In this article, we will be discussing about a special security feature in SQL Server, that is Policy-Based Management.
Some time ago I promised publishing a post on Policy-Based Management in SQL Server. Well, it’s time to fulfill my promise! 🙂 This is a rather large post, I hope you find the information it contains useful! Note that this article and examples talk about SQL Server 2008, but it can easily apply to newer versions of SQL Server, maybe with some minor changes.
What is Exactly Policy-Based Management in SQL Server?
Policy-Based Management is indeed one of the greatest administration features originally shipped in SQL Server 2008. With this feature, you can easily manage one or more instances of SQL Server!
The main concept in Policy-Based Management, is that Policy Administrators can set up policies that are evaluated upon certain events within the scope of the monitored SQL Server instance(s). After setting up the policies, based on certain scenarios, the policies are evaluated and specific actions are automatically performed as set up in the active Policies.
To this end, there are four evaluation modes:
- On demand – This mode evaluates the policies when explicitly requested by the user.
- On change: prevent – This mode uses DDL triggers in order to prevent Policy violations.
- On change: log only – This mode allows Policy violations but it logs each violation using event notification. It logs the violations to the SQL Server logs and Windows Application logs.
- On schedule – This mode allows the user to schedule (using a SQL Agent job) when the policies will be evaluated.
Strengthen your SQL Server Administration Skills – Enroll to our Online Course!
Check our online course on Udemy titled “Essential SQL Server Administration Tips”
(special limited-time discount included in link).
Via the course, you will learn essential hands-on SQL Server Administration tips on SQL Server maintenance, security, performance, integration, error handling and more. Many live demonstrations and downloadable resources included!
A First Look at Policy-Based Management via SSMS
Let’s get a first look and feel at the Policy-Based Management set up dialogs in SSMS. In the following screenshot you can see the Policy Management module in the Object Explorer in SSMS:
Actions in SSMS:
- When right-clicking on Policies you can create a new Policy.
- When right-clicking on Conditions you can create a new condition and then assign it to an existing or a new Policy.
- The Facets is a collection of SQL Server objects that allow you to set up conditions and policies against their properties. By right-clicking on a Facet you can create a condition or a Policy.
Note that the Policy Management module falls under Management as its scope is for the entire SQL Server instance. Of course, via the Policies you create, you can evaluate multiple SQL Server instances, certain databases, even certain database objects!
OK! Now let’s proceed with an example, showing how we can set up policies based on the above-mentioned evaluation modes. For this post, I will be using the “AdventureWorks2008” sample database.
Policy-Based Management Evaluation Modes
We right-click on Policies and we select New Policy. We are presented with the following dialog where we provide a name for the Policy and then we either select the check condition or we create a new one. In this case we will be creating a new condition:
We click on the OK button and we are returned to the Policy:
You can see that the Policy now contains the “SPNames” condition we created in the previous step. Also, I set up the Evaluation Mode to “On Demand”. Though, this type of condition allows you to select any Evaluation Mode.
Also, in the “Against targets” list you can target specific databases against which the condition will be evaluated. Additionally, in the “Server restriction” you can select against which SQL Server instances the condition will be executed. Remember: Policy-Based Management allows managing multiple instances of SQL Server!
Now, let’s set the Policy to only evaluate the “AdventureWorks2008” database by clicking on the “In Every – Database” list item. Here’s the new condition for restricting the Policy’s evaluation on the specific database:
We click on OK and we are returned back to the Policy properties dialog:
I will not add a condition for the Server restriction as I am only using a single SQL Server instance for this post.
That’s it! We click on OK and the Policy is ready! As this Policy’s Evaluation Mode has been set to “On demand” we cannot enable it. It wouldn’t make any sense after all. We can only use it by right-clicking on it and selecting “Evaluate”. This is the purpose of the On Demand evaluation mode after all! 🙂
After running the Policy we get its evaluation results:
Now, what about adding a new procedure on the “AdventureWorks2008” database having the name “sp_SampleSP”? Let’s do so, re-run the Policy and check the evaluation results!
