Created
April 4, 2019 11:41
Prevent backup database or backup log
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
-- Database-scoped DDL trigger that reacts to role-membership changes and to
-- database-level GRANT statements in order to keep principals from holding
-- BACKUP DATABASE / BACKUP LOG.
--
--   * ADD_ROLE_MEMBER: when the target role is db_owner or db_backupoperator,
--     an explicit DENY for both backup permissions is issued against the
--     principal named in the event's ObjectName element.
--   * GRANT_DATABASE: when the granted permission list contains
--     BACKUP DATABASE or BACKUP LOG, an error (severity 15) is raised and
--     written to the log via WITH LOG.
--
-- The trigger body runs under the 'dbo' execution context.
--
-- NOTE(review): no ROLLBACK follows the RAISERROR, so confirm on the target
-- engine that the offending GRANT is actually undone and not merely reported;
-- if it is not, an explicit ROLLBACK after the RAISERROR is needed.
-- NOTE(review): only the two literal permission names are matched. A broader
-- database permission that implies them (for example CONTROL) is not in the
-- list, and REVOKE events are not among the events this trigger fires for, so
-- removal of the DENY would go unnoticed here. Verify that those paths are
-- covered or audited elsewhere.
CREATE TRIGGER [rds_deny_backups_trigger]
ON DATABASE
WITH EXECUTE AS 'dbo'
FOR ADD_ROLE_MEMBER, GRANT_DATABASE
AS
BEGIN
    SET NOCOUNT ON;
    SET ANSI_PADDING ON;

    DECLARE @event_xml   xml;
    DECLARE @event_type  sysname;
    DECLARE @member_name sysname;
    DECLARE @role_name   sysname;
    DECLARE @deny_stmt   NVARCHAR(MAX);
    DECLARE @granted     TABLE (permission_name sysname PRIMARY KEY);

    -- Capture the event payload once; every later lookup reads this copy.
    SET @event_xml  = EVENTDATA();
    SET @event_type = @event_xml.value('(/EVENT_INSTANCE/EventType)[1]', 'sysname');

    IF @event_type = 'ADD_ROLE_MEMBER'
    BEGIN
        SET @member_name = @event_xml.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname');
        SET @role_name   = @event_xml.value('(/EVENT_INSTANCE/RoleName)[1]', 'sysname');

        IF @role_name IN ('db_owner', 'db_backupoperator')
        BEGIN
            -- A principal name cannot be bound as a parameter in DENY, so the
            -- statement is built dynamically. QUOTENAME delimits the name so
            -- that it stays in identifier position whatever characters it holds.
            SET @deny_stmt = 'DENY BACKUP DATABASE, BACKUP LOG TO ' + QUOTENAME(@member_name);
            EXEC(@deny_stmt);
        END
    END
    ELSE IF @event_type = 'GRANT_DATABASE'
    BEGIN
        -- Flatten the <Permission> elements of the event into one row each.
        INSERT INTO @granted (permission_name)
        SELECT perm_node.value('(text())[1]', 'sysname')
        FROM @event_xml.nodes('/EVENT_INSTANCE/Permissions/Permission') AS granted_nodes(perm_node);

        IF EXISTS (
            SELECT 1
            FROM @granted
            WHERE permission_name IN ('BACKUP DATABASE', 'BACKUP LOG')
        )
            RAISERROR('Cannot grant backup database or backup log', 15, 1) WITH LOG;
    END
END