of the NAA 11.6 platform that discovers, audits, and reports on SQL Server instances, databases, principals, permissions, audit events, and sensitive data across the enterprise. + +## Schema Categories + +The tables fall into two categories: + +1. **Core Data Collection Tables** (44 tables) — Normalized tables populated directly by data collectors. These contain raw audit data with full foreign key relationships. Includes shared infrastructure tables (`SA_SQL_Instances`, `SA_SQL_Patches`) used across all database collector modules. + +2. **Reporting / Summary Tables** (56 tables) — Denormalized, report-ready tables populated by analysis jobs. These use human-readable column names (e.g., `"Instance"`, `"Database"`, `"Permission"`). + +--- + +### [Core Data Collection Tables](coretables/overview.md) + - [SA_SQLServer_Instances](coretables/overview.md#sa_sqlserver_instances) + - [SA_SQLServer_Databases](coretables/overview.md#sa_sqlserver_databases) + - [SA_SQLServer_EventDatabases](coretables/overview.md#sa_sqlserver_eventdatabases) + - [SA_SQLServer_Schemas](coretables/overview.md#sa_sqlserver_schemas) + - [SA_SQLServer_Objects](coretables/overview.md#sa_sqlserver_objects) + - [SA_SQLServer_Columns](coretables/overview.md#sa_sqlserver_columns) + - [SA_SQLServer_ServerPrincipalTypes](coretables/overview.md#sa_sqlserver_serverprincipaltypes) + - [SA_SQLServer_DatabasePrincipalTypes](coretables/overview.md#sa_sqlserver_databaseprincipaltypes) + - [SA_SQLServer_ServerPrincipals](coretables/overview.md#sa_sqlserver_serverprincipals) + - [SA_SQLServer_DatabasePrincipals](coretables/overview.md#sa_sqlserver_databaseprincipals) + - [SA_SQLServer_EventServerPrincipals](coretables/overview.md#sa_sqlserver_eventserverprincipals) + - 
[SA_SQLServer_EventDatabasePrincipals](coretables/overview.md#sa_sqlserver_eventdatabaseprincipals) + - [SA_SQLServer_SqlLogins](coretables/overview.md#sa_sqlserver_sqllogins) + - [SA_SQLServer_ServerRoleMembers](coretables/overview.md#sa_sqlserver_serverrolemembers) + - [SA_SQLServer_DatabaseRoleMembers](coretables/overview.md#sa_sqlserver_databaserolemembers) + - [SA_SQLServer_EffectiveRoleMembership](coretables/overview.md#sa_sqlserver_effectiverolemembership) + - [SA_SQLServer_PermissionNames](coretables/overview.md#sa_sqlserver_permissionnames) + - [SA_SQLServer_PermissionClasses](coretables/overview.md#sa_sqlserver_permissionclasses) + - [SA_SQLServer_PermissionStates](coretables/overview.md#sa_sqlserver_permissionstates) + - [SA_SQLServer_ServerPermissions](coretables/overview.md#sa_sqlserver_serverpermissions) + - [SA_SQLServer_DatabasePermissions](coretables/overview.md#sa_sqlserver_databasepermissions) + - [SA_SQLServer_AsymmetricKeys](coretables/overview.md#sa_sqlserver_asymmetrickeys) + - [SA_SQLServer_AuditInformation](coretables/overview.md#sa_sqlserver_auditinformation) + - [SA_SQLServer_AuditFiles](coretables/overview.md#sa_sqlserver_auditfiles) + - [SA_SQLServer_AuditClassType](coretables/overview.md#sa_sqlserver_auditclasstype) + - [SA_SQLServer_AuditActions](coretables/overview.md#sa_sqlserver_auditactions) + - [SA_SQLServer_Statements](coretables/overview.md#sa_sqlserver_statements) + - [SA_SQLServer_AdditionalInformation](coretables/overview.md#sa_sqlserver_additionalinformation) + - [SA_SQLServer_UserEvents](coretables/overview.md#sa_sqlserver_userevents) + - [SA_SQLServer_Events](coretables/overview.md#sa_sqlserver_events) + - [SA_SQLServer_ExpressionDependencies](coretables/overview.md#sa_sqlserver_expressiondependencies) + - [SA_SQLServer_SDD_Criteria](coretables/overview.md#sa_sqlserver_sdd_criteria) + - [SA_SQLServer_SDD_InstanceCriteria](coretables/overview.md#sa_sqlserver_sdd_instancecriteria) + - 
[SA_SQLServer_SDD_DatabaseCriteria](coretables/overview.md#sa_sqlserver_sdd_databasecriteria) + - [SA_SQLServer_SDD_ResourceTypes](coretables/overview.md#sa_sqlserver_sdd_resourcetypes) + - [SA_SQLServer_SDD_Resources](coretables/overview.md#sa_sqlserver_sdd_resources) + - [SA_SQLServer_SDD_Matches](coretables/overview.md#sa_sqlserver_sdd_matches) + - [SA_SQLServer_SDD_MatchHits](coretables/overview.md#sa_sqlserver_sdd_matchhits) + - [SA_SQLServer_SDD_MatchHits_SubjectProfile](coretables/overview.md#sa_sqlserver_sdd_matchhits_subjectprofile) + - [SA_SQLServer_SDD_ScanHistory](coretables/overview.md#sa_sqlserver_sdd_scanhistory) + - [SA_SQLServer_SDD_SupportedDataTypes](coretables/overview.md#sa_sqlserver_sdd_supporteddatatypes) + - [SA_SQL_Patches](coretables/overview.md#sa_sql_patches) + - [SA_SQL_Instances](coretables/overview.md#sa_sql_instances) + - [SA_SQL_PasswordIssues_LIST](coretables/overview.md#sa_sql_passwordissues_list) + +### [Reporting Tables](reportingtables/overview.md) +#### [Activity](reportingtables/overview.md#activity) + - [SA_SQLServer_Activity_Details](reportingtables/overview.md#sa_sqlserver_activity_details) + - [SA_SQLServer_Activity_UserDatabaseSummary](reportingtables/overview.md#sa_sqlserver_activity_userdatabasesummary) + - [SA_SQLServer_Activity_UserInstanceSummary](reportingtables/overview.md#sa_sqlserver_activity_userinstancesummary) + +#### [Authentication](reportingtables/overview.md#authentication) + - [SA_SQLServer_Authentication_Details](reportingtables/overview.md#sa_sqlserver_authentication_details) + - [SA_SQLServer_Authentication_Summary](reportingtables/overview.md#sa_sqlserver_authentication_summary) + +#### [Control Server](reportingtables/overview.md#control-server) + - [SA_SQLServer_ControlServer_Details](reportingtables/overview.md#sa_sqlserver_controlserver_details) + - [SA_SQLServer_ControlServer_DomainUsers](reportingtables/overview.md#sa_sqlserver_controlserver_domainusers) + - 
[SA_SQLServer_ControlServer_InstanceSummary](reportingtables/overview.md#sa_sqlserver_controlserver_instancesummary) + +#### [Database Principals](reportingtables/overview.md#database-principals) + - [SA_SQLServer_DatabasePrincipals_Details](reportingtables/overview.md#sa_sqlserver_databaseprincipals_details) + - [SA_SQLServer_DatabasePrincipals_InstanceSummary](reportingtables/overview.md#sa_sqlserver_databaseprincipals_instancesummary) + +#### [Database Size](reportingtables/overview.md#database-size) + - [SA_SQLServer_DatabaseSize_Details](reportingtables/overview.md#sa_sqlserver_databasesize_details) + - [SA_SQLServer_DatabaseSize_Summary](reportingtables/overview.md#sa_sqlserver_databasesize_summary) + +#### [Direct Permissions](reportingtables/overview.md#direct-permissions) + - [SA_SQLServer_DirectPermissions_DatabaseDetails](reportingtables/overview.md#sa_sqlserver_directpermissions_databasedetails) + - [SA_SQLServer_DirectPermissions_DatabaseSummary](reportingtables/overview.md#sa_sqlserver_directpermissions_databasesummary) + - [SA_SQLServer_DirectPermissions_SchemaDetails](reportingtables/overview.md#sa_sqlserver_directpermissions_schemadetails) + - [SA_SQLServer_DirectPermissions_SchemaSummary](reportingtables/overview.md#sa_sqlserver_directpermissions_schemasummary) + - [SA_SQLServer_DirectPermissions_ServerDetails](reportingtables/overview.md#sa_sqlserver_directpermissions_serverdetails) + - [SA_SQLServer_DirectPermissions_ServerSummary](reportingtables/overview.md#sa_sqlserver_directpermissions_serversummary) + +#### [Domain User Permissions](reportingtables/overview.md#domain-user-permissions) + - [SA_SQLServer_DomainUserPermissions_Details](reportingtables/overview.md#sa_sqlserver_domainuserpermissions_details) + - [SA_SQLServer_DomainUserPermissions_Summary](reportingtables/overview.md#sa_sqlserver_domainuserpermissions_summary) + +#### [Effective Role Members](reportingtables/overview.md#effective-role-members) + - 
[SA_SQLServer_EffectiveRoleMember_Summary](reportingtables/overview.md#sa_sqlserver_effectiverolemember_summary) + +#### [Instance Summary](reportingtables/overview.md#instance-summary) + - [SA_SQLServer_InstanceSummary](reportingtables/overview.md#sa_sqlserver_instancesummary) + +#### [Logons](reportingtables/overview.md#logons) + - [SA_SQLServer_Logons_Details](reportingtables/overview.md#sa_sqlserver_logons_details) + - [SA_SQLServer_Logons_Summary](reportingtables/overview.md#sa_sqlserver_logons_summary) + +#### [Password Issues](reportingtables/overview.md#password-issues) + - [SA_SQLServer_PasswordIssues_Details](reportingtables/overview.md#sa_sqlserver_passwordissues_details) + - [SA_SQLServer_PasswordIssues_Summary](reportingtables/overview.md#sa_sqlserver_passwordissues_summary) + +#### [Permission Changes](reportingtables/overview.md#permission-changes) + - [SA_SQLServer_PermissionChanges_Details](reportingtables/overview.md#sa_sqlserver_permissionchanges_details) + - [SA_SQLServer_PermissionChanges_InstanceSummary](reportingtables/overview.md#sa_sqlserver_permissionchanges_instancesummary) + +#### [Public Permissions](reportingtables/overview.md#public-permissions) + - [SA_SQLServer_PublicPermissions_Details](reportingtables/overview.md#sa_sqlserver_publicpermissions_details) + - [SA_SQLServer_PublicPermissions_DatabaseSummary](reportingtables/overview.md#sa_sqlserver_publicpermissions_databasesummary) + - [SA_SQLServer_PublicPermissions_InstanceSummary](reportingtables/overview.md#sa_sqlserver_publicpermissions_instancesummary) + - [SA_SQLServer_PublicPermissions_NonDefault](reportingtables/overview.md#sa_sqlserver_publicpermissions_nondefault) + +#### [Role Members](reportingtables/overview.md#role-members) + - [SA_SQLServer_RoleMember_Details](reportingtables/overview.md#sa_sqlserver_rolemember_details) + - [SA_SQLServer_RoleMember_Summary](reportingtables/overview.md#sa_sqlserver_rolemember_summary) + +#### [Security 
Assessment](reportingtables/overview.md#security-assessment) + - [SA_SQLServer_SecurityAssessment_Results](reportingtables/overview.md#sa_sqlserver_securityassessment_results) + - [SA_SQLServer_SecurityAssessment_CategorySummary](reportingtables/overview.md#sa_sqlserver_securityassessment_categorysummary) + +#### [Sensitive Data](reportingtables/overview.md#sensitive-data) + - [SA_SQLServer_SensitiveData_Details](reportingtables/overview.md#sa_sqlserver_sensitivedata_details) + - [SA_SQLServer_SensitiveData_DatabaseSummary](reportingtables/overview.md#sa_sqlserver_sensitivedata_databasesummary) + - [SA_SQLServer_SensitiveData_EnterpriseSummary](reportingtables/overview.md#sa_sqlserver_sensitivedata_enterprisesummary) + +#### [Sensitive Data Activity](reportingtables/overview.md#sensitive-data-activity) + - [SA_SQLServer_SensitiveDataActivity_Details](reportingtables/overview.md#sa_sqlserver_sensitivedataactivity_details) + - [SA_SQLServer_SensitiveDataActivity_UserSummary](reportingtables/overview.md#sa_sqlserver_sensitivedataactivity_usersummary) + +#### [Sensitive Data Permissions](reportingtables/overview.md#sensitive-data-permissions) + - [SA_SQLServer_SensitiveDataPermissions_Details](reportingtables/overview.md#sa_sqlserver_sensitivedatapermissions_details) + - [SA_SQLServer_SensitiveDataPermissions_DatabaseSummary](reportingtables/overview.md#sa_sqlserver_sensitivedatapermissions_databasesummary) + +#### [Server Permissions](reportingtables/overview.md#server-permissions) + - [SA_SQLServer_ServerPermission_Details](reportingtables/overview.md#sa_sqlserver_serverpermission_details) + - [SA_SQLServer_ServerPermission_InstanceSummary](reportingtables/overview.md#sa_sqlserver_serverpermission_instancesummary) + +#### [Server Principals](reportingtables/overview.md#server-principals) + - [SA_SQLServer_ServerPrincipals_Details](reportingtables/overview.md#sa_sqlserver_serverprincipals_details) + - 
[SA_SQLServer_ServerPrincipals_InstanceSummary](reportingtables/overview.md#sa_sqlserver_serverprincipals_instancesummary) + +#### [SysAdmins](reportingtables/overview.md#sysadmins) + - [SA_SQLServer_SysAdmins_Details](reportingtables/overview.md#sa_sqlserver_sysadmins_details) + - [SA_SQLServer_SysAdmins_DomainUsers](reportingtables/overview.md#sa_sqlserver_sysadmins_domainusers) + - [SA_SQLServer_SysAdmins_InstanceSummary](reportingtables/overview.md#sa_sqlserver_sysadmins_instancesummary) + +#### [Unusual Activity](reportingtables/overview.md#unusual-activity) + - [SA_SQLServer_UnusualHourlyUserActivity](reportingtables/overview.md#sa_sqlserver_unusualhourlyuseractivity) + - [SA_SQLServer_UnusualActivitySummary](reportingtables/overview.md#sa_sqlserver_unusualactivitysummary) + +#### [User Logins](reportingtables/overview.md#user-logins) + - [SA_SQLServer_UserLogins_Details](reportingtables/overview.md#sa_sqlserver_userlogins_details) + - [SA_SQLServer_UserLogins_Summary](reportingtables/overview.md#sa_sqlserver_userlogins_summary) + +#### [Best Practices](reportingtables/overview.md#best-practices) + - [SA_SQL_BestPractices](reportingtables/overview.md#sa_sql_bestpractices) + - [SA_SQL_BestPractices_Summary](reportingtables/overview.md#sa_sql_bestpractices_summary) + +#### [CMD Shell](reportingtables/overview.md#cmd-shell) + - [SA_SQL_CMDShell_Status](reportingtables/overview.md#sa_sql_cmdshell_status) + +#### [Linked Servers](reportingtables/overview.md#linked-servers) + - [SA_SQL_LinkedServer_Details](reportingtables/overview.md#sa_sql_linkedserver_details) + - [SA_SQL_LinkedServer_Summary](reportingtables/overview.md#sa_sql_linkedserver_summary) + +### [Views](views/overview.md) + - [SA_SQLServer_FullEventsView](views/overview.md#sa_sqlserver_fulleventsview) + - [SA_SQLServer_ServerPrincipalsView](views/overview.md#sa_sqlserver_serverprincipalsview) + - [SA_SQLServer_SqlLoginsView](views/overview.md#sa_sqlserver_sqlloginsview) + - 
[SA_SQLServer_DatabasePrincipalsView](views/overview.md#sa_sqlserver_databaseprincipalsview) + - [SA_SQLServer_PermissionsView](views/overview.md#sa_sqlserver_permissionsview) + - [SA_SQLServer_RoleMembersView](views/overview.md#sa_sqlserver_rolemembersview) + - [SA_SQLServer_SqlDatabaseView](views/overview.md#sa_sqlserver_sqldatabaseview) + - [SA_SQLServer_DailyLogonsView](views/overview.md#sa_sqlserver_dailylogonsview) + - [SA_SQLServer_SDD_ResourcesView](views/overview.md#sa_sqlserver_sdd_resourcesview) + - [SA_SQLServer_SDD_MatchesView](views/overview.md#sa_sqlserver_sdd_matchesview) + - [SA_SQLServer_SDD_MatchHitsView](views/overview.md#sa_sqlserver_sdd_matchhitsview) + - [SA_SQLServer_SensitiveDataPermissionsView](views/overview.md#sa_sqlserver_sensitivedatapermissionsview) + - [SA_SQLServer_SDD_MatchHits_SubjectProfileView](views/overview.md#sa_sqlserver_sdd_matchhits_subjectprofileview) + - [SA_SQLServer_SensitiveDataFullPermissionsView](views/overview.md#sa_sqlserver_sensitivedatafullpermissionsview) + - [SA_SQLServer_EffectiveRoleMembershipView](views/overview.md#sa_sqlserver_effectiverolemembershipview) + - [SA_SQL_SDD_MatchesView](views/overview.md#sa_sql_sdd_matchesview) + - [SA_SQL_SDD_MatchHitsView](views/overview.md#sa_sql_sdd_matchhitsview) + +### [Enumeration & Lookup Values Reference](enumeration/overview.md) + - [Server Principal Types](enumeration/overview.md#server-principal-types-sa_sqlserver_serverprincipaltypes) + - [Database Principal Types](enumeration/overview.md#database-principal-types-sa_sqlserver_databaseprincipaltypes) + - [Permission States](enumeration/overview.md#permission-states-sa_sqlserver_permissionstates) + - [Permission Classes](enumeration/overview.md#permission-classes-sa_sqlserver_permissionclasses) + - [Permission Names](enumeration/overview.md#permission-names-sa_sqlserver_permissionnames) + - [Audit Class Types](enumeration/overview.md#audit-class-types-sa_sqlserver_auditclasstype) + - [Audit Actions 
(Common)](enumeration/overview.md#audit-actions-common-sa_sqlserver_auditactions) + - [SDD Resource Types](enumeration/overview.md#sdd-resource-types-sa_sqlserver_sdd_resourcetypes) + - [SDD Match Location Bitmask](enumeration/overview.md#sdd-match-location-bitmask) + - [Membership Source](enumeration/overview.md#membership-source-sa_sqlserver_effectiverolemembershipmembership_source) + - [Database Type](enumeration/overview.md#database-type-sa_sqlserver_effectiverolemembershipdatabase_type) + +### [Table Relationship Diagrams (ERD)](erd/overview.md) + - [High-Level Overview](erd/overview.md#high-level-overview) + - [Instance & Database Hierarchy](erd/overview.md#instance--database-hierarchy) + - [Principals & Permissions](erd/overview.md#principals--permissions) + - [Audit Events](erd/overview.md#audit-events) + - [Sensitive Data Discovery (SDD)](erd/overview.md#sensitive-data-discovery-sdd) + +### [Index Reference](indexreference/overview.md) + - [Complete Index List](indexreference/overview.md#complete-index-listing) + +### [Scalar Functions & Stored Procedures](functions/overview.md) + - [SA_SQL_GetFriendlyName](functions/overview.md#sa_sql_getfriendlyname-scalar-function) + - [SA_SQLServer_BinarySIDToString](functions/overview.md#sa_sqlserver_binarysidtostring-scalar-function) + - [SA_SQLServer_GetAuditFileComparisonString](functions/overview.md#sa_sqlserver_getauditfilecomparisonstring-scalar-function) + - [SA_SQLServer_CreateOrUpdateSDDResource](functions/overview.md#sa_sqlserver_createorupdatesddresource-stored-procedure) + diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/_category_.json new file mode 100644 index 0000000000..de517fc06d --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/_category_.json 
@@ -0,0 +1,10 @@ +{ + "label": "Reporting Tables", + "position": 20, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md new file mode 100644 index 0000000000..84d2be86f2 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md 
@@ -0,0 +1,1016 @@ +# Reporting Tables + +The following 56 tables are **denormalized reporting tables** populated by NAA analysis jobs. They use human-readable column names with spaces (e.g., `"Database Type"`, `"Instance"`) and are designed for direct consumption by the NAA console and reports. They do not participate in foreign key relationships with the core tables. + +:::note +All reporting tables share a common `Database Type` column (varchar/nvarchar) that identifies the SQL Server platform variant (e.g., `"SQL Server"`, `"Azure SQL Database"`, `"Azure SQL Managed Instance"`). None of these tables have primary keys or foreign keys — they are heap tables optimized for bulk INSERT/TRUNCATE patterns. +::: + +--- + +## Activity + +### SA_SQLServer_Activity_Details + +**Description:** Stores detailed records of database activity events captured from SQL Server audit logs. Each row represents a single audited action performed by a user. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Target database name | +| Event Time | datetime | | Yes | | Timestamp of the activity event | +| Object | nvarchar | 128 | Yes | | Target database object name | +| User | nvarchar | 128 | Yes | | Principal who performed the action | +| Statement | nvarchar | 4000 | Yes | | SQL statement text executed | +| Action Name | nvarchar | 128 | Yes | | Audit action name (e.g., SELECT, INSERT, EXECUTE) | +| Column Permission | varchar | 5 | No | | Whether the action involved column-level permissions (True/False) | +| Has Login | varchar | 5 | No | | Whether the user has a corresponding server login (True/False) | +| Client | nvarchar | 128 | Yes | | Client IP address or hostname | +| Application | nvarchar | 128 | Yes | | Application name from the connection string | 
+ +--- + +### SA_SQLServer_Activity_UserDatabaseSummary + +**Description:** Aggregates activity events by user, instance, and database, providing event counts and last event timestamps. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| User | nvarchar | 128 | Yes | | Principal name | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Event Count | int | | Yes | | Total number of activity events | +| Last Event | datetime | | Yes | | Timestamp of the most recent event | + +--- + +### SA_SQLServer_Activity_UserInstanceSummary + +**Description:** Aggregates activity events by user and instance (across all databases). + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| User | nvarchar | 128 | Yes | | Principal name | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Event Count | int | | Yes | | Total number of activity events across all databases | +| Last Event | datetime | | Yes | | Timestamp of the most recent event | + +--- + +## Authentication + +### SA_SQLServer_Authentication_Details + +**Description:** Reports per-instance authentication configuration: whether Windows-only authentication is enforced, whether the `sa` account has been renamed, and the count of SQL logins. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | varchar | 510 | Yes | | SQL Server instance name | +| Integrated Security Only | char | 5 | Yes | | Whether the instance is configured for Windows Authentication only (True/False) | +| Renamed 'sa' Account | char | 5 | Yes | | Whether the built-in `sa` login has been renamed (True/False) | +| Number of SQL Logins | int | | Yes | | Count of SQL Authentication logins on the instance | + +--- + +### SA_SQLServer_Authentication_Summary + +**Description:** Enterprise-level summary of authentication configurations across all instances. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Configuration | varchar | 32 | Yes | | Authentication configuration category | +| Number of Instances | int | | Yes | | Count of instances with this configuration | + +--- + +## Control Server + +### SA_SQLServer_ControlServer_Details + +**Description:** Lists all principals that hold the CONTROL SERVER permission (or equivalent), including those who inherit it through nested role memberships. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Grantee | nvarchar | 128 | Yes | | Principal directly granted the permission | +| Grantee Id | int | | Yes | | Grantee principal ID | +| Trustee | nvarchar | 128 | Yes | | Effective trustee who exercises the permission | +| Trustee Id | int | | Yes | | Trustee principal ID | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantor Id | int | | Yes | | Grantor principal ID | +| Source Trustee | nvarchar | 128 | Yes | | Original source of permission if inherited | +| Grantee Type | nvarchar | 120 | Yes | | Type of the grantee principal | +| Grantee SID | nvarchar | 128 | Yes | | Security Identifier of the grantee | +| Member Path | nvarchar | MAX | Yes | | Full nested role membership path | + +--- + +### SA_SQLServer_ControlServer_DomainUsers + +**Description:** Summarizes domain user access to CONTROL SERVER at the instance level with login type breakdown. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Permission Count | int | | Yes | | Total CONTROL SERVER permissions on this instance | +| SQL Logins | int | | Yes | | Count of SQL Authentication logins with CONTROL SERVER | +| Windows Logins | int | | Yes | | Count of Windows logins with CONTROL SERVER | +| Non Default Logins | int | | Yes | | Count of non-default logins with CONTROL SERVER | + +--- + +### SA_SQLServer_ControlServer_InstanceSummary + +**Description:** Per-instance count of principals with CONTROL SERVER permission. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Count | int | | Yes | | Number of principals with CONTROL SERVER | + +--- + +## Database Principals + +### SA_SQLServer_DatabasePrincipals_Details + +**Description:** Detailed inventory of database-level principals with type, creation/modification dates, and stale account detection. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Principal | nvarchar | 128 | Yes | | Principal name | +| Principal Type | nvarchar | 120 | Yes | | Type description (SQL_USER, WINDOWS_USER, DATABASE_ROLE, etc.) | +| Created | datetime | | Yes | | Principal creation date | +| Modified | datetime | | Yes | | Principal last modification date | +| Disabled | char | 5 | Yes | | Whether the associated login is disabled (True/False) | +| Stale Domain User | char | 5 | Yes | | Whether the domain account is stale in AD (True/False) | + +--- + +### SA_SQLServer_DatabasePrincipals_InstanceSummary + +**Description:** Per-instance summary of database principal counts broken down by type. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Domain Principal Count | int | | Yes | | Count of domain-based principals | +| SQL User Count | int | | Yes | | Count of SQL authentication users | +| Certificate Mapped User Count | int | | Yes | | Count of certificate-mapped users | +| Database Role Count | int | | Yes | | Count of database roles | + +--- + +## Database Size + +### SA_SQLServer_DatabaseSize_Details + +**Description:** Detailed database and file sizing information including space used, free space, and growth settings. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Host | nvarchar | 256 | Yes | | Host machine name | +| Instance | nvarchar | 256 | Yes | | SQL Server instance name | +| Database | nvarchar | 255 | Yes | | Database name | +| Database Size (GB) | decimal | (18,3) | Yes | | Total database size in gigabytes | +| Database Size (MB) | decimal | (18,3) | Yes | | Total database size in megabytes | +| Space Used (MB) | decimal | (18,3) | Yes | | Space used in megabytes | +| Free Space (MB) | decimal | (18,3) | Yes | | Free space in megabytes | +| File | nvarchar | 256 | Yes | | Database file logical name | +| File Path | nvarchar | 260 | Yes | | Physical file path | +| State | nvarchar | 255 | Yes | | File state (ONLINE, OFFLINE, etc.) | +| Growth (MB) | decimal | (18,3) | Yes | | Auto-growth increment in MB | +| Max Size (MB) | nvarchar | 60 | Yes | | Maximum file size (or UNLIMITED) | + +--- + +### SA_SQLServer_DatabaseSize_Summary + +**Description:** Per-host summary of total database storage consumption. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Host | nvarchar | 256 | Yes | | Host machine name | +| Size (GB) | decimal | (18,3) | Yes | | Total database size across all databases on the host | + +--- + +## Direct Permissions + +### SA_SQLServer_DirectPermissions_DatabaseDetails + +**Description:** Lists direct (non-inherited) permissions at the database level with grantee, trustee, and grantor resolution. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Grantee | nvarchar | 128 | Yes | | Principal directly granted the permission | +| Grantee Id | nvarchar | 128 | Yes | | Grantee identifier | +| Trustee | nvarchar | 128 | Yes | | Effective trustee exercising the permission | +| Trustee Id | nvarchar | 128 | Yes | | Trustee identifier | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantee SID | nvarchar | 128 | Yes | | Security Identifier of the grantee | + +--- + +### SA_SQLServer_DirectPermissions_DatabaseSummary + +**Description:** Count of direct permissions per database. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Direct Permissions | int | | Yes | | Total count of direct permissions | + +--- + +### SA_SQLServer_DirectPermissions_SchemaDetails + +**Description:** Lists direct permissions at the schema level. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Grantee | nvarchar | 128 | Yes | | Principal directly granted the permission | +| Grantee Id | nvarchar | 128 | Yes | | Grantee identifier | +| Trustee | nvarchar | 128 | Yes | | Effective trustee | +| Trustee Id | nvarchar | 128 | Yes | | Trustee identifier | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantee SID | nvarchar | 128 | Yes | | Security Identifier of the grantee | + +--- + +### SA_SQLServer_DirectPermissions_SchemaSummary + +**Description:** Count of direct schema-level permissions per database. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Direct Permissions | int | | Yes | | Total count of direct schema permissions | + +--- + +### SA_SQLServer_DirectPermissions_ServerDetails + +**Description:** Lists direct permissions at the server level. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Server | nvarchar | 128 | Yes | | SQL Server instance name | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Grantee | nvarchar | 128 | Yes | | Principal directly granted the permission | +| Grantee Id | nvarchar | 128 | Yes | | Grantee identifier | +| Trustee | nvarchar | 128 | Yes | | Effective trustee | +| Trustee Id | nvarchar | 128 | Yes | | Trustee identifier | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantee SID | nvarchar | 128 | Yes | | Security Identifier of the grantee | + +--- + +### SA_SQLServer_DirectPermissions_ServerSummary + +**Description:** Count of direct server-level permissions per instance. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Server | nvarchar | 128 | Yes | | SQL Server instance name | +| Direct Permissions | int | | Yes | | Total count of direct server permissions | + +--- + +## Domain User Permissions + +### SA_SQLServer_DomainUserPermissions_Details + +**Description:** Detailed listing of permissions held by domain user accounts, including effective permissions gained through role membership. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Trustee | nvarchar | 513 | Yes | | Domain user/group exercising the permission | +| Disabled | nvarchar | 5 | Yes | | Whether the account is disabled | +| Trustee Type | nvarchar | 128 | Yes | | Principal type (WINDOWS_LOGIN, WINDOWS_GROUP, etc.) 
| +| Trustee SID/ID | varchar | 184 | Yes | | Security Identifier or principal ID | +| Source Trustee | nvarchar | 128 | Yes | | Original source if permission is inherited | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Object | nvarchar | 128 | Yes | | Target securable object | +| Object Type | nvarchar | 120 | Yes | | Securable object type | +| Path | nvarchar | MAX | Yes | | Full role membership path to permission | + +--- + +### SA_SQLServer_DomainUserPermissions_Summary + +**Description:** Enterprise-level summary of domain user permissions. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Trustee | nvarchar | 128 | Yes | | Domain user/group name | +| SID/ID | nvarchar | 184 | Yes | | Security Identifier | +| Permissions | int | | Yes | | Total permission count | +| Instances | int | | Yes | | Number of instances where user has permissions | +| Stale Domain Account | varchar | 5 | Yes | | Whether the account is stale in AD (True/False) | + +--- + +## Effective Role Members + +### SA_SQLServer_EffectiveRoleMember_Summary + +**Description:** Per-instance summary of effective (transitive) role memberships with login type breakdown. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 256 | Yes | | SQL Server instance name | +| Role Membership Count | int | | Yes | | Total effective role memberships | +| Domain Login | int | | Yes | | Count of domain login memberships | +| SQL Login | int | | Yes | | Count of SQL login memberships | + +--- + +## Instance Summary + +### SA_SQLServer_InstanceSummary + +**Description:** High-level overview of scanned SQL Server instances with counts of key objects. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 10 | No | | SQL platform variant identifier | +| Instances | int | | Yes | | Total number of instances | +| Databases | int | | Yes | | Total number of databases | +| Tables | int | | Yes | | Total number of tables | +| Users | int | | Yes | | Total number of users/principals | +| Roles | int | | Yes | | Total number of roles | + +--- + +## Logons + +### SA_SQLServer_Logons_Details + +**Description:** Detailed login event records (both successful and failed) from audit logs. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 10 | No | | SQL platform variant identifier | +| Host | varchar | 100 | Yes | | Host machine name | +| Instance | varchar | 100 | Yes | | SQL Server instance name | +| Event Date | datetime | | Yes | | Date/time of the login event | +| Trustee | varchar | 1000 | Yes | | Principal who attempted to log in | +| Client | varchar | 250 | Yes | | Client IP or hostname | +| Type | varchar | 50 | Yes | | Login type (Successful/Failed) | + +--- + +### SA_SQLServer_Logons_Summary + +**Description:** Per-instance summary of login events with success/failure counts. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 10 | No | | SQL platform variant identifier | +| Host | varchar | 100 | Yes | | Host machine name | +| Instance | varchar | 100 | Yes | | SQL Server instance name | +| Failed Logins | int | | Yes | | Count of failed login attempts | +| Successful Logins | int | | Yes | | Count of successful logins | +| Trustee Count | int | | Yes | | Number of distinct principals who logged in | + +--- + +## Password Issues + +### SA_SQLServer_PasswordIssues_Details + +**Description:** Lists SQL logins with password policy violations (weak passwords, shared passwords, blank passwords, etc.). + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Username | nvarchar | 128 | Yes | | SQL login name | +| User Id | int | | Yes | | Principal ID | +| User SID | varchar | 128 | Yes | | Security Identifier | +| Type | nvarchar | 120 | Yes | | Principal type description | +| Issue | nvarchar | 56 | Yes | | Password issue type (Weak, Blank, Shared, etc.) | +| Disabled | nvarchar | 28 | Yes | | Whether the login is disabled | +| Created Date | datetime | | Yes | | Login creation date | +| Modified Date | datetime | | Yes | | Login last modification date | +| Value | nvarchar | 512 | Yes | | Additional context for the issue | +| Users with Shared Passwords | nvarchar | MAX | Yes | | List of other users sharing the same password hash | + +--- + +### SA_SQLServer_PasswordIssues_Summary + +**Description:** Per-instance count of weak passwords. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Weak Passwords | int | | Yes | | Count of SQL logins with password issues | + +--- + +## Permission Changes + +### SA_SQLServer_PermissionChanges_Details + +**Description:** Audit trail of permission modification events (GRANT, DENY, REVOKE operations). + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| User | nvarchar | 128 | Yes | | Principal who made the change | +| Action | nvarchar | 128 | Yes | | Action performed (GRANT, DENY, REVOKE) | +| Object | nvarchar | 128 | Yes | | Target object of the permission change | +| Date | datetime2 | | No | | Timestamp of the permission change | +| Client | nvarchar | 128 | Yes | | Client IP or hostname | +| Application | nvarchar | 128 | Yes | | Application name | + +--- + +### SA_SQLServer_PermissionChanges_InstanceSummary + +**Description:** Per-instance count of permission change events. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Permission Changes | int | | Yes | | Total number of permission change events | + +--- + +## Public Permissions + +### SA_SQLServer_PublicPermissions_Details + +**Description:** Lists all permissions granted to the `public` database role, which are inherited by every database user. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Object | nvarchar | 128 | Yes | | Securable object name | +| Object Type | nvarchar | 120 | Yes | | Object type description | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantee | nvarchar | 128 | Yes | | Grantee (always `public`) | +| Default SQL Object | varchar | 5 | No | | Whether this is a default SQL Server object (True/False) | + +--- + +### SA_SQLServer_PublicPermissions_DatabaseSummary + +**Description:** Per-database count of public role permissions. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Public Permissions | int | | Yes | | Count of permissions granted to public | + +--- + +### SA_SQLServer_PublicPermissions_InstanceSummary + +**Description:** Per-instance count of public role permissions across all databases. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Public Permissions | int | | Yes | | Total public permissions across all databases | + +--- + +### SA_SQLServer_PublicPermissions_NonDefault + +**Description:** Lists non-default public role permissions — permissions on objects not shipped by Microsoft. These represent potential security risks. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Object | nvarchar | 128 | Yes | | Securable object name | +| Object Type | nvarchar | 120 | Yes | | Object type description | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantee | nvarchar | 128 | Yes | | Grantee (always `public`) | +| Default SQL Object | varchar | 5 | No | | Always `False` (filtered to non-default only) | + +--- + +## Role Members + +### SA_SQLServer_RoleMember_Details + +**Description:** Detailed listing of direct role membership relationships at both server and database levels with type classification and stale account detection. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Instance Id | int | | Yes | | Internal instance ID | +| Database | nvarchar | 128 | Yes | | Database name (NULL for server roles) | +| Database Id | int | | Yes | | Internal database ID | +| Role | nvarchar | 128 | Yes | | Role name | +| Role Id | int | | No | | Role principal ID | +| Role SID String | varchar | 100 | Yes | | Role SID as human-readable string | +| Role Type | nvarchar | 27 | Yes | | Role type (SERVER_ROLE, DATABASE_ROLE) | +| Role Member | nvarchar | 128 | Yes | | Member principal name | +| Role Member Id | int | | No | | Member principal ID | +| Role Member Type | nvarchar | 27 | Yes | | Member type (SQL_LOGIN, WINDOWS_LOGIN, etc.) 
| +| Role Member SID String | varchar | 100 | Yes | | Member SID as human-readable string | +| Disabled | varchar | 5 | No | | Whether the member is disabled (True/False) | +| Stale Domain User | varchar | 5 | No | | Whether the domain account is stale (True/False) | + +--- + +### SA_SQLServer_RoleMember_Summary + +**Description:** Per-instance summary of role memberships broken down by server/database and login type. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Role Membership Count | int | | Yes | | Total role memberships | +| Server Role Membership | int | | Yes | | Server-level role memberships | +| Server Role Domain Login | int | | Yes | | Domain logins in server roles | +| Server Role SQL Login | int | | Yes | | SQL logins in server roles | +| Database Role Membership | int | | Yes | | Database-level role memberships | +| Database Role Domain User | int | | Yes | | Domain users in database roles | +| Database Role SQL User | int | | Yes | | SQL users in database roles | + +--- + +## Security Assessment + +### SA_SQLServer_SecurityAssessment_Results + +**Description:** Individual security check results with risk ratings. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Category | nvarchar | MAX | Yes | | Security check category | +| Check | nvarchar | MAX | Yes | | Name/description of the security check | +| Finding | int | | Yes | | Finding count (0 = pass) | +| Risk | nvarchar | MAX | Yes | | Risk level (No Findings, Low, Medium, High) | + +--- + +### SA_SQLServer_SecurityAssessment_CategorySummary + +**Description:** Aggregated security assessment results by category with risk distribution. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Category | nvarchar | MAX | Yes | | Security check category name | +| No Findings | int | | Yes | | Count of checks with no findings | +| Low | int | | Yes | | Count of low-risk findings | +| Medium | int | | Yes | | Count of medium-risk findings | +| High | int | | Yes | | Count of high-risk findings | +| Total Exceptions | int | | Yes | | Total number of exceptions/findings | + +--- + +## Sensitive Data + +### SA_SQLServer_SensitiveData_Details + +**Description:** Detailed SDD scan results showing which tables contain sensitive data, matched criteria, and hit counts. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Schema | nvarchar | 128 | Yes | | Schema name | +| Table | nvarchar | 128 | Yes | | Table name containing sensitive data | +| Criteria | nvarchar | MAX | Yes | | Matched SDD criteria name(s) | +| Table Row Count | bigint | | Yes | | Total rows in the table | +| Match Count | bigint | | Yes | | Number of sensitive data matches | +| Match Types | nvarchar | MAX | Yes | | Types of matches found | +| Match Hits | nvarchar | MAX | Yes | | Sample match hit data | + +--- + +### SA_SQLServer_SensitiveData_DatabaseSummary + +**Description:** Per-database summary of SDD findings. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Tables With Sensitive Data | int | | Yes | | Count of tables with SDD matches | +| Match Count | bigint | | Yes | | Total match count | + +--- + +### SA_SQLServer_SensitiveData_EnterpriseSummary + +**Description:** Enterprise-wide rollup of sensitive data findings by criteria category. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Category | nvarchar | 512 | Yes | | SDD criteria category name | +| Matches | bigint | | Yes | | Total matches across enterprise | +| Instances | bigint | | Yes | | Number of affected instances | +| Databases | bigint | | Yes | | Number of affected databases | +| Tables | bigint | | Yes | | Number of affected tables | + +--- + +## Sensitive Data Activity + +### SA_SQLServer_SensitiveDataActivity_Details + +**Description:** Activity events on tables that contain sensitive data, correlating audit events with SDD findings. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 266 | Yes | | SQL Server instance name | +| Activity Date | datetime | | Yes | | Timestamp of the activity event | +| User | nvarchar | 266 | Yes | | Principal who performed the action | +| Object | nvarchar | 128 | Yes | | Object name containing sensitive data | +| Object ID | bigint | | Yes | | Internal object ID | +| Column | nvarchar | 128 | Yes | | Column name if column-level access | +| Client | nvarchar | 128 | Yes | | Client IP or hostname | +| Application | nvarchar | 128 | Yes | | Application name | +| Action | nvarchar | 56 | Yes | | Action type (SELECT, INSERT, UPDATE, etc.) | +| Criteria | nvarchar | 256 | Yes | | SDD criteria name(s) for the object | +| Match Data | nvarchar | 256 | Yes | | Sample match data | + +--- + +### SA_SQLServer_SensitiveDataActivity_UserSummary + +**Description:** Per-user summary of activity on sensitive data objects. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 266 | Yes | | SQL Server instance name | +| User | nvarchar | 266 | Yes | | Principal name | +| Event Count | int | | Yes | | Total events on sensitive data | +| Last Event | datetime | | Yes | | Timestamp of the most recent event | + +--- + +## Sensitive Data Permissions + +### SA_SQLServer_SensitiveDataPermissions_Details + +**Description:** Lists principals with permissions on objects containing sensitive data, with trustee resolution through role membership. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Object | nvarchar | 128 | Yes | | Object name containing sensitive data | +| Criteria | nvarchar | MAX | Yes | | SDD criteria name(s) | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Grantee | nvarchar | 513 | Yes | | Grantee principal | +| Grantee Id | nvarchar | 128 | Yes | | Grantee identifier | +| Trustee | nvarchar | 128 | Yes | | Effective trustee | +| Trustee Id | nvarchar | 128 | Yes | | Trustee identifier | +| Grantor | nvarchar | 128 | Yes | | Grantor principal | +| Source Trustee | nvarchar | 128 | Yes | | Original permission source | +| Grantee SID | varchar | 184 | Yes | | Security Identifier | + +--- + +### SA_SQLServer_SensitiveDataPermissions_DatabaseSummary + +**Description:** Per-database count of permissions on sensitive data objects. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name | +| Sensitive Data Permissions | int | | Yes | | Count of permissions on sensitive data | +| Match Count | int | | Yes | | SDD match count in the database | + +--- + +## Server Permissions + +### SA_SQLServer_ServerPermission_Details + +**Description:** Detailed listing of server-level permissions with grantee, trustee, and path information for inherited permissions. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Grantee | nvarchar | 128 | Yes | | Principal directly granted the permission | +| Grantor | nvarchar | 128 | Yes | | Principal who granted the permission | +| Grantee Type | nvarchar | 128 | Yes | | Grantee principal type | +| Trustee | nvarchar | 128 | Yes | | Effective trustee | +| Grantee SID | nvarchar | 128 | Yes | | Security Identifier | +| Permission | nvarchar | 128 | Yes | | Permission name | +| Source Trustee | nvarchar | 128 | Yes | | Original permission source | +| Path | nvarchar | MAX | Yes | | Full role membership path | +| Grantable | nvarchar | 26 | Yes | | Whether the permission is grantable (WITH GRANT OPTION) | + +--- + +### SA_SQLServer_ServerPermission_InstanceSummary + +**Description:** Per-instance count of server-level permissions. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Count | int | | Yes | | Total server-level permissions | + +--- + +## Server Principals + +### SA_SQLServer_ServerPrincipals_Details + +**Description:** Detailed server principal inventory with role membership aggregation and stale account detection. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Principal | nvarchar | 128 | Yes | | Principal name | +| Disabled | varchar | 5 | No | | Whether the login is disabled (True/False) | +| Created | date | | Yes | | Creation date | +| Modified | date | | Yes | | Last modification date | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Principal Type | nvarchar | 120 | Yes | | Type description (SQL_LOGIN, WINDOWS_LOGIN, etc.) | +| Roles | nvarchar | MAX | Yes | | Comma-separated list of server roles | +| Stale Domain User | varchar | 5 | No | | Whether the domain account is stale (True/False) | + +--- + +### SA_SQLServer_ServerPrincipals_InstanceSummary + +**Description:** Per-instance count of server principals. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Principals | int | | Yes | | Total number of server principals | + +--- + +## SysAdmins + +### SA_SQLServer_SysAdmins_Details + +**Description:** Lists all members of the `sysadmin` fixed server role, including nested members with full membership path. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Role | nvarchar | 128 | Yes | | Role name (sysadmin or equivalent) | +| Member | nvarchar | 128 | Yes | | Member name | +| Member Type | nvarchar | 128 | Yes | | Member type description | +| Member Path | nvarchar | MAX | Yes | | Full nesting path to the role | + +--- + +### SA_SQLServer_SysAdmins_DomainUsers + +**Description:** Domain user details for sysadmin role members, enriched with Active Directory attributes. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| User | nvarchar | 513 | Yes | | Domain user name (DOMAIN\User format) | +| Display Name | nvarchar | 256 | Yes | | AD display name | +| Object SID/ID | varchar | 184 | Yes | | Security Identifier | +| DN | nvarchar | 450 | Yes | | Distinguished Name from AD | +| When Created | datetime | | Yes | | AD account creation date | +| Days Since Created | int | | Yes | | Number of days since creation | +| When Changed | datetime | | Yes | | AD account last change date | +| Days Since Changed | int | | Yes | | Number of days since last change | +| Mail | nvarchar | 256 | Yes | | Email address from AD | +| Last Logon | datetime | | Yes | | AD last logon timestamp | +| Days Since Last Logon | int | | Yes | | Number of days since last logon | +| Account Expires | datetime | | Yes | | AD account expiration date | +| Instance Count | smallint | | Yes | | Number of instances where user is sysadmin | + +--- + +### SA_SQLServer_SysAdmins_InstanceSummary + +**Description:** Per-instance count of sysadmin members. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Count | int | | Yes | | Number of sysadmin members | + +--- + +## Unusual Activity + +### SA_SQLServer_UnusualHourlyUserActivity + +**Description:** Stores hourly activity counts by user with statistical outlier detection using Modified Z-Score analysis. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Username | nvarchar | 128 | Yes | | Server principal name | +| Database User | nvarchar | 128 | Yes | | Database principal name | +| Action Name | nvarchar | 128 | Yes | | Audit action name | +| Date | date | | Yes | | Activity date | +| Day | nvarchar | 30 | Yes | | Day of week | +| Hour | nvarchar | 36 | Yes | | Hour of day | +| Count | int | | Yes | | Event count for this hour | +| Median | int | | Yes | | Median event count for this user/hour | +| Modified Z-score | decimal | (10,2) | Yes | | Statistical deviation score; values > 3.5 indicate outliers | + +--- + +### SA_SQLServer_UnusualActivitySummary + +**Description:** Per-instance count of detected activity outliers. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Number of Outliers | int | | Yes | | Count of detected unusual activity events | + +--- + +## User Logins + +### SA_SQLServer_UserLogins_Details + +**Description:** Comprehensive SQL login inventory with password policy, lockout, and expiration status. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Trustee | nvarchar | 128 | Yes | | Login name | +| SID | varchar | 100 | Yes | | Security Identifier | +| PrincipalType | varchar | 24 | Yes | | Principal type (SQL_LOGIN, WINDOWS_LOGIN, etc.) 
| +| Disabled | varchar | 5 | No | | Whether login is disabled (True/False) | +| Created | datetime | | Yes | | Login creation date | +| Last Modified | datetime | | Yes | | Login last modification date | +| Default DB | nvarchar | 128 | Yes | | Default database name | +| Policy Checked | varchar | 5 | No | | Whether password policy is enforced (True/False) | +| Expiration Checked | varchar | 5 | No | | Whether password expiration is enforced (True/False) | +| Locked | varchar | 5 | No | | Whether the login is locked out (True/False) | +| Expired | varchar | 5 | No | | Whether the password is expired (True/False) | +| Must Change | varchar | 5 | No | | Whether password must be changed at next login (True/False) | +| Permissions | bigint | | Yes | | Total number of permissions held | + +--- + +### SA_SQLServer_UserLogins_Summary + +**Description:** Per-instance summary of SQL login status with issue breakdown. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Login Count | int | | Yes | | Total SQL logins | +| Disabled Logins | int | | Yes | | Count of disabled logins | +| Policy Not Checked | int | | Yes | | Count of logins without password policy | +| Expiration Not Checked | int | | Yes | | Count of logins without expiration checking | +| Locked Logins | int | | Yes | | Count of locked out logins | +| Expired Logins | int | | Yes | | Count of expired logins | +| Must Change | int | | Yes | | Count of logins requiring password change | + +--- + +## Best Practices + +### SA_SQL_BestPractices + +**Description:** Stores individual best practice check results for SQL Server instances and databases. Each row is a single configuration setting evaluated against a known best practice recommendation. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Database | nvarchar | 128 | Yes | | Database name (NULL for instance-level checks) | +| Name | nvarchar | 256 | Yes | | Best practice check name | +| Value | nvarchar | 256 | Yes | | Current configuration value | +| Description | nvarchar | MAX | Yes | | Explanation of the best practice recommendation | +| Best Practice | nvarchar | 5 | Yes | | Whether the setting meets best practice (True/False) | + +--- + +### SA_SQL_BestPractices_Summary + +**Description:** Aggregates best practice results by instance, showing pass and fail counts. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | nvarchar | 128 | Yes | | SQL Server instance name | +| Pass | int | | Yes | | Number of best practice checks passed | +| Fail | int | | Yes | | Number of best practice checks failed | + +--- + +## CMD Shell + +### SA_SQL_CMDShell_Status + +**Description:** Stores xp_cmdshell and related security configuration status for SQL Server instances. Tracks dangerous server-level configuration options. 
+ +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Instance | varchar | 510 | Yes | | SQL Server instance name | +| Name | varchar | 255 | Yes | | Configuration option name (e.g., xp_cmdshell) | +| Description | varchar | 255 | Yes | | Configuration option description | +| Configuration | char | 8 | Yes | | Configured value | +| Value in Use | varchar | 255 | Yes | | Current runtime value | + +--- + +## Linked Servers + +### SA_SQL_LinkedServer_Details + +**Description:** Stores detailed information about linked servers configured on SQL Server instances, including security configuration and access settings. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Server Id | int | | Yes | | Linked server ID | +| Server Name | varchar | 255 | Yes | | Linked server name | +| Instance | varchar | 255 | Yes | | Host SQL Server instance name | +| Product | varchar | 255 | Yes | | Product name (e.g., SQL Server, Oracle) | +| Provider | varchar | 255 | Yes | | OLE DB provider name | +| Provider String | varchar | 255 | Yes | | Provider connection string | +| Catalog | varchar | 255 | Yes | | Default catalog/database | +| Is Linked | varchar | 5 | Yes | | Whether it is a linked server (True/False) | +| Local Login | varchar | 255 | Yes | | Local login mapped to the linked server | +| Remote Login Name | varchar | 255 | Yes | | Remote login used on the linked server | +| Linked Server Security Status | varchar | 255 | Yes | | Security mapping status description | +| RPC Out Enabled | varchar | 5 | Yes | | Whether RPC out is enabled (True/False) | +| Data Access Enabled | varchar | 5 | Yes | | Whether data access is enabled (True/False) | +| Modify Date | datetime | | Yes | | Last modification date | + +--- + +### 
SA_SQL_LinkedServer_Summary + +**Description:** Aggregates linked server counts per instance. + +| Column Name | Data Type | Size | Nullable | Default | Description | +|---|---|---|---|---|---| +| Database Type | nvarchar | 56 | Yes | | SQL platform variant identifier | +| Server Name | varchar | 255 | Yes | | Server name | +| Instance | varchar | 255 | Yes | | SQL Server instance name | +| Linked Servers | int | | Yes | | Total number of linked servers configured | diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/views/_category_.json b/docs/accessanalyzer/11.6/admin/schema/sqldc/views/_category_.json new file mode 100644 index 0000000000..2c72e59702 --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/views/_category_.json @@ -0,0 +1,10 @@ +{ + "label": "Views", + "position": 30, + "collapsed": true, + "collapsible": true, + "link": { + "type": "doc", + "id": "overview" + } +} diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/views/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/views/overview.md new file mode 100644 index 0000000000..2d74f9ba6a --- /dev/null +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/views/overview.md 
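Review bot: In the `SA_SQL_LinkedServer_Details` table, the `Linked Server Security Status` row ("Security mapping status description") and the `Local Login` / `Remote Login Name` rows do not say enough for a reader to judge the security posture of a linked server, which is the main reason this table exists. Please document the possible values of `Linked Server Security Status` (at minimum: whether the mapping impersonates the caller's own login, maps logins to a stored remote login, or denies logins that are not explicitly mapped) and note that an empty `Local Login` denotes the default mapping that applies to every login not listed explicitly; a default mapping to a stored remote login with elevated rights is the case a reviewer of this data needs to be able to spot. The `Is Linked` description ("Whether it is a linked server (True/False)") should also state that a `False` row is the instance's own entry in `sys.servers` (the local server), otherwise readers will treat those rows as misconfigured linked servers. Two smaller items in the same hunk: `SA_SQL_LinkedServer_Summary` has both `Server Name` ("Server name") and `Instance` columns with no explanation of how they differ, and the `SA_SQLServer_SecurityAssessment_Results` and `_CategorySummary` tables carry no `Database Type` or `Instance` column, so the descriptions should state whether those results are an enterprise-wide rollup or per instance, since every other summary table in this file says which.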
@@ -0,0 +1,531 @@ +# Views + +## SA_SQLServer_FullEventsView + +**Description:** Denormalizes the `SA_SQLServer_Events` fact table by LEFT JOINing all dimension tables. Provides a single, flat view of audit events with human-readable names instead of FK IDs. Resolves action names via a distinct subquery on AuditActions. + +**Source Tables:** `SA_SQLServer_Events`, `SA_SQLServer_AuditFiles`, `SA_SQLServer_AuditInformation`, `SA_SQLServer_Instances`, `SA_SQL_Instances`, `SA_SQLServer_EventDatabases`, `SA_SQLServer_Databases`, `SA_SQLServer_EventServerPrincipals`, `SA_SQLServer_EventDatabasePrincipals`, `SA_SQLServer_Statements`, `SA_SQLServer_AdditionalInformation`, `SA_SQLServer_UserEvents`, `SA_SQLServer_AuditClassType`, `SA_SQLServer_AuditActions` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| Instance | int | | Yes | SA_SQLServer_Events.instance_id | FK to the SQL Server instance | +| Database | int | | Yes | SA_SQLServer_Events.database_id | FK to the database where the event occurred | +| event_time | datetime2 | | No | SA_SQLServer_Events.event_time | Timestamp of the audit event | +| sequence_number | int | | No | SA_SQLServer_Events.sequence_number | Sequence number within the audit record | +| action_id | varchar | 4 | Yes | SA_SQLServer_Events.action_id | Short code identifying the audit action (e.g., LGIS, SL) | +| action_name | nvarchar | 128 | Yes | SA_SQLServer_AuditActions.name | Human-readable name of the audit action | +| succeeded | bit | | No | SA_SQLServer_Events.succeeded | Whether the audited action succeeded | +| session_id | smallint | | No | SA_SQLServer_Events.session_id | SQL Server session ID | +| object_id | int | | Yes | SA_SQLServer_Events.object_id | ID of the object targeted by the action | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_Events.object_name | Name of the object targeted by the action | +| class_type | varchar | 2 | Yes | SA_SQLServer_AuditClassType.class_type 
| Two-character audit class type code | +| class_type_desc | nvarchar | 120 | Yes | SA_SQLServer_AuditClassType.class_type_desc | Description of the audit class type | +| schema_name | nvarchar | 128 | Yes | SA_SQLServer_Events.schema_name | Schema containing the target object | +| audit_file_offset | bigint | | No | SA_SQLServer_Events.audit_file_offset | Byte offset within the audit file | +| audit_schema_version | int | | Yes | SA_SQLServer_AuditInformation.audit_schema_version | Version of the audit schema | +| sequence_group_id | varbinary | 85 | Yes | SA_SQLServer_AuditInformation.sequence_group_id | Identifier for the sequence group | +| file_id | int | | Yes | SA_SQLServer_AuditFiles.file_id | FK to the audit file | +| client_ip | nvarchar | 128 | Yes | SA_SQLServer_Events.client_ip | IP address of the connecting client | +| application_name | nvarchar | 128 | Yes | SA_SQLServer_Events.application_name | Name of the client application | +| audit_file_path | nvarchar | 1024 | Yes | SA_SQLServer_AuditFiles.audit_file_path | File system path of the audit file | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_Databases.database_name | Name of the database | +| database_id | int | | Yes | SA_SQLServer_EventDatabases.database_id | Database ID from the event | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database (on-prem vs. 
Azure) | +| server_principal_id | int | | Yes | SA_SQLServer_EventServerPrincipals.server_principal_id | ID of the server principal who performed the action | +| server_principal_name | nvarchar | 128 | Yes | SA_SQLServer_EventServerPrincipals.server_principal_name | Name of the server principal | +| server_principal_sid | varbinary | 85 | Yes | SA_SQLServer_EventServerPrincipals.server_principal_sid | SID of the server principal | +| session_principal_id | int | | Yes | SA_SQLServer_EventServerPrincipals.session_principal_id | ID of the session-level principal | +| session_principal_name | nvarchar | 128 | Yes | SA_SQLServer_EventServerPrincipals.session_principal_name | Name of the session-level principal | +| session_principal_sid | varbinary | 85 | Yes | SA_SQLServer_EventServerPrincipals.session_principal_sid | SID of the session-level principal | +| database_principal_id | int | | Yes | SA_SQLServer_EventDatabasePrincipals.database_principal_id | ID of the database principal involved | +| database_principal_name | nvarchar | 128 | Yes | SA_SQLServer_EventDatabasePrincipals.database_principal_name | Name of the database principal | +| target_server_principal_id | int | | Yes | SA_SQLServer_EventServerPrincipals.target_server_principal_id | ID of the target server principal | +| target_server_principal_name | nvarchar | 128 | Yes | SA_SQLServer_EventServerPrincipals.target_server_principal_name | Name of the target server principal | +| target_server_principal_sid | varbinary | 85 | Yes | SA_SQLServer_EventServerPrincipals.target_server_principal_sid | SID of the target server principal | +| target_database_principal_id | int | | Yes | SA_SQLServer_EventDatabasePrincipals.target_database_principal_id | ID of the target database principal | +| target_database_principal_name | nvarchar | 128 | Yes | SA_SQLServer_EventDatabasePrincipals.target_database_principal_name | Name of the target database principal | +| permission_bitmask | varbinary | 16 | Yes | 
SA_SQLServer_Events.permission_bitmask | Bitmask of permissions relevant to the action | +| is_column_permission | bit | | Yes | SA_SQLServer_Events.is_column_permission | Whether the permission applies at the column level | +| statement | nvarchar | 4000 | Yes | SA_SQLServer_Statements.statement | The SQL statement that triggered the event | +| additional_information | nvarchar | 4000 | Yes | SA_SQLServer_AdditionalInformation.additional_information | Additional XML information about the event | +| user_defined_event_id | smallint | | Yes | SA_SQLServer_UserEvents.user_defined_event_id | ID for user-defined audit events | +| user_defined_information | nvarchar | 4000 | Yes | SA_SQLServer_UserEvents.user_defined_information | Custom information for user-defined events | + +**Logic:** LEFT JOINs Events to all dimension tables (AuditFiles, AuditInformation, Instances, EventDatabases, Databases, EventServerPrincipals, EventDatabasePrincipals, Statements, AdditionalInformation, UserEvents, AuditClassType) using FK columns. Resolves action names via a `SELECT DISTINCT` subquery on AuditActions. Joins to SA_SQL_Instances to obtain `database_usage_mode`. + +--- + +## SA_SQLServer_ServerPrincipalsView + +**Description:** Enriches `SA_SQLServer_ServerPrincipals` with type descriptions, instance names, default database names, and SID-to-string conversion via `SA_SQLServer_BinarySIDToString()`. Filters to active databases where `sa_delete_date IS NULL`. 
+ +**Source Tables:** `SA_SQLServer_ServerPrincipals`, `SA_SQLServer_ServerPrincipalTypes`, `SA_SQLServer_Instances`, `SA_SQL_Instances`, `SA_SQLServer_Databases` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| server_principal_id | int | | No | SA_SQLServer_ServerPrincipals.id | Surrogate PK for the server principal record | +| instance_id | int | | No | SA_SQLServer_ServerPrincipals.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| principal_id | int | | Yes | SA_SQLServer_ServerPrincipals.principal_id | SQL Server principal_id from sys.server_principals | +| principal_name | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipals.principal_name | Login or principal name | +| principal_sid | varbinary | 85 | Yes | SA_SQLServer_ServerPrincipals.principal_sid | Binary SID of the principal | +| principal_sid_string | varchar | 100 | Yes | UDF: SA_SQLServer_BinarySIDToString | Human-readable SID string (S-1-...) | +| type | nchar | 1 | Yes | SA_SQLServer_ServerPrincipals.type | Single-character type code (S, U, G, R, C, K, E, X) | +| type_desc | nvarchar | 120 | Yes | SA_SQLServer_ServerPrincipalTypes.type_desc | Friendly type description (e.g., SQL_LOGIN, WINDOWS_LOGIN) | +| is_disabled | bit | | Yes | SA_SQLServer_ServerPrincipals.is_disabled | Whether the login is disabled | +| create_date | datetime | | Yes | SA_SQLServer_ServerPrincipals.create_date | Date the principal was created | +| modify_date | datetime | | Yes | SA_SQLServer_ServerPrincipals.modify_date | Date the principal was last modified | +| default_database_id | int | | Yes | SA_SQLServer_ServerPrincipals.default_database_id | FK to the default database | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database (on-prem vs. 
Azure) | +| default_database | nvarchar | 128 | Yes | SA_SQLServer_Databases.database_name | Name of the default database | +| default_language_name | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipals.default_language_name | Default language for the login | +| credential_id | int | | Yes | SA_SQLServer_ServerPrincipals.credential_id | Associated credential ID | +| is_deleted | bit | | No | SA_SQLServer_ServerPrincipals.is_deleted | Soft-delete flag for the principal | + +**Logic:** JOINs ServerPrincipals to ServerPrincipalTypes for type descriptions and to Instances/SA_SQL_Instances for instance names and usage mode. LEFT JOINs to Databases to resolve default database name. Uses `SA_SQLServer_BinarySIDToString()` UDF to convert binary SID to human-readable `S-1-...` format. Filters where `sa_delete_date IS NULL` on the Databases table. + +--- + +## SA_SQLServer_SqlLoginsView + +**Description:** Combines SQL Login-specific properties (password policy, expiration, lock status) with the full server principal view via INNER JOIN. 
+ +**Source Tables:** `SA_SQLServer_SqlLogins`, `SA_SQLServer_ServerPrincipalsView` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| server_principal_id | int | | No | SA_SQLServer_ServerPrincipalsView.server_principal_id | Surrogate PK from the server principals view | +| instance_id | int | | No | SA_SQLServer_ServerPrincipalsView.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipalsView.instance_name | Name of the SQL Server instance | +| principal_id | int | | Yes | SA_SQLServer_ServerPrincipalsView.principal_id | SQL Server principal_id | +| principal_name | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipalsView.principal_name | Login name | +| principal_sid | varbinary | 85 | Yes | SA_SQLServer_ServerPrincipalsView.principal_sid | Binary SID of the principal | +| principal_sid_string | varchar | 100 | Yes | SA_SQLServer_ServerPrincipalsView.principal_sid_string | Human-readable SID string | +| type | nchar | 1 | Yes | SA_SQLServer_ServerPrincipalsView.type | Single-character type code | +| type_desc | nvarchar | 120 | Yes | SA_SQLServer_ServerPrincipalsView.type_desc | Friendly type description | +| is_disabled | bit | | Yes | SA_SQLServer_ServerPrincipalsView.is_disabled | Whether the login is disabled | +| create_date | datetime | | Yes | SA_SQLServer_ServerPrincipalsView.create_date | Date the principal was created | +| modify_date | datetime | | Yes | SA_SQLServer_ServerPrincipalsView.modify_date | Date the principal was last modified | +| default_database_id | int | | Yes | SA_SQLServer_ServerPrincipalsView.default_database_id | FK to the default database | +| database_usage_mode | int | | Yes | SA_SQLServer_ServerPrincipalsView.database_usage_mode | Usage mode of the database | +| default_database | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipalsView.default_database | Name of the default database | +| default_language_name | 
nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipalsView.default_language_name | Default language for the login | +| credential_id | int | | Yes | SA_SQLServer_ServerPrincipalsView.credential_id | Associated credential ID | +| is_deleted | bit | | No | SA_SQLServer_ServerPrincipalsView.is_deleted | Soft-delete flag | +| sqllogin_id | int | | No | SA_SQLServer_SqlLogins.id | Surrogate PK for the SQL login record | +| is_policy_checked | bit | | No | SA_SQLServer_SqlLogins.is_policy_checked | Whether password policy is enforced | +| is_expiration_checked | bit | | No | SA_SQLServer_SqlLogins.is_expiration_checked | Whether password expiration is enforced | +| password_hash | varbinary | 256 | Yes | SA_SQLServer_SqlLogins.password_hash | Hashed password value | +| is_locked | bit | | Yes | SA_SQLServer_SqlLogins.is_locked | Whether the account is currently locked out | +| is_expired | bit | | Yes | SA_SQLServer_SqlLogins.is_expired | Whether the password has expired | +| is_must_change | bit | | Yes | SA_SQLServer_SqlLogins.is_must_change | Whether the password must be changed at next login | +| password_hash_algorithm | int | | Yes | SA_SQLServer_SqlLogins.password_hash_algorithm | Algorithm used to hash the password | + +**Logic:** INNER JOINs SqlLogins to ServerPrincipalsView on the server_principal FK, combining login-specific properties with all inherited principal metadata. + +--- + +## SA_SQLServer_DatabasePrincipalsView + +**Description:** Enriches `SA_SQLServer_DatabasePrincipals` with instance, database, type, schema, and owning principal information. Uses `SA_SQLServer_BinarySIDToString()` UDF. Filters to active databases where `sa_delete_date IS NULL`. 
+ +**Source Tables:** `SA_SQLServer_DatabasePrincipals`, `SA_SQLServer_Databases`, `SA_SQLServer_Instances`, `SA_SQL_Instances`, `SA_SQLServer_DatabasePrincipalTypes`, `SA_SQLServer_Schemas`, `SA_SQLServer_ServerPrincipals` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| id | int | | No | SA_SQLServer_DatabasePrincipals.id | Surrogate PK for the database principal record | +| instance_id | int | | Yes | SA_SQLServer_Databases.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| database_id | int | | No | SA_SQLServer_DatabasePrincipals.database_id | FK to the database | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_Databases.database_name | Name of the database | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database (on-prem vs. Azure) | +| principal_id | int | | Yes | SA_SQLServer_DatabasePrincipals.principal_id | SQL Server principal_id from sys.database_principals | +| principal_name | nvarchar | 128 | Yes | SA_SQLServer_DatabasePrincipals.principal_name | Database principal name | +| principal_sid | varbinary | 85 | Yes | SA_SQLServer_DatabasePrincipals.principal_sid | Binary SID of the database principal | +| principal_sid_string | varchar | 100 | Yes | UDF: SA_SQLServer_BinarySIDToString | Human-readable SID string (S-1-...) 
| +| type | nchar | 1 | Yes | SA_SQLServer_DatabasePrincipals.type | Single-character type code | +| type_desc | nvarchar | 120 | Yes | SA_SQLServer_DatabasePrincipalTypes.type_desc | Friendly type description (e.g., SQL_USER, DATABASE_ROLE) | +| default_schema_id | int | | Yes | SA_SQLServer_DatabasePrincipals.default_schema_id | FK to the default schema | +| default_schema | nvarchar | 128 | Yes | SA_SQLServer_Schemas.schema_name | Name of the default schema | +| create_date | datetime | | Yes | SA_SQLServer_DatabasePrincipals.create_date | Date the principal was created | +| modify_date | datetime | | Yes | SA_SQLServer_DatabasePrincipals.modify_date | Date the principal was last modified | +| owning_principal_id | int | | Yes | SA_SQLServer_DatabasePrincipals.owning_principal_id | FK to the owning server principal | +| owning_principal_name | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipals.principal_name | Name of the owning server principal | +| is_fixed_role | bit | | Yes | SA_SQLServer_DatabasePrincipals.is_fixed_role | Whether this is a fixed database role | +| authentication_type | int | | Yes | SA_SQLServer_DatabasePrincipals.authentication_type | Authentication type code | +| authentication_type_desc | nvarchar | 60 | Yes | SA_SQLServer_DatabasePrincipals.authentication_type_desc | Authentication type description | +| is_deleted | bit | | No | SA_SQLServer_DatabasePrincipals.is_deleted | Soft-delete flag for the principal | + +**Logic:** LEFT JOINs to Databases, Instances, SA_SQL_Instances, DatabasePrincipalTypes, Schemas, and ServerPrincipals to resolve all lookup values. Converts SID to string using `SA_SQLServer_BinarySIDToString()`. Resolves owning principal name from ServerPrincipals. Filters `sa_delete_date IS NULL` on the Databases table. + +--- + +## SA_SQLServer_PermissionsView + +**Description:** Unified view combining both server-level and database-level permissions into a single result set via UNION. 
Resolves grantee/grantor names, permission names, and target objects. CASE expressions map type codes to friendly names. Filters soft-deleted principals and objects. + +**Source Tables:** `SA_SQLServer_DatabasePermissions`, `SA_SQLServer_ServerPermissions`, `SA_SQLServer_Databases`, `SA_SQLServer_Instances`, `SA_SQL_Instances`, `SA_SQLServer_DatabasePrincipals`, `SA_SQLServer_ServerPrincipals`, `SA_SQLServer_PermissionClasses`, `SA_SQLServer_PermissionNames`, `SA_SQLServer_PermissionStates`, `SA_SQLServer_Objects` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| id | int | | No | SA_SQLServer_DatabasePermissions.id / SA_SQLServer_ServerPermissions.id | Surrogate PK for the permission record | +| instance_id | int | | Yes | SA_SQLServer_Databases.instance_id / SA_SQLServer_ServerPermissions.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_DatabasePermissions.database_id | FK to the database (NULL for server-level) | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_Databases.database_name | Name of the database (NULL for server-level) | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database | +| class | tinyint | | No | SA_SQLServer_DatabasePermissions.class / SA_SQLServer_ServerPermissions.class | Permission class code | +| class_desc | nvarchar | 120 | Yes | SA_SQLServer_PermissionClasses.class_desc | Description of the permission class | +| major_id | int | | No | SA_SQLServer_DatabasePermissions.major_id / SA_SQLServer_ServerPermissions.major_id | ID of the securable (object, schema, etc.) 
| +| object_id | bigint | | Yes | SA_SQLServer_Objects.id | Surrogate PK of the target object | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_Objects.object_name | Name of the target object | +| minor_id | int | | No | SA_SQLServer_DatabasePermissions.minor_id / SA_SQLServer_ServerPermissions.minor_id | Sub-object ID (e.g., column ordinal) | +| grantee_principal_id | int | | Yes | SA_SQLServer_DatabasePrincipals.principal_id / SA_SQLServer_ServerPrincipals.principal_id | SQL Server principal_id of the grantee | +| grantee_id | int | | Yes | SA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.id | Surrogate PK of the grantee principal | +| grantee_principal_sid | varbinary | 85 | Yes | SA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sid | Binary SID of the grantee | +| grantee_principal_name | nvarchar | 128 | Yes | SA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_name | Name of the grantee principal | +| grantee_type | nvarchar | 24 | Yes | Computed (CASE) | Friendly type name of the grantee (e.g., DATABASE_ROLE, SQL_USER) | +| grantor_principal_id | int | | Yes | SA_SQLServer_DatabasePrincipals.principal_id / SA_SQLServer_ServerPrincipals.principal_id | SQL Server principal_id of the grantor | +| grantor_id | int | | Yes | SA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.id | Surrogate PK of the grantor principal | +| grantor_principal_sid | varbinary | 85 | Yes | SA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sid | Binary SID of the grantor | +| grantor_principal_name | nvarchar | 128 | Yes | SA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_name | Name of the grantor principal | +| type | nchar | 4 | No | SA_SQLServer_PermissionNames.type | Four-character permission type code | +| permission_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionNames.permission_name 
| Human-readable permission name (e.g., SELECT, EXECUTE) | +| state | nchar | 1 | No | SA_SQLServer_PermissionStates.state | Single-character state code (G, D, R, W) | +| state_desc | nvarchar | 120 | Yes | SA_SQLServer_PermissionStates.state_desc | Permission state description (GRANT, DENY, REVOKE, GRANT_WITH_GRANT_OPTION) | + +**Logic:** UNION of database-level permissions (resolved via DatabasePrincipals, Objects) and server-level permissions (resolved via ServerPrincipals). Both halves use CASE expressions to map single-character type codes to friendly type names (e.g., `'R'` to `'DATABASE_ROLE'`, `'S'` to `'SQL_USER'`). Filters where `is_deleted = 0` on principals and `sa_delete_date IS NULL` on objects/databases. + +--- + +## SA_SQLServer_RoleMembersView + +**Description:** Unified view of server and database role memberships via UNION. Resolves role and member names with friendly type labels. Filters to non-deleted records. + +**Source Tables:** `SA_SQLServer_DatabaseRoleMembers`, `SA_SQLServer_ServerRoleMembers`, `SA_SQLServer_DatabasePrincipals`, `SA_SQLServer_ServerPrincipals`, `SA_SQLServer_Databases`, `SA_SQLServer_Instances`, `SA_SQL_Instances` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| instance_id | int | | Yes | SA_SQLServer_Databases.instance_id / SA_SQLServer_ServerRoleMembers.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_DatabaseRoleMembers.database_id | FK to the database (NULL for server-level) | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_Databases.database_name | Name of the database (NULL for server-level) | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database | +| role | int | | No | SA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.id | Surrogate 
PK of the role principal | +| role_sid | varbinary | 85 | Yes | SA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sid | Binary SID of the role | +| role_name | nvarchar | 128 | Yes | SA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_name | Name of the role | +| role_type | nvarchar | 27 | Yes | Computed (CASE) | Friendly type name of the role (e.g., DATABASE_ROLE, SERVER_ROLE) | +| member | int | | No | SA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.id | Surrogate PK of the member principal | +| member_sid | varbinary | 85 | Yes | SA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sid | Binary SID of the member | +| member_name | nvarchar | 128 | Yes | SA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_name | Name of the member | +| member_type | nvarchar | 27 | Yes | Computed (CASE) | Friendly type name of the member (e.g., SQL_USER, WINDOWS_LOGIN) | + +**Logic:** UNION of database role members (resolved via DatabasePrincipals, Databases) and server role members (resolved via ServerPrincipals). CASE expressions map single-character type codes to friendly names. Filters `is_deleted = 0` on principals and `sa_delete_date IS NULL` on databases. + +--- + +## SA_SQLServer_SqlDatabaseView + +**Description:** Simple convenience view joining databases to instances with database usage mode. Provides a quick lookup for instance-database relationships. 
+ +**Source Tables:** `SA_SQLServer_Databases`, `SA_SQLServer_Instances`, `SA_SQL_Instances` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| id | int | | No | SA_SQLServer_Databases.id | Surrogate PK for the database record | +| instance_id | int | | No | SA_SQLServer_Databases.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | No | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_Databases.database_id | SQL Server database_id | +| database_name | nvarchar | 128 | No | SA_SQLServer_Databases.database_name | Name of the database | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database (on-prem vs. Azure) | + +**Logic:** JOINs Databases to Instances and SA_SQL_Instances to produce a flat listing of all databases with their instance names and usage modes. + +--- + +## SA_SQLServer_DailyLogonsView + +**Description:** Aggregates login events (successful and failed) by day, instance, and server principal. Filters to login action codes only. 
+ +**Source Tables:** `SA_SQLServer_Events`, `SA_SQLServer_ServerPrincipals`, `SA_SQLServer_Instances`, `SA_SQLServer_AuditActions` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| event_date | date | | Yes | Computed: CAST(event_time AS DATE) | Date of the login events (day granularity) | +| action_id | varchar | 4 | Yes | SA_SQLServer_Events.action_id | Login action code (LGIS or LGIF) | +| name | nvarchar | 128 | Yes | SA_SQLServer_AuditActions.name | Human-readable action name (Login Succeeded / Login Failed) | +| principal_id | int | | Yes | SA_SQLServer_ServerPrincipals.principal_id | SQL Server principal_id of the login | +| principal_name | nvarchar | 128 | Yes | SA_SQLServer_ServerPrincipals.principal_name | Name of the server principal | +| principal_sid | varbinary | 85 | Yes | SA_SQLServer_ServerPrincipals.principal_sid | Binary SID of the server principal | +| count | int | | Yes | Computed: COUNT(*) | Number of login events for this day/instance/principal/action combination | + +**Logic:** Groups events by `CAST(event_time AS DATE)`, instance, principal, and action_id. Filters to `action_id IN ('LGIS', 'LGIF')` (Login Succeeded / Login Failed). Resolves principal and action names via JOINs. Excludes rows where principal_name IS NULL. + +--- + +## SA_SQLServer_SDD_ResourcesView + +**Description:** Enriches SDD resources with human-readable instance, database, object, and column names. LEFT JOINs to all dimension tables. Filters to active databases. 
+ +**Source Tables:** `SA_SQLServer_SDD_Resources`, `SA_SQLServer_SDD_ResourceTypes`, `SA_SQLServer_Instances`, `SA_SQL_Instances`, `SA_SQLServer_Databases`, `SA_SQLServer_Objects`, `SA_SQLServer_Columns` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_Resources.id | Surrogate PK for the SDD resource | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_Resources.resource_type_id | FK to the resource type | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_ResourceTypes.resource_type | Human-readable resource type name | +| instance_id | int | | No | SA_SQLServer_SDD_Resources.instance_id | FK to the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_Resources.database_id | FK to the database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_Resources.object_id | FK to the database object | +| column_id | int | | Yes | SA_SQLServer_SDD_Resources.column_id | FK to the column (NULL for non-column resources) | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_Instances.instance_name | Name of the SQL Server instance | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_Databases.database_name | Name of the database | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_Objects.object_name | Name of the database object | +| column_name | nvarchar | 128 | Yes | SA_SQLServer_Columns.column_name | Name of the column | +| sql_instance_id | int | | Yes | SA_SQL_Instances.sql_instance_id | StealthAUDIT internal instance ID | +| database_usage_mode | int | | Yes | SA_SQL_Instances.database_usage_mode | Usage mode of the database (on-prem vs. Azure) | + +**Logic:** LEFT JOINs SDD_Resources to ResourceTypes, Instances, SA_SQL_Instances, Databases, Objects, and Columns to resolve all human-readable names. Filters where `sa_delete_date IS NULL` on the Databases table. 
+ +--- + +## SA_SQLServer_SDD_MatchesView + +**Description:** Enriches SDD match aggregates with resource details and criteria names. Decodes the `match_location` bitmask to human-readable strings via a CASE expression. + +**Source Tables:** `SA_SQLServer_SDD_Matches`, `SA_SQLServer_SDD_ResourcesView`, `SA_SQLServer_SDD_Criteria` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_Matches.resource_id | FK to the SDD resource | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_ResourcesView.resource_type_id | Resource type ID from the resources view | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_ResourcesView.resource_type | Human-readable resource type name | +| instance_id | int | | No | SA_SQLServer_SDD_ResourcesView.instance_id | FK to the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_ResourcesView.database_id | FK to the database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_ResourcesView.object_id | FK to the database object | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.instance_name | Name of the SQL Server instance | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.database_name | Name of the database | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.object_name | Name of the database object | +| sql_instance_id | int | | Yes | SA_SQLServer_SDD_ResourcesView.sql_instance_id | StealthAUDIT internal instance ID | +| database_usage_mode | int | | Yes | SA_SQLServer_SDD_ResourcesView.database_usage_mode | Usage mode of the database | +| criteria_id | int | | No | SA_SQLServer_SDD_Matches.criteria_id | FK to the SDD criteria | +| criteria_name | nvarchar | MAX | No | SA_SQLServer_SDD_Criteria.criteria_name | Name of the SDD matching criteria | +| match_count | int | | No | SA_SQLServer_SDD_Matches.match_count | Number of matches found for this 
resource/criteria combination | +| match_location | varchar | 25 | No | Computed (CASE on bitmask) | Human-readable match location (Content, Metadata, Content/Metadata, Filename, etc.) | + +**Logic:** JOINs SDD_Matches to SDD_ResourcesView for resource details and to SDD_Criteria for criteria names. CASE expression decodes the `match_location` bitmask: 1=Content, 2=Metadata, 3=Content,Metadata, 4=Filename, 5=Filename,Content, 6=Filename,Metadata, 7=Filename,Content,Metadata. + +--- + +## SA_SQLServer_SDD_MatchHitsView + +**Description:** Enriches individual SDD match hits with resource and criteria details. Resolves column_id to column_name via Columns join. Decodes `match_location` bitmask via CASE expression. + +**Source Tables:** `SA_SQLServer_SDD_MatchHits`, `SA_SQLServer_SDD_ResourcesView`, `SA_SQLServer_SDD_Criteria`, `SA_SQLServer_Columns` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_MatchHits.resource_id | FK to the SDD resource | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_ResourcesView.resource_type_id | Resource type ID from the resources view | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_ResourcesView.resource_type | Human-readable resource type name | +| instance_id | int | | No | SA_SQLServer_SDD_ResourcesView.instance_id | FK to the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_ResourcesView.database_id | FK to the database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_ResourcesView.object_id | FK to the database object | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.instance_name | Name of the SQL Server instance | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.database_name | Name of the database | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.object_name | Name of the database object | +| sql_instance_id | int | | 
Yes | SA_SQLServer_SDD_ResourcesView.sql_instance_id | StealthAUDIT internal instance ID | +| database_usage_mode | int | | Yes | SA_SQLServer_SDD_ResourcesView.database_usage_mode | Usage mode of the database | +| criteria_id | int | | No | SA_SQLServer_SDD_MatchHits.criteria_id | FK to the SDD criteria | +| criteria_name | nvarchar | MAX | No | SA_SQLServer_SDD_Criteria.criteria_name | Name of the SDD matching criteria | +| match_data | nvarchar | 1024 | No | SA_SQLServer_SDD_MatchHits.match_data | The actual matched data content | +| column_name | nvarchar | MAX | Yes | SA_SQLServer_Columns.column_name | Name of the column where the match was found | +| column_id | int | | No | SA_SQLServer_SDD_MatchHits.column_id | FK to the column | +| match_location | varchar | 25 | No | Computed (CASE on bitmask) | Human-readable match location (Content, Metadata, etc.) | + +**Logic:** JOINs SDD_MatchHits to SDD_ResourcesView for resource details and to SDD_Criteria for criteria names. LEFT JOINs to Columns to resolve column_name from column_id. CASE expression decodes the `match_location` bitmask to human-readable strings. + +--- + +## SA_SQLServer_SensitiveDataPermissionsView + +**Description:** Cross-references SDD matches with database permissions to show which principals have access to sensitive data. Uses SELECT DISTINCT to eliminate duplicates. 
+ +**Source Tables:** `SA_SQLServer_SDD_MatchesView`, `SA_SQLServer_PermissionsView` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_MatchesView.resource_id | FK to the SDD resource | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_MatchesView.resource_type_id | Resource type ID | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_MatchesView.resource_type | Human-readable resource type name | +| instance_id | int | | No | SA_SQLServer_SDD_MatchesView.instance_id | FK to the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_MatchesView.database_id | FK to the database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_MatchesView.object_id | FK to the database object | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchesView.instance_name | Name of the SQL Server instance | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchesView.database_name | Name of the database | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchesView.object_name | Name of the database object | +| sql_instance_id | int | | Yes | SA_SQLServer_SDD_MatchesView.sql_instance_id | StealthAUDIT internal instance ID | +| database_usage_mode | int | | Yes | SA_SQLServer_SDD_MatchesView.database_usage_mode | Usage mode of the database | +| criteria_id | int | | No | SA_SQLServer_SDD_MatchesView.criteria_id | FK to the SDD criteria | +| criteria_name | nvarchar | MAX | No | SA_SQLServer_SDD_MatchesView.criteria_name | Name of the SDD matching criteria | +| match_count | int | | No | SA_SQLServer_SDD_MatchesView.match_count | Number of matches | +| match_location | varchar | 25 | No | SA_SQLServer_SDD_MatchesView.match_location | Human-readable match location | +| grantee_principal_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.grantee_principal_name | Name of the principal granted access | +| grantor_principal_name | 
nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.grantor_principal_name | Name of the principal who granted the permission | +| state_desc | nvarchar | 120 | Yes | SA_SQLServer_PermissionsView.state_desc | Permission state (GRANT, DENY, etc.) | +| permission_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.permission_name | Name of the permission (e.g., SELECT, EXECUTE) | + +**Logic:** JOINs SDD_MatchesView to PermissionsView on `(database_id, object_id)` to correlate sensitive data locations with the principals who have permissions on those objects. Uses SELECT DISTINCT to eliminate duplicate rows. + +--- + +## SA_SQLServer_SDD_MatchHits_SubjectProfileView + +**Description:** Links SDD match hits to Subject Profile identity records, enabling correlation of discovered sensitive data with known individuals. JOINs through Sources, Identities, and Attributes tables. + +**Source Tables:** `SA_SQLServer_SDD_MatchHits_SubjectProfile`, `SA_SQLServer_SDD_ResourcesView`, `SA_SQLServer_SDD_Criteria`, `SA_SubjectProfile_Sources`, `SA_SubjectProfile_Identities`, `SA_SubjectProfile_Attributes` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_MatchHits_SubjectProfile.resource_id | FK to the SDD resource | +| instance_id | int | | No | SA_SQLServer_SDD_ResourcesView.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.instance_name | Name of the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_ResourcesView.database_id | FK to the database | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.database_name | Name of the database | +| database_usage_mode | int | | Yes | SA_SQLServer_SDD_ResourcesView.database_usage_mode | Usage mode of the database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_ResourcesView.object_id | FK to the database object | +| 
object_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_ResourcesView.object_name | Name of the database object | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_ResourcesView.resource_type_id | Resource type ID | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_ResourcesView.resource_type | Human-readable resource type name | +| criteria_id | int | | No | SA_SQLServer_SDD_MatchHits_SubjectProfile.criteria_id | FK to the SDD criteria | +| criteria_name | nvarchar | MAX | No | SA_SQLServer_SDD_Criteria.criteria_name | Name of the SDD matching criteria | +| pattern_guid | uniqueidentifier | | No | SA_SQLServer_SDD_MatchHits_SubjectProfile.pattern_guid | GUID identifying the matching pattern | +| source_id | int | | No | SA_SubjectProfile_Sources.source_id | Subject Profile source identifier | +| source_name | varchar | 256 | No | SA_SubjectProfile_Sources.source_name | Name of the Subject Profile data source | +| source_object_id | uniqueidentifier | | No | SA_SubjectProfile_Sources.source_object_id | Unique ID of the source object | +| source_updated | datetime | | No | SA_SubjectProfile_Sources.source_updated | Last update timestamp for the source | +| source_usn | int | | No | SA_SubjectProfile_Sources.source_usn | Update sequence number for the source | +| identity_id | bigint | | No | SA_SubjectProfile_Identities.identity_id | Subject Profile identity identifier | +| identity_type | varchar | 256 | No | SA_SubjectProfile_Identities.identity_type | Type of the identity (e.g., person, account) | +| identity_name | nvarchar | 256 | No | SA_SubjectProfile_Identities.identity_name | Display name of the identity | +| identity_platform_id | varchar | 256 | No | SA_SubjectProfile_Identities.identity_platform_id | Platform-specific identifier for the identity | +| attribute_id | int | | No | SA_SubjectProfile_Attributes.attribute_id | Subject Profile attribute identifier | +| attribute_name | nvarchar | 256 | No | 
SA_SubjectProfile_Attributes.attribute_name | Name of the attribute matched | +| attribute_required | bit | | No | SA_SubjectProfile_Attributes.attribute_required | Whether the attribute is required for identification | + +**Logic:** JOINs SDD_MatchHits_SubjectProfile to SDD_ResourcesView for resource details and to SDD_Criteria for criteria names. Further JOINs to SubjectProfile_Sources, SubjectProfile_Identities, and SubjectProfile_Attributes to resolve identity information linked to the sensitive data match. + +--- + +## SA_SQLServer_SensitiveDataFullPermissionsView + +**Description:** Comprehensive view showing all permissions relevant to sensitive data -- both direct permissions on sensitive objects AND broad server/database permissions that grant implicit access. Uses UNION to combine both permission types. + +**Source Tables:** `SA_SQLServer_PermissionsView`, `SA_SQLServer_SDD_MatchesView` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| instance_id | int | | Yes | SA_SQLServer_PermissionsView.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.instance_name | Name of the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_PermissionsView.database_id | FK to the database | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.database_name | Name of the database | +| database_usage_mode | int | | Yes | SA_SQLServer_PermissionsView.database_usage_mode | Usage mode of the database | +| object_id | bigint | | Yes | SA_SQLServer_PermissionsView.object_id / SA_SQLServer_SDD_MatchesView.object_id | FK to the database object | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.object_name / SA_SQLServer_SDD_MatchesView.object_name | Name of the database object | +| grantee_principal_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.grantee_principal_name | Name of the principal granted access 
| +| grantor_principal_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.grantor_principal_name | Name of the principal who granted the permission | +| state_desc | nvarchar | 120 | Yes | SA_SQLServer_PermissionsView.state_desc | Permission state (GRANT, DENY, etc.) | +| permission_name | nvarchar | 128 | Yes | SA_SQLServer_PermissionsView.permission_name | Name of the permission | +| permission_class | tinyint | | No | SA_SQLServer_PermissionsView.class | Permission class code | +| permission_class_description | nvarchar | 120 | Yes | SA_SQLServer_PermissionsView.class_desc | Description of the permission class | + +**Logic:** UNION of (1) broad database-level permissions where `class IN (100, 101, 105)` with specific high-privilege permission types (e.g., CONTROL, ALTER, SELECT) that implicitly grant access to all objects, and (2) object-level permissions on tables that have SDD matches (joined via `database_id` and `object_id`). + +--- + +## SA_SQLServer_EffectiveRoleMembershipView + +**Description:** Presents the `SA_SQLServer_EffectiveRoleMembership` table with a computed `Database Type` column derived from the `database_type` integer field via a CASE expression. 
+ +**Source Tables:** `SA_SQLServer_EffectiveRoleMembership` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| Database Type | varchar | 26 | No | Computed (CASE on database_type) | Human-readable database type: 'SQL Server' (default), 'Azure SQL Database' (2), 'Azure SQL Managed Instance' (6) | +| instance_id | int | | Yes | SA_SQLServer_EffectiveRoleMembership.instance_id | FK to the SQL Server instance | +| instance_name | nvarchar | 256 | Yes | SA_SQLServer_EffectiveRoleMembership.instance_name | Name of the SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_EffectiveRoleMembership.database_id | FK to the database | +| database_name | nvarchar | 256 | Yes | SA_SQLServer_EffectiveRoleMembership.database_name | Name of the database | +| role_name | nvarchar | 128 | Yes | SA_SQLServer_EffectiveRoleMembership.role_name | Name of the role | +| role_id | int | | Yes | SA_SQLServer_EffectiveRoleMembership.role_id | SQL Server principal_id of the role | +| role_sid | varchar | 184 | Yes | SA_SQLServer_EffectiveRoleMembership.role_sid | String representation of the role SID | +| role_member_name | nvarchar | 128 | Yes | SA_SQLServer_EffectiveRoleMembership.role_member_name | Name of the role member | +| role_member_id | int | | Yes | SA_SQLServer_EffectiveRoleMembership.role_member_id | SQL Server principal_id of the member | +| role_member_sid | varchar | 184 | Yes | SA_SQLServer_EffectiveRoleMembership.role_member_sid | String representation of the member SID | +| role_member_type | nvarchar | 27 | Yes | SA_SQLServer_EffectiveRoleMembership.role_member_type | Type description of the member | +| member_path | nvarchar | MAX | Yes | SA_SQLServer_EffectiveRoleMembership.member_path | Full nested membership path (e.g., RoleA > RoleB > User) | +| nested_level | int | | Yes | SA_SQLServer_EffectiveRoleMembership.nested_level | Depth of nesting (0 = direct member) | +| membership_source | int | | Yes | 
SA_SQLServer_EffectiveRoleMembership.membership_source | Source indicator for the membership record | +| database_type | int | | Yes | SA_SQLServer_EffectiveRoleMembership.database_type | Integer database type code from `DatabaseSystemType` enum (1=SqlServer, 2=AzureSqlServer, 6=AzureSqlServerManagedInstance) | + +**Logic:** Selects all columns from `SA_SQLServer_EffectiveRoleMembership` and adds a computed `Database Type` column using a CASE expression: `database_type = 2` maps to `'Azure SQL Database'`, `database_type = 6` maps to `'Azure SQL Managed Instance'`, all other values (including 0 and 1) map to `'SQL Server'`. + +--- + +## SA_SQL_SDD_MatchesView + +**Description:** Filtered wrapper over `SA_SQLServer_SDD_MatchesView` that restricts results to on-premises SQL Server instances only (where `database_usage_mode = 0` or `NULL`). Used by cross-module reporting that needs SDD match data for non-cloud instances. + +**Source Tables:** `SA_SQLServer_SDD_MatchesView` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_MatchesView.resource_id | SDD resource identifier | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_MatchesView.resource_type_id | Resource type code | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_MatchesView.resource_type | Resource type description | +| instance_id | int | | No | SA_SQLServer_SDD_MatchesView.instance_id | FK to SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_MatchesView.database_id | FK to database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_MatchesView.object_id | FK to database object | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchesView.instance_name | Instance name | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchesView.database_name | Database name | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchesView.object_name | Object name | 
+| sql_instance_id | int | | Yes | SA_SQLServer_SDD_MatchesView.sql_instance_id | FK to SA_SQL_Instances | +| database_usage_mode | int | | Yes | SA_SQLServer_SDD_MatchesView.database_usage_mode | Usage mode (always 0 or NULL in this view) | +| criteria_id | int | | No | SA_SQLServer_SDD_MatchesView.criteria_id | FK to SDD criteria | +| criteria_name | nvarchar | MAX | No | SA_SQLServer_SDD_MatchesView.criteria_name | Criteria pattern name | +| match_count | int | | No | SA_SQLServer_SDD_MatchesView.match_count | Number of matches found | +| match_location | varchar | 25 | No | SA_SQLServer_SDD_MatchesView.match_location | Decoded match location (Content, Metadata, Filename) | + +**Logic:** `SELECT * FROM SA_SQLServer_SDD_MatchesView WHERE (database_usage_mode = 0 OR database_usage_mode IS NULL)`. + +--- + +## SA_SQL_SDD_MatchHitsView + +**Description:** Filtered wrapper over `SA_SQLServer_SDD_MatchHitsView` that restricts results to on-premises SQL Server instances only (where `database_usage_mode = 0` or `NULL`). Used by cross-module reporting that needs individual SDD match hit data for non-cloud instances. 
+ +**Source Tables:** `SA_SQLServer_SDD_MatchHitsView` + +| Column Name | Data Type | Size | Nullable | Source | Description | +|---|---|---|---|---|---| +| resource_id | bigint | | No | SA_SQLServer_SDD_MatchHitsView.resource_id | SDD resource identifier | +| resource_type_id | tinyint | | No | SA_SQLServer_SDD_MatchHitsView.resource_type_id | Resource type code | +| resource_type | nvarchar | 100 | Yes | SA_SQLServer_SDD_MatchHitsView.resource_type | Resource type description | +| instance_id | int | | No | SA_SQLServer_SDD_MatchHitsView.instance_id | FK to SQL Server instance | +| database_id | int | | Yes | SA_SQLServer_SDD_MatchHitsView.database_id | FK to database | +| object_id | bigint | | Yes | SA_SQLServer_SDD_MatchHitsView.object_id | FK to database object | +| instance_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchHitsView.instance_name | Instance name | +| database_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchHitsView.database_name | Database name | +| object_name | nvarchar | 128 | Yes | SA_SQLServer_SDD_MatchHitsView.object_name | Object name | +| sql_instance_id | int | | Yes | SA_SQLServer_SDD_MatchHitsView.sql_instance_id | FK to SA_SQL_Instances | +| database_usage_mode | int | | Yes | SA_SQLServer_SDD_MatchHitsView.database_usage_mode | Usage mode (always 0 or NULL in this view) | +| criteria_id | int | | No | SA_SQLServer_SDD_MatchHitsView.criteria_id | FK to SDD criteria | +| criteria_name | nvarchar | MAX | No | SA_SQLServer_SDD_MatchHitsView.criteria_name | Criteria pattern name | +| match_data | nvarchar | 1024 | No | SA_SQLServer_SDD_MatchHitsView.match_data | Matched data fragment | +| column_name | nvarchar | MAX | Yes | SA_SQLServer_SDD_MatchHitsView.column_name | Column where the hit was found | +| column_id | int | | No | SA_SQLServer_SDD_MatchHitsView.column_id | Column ordinal position | +| match_location | varchar | 25 | No | SA_SQLServer_SDD_MatchHitsView.match_location | Decoded match location (Content, Metadata, 
Filename) | + +**Logic:** `SELECT * FROM SA_SQLServer_SDD_MatchHitsView WHERE (database_usage_mode = 0 OR database_usage_mode IS NULL)`. From 0ea8052ed01a77a05e78c3ae2297376fdf17962f Mon Sep 17 00:00:00 2001 From: Tay Caliguiri Date: Fri, 6 Mar 2026 11:34:33 -0500 Subject: [PATCH 2/5] Update overview.md Correction : 59 tables instead of 56 --- docs/accessanalyzer/11.6/admin/schema/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/accessanalyzer/11.6/admin/schema/overview.md b/docs/accessanalyzer/11.6/admin/schema/overview.md index 1cecca017d..398c764625 100644 --- a/docs/accessanalyzer/11.6/admin/schema/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/overview.md @@ -7,7 +7,7 @@ This section provides comprehensive database schema documentation for the Access The SQL Data Collector discovers, audits, and reports on SQL Server instances, databases, principals, permissions, audit events, and sensitive data across the enterprise. The schema documentation covers: - **[Core Data Collection Tables](sqldc/coretables/overview.md)** — 44 normalized tables populated directly by data collectors with full foreign key relationships -- **[Reporting Tables](sqldc/reportingtables/overview.md)** — 56 denormalized report-ready tables with human-readable column names +- **[Reporting Tables](sqldc/reportingtables/overview.md)** — 59 denormalized report-ready tables with human-readable column names - **[Views](sqldc/views/overview.md)** — 17 SQL views that join and denormalize data for querying - **[Enumeration & Lookup Values](sqldc/enumeration/overview.md)** — Reference for coded values and lookup table contents - **[Entity Relationship Diagrams](sqldc/erd/overview.md)** — Visual ERDs showing table relationships From 05806e6479f08f1c0f6567b0c45dcc3fe879e107 Mon Sep 17 00:00:00 2001 
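Review bot: the Logic for `SA_SQLServer_SensitiveDataFullPermissionsView` leaves the permission filter open-ended ("e.g., CONTROL, ALTER, SELECT") and the description and Logic disagree on scope: the description says "broad server/database permissions" while the Logic says "broad database-level permissions where `class IN (100, 101, 105)`". If `class` carries SQL Server's own catalog class codes, 100, 101 and 105 are server-scope classes (SERVER, SERVER_PRINCIPAL, ENDPOINT), so either the Logic should say server-level or the page should explain the collector's own encoding and link to the enumeration page. Because this view exists so an access review can answer "who can reach sensitive data", please list the exact `permission_name` values used in the WHERE clause and state whether `state_desc = 'DENY'` rows are included; a DENY row sitting in a UNION with GRANT rows reads like access unless the reader knows to filter it. Two smaller points in the same hunk: the join in the Logic of the view documented at the top of this hunk (sources `SA_SQLServer_SDD_MatchesView`, `SA_SQLServer_PermissionsView`), "on `(database_id, object_id)`", should say that these are the collector's surrogate keys (as "FK to the database" suggests) rather than SQL Server's per-instance ids, otherwise the reader will wonder why `instance_id` is not part of the join; and the `SA_SQL_SDD_MatchesView` and `SA_SQL_SDD_MatchHitsView` descriptions equate `database_usage_mode = 0 OR NULL` with on-premises without a pointer to where that code is defined.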
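Review bot: the count corrected here (56 to 59) is hard-coded in three files, and patches 2/5, 3/5 and 4/5 each fix one copy with the same one-line message; squash them into one commit, or at least have the commit body name all three files, so the next time the number drifts it is caught in one place. It would also help to state in the commit body how 59 was derived (the number of table sections in `sqldc/reportingtables/overview.md`), so a reviewer can check it against the page rather than take the number on trust.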
From: Tay Caliguiri Date: Fri, 6 Mar 2026 11:34:55 -0500 Subject: [PATCH 3/5] Update overview.md Correction : 59 tables instead of 56 --- docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md index 53513ad89c..d1a7779780 100644 --- a/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/overview.md @@ -10,7 +10,7 @@ The tables fall into two categories: 1. **Core Data Collection Tables** (44 tables) — Normalized tables populated directly by data collectors. These contain raw audit data with full foreign key relationships. Includes shared infrastructure tables (`SA_SQL_Instances`, `SA_SQL_Patches`) used across all database collector modules. -2. **Reporting / Summary Tables** (56 tables) — Denormalized, report-ready tables populated by analysis jobs. These use human-readable column names (e.g., `"Instance"`, `"Database"`, `"Permission"`). +2. **Reporting / Summary Tables** (59 tables) — Denormalized, report-ready tables populated by analysis jobs. These use human-readable column names (e.g., `"Instance"`, `"Database"`, `"Permission"`). --- From 5efcb3c901f87dc5544668122c0b861f8c9cc95d Mon Sep 17 00:00:00 2001 From: Tay Caliguiri Date: Fri, 6 Mar 2026 11:35:27 -0500 Subject: [PATCH 4/5] Update overview.md Correction : 59 tables instead of 56 --- .../11.6/admin/schema/sqldc/reportingtables/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md index 84d2be86f2..024266a3db 100644 --- a/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/reportingtables/overview.md 
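Review bot: only the reporting-table figure was recounted in this hunk; the unchanged line directly above it still carries "44 tables" for the core data collection tables, drawn from the same source document. Given one of the two numbers was already wrong, please confirm the 44 against the section headings in `coretables/overview.md` in the same pass, and say in the commit body that it was checked.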
@@ -1,6 +1,6 @@ # Reporting Tables -The following 56 tables are **denormalized reporting tables** populated by NAA analysis jobs. They use human-readable column names with spaces (e.g., `"Database Type"`, `"Instance"`) and are designed for direct consumption by the NAA console and reports. They do not participate in foreign key relationships with the core tables. +The following 59 tables are **denormalized reporting tables** populated by NAA analysis jobs. They use human-readable column names with spaces (e.g., `"Database Type"`, `"Instance"`) and are designed for direct consumption by the NAA console and reports. They do not participate in foreign key relationships with the core tables. :::note All reporting tables share a common `Database Type` column (varchar/nvarchar) that identifies the SQL Server platform variant (e.g., `"SQL Server"`, `"Azure SQL Database"`, `"Azure SQL Managed Instance"`). None of these tables have primary keys or foreign keys — they are heap tables optimized for bulk INSERT/TRUNCATE patterns. From a8bdb9a8db78313149795a5bd6bac6c6952afb01 Mon Sep 17 00:00:00 2001 From: Tay Caliguiri Date: Fri, 6 Mar 2026 12:14:26 -0500 Subject: [PATCH 5/5] Apply suggestions from code review Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> --- .../11.6/admin/schema/sqldc/functions/overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md b/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md index 664b1f83bc..3a97575e7a 100644 --- a/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md +++ b/docs/accessanalyzer/11.6/admin/schema/sqldc/functions/overview.md 
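Review bot: the unchanged `:::note` context in this hunk says the reporting tables are heaps with no keys, refreshed by bulk INSERT/TRUNCATE. In SQL Server, TRUNCATE TABLE requires ALTER permission on the table, so the account running the NAA analysis jobs needs more than INSERT/DELETE on these 59 tables; since this page is where that pattern is documented, add a sentence (or a link to the administration section) naming the principal the analysis jobs run as and noting that ALTER can be scoped to these tables rather than granted database-wide.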
@@ -33,7 +33,7 @@ ## SA_SQLServer_CreateOrUpdateSDDResource (Stored Procedure) -**Description:** Upserts a Sensitive Data Discovery resource record. Looks up an existing resource by its composite key (`type`, `instance_id`, `database_id`, `object_id`, `column_id`). If no match is found, inserts a new row and returns the new `id`. If a match exists, updates the `last_scanned` reference and returns the existing `id`. Handles NULL-safe comparison for optional columns (`database_id`, `object_id`, `column_id`). +**Description:** Inserts or updates a Sensitive Data Discovery resource record. Looks up an existing resource by its composite key (`type`, `instance_id`, `database_id`, `object_id`, `column_id`). If no match is found, inserts a new row and returns the new `id`. If a match exists, updates the `last_scanned` reference and returns the existing `id`. Handles NULL-safe comparison for optional columns (`database_id`, `object_id`, `column_id`). **Signature:** ```sql
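Review bot: the wording change from "Upserts" to "Inserts or updates" is fine, but the description still omits two things a reader of an insert-or-update procedure needs: whether the composite key (`type`, `instance_id`, `database_id`, `object_id`, `column_id`) is enforced by a unique index, since without one two concurrent scans can both miss the lookup and insert duplicate resource rows, and what "updates the `last_scanned` reference" sets the column to (the current scan's identifier or a timestamp). If a unique index exists, name it and cross-link the index reference page; if it does not, say so, because callers then have to serialize their own calls.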