Here are the results:
The above is a very simple example of what a Policy can do. Imagine what else you can do with Policy-Based Management thus making your life easier! 🙂
Let’s delete now the sample stored procedure we earlier created. We need to comply after all! 🙂
On change: prevent
If we want to change the Evaluation Mode of the above Policy to “On change: prevent”, we can double-click on the Policy, change it and then enable the Policy:
On change: log only
Similarly, we can change the Evaluation Mode of the Policy to “On change: log only”. This will allow the stored procedure to be created but it will also add a log entry in SQL Server Logs and Windows Application Log reporting the violation of the Policy:
Last but not least, you can set up a schedule for when the Policy should be executed. This will create a SQL Server Agent job that will execute the Policy at the selected time.
Summary and Conclusions
This article was a very basic example on how you can use Policy-Based Management in SQL Server 2008 or later. You can build really advanced Policy scenarios where you can have multiple Policies and conditions, evaluating a large set of actions in more than one SQL Server instances.
The Policy-Based Management feature in SQL Server 2008 is extremely powerful and allows setting up strict Compliance scenarios ensuring the health and desired structure of the monitored SQL Server instances and the databases that exist within them.
The best way to learn more about Policy-Based Management in SQL Server is to get experimented with it in order to fully realize its potentials.
You can also check out this link for more information on Policy-Based Management in SQL Server.
Secure your SQL Server Instances with DBA Security Advisor
DBA Security Advisor, is our SQL Server security tool, which can help you assess your SQL Server instances against a rich set of security checks. The assessment report, includes recommendations and remediation scripts that can help you better secure your SQL Server instances and databases (learn more…).Try DBA Security Advisor free for 30 days!
Featured Online Courses:
- Boost SQL Server Database Performance with In-Memory OLTP
- Essential SQL Server Administration Tips
- SQL Server Fundamentals – SQL Database for Beginners
- Essential SQL Server Development Tips for SQL Developers
- The Philosophy and Fundamentals of Computer Programming
- .NET Programming for Beginners – Windows Forms with C#
- Introduction to Data Science and SQL Server Machine Learning
- Introduction to Azure SQL Database for Beginners
- SQL Server 2019: What’s New – New and Enhanced Features
- Entity Framework: Getting Started – Complete Beginners Guide
- How to Import and Export Data in SQL Server Databases
- Learn How to Install and Start Using SQL Server in 30 Mins
- A Guide on How to Start and Monetize a Successful Blog
Other SQL Server Security-Related Articles
- SQL Server Row Level Security by Example
- Why You Need to Secure Your SQL Server Instances
- Should Windows “Built-In\Administrators” Group be SQL Server SysAdmins?
- Frequent Password Expiration: Time to Revise it?
- Encrypting SQL Server Databases
- Transparent Data Encryption (TDE) in SQL Server
- 10 Facts About SQL Server Transparent Data Encryption
- Encrypting a SQL Server Database Backup
- …check all
Check our latest software releases!
Easily generate snippets with Snippets Generator!
Secure your databases using DBA Security Advisor!
Convert static T-SQL to dynamic and vice versa with Dynamic SQL Generator.
Rate this article:
Reference: SQLNetHub.com (https://www.sqlnethub.com)
Artemakis Artemiou is a Senior SQL Server Architect, Author, a 9 Times Microsoft Data Platform MVP (2009-2018) and a Udemy Instructor. He has over 15 years of experience in the IT industry in various roles. Artemakis is the founder of SQLNetHub and TechHowTos.com. Artemakis is the creator of the well-known software tools Snippets Generator and DBA Security Advisor. Also, he is the author of many eBooks on SQL Server. Artemakis currently serves as the President of the Cyprus .NET User Group (CDNUG) and the International .NET Association Country Leader for Cyprus (INETA). Moreover, Artemakis teaches on Udemy, you can check his courses here.