Skip to main content

Views

SA_SQLServer_FullEventsView

Description: Denormalizes the SA_SQLServer_Events fact table by LEFT JOINing all dimension tables. Provides a single, flat view of audit events with human-readable names instead of FK IDs. Resolves action names via a distinct subquery on AuditActions.

Source Tables: SA_SQLServer_Events, SA_SQLServer_AuditFiles, SA_SQLServer_AuditInformation, SA_SQLServer_Instances, SA_SQL_Instances, SA_SQLServer_EventDatabases, SA_SQLServer_Databases, SA_SQLServer_EventServerPrincipals, SA_SQLServer_EventDatabasePrincipals, SA_SQLServer_Statements, SA_SQLServer_AdditionalInformation, SA_SQLServer_UserEvents, SA_SQLServer_AuditClassType, SA_SQLServer_AuditActions

Column NameData TypeSizeNullableSourceDescription
InstanceintYesSA_SQLServer_Events.instance_idFK to the SQL Server instance
DatabaseintYesSA_SQLServer_Events.database_idFK to the database where the event occurred
event_timedatetime2NoSA_SQLServer_Events.event_timeTimestamp of the audit event
sequence_numberintNoSA_SQLServer_Events.sequence_numberSequence number within the audit record
action_idvarchar4YesSA_SQLServer_Events.action_idShort code identifying the audit action (e.g., LGIS, SL)
action_namenvarchar128YesSA_SQLServer_AuditActions.nameHuman-readable name of the audit action
succeededbitNoSA_SQLServer_Events.succeededWhether the audited action succeeded
session_idsmallintNoSA_SQLServer_Events.session_idSQL Server session ID
object_idintYesSA_SQLServer_Events.object_idID of the object targeted by the action
object_namenvarchar128YesSA_SQLServer_Events.object_nameName of the object targeted by the action
class_typevarchar2YesSA_SQLServer_AuditClassType.class_typeTwo-character audit class type code
class_type_descnvarchar120YesSA_SQLServer_AuditClassType.class_type_descDescription of the audit class type
schema_namenvarchar128YesSA_SQLServer_Events.schema_nameSchema containing the target object
audit_file_offsetbigintNoSA_SQLServer_Events.audit_file_offsetByte offset within the audit file
audit_schema_versionintYesSA_SQLServer_AuditInformation.audit_schema_versionVersion of the audit schema
sequence_group_idvarbinary85YesSA_SQLServer_AuditInformation.sequence_group_idIdentifier for the sequence group
file_idintYesSA_SQLServer_AuditFiles.file_idFK to the audit file
client_ipnvarchar128YesSA_SQLServer_Events.client_ipIP address of the connecting client
application_namenvarchar128YesSA_SQLServer_Events.application_nameName of the client application
audit_file_pathnvarchar1024YesSA_SQLServer_AuditFiles.audit_file_pathFile system path of the audit file
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
database_namenvarchar128YesSA_SQLServer_Databases.database_nameName of the database
database_idintYesSA_SQLServer_EventDatabases.database_idDatabase ID from the event
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database (on-prem vs. Azure)
server_principal_idintYesSA_SQLServer_EventServerPrincipals.server_principal_idID of the server principal who performed the action
server_principal_namenvarchar128YesSA_SQLServer_EventServerPrincipals.server_principal_nameName of the server principal
server_principal_sidvarbinary85YesSA_SQLServer_EventServerPrincipals.server_principal_sidSID of the server principal
session_principal_idintYesSA_SQLServer_EventServerPrincipals.session_principal_idID of the session-level principal
session_principal_namenvarchar128YesSA_SQLServer_EventServerPrincipals.session_principal_nameName of the session-level principal
session_principal_sidvarbinary85YesSA_SQLServer_EventServerPrincipals.session_principal_sidSID of the session-level principal
database_principal_idintYesSA_SQLServer_EventDatabasePrincipals.database_principal_idID of the database principal involved
database_principal_namenvarchar128YesSA_SQLServer_EventDatabasePrincipals.database_principal_nameName of the database principal
target_server_principal_idintYesSA_SQLServer_EventServerPrincipals.target_server_principal_idID of the target server principal
target_server_principal_namenvarchar128YesSA_SQLServer_EventServerPrincipals.target_server_principal_nameName of the target server principal
target_server_principal_sidvarbinary85YesSA_SQLServer_EventServerPrincipals.target_server_principal_sidSID of the target server principal
target_database_principal_idintYesSA_SQLServer_EventDatabasePrincipals.target_database_principal_idID of the target database principal
target_database_principal_namenvarchar128YesSA_SQLServer_EventDatabasePrincipals.target_database_principal_nameName of the target database principal
permission_bitmaskvarbinary16YesSA_SQLServer_Events.permission_bitmaskBitmask of permissions relevant to the action
is_column_permissionbitYesSA_SQLServer_Events.is_column_permissionWhether the permission applies at the column level
statementnvarchar4000YesSA_SQLServer_Statements.statementThe SQL statement that triggered the event
additional_informationnvarchar4000YesSA_SQLServer_AdditionalInformation.additional_informationAdditional XML information about the event
user_defined_event_idsmallintYesSA_SQLServer_UserEvents.user_defined_event_idID for user-defined audit events
user_defined_informationnvarchar4000YesSA_SQLServer_UserEvents.user_defined_informationCustom information for user-defined events

