Functional capabilities of MS SQL integration

All operations that the integration can perform on the target system are listed under: ObserveID > Identity Automation > Integrations > {a specific MS SQL integration} > Permissions > Operations Permissions

ObserveID provides an additional management layer over integration capabilities and enforces permission inheritance across integrations, allowing user-defined permission precedence to be configured for each operation. The table below outlines the integration operations available for an MS SQL integration.

MS SQL integration operationsMS SQL integration operations

Integration Operation

Description

Accessible with

Create Account

The MS SQL integration can create accounts. It requires Additional Properties to be established for accounts. The Additional Properties are coded with Provisioning Rules. The Additional Properties mandatory on the creation of a MS SQL account are:

  • Name

Access Request, Permanent Access Request, Temporary Access Request, Service Account Creation, Role Creation, Role Update, Identities Update, Onboarding, Reinstatement

Delete Account

The MS SQL integration can delete accounts. The respective history records are stored for every Identity.

Account Removal, the Finish action on Temporary Access Request, Offboarding, Emergency Deprovisioning

Detect Access

The MS SQL integration can help one track the user’s sessions on the Target. User sessions detected on the MS SQL target can be compiled into a report. The detected session records are provided with extra details:

  • system properties, such as: session ID, start\end time, account name, type, etc.
  • MS SQL-specific additional properties of the detected sessions are as follows:
    • Account Type
    • Application Name
    • AuthScheme
    • ClassType
    • ClientEmail
    • ClientName
    • ClientNetAddress
    • ConnectionId
    • Database Name
    • Database Principal Name
    • HostName
    • InstanceName
    • MachineName
    • ObjectName
    • OSUser
    • Server InstanceName
    • Server Pricipal Name
    • Server Principal SID and other

Audit Log report type in Analytics

Detect Access Text Logs

MS SQL provides a log of events and activities performed for every detected session. The information is presented with the following json-data schema:

  • Affected Rows
  • Application Name
  • ClientNetAddress
  • Class Type
  • Connection Id
  • Database Name
  • Database Principal Id
  • Database Principal Name
  • Duration Milliseconds
  • Host Name
  • Is Column Permission
  • Object Id
  • Object Name
  • Schema Name
  • Statement
  • Succeeded
  • Transaction Id and other

Text Log Events column in the Audit Log report type in Analytics

Detect Rejected Access

The MS SQL integration can help one track all blocked attempts to authenticate on the Target.

Access State column in the Audit Log report type in Analytics

Pull Data

Within the MS SQL integration, the Integration Data is imported from MS SQL to ObserveID. For what the Integration Data is fetched from MS SQL, refer to the schema of MS SQL integration data.

Data Import, Identities Update, most workflows

Grant and Revoke Account Entitlements

The MS SQL entitlements that can be assigned or revoked are:

  • ServerFixedRole
  • ServerGrant
  • DatabaseFixedRole
  • DatabaseGrant
  • DatabaseObjectGrant
  • DatabaseUserDefinedRole

Permanent Access Request, Temporary Access Request, Manage Access, Role Creation, Role Update, Identities Update

Lock and Unlock Account

When the MS SQL integration unlocks Privileged or Firecall accounts, it sets the usage period for the account. On the Finish button or on the end of the usage period, the unlocked account is locked back. When an MS SQL account is unlocked, its Login Status property on the MS SQL server changes from Disabled to Enabled. And when the account is locked, the property changes from Enabled to Disabled.

Privileged Unlock Request, Temporary Access Request, Firecall Unlock Request, Manage Access, Permanent Access Request

Manage Blocked List

If the Blocked List capability is configured, the Manage Blocked List operation allows or denies the corresponding tasks to read and write blocked list policies on the SQL Server.

PullBlackListsTask, PushBlackListsTask

Test Connection

It is possible to troubleshoot if there is a connection between ObserveID and the MS SQL target.

Data Import, Test Connection

Update Account Additional Properties

MS SQL account properties can be updated if an Identity’s property has changed. Provisioning Rules should be configured to pass an Identity’s property to the MS SQL account.

Identities Update

Update Account Credentials

A password can be set for an account on Account Creation, or updated with a workflow according to the Password Policy. For Privileged or Privileged Service account types, the password can be rotated. The password is rotated if ‘yes’ is established for a MS SQL account in its ‘Rotatable’ property.

Password Change Request, Privileged Access Management Request, Firecall Unlock Request