Skip to main content

Enumeration & Lookup Values Reference

This section documents the possible values stored in lookup/enumeration tables and coded columns used throughout the schema. These serve as the domain constraints for foreign key and type columns in the core data collection tables.

Server Principal Types (SA_SQLServer_ServerPrincipalTypes)

Referenced by SA_SQLServer_ServerPrincipals.type. Values are populated at runtime from sys.server_principals on each target instance.

CodeDescription
CCERTIFICATE_MAPPED_LOGIN
EEXTERNAL_LOGIN
GWINDOWS_GROUP
KASYMMETRIC_KEY_MAPPED_LOGIN
RSERVER_ROLE
SSQL_LOGIN
UWINDOWS_LOGIN
note

Actual values present in the database depend on the SQL Server version and instance configuration. Types E (EXTERNAL_LOGIN) and K (ASYMMETRIC_KEY_MAPPED_LOGIN) may not be present on all instances.

Database Principal Types (SA_SQLServer_DatabasePrincipalTypes)

Referenced by SA_SQLServer_DatabasePrincipals.type. Values are populated at runtime from sys.database_principals on each target instance.

CodeDescription
CCERTIFICATE_MAPPED_USER
EEXTERNAL_USER
GWINDOWS_GROUP
KASYMMETRIC_KEY_MAPPED_USER
RDATABASE_ROLE
SSQL_USER
UWINDOWS_USER
XEXTERNAL_GROUP
note

Actual values present in the database depend on the SQL Server version and instance configuration. Types E (EXTERNAL_USER), K (ASYMMETRIC_KEY_MAPPED_USER), and X (EXTERNAL_GROUP) may not be present on all instances.

Permission States (SA_SQLServer_PermissionStates)

Referenced by SA_SQLServer_ServerPermissions.state and SA_SQLServer_DatabasePermissions.state. Values are populated at runtime from sys.server_permissions and sys.database_permissions.

CodeDescription
DDENY
GGRANT
RREVOKE
WGRANT_WITH_GRANT_OPTION
note

These are the four standard SQL Server permission states. The most commonly encountered are D (DENY) and G (GRANT).

Permission Classes (SA_SQLServer_PermissionClasses)

Referenced by SA_SQLServer_ServerPermissions.class and SA_SQLServer_DatabasePermissions.class. Values are populated at runtime from sys.server_permissions and sys.database_permissions.

CodeDescription
0DATABASE
1OBJECT_OR_COLUMN
3SCHEMA
4DATABASE_PRINCIPAL
5ASSEMBLY
6TYPE
10XML_SCHEMA_COLLECTION
11MESSAGE_TYPE
12SERVICE_CONTRACT
13SERVICE
14REMOTE_SERVICE_BINDING
15ROUTE
16FULLTEXT_CATALOG
17SYMMETRIC_KEY
18CERTIFICATE
19ASYMMETRIC_KEY
100SERVER
105ENDPOINT
note

Actual values present in the database depend on the SQL Server version and which features are in use. Not all classes will be present on every instance.

Permission Names (SA_SQLServer_PermissionNames)

Referenced by SA_SQLServer_ServerPermissions.type and SA_SQLServer_DatabasePermissions.type. Values are populated at runtime from sys.server_permissions and sys.database_permissions. The table below lists commonly encountered permission names; additional permissions may be present depending on SQL Server version and features in use.

CodePermission Name
AAESALTER ANY EVENT SESSION
ALAGALTER ANY AVAILABILITY GROUP
AUTHAUTHENTICATE SERVER
CADBCONNECT ANY DATABASE
CLCONTROL SERVER
COCONNECT
COSQCONNECT SQL
CRTBCREATE TABLE
DLDELETE
EXEXECUTE
IMIMPERSONATE
ININSERT
RFREFERENCES
SLSELECT
UPUPDATE
VWVIEW DEFINITION
VWADVIEW ANY DEFINITION
VWCKVIEW ANY COLUMN ENCRYPTION KEY DEFINITION
VWCMVIEW ANY COLUMN MASTER KEY DEFINITION
VWDBVIEW ANY DATABASE
VWSSVIEW SERVER STATE

Audit Class Types (SA_SQLServer_AuditClassType)

Referenced by SA_SQLServer_AuditActions.class_type and SA_SQLServer_Events.class_type. The full list contains 107 entries; the most commonly encountered types are shown below.

CodeDescriptionCodeDescription
ASERVER AUDITOBOBJECT
AKASYMMETRIC KEYPSTORED PROCEDURE
ARAPPLICATION ROLEPKPRIMARY KEY
ASASSEMBLYRLROLE
CRCERTIFICATESTABLE SYSTEM
DADATABASE AUDIT SPECIFICATIONSASERVER AUDIT SPECIFICATION
DBDATABASESCSCHEMA
EPENDPOINTSEEVENT SESSION
FNFUNCTION SCALAR SQLSGSERVER ROLE
IFFUNCTION TABLE-VALUED INLINE SQLSKSYMMETRIC KEY
ITINTERNAL TABLESLSQL LOGIN
IXINDEXSNSYNONYM
LXLOGINSOSEQUENCE OBJECT
MKMASTER KEYSRSERVER
UTABLEVVIEW
USUSERXSTORED PROCEDURE EXTENDED