Logic: LEFT JOINs Events to all dimension tables (AuditFiles, AuditInformation, Instances, EventDatabases, Databases, EventServerPrincipals, EventDatabasePrincipals, Statements, AdditionalInformation, UserEvents, AuditClassType) using FK columns. Resolves action names via a SELECT DISTINCT subquery on AuditActions. Joins to SA_SQL_Instances to obtain database_usage_mode.

SA_SQLServer_ServerPrincipalsView

Description: Enriches SA_SQLServer_ServerPrincipals with type descriptions, instance names, default database names, and SID-to-string conversion via SA_SQLServer_BinarySIDToString(). Filters to active databases where sa_delete_date IS NULL.

Source Tables: SA_SQLServer_ServerPrincipals, SA_SQLServer_ServerPrincipalTypes, SA_SQLServer_Instances, SA_SQL_Instances, SA_SQLServer_Databases

Column NameData TypeSizeNullableSourceDescription
server_principal_idintNoSA_SQLServer_ServerPrincipals.idSurrogate PK for the server principal record
instance_idintNoSA_SQLServer_ServerPrincipals.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
principal_idintYesSA_SQLServer_ServerPrincipals.principal_idSQL Server principal_id from sys.server_principals
principal_namenvarchar128YesSA_SQLServer_ServerPrincipals.principal_nameLogin or principal name
principal_sidvarbinary85YesSA_SQLServer_ServerPrincipals.principal_sidBinary SID of the principal
principal_sid_stringvarchar100YesUDF: SA_SQLServer_BinarySIDToStringHuman-readable SID string (S-1-...)
typenchar1YesSA_SQLServer_ServerPrincipals.typeSingle-character type code (S, U, G, R, C, K, E, X)
type_descnvarchar120YesSA_SQLServer_ServerPrincipalTypes.type_descFriendly type description (e.g., SQL_LOGIN, WINDOWS_LOGIN)
is_disabledbitYesSA_SQLServer_ServerPrincipals.is_disabledWhether the login is disabled
create_datedatetimeYesSA_SQLServer_ServerPrincipals.create_dateDate the principal was created
modify_datedatetimeYesSA_SQLServer_ServerPrincipals.modify_dateDate the principal was last modified
default_database_idintYesSA_SQLServer_ServerPrincipals.default_database_idFK to the default database
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database (on-prem vs. Azure)
default_databasenvarchar128YesSA_SQLServer_Databases.database_nameName of the default database
default_language_namenvarchar128YesSA_SQLServer_ServerPrincipals.default_language_nameDefault language for the login
credential_idintYesSA_SQLServer_ServerPrincipals.credential_idAssociated credential ID
is_deletedbitNoSA_SQLServer_ServerPrincipals.is_deletedSoft-delete flag for the principal

Logic: JOINs ServerPrincipals to ServerPrincipalTypes for type descriptions and to Instances/SA_SQL_Instances for instance names and usage mode. LEFT JOINs to Databases to resolve default database name. Uses SA_SQLServer_BinarySIDToString() UDF to convert binary SID to human-readable S-1-... format. Filters where sa_delete_date IS NULL on the Databases table.

SA_SQLServer_SqlLoginsView

Description: Combines SQL Login-specific properties (password policy, expiration, lock status) with the full server principal view via INNER JOIN.

Source Tables: SA_SQLServer_SqlLogins, SA_SQLServer_ServerPrincipalsView

Column NameData TypeSizeNullableSourceDescription
server_principal_idintNoSA_SQLServer_ServerPrincipalsView.server_principal_idSurrogate PK from the server principals view
instance_idintNoSA_SQLServer_ServerPrincipalsView.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_ServerPrincipalsView.instance_nameName of the SQL Server instance
principal_idintYesSA_SQLServer_ServerPrincipalsView.principal_idSQL Server principal_id
principal_namenvarchar128YesSA_SQLServer_ServerPrincipalsView.principal_nameLogin name
principal_sidvarbinary85YesSA_SQLServer_ServerPrincipalsView.principal_sidBinary SID of the principal
principal_sid_stringvarchar100YesSA_SQLServer_ServerPrincipalsView.principal_sid_stringHuman-readable SID string
typenchar1YesSA_SQLServer_ServerPrincipalsView.typeSingle-character type code
type_descnvarchar120YesSA_SQLServer_ServerPrincipalsView.type_descFriendly type description
is_disabledbitYesSA_SQLServer_ServerPrincipalsView.is_disabledWhether the login is disabled
create_datedatetimeYesSA_SQLServer_ServerPrincipalsView.create_dateDate the principal was created
modify_datedatetimeYesSA_SQLServer_ServerPrincipalsView.modify_dateDate the principal was last modified
default_database_idintYesSA_SQLServer_ServerPrincipalsView.default_database_idFK to the default database
database_usage_modeintYesSA_SQLServer_ServerPrincipalsView.database_usage_modeUsage mode of the database
default_databasenvarchar128YesSA_SQLServer_ServerPrincipalsView.default_databaseName of the default database
default_language_namenvarchar128YesSA_SQLServer_ServerPrincipalsView.default_language_nameDefault language for the login
credential_idintYesSA_SQLServer_ServerPrincipalsView.credential_idAssociated credential ID
is_deletedbitNoSA_SQLServer_ServerPrincipalsView.is_deletedSoft-delete flag
sqllogin_idintNoSA_SQLServer_SqlLogins.idSurrogate PK for the SQL login record
is_policy_checkedbitNoSA_SQLServer_SqlLogins.is_policy_checkedWhether password policy is enforced
is_expiration_checkedbitNoSA_SQLServer_SqlLogins.is_expiration_checkedWhether password expiration is enforced
password_hashvarbinary256YesSA_SQLServer_SqlLogins.password_hashHashed password value
is_lockedbitYesSA_SQLServer_SqlLogins.is_lockedWhether the account is currently locked out
is_expiredbitYesSA_SQLServer_SqlLogins.is_expiredWhether the password has expired
is_must_changebitYesSA_SQLServer_SqlLogins.is_must_changeWhether the password must be changed at next login
password_hash_algorithmintYesSA_SQLServer_SqlLogins.password_hash_algorithmAlgorithm used to hash the password

Logic: INNER JOINs SqlLogins to ServerPrincipalsView on the server_principal FK, combining login-specific properties with all inherited principal metadata.

SA_SQLServer_DatabasePrincipalsView

Description: Enriches SA_SQLServer_DatabasePrincipals with instance, database, type, schema, and owning principal information. Uses SA_SQLServer_BinarySIDToString() UDF. Filters to active databases where sa_delete_date IS NULL.