Full list: 107 class types are defined. Additional types include AF (AGGREGATE), AG (AVAILABILITY GROUP), AL (ASYMMETRIC KEY LOGIN), AQ (ADHOC QUERY), BN (REMOTE SERVICE BINDING), C (CHECK CONSTRAINT), CD (CREDENTIAL), CK (COLUMN ENCRYPTION KEY), CM (COLUMN MASTER KEY), CO (SERVER CONFIG), CP (CRYPTOGRAPHIC PROVIDER), CT (CONTRACT), DT (TRIGGER DATABASE), ED (EXTERNAL DATA SOURCE), EN (EVENT NOTIFICATION), FC (FULLTEXT CATALOG), FL (FULLTEXT STOPLIST), FP (SEARCH PROPERTY LIST), FS (FUNCTION SCALAR ASSEMBLY), FT (FUNCTION TABLE-VALUED ASSEMBLY), MT (MESSAGE TYPE), PC (STORED PROCEDURE ASSEMBLY), PF (PARTITION FUNCTION), PS (PARTITION SCHEME), RT (ROUTE), SQ (QUEUE), ST (STATISTICS), SV (SERVICE), SX (XML SCHEMA COLLECTION), TF (FUNCTION TABLE-VALUED SQL), TR (TRIGGER), TY (TYPE), WG (WINDOWS GROUP), WL (WINDOWS LOGIN), WU (WINDOWS USER), and others.

Audit Actions (Common) (SA_SQLServer_AuditActions)

Referenced by SA_SQLServer_Events.action_id. The full list contains 173 action definitions; frequently referenced actions are shown below.

Login / Logout Actions:

Action IDAction Name
LGISLOGIN SUCCEEDED
LGIFLOGIN FAILED
LGOLOGOUT
LGDADISABLE
LGEAENABLE
LGDBCHANGE DEFAULT DATABASE
LGLGCHANGE DEFAULT LANGUAGE
LGNMNAME CHANGE

DML / DDL Actions:

Action IDAction Name
SLSELECT
ININSERT
UPUPDATE
DLDELETE
EXEXECUTE
CRCREATE
ALALTER
DRDROP

Permission Actions:

Action IDAction Name
GGRANT
DDENY
RREVOKE
GWGGRANT WITH GRANT
DWCDENY WITH CASCADE
RWCREVOKE WITH CASCADE
RWGREVOKE WITH GRANT

Audit Group Actions:

Action IDAction Name
ADSPSERVER_ROLE_MEMBER_CHANGE_GROUP
ADDPDATABASE_ROLE_MEMBER_CHANGE_GROUP
GRDBDATABASE_PERMISSION_CHANGE_GROUP
GRSVSERVER_PERMISSION_CHANGE_GROUP
MNDBDATABASE_CHANGE_GROUP
MNSPSERVER_PRINCIPAL_CHANGE_GROUP
MNDPDATABASE_PRINCIPAL_CHANGE_GROUP
BRDBBACKUP_RESTORE_GROUP
LGFLFAILED_LOGIN_GROUP
LGSDSUCCESSFUL_LOGIN_GROUP
CNAUAUDIT_CHANGE_GROUP

SDD Resource Types (SA_SQLServer_SDD_ResourceTypes)

Referenced by SA_SQLServer_SDD_Resources.type.

IDDescription
1DatabaseName
2TableName
3ColumnName
4ColumnData
5Object
6TableRow

SDD Match Location Bitmask

Used in SA_SQLServer_SDD_Matches.match_location and SA_SQLServer_SDD_MatchHits.match_location. The underlying column stores an integer bitmask; views decode it to a human-readable string.

ValueDecoded String
0None
1Content
2Metadata
3Content,Metadata
4Filename
5Content,Filename
6Metadata,Filename
7Content,Metadata,Filename

Membership Source (SA_SQLServer_EffectiveRoleMembership.membership_source)

ValueDescription
0Unset
1SqlServer
2ADI (Active Directory Inventory)
3AzureADI (Azure Active Directory Inventory)
4Azure SQL
5Azure SQL Managed Instance

Database Type (SA_SQLServer_EffectiveRoleMembership.database_type)

Used to compute the Database Type column in SA_SQLServer_EffectiveRoleMembershipView. Values correspond to the DatabaseSystemType enum defined in Stealthbits.StealthAUDIT.DataCollectors.Databases.Shared.

ValueEnum NameDescription
0UnsetDefault / not yet determined
1SqlServerOn-premise SQL Server
2AzureSqlServerAzure SQL Database (Standalone)
3OracleOracle Database
4PostgreSqlPostgreSQL
5MySqlMySQL
6AzureSqlServerManagedInstanceAzure SQL Managed Instance
7SaDataSourceStealthAUDIT Data Source
8AWSPostgresAWS PostgreSQL (not currently supported)
9AWSMySqlAWS MySQL (not currently supported)
10EDBPostgreSqlEDB PostgreSQL (not currently supported)
11SqlServerClusterSQL Server Cluster (not currently supported)
12Db2LUWIBM Db2 LUW
20MongoDbMongoDB
note

Within the SQL Server Data Collector context, only values 0 (Unset), 1 (SqlServer), 2 (AzureSqlServer), and 6 (AzureSqlServerManagedInstance) are applicable. The remaining values are used by other database collector modules that share the SA_SQL_Instances table.