Source Tables: SA_SQLServer_DatabasePrincipals, SA_SQLServer_Databases, SA_SQLServer_Instances, SA_SQL_Instances, SA_SQLServer_DatabasePrincipalTypes, SA_SQLServer_Schemas, SA_SQLServer_ServerPrincipals

Column NameData TypeSizeNullableSourceDescription
idintNoSA_SQLServer_DatabasePrincipals.idSurrogate PK for the database principal record
instance_idintYesSA_SQLServer_Databases.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
database_idintNoSA_SQLServer_DatabasePrincipals.database_idFK to the database
database_namenvarchar128YesSA_SQLServer_Databases.database_nameName of the database
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database (on-prem vs. Azure)
principal_idintYesSA_SQLServer_DatabasePrincipals.principal_idSQL Server principal_id from sys.database_principals
principal_namenvarchar128YesSA_SQLServer_DatabasePrincipals.principal_nameDatabase principal name
principal_sidvarbinary85YesSA_SQLServer_DatabasePrincipals.principal_sidBinary SID of the database principal
principal_sid_stringvarchar100YesUDF: SA_SQLServer_BinarySIDToStringHuman-readable SID string (S-1-...)
typenchar1YesSA_SQLServer_DatabasePrincipals.typeSingle-character type code
type_descnvarchar120YesSA_SQLServer_DatabasePrincipalTypes.type_descFriendly type description (e.g., SQL_USER, DATABASE_ROLE)
default_schema_idintYesSA_SQLServer_DatabasePrincipals.default_schema_idFK to the default schema
default_schemanvarchar128YesSA_SQLServer_Schemas.schema_nameName of the default schema
create_datedatetimeYesSA_SQLServer_DatabasePrincipals.create_dateDate the principal was created
modify_datedatetimeYesSA_SQLServer_DatabasePrincipals.modify_dateDate the principal was last modified
owning_principal_idintYesSA_SQLServer_DatabasePrincipals.owning_principal_idFK to the owning server principal
owning_principal_namenvarchar128YesSA_SQLServer_ServerPrincipals.principal_nameName of the owning server principal
is_fixed_rolebitYesSA_SQLServer_DatabasePrincipals.is_fixed_roleWhether this is a fixed database role
authentication_typeintYesSA_SQLServer_DatabasePrincipals.authentication_typeAuthentication type code
authentication_type_descnvarchar60YesSA_SQLServer_DatabasePrincipals.authentication_type_descAuthentication type description
is_deletedbitNoSA_SQLServer_DatabasePrincipals.is_deletedSoft-delete flag for the principal

Logic: LEFT JOINs to Databases, Instances, SA_SQL_Instances, DatabasePrincipalTypes, Schemas, and ServerPrincipals to resolve all lookup values. Converts SID to string using SA_SQLServer_BinarySIDToString(). Resolves owning principal name from ServerPrincipals. Filters sa_delete_date IS NULL on the Databases table.

SA_SQLServer_PermissionsView

Description: Unified view combining both server-level and database-level permissions into a single result set via UNION. Resolves grantee/grantor names, permission names, and target objects. CASE expressions map type codes to friendly names. Filters soft-deleted principals and objects.

Source Tables: SA_SQLServer_DatabasePermissions, SA_SQLServer_ServerPermissions, SA_SQLServer_Databases, SA_SQLServer_Instances, SA_SQL_Instances, SA_SQLServer_DatabasePrincipals, SA_SQLServer_ServerPrincipals, SA_SQLServer_PermissionClasses, SA_SQLServer_PermissionNames, SA_SQLServer_PermissionStates, SA_SQLServer_Objects

Column NameData TypeSizeNullableSourceDescription
idintNoSA_SQLServer_DatabasePermissions.id / SA_SQLServer_ServerPermissions.idSurrogate PK for the permission record
instance_idintYesSA_SQLServer_Databases.instance_id / SA_SQLServer_ServerPermissions.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
database_idintYesSA_SQLServer_DatabasePermissions.database_idFK to the database (NULL for server-level)
database_namenvarchar128YesSA_SQLServer_Databases.database_nameName of the database (NULL for server-level)
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database
classtinyintNoSA_SQLServer_DatabasePermissions.class / SA_SQLServer_ServerPermissions.classPermission class code
class_descnvarchar120YesSA_SQLServer_PermissionClasses.class_descDescription of the permission class
major_idintNoSA_SQLServer_DatabasePermissions.major_id / SA_SQLServer_ServerPermissions.major_idID of the securable (object, schema, etc.)
object_idbigintYesSA_SQLServer_Objects.idSurrogate PK of the target object
object_namenvarchar128YesSA_SQLServer_Objects.object_nameName of the target object
minor_idintNoSA_SQLServer_DatabasePermissions.minor_id / SA_SQLServer_ServerPermissions.minor_idSub-object ID (e.g., column ordinal)
grantee_principal_idintYesSA_SQLServer_DatabasePrincipals.principal_id / SA_SQLServer_ServerPrincipals.principal_idSQL Server principal_id of the grantee
grantee_idintYesSA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.idSurrogate PK of the grantee principal
grantee_principal_sidvarbinary85YesSA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sidBinary SID of the grantee
grantee_principal_namenvarchar128YesSA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_nameName of the grantee principal
grantee_typenvarchar24YesComputed (CASE)Friendly type name of the grantee (e.g., DATABASE_ROLE, SQL_USER)
grantor_principal_idintYesSA_SQLServer_DatabasePrincipals.principal_id / SA_SQLServer_ServerPrincipals.principal_idSQL Server principal_id of the grantor
grantor_idintYesSA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.idSurrogate PK of the grantor principal
grantor_principal_sidvarbinary85YesSA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sidBinary SID of the grantor
grantor_principal_namenvarchar128YesSA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_nameName of the grantor principal
typenchar4NoSA_SQLServer_PermissionNames.typeFour-character permission type code
permission_namenvarchar128YesSA_SQLServer_PermissionNames.permission_nameHuman-readable permission name (e.g., SELECT, EXECUTE)
statenchar1NoSA_SQLServer_PermissionStates.stateSingle-character state code (G, D, R, W)
state_descnvarchar120YesSA_SQLServer_PermissionStates.state_descPermission state description (GRANT, DENY, REVOKE, GRANT_WITH_GRANT_OPTION)

Logic: UNION of database-level permissions (resolved via DatabasePrincipals, Objects) and server-level permissions (resolved via ServerPrincipals). Both halves use CASE expressions to map single-character type codes to friendly type names (e.g., 'R' to 'DATABASE_ROLE', 'S' to 'SQL_USER'). Filters where is_deleted = 0 on principals and sa_delete_date IS NULL on objects/databases.

SA_SQLServer_RoleMembersView

Description: Unified view of server and database role memberships via UNION. Resolves role and member names with friendly type labels. Filters to non-deleted records.

Source Tables: SA_SQLServer_DatabaseRoleMembers, SA_SQLServer_ServerRoleMembers, SA_SQLServer_DatabasePrincipals, SA_SQLServer_ServerPrincipals, SA_SQLServer_Databases, SA_SQLServer_Instances, SA_SQL_Instances

Column NameData TypeSizeNullableSourceDescription
instance_idintYesSA_SQLServer_Databases.instance_id / SA_SQLServer_ServerRoleMembers.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
database_idintYesSA_SQLServer_DatabaseRoleMembers.database_idFK to the database (NULL for server-level)
database_namenvarchar128YesSA_SQLServer_Databases.database_nameName of the database (NULL for server-level)
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database
roleintNoSA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.idSurrogate PK of the role principal
role_sidvarbinary85YesSA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sidBinary SID of the role
role_namenvarchar128YesSA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_nameName of the role
role_typenvarchar27YesComputed (CASE)Friendly type name of the role (e.g., DATABASE_ROLE, SERVER_ROLE)
memberintNoSA_SQLServer_DatabasePrincipals.id / SA_SQLServer_ServerPrincipals.idSurrogate PK of the member principal
member_sidvarbinary85YesSA_SQLServer_DatabasePrincipals.principal_sid / SA_SQLServer_ServerPrincipals.principal_sidBinary SID of the member
member_namenvarchar128YesSA_SQLServer_DatabasePrincipals.principal_name / SA_SQLServer_ServerPrincipals.principal_nameName of the member
member_typenvarchar27YesComputed (CASE)Friendly type name of the member (e.g., SQL_USER, WINDOWS_LOGIN)

Logic: UNION of database role members (resolved via DatabasePrincipals, Databases) and server role members (resolved via ServerPrincipals). CASE expressions map single-character type codes to friendly names. Filters is_deleted = 0 on principals and sa_delete_date IS NULL on databases.

SA_SQLServer_SqlDatabaseView

Description: Simple convenience view joining databases to instances with database usage mode. Provides a quick lookup for instance-database relationships.

Source Tables: SA_SQLServer_Databases, SA_SQLServer_Instances, SA_SQL_Instances

Column NameData TypeSizeNullableSourceDescription
idintNoSA_SQLServer_Databases.idSurrogate PK for the database record
instance_idintNoSA_SQLServer_Databases.instance_idFK to the SQL Server instance
instance_namenvarchar128NoSA_SQLServer_Instances.instance_nameName of the SQL Server instance
database_idintYesSA_SQLServer_Databases.database_idSQL Server database_id
database_namenvarchar128NoSA_SQLServer_Databases.database_nameName of the database
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database (on-prem vs. Azure)

Logic: JOINs Databases to Instances and SA_SQL_Instances to produce a flat listing of all databases with their instance names and usage modes.

SA_SQLServer_DailyLogonsView

Description: Aggregates login events (successful and failed) by day, instance, and server principal. Filters to login action codes only.

Source Tables: SA_SQLServer_Events, SA_SQLServer_ServerPrincipals, SA_SQLServer_Instances, SA_SQLServer_AuditActions

Column NameData TypeSizeNullableSourceDescription
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
event_datedateYesComputed: CAST(event_time AS DATE)Date of the login events (day granularity)
action_idvarchar4YesSA_SQLServer_Events.action_idLogin action code (LGIS or LGIF)
namenvarchar128YesSA_SQLServer_AuditActions.nameHuman-readable action name (Login Succeeded / Login Failed)
principal_idintYesSA_SQLServer_ServerPrincipals.principal_idSQL Server principal_id of the login
principal_namenvarchar128YesSA_SQLServer_ServerPrincipals.principal_nameName of the server principal
principal_sidvarbinary85YesSA_SQLServer_ServerPrincipals.principal_sidBinary SID of the server principal
countintYesComputed: COUNT(*)Number of login events for this day/instance/principal/action combination

Logic: Groups events by CAST(event_time AS DATE), instance, principal, and action_id. Filters to action_id IN ('LGIS', 'LGIF') (Login Succeeded / Login Failed). Resolves principal and action names via JOINs. Excludes rows where principal_name IS NULL.

SA_SQLServer_SDD_ResourcesView

Description: Enriches SDD resources with human-readable instance, database, object, and column names. LEFT JOINs to all dimension tables. Filters to active databases.

Source Tables: SA_SQLServer_SDD_Resources, SA_SQLServer_SDD_ResourceTypes, SA_SQLServer_Instances, SA_SQL_Instances, SA_SQLServer_Databases, SA_SQLServer_Objects, SA_SQLServer_Columns

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_Resources.idSurrogate PK for the SDD resource
resource_type_idtinyintNoSA_SQLServer_SDD_Resources.resource_type_idFK to the resource type
resource_typenvarchar100YesSA_SQLServer_SDD_ResourceTypes.resource_typeHuman-readable resource type name
instance_idintNoSA_SQLServer_SDD_Resources.instance_idFK to the SQL Server instance
database_idintYesSA_SQLServer_SDD_Resources.database_idFK to the database
object_idbigintYesSA_SQLServer_SDD_Resources.object_idFK to the database object
column_idintYesSA_SQLServer_SDD_Resources.column_idFK to the column (NULL for non-column resources)
instance_namenvarchar128YesSA_SQLServer_Instances.instance_nameName of the SQL Server instance
database_namenvarchar128YesSA_SQLServer_Databases.database_nameName of the database
object_namenvarchar128YesSA_SQLServer_Objects.object_nameName of the database object
column_namenvarchar128YesSA_SQLServer_Columns.column_nameName of the column
sql_instance_idintYesSA_SQL_Instances.sql_instance_idStealthAUDIT internal instance ID
database_usage_modeintYesSA_SQL_Instances.database_usage_modeUsage mode of the database (on-prem vs. Azure)

Logic: LEFT JOINs SDD_Resources to ResourceTypes, Instances, SA_SQL_Instances, Databases, Objects, and Columns to resolve all human-readable names. Filters where sa_delete_date IS NULL on the Databases table.

SA_SQLServer_SDD_MatchesView

Description: Enriches SDD match aggregates with resource details and criteria names. Decodes the match_location bitmask to human-readable strings via a CASE expression.

Source Tables: SA_SQLServer_SDD_Matches, SA_SQLServer_SDD_ResourcesView, SA_SQLServer_SDD_Criteria

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_Matches.resource_idFK to the SDD resource
resource_type_idtinyintNoSA_SQLServer_SDD_ResourcesView.resource_type_idResource type ID from the resources view
resource_typenvarchar100YesSA_SQLServer_SDD_ResourcesView.resource_typeHuman-readable resource type name
instance_idintNoSA_SQLServer_SDD_ResourcesView.instance_idFK to the SQL Server instance
database_idintYesSA_SQLServer_SDD_ResourcesView.database_idFK to the database
object_idbigintYesSA_SQLServer_SDD_ResourcesView.object_idFK to the database object
instance_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.instance_nameName of the SQL Server instance
database_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.database_nameName of the database
object_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.object_nameName of the database object
sql_instance_idintYesSA_SQLServer_SDD_ResourcesView.sql_instance_idStealthAUDIT internal instance ID
database_usage_modeintYesSA_SQLServer_SDD_ResourcesView.database_usage_modeUsage mode of the database
criteria_idintNoSA_SQLServer_SDD_Matches.criteria_idFK to the SDD criteria
criteria_namenvarcharMAXNoSA_SQLServer_SDD_Criteria.criteria_nameName of the SDD matching criteria
match_countintNoSA_SQLServer_SDD_Matches.match_countNumber of matches found for this resource/criteria combination
match_locationvarchar25NoComputed (CASE on bitmask)Human-readable match location (Content, Metadata, Content/Metadata, Filename, etc.)

Logic: JOINs SDD_Matches to SDD_ResourcesView for resource details and to SDD_Criteria for criteria names. CASE expression decodes the match_location bitmask: 1=Content, 2=Metadata, 3=Content,Metadata, 4=Filename, 5=Filename,Content, 6=Filename,Metadata, 7=Filename,Content,Metadata.

SA_SQLServer_SDD_MatchHitsView

Description: Enriches individual SDD match hits with resource and criteria details. Resolves column_id to column_name via Columns join. Decodes match_location bitmask via CASE expression.

Source Tables: SA_SQLServer_SDD_MatchHits, SA_SQLServer_SDD_ResourcesView, SA_SQLServer_SDD_Criteria, SA_SQLServer_Columns

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_MatchHits.resource_idFK to the SDD resource
resource_type_idtinyintNoSA_SQLServer_SDD_ResourcesView.resource_type_idResource type ID from the resources view
resource_typenvarchar100YesSA_SQLServer_SDD_ResourcesView.resource_typeHuman-readable resource type name
instance_idintNoSA_SQLServer_SDD_ResourcesView.instance_idFK to the SQL Server instance
database_idintYesSA_SQLServer_SDD_ResourcesView.database_idFK to the database
object_idbigintYesSA_SQLServer_SDD_ResourcesView.object_idFK to the database object
instance_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.instance_nameName of the SQL Server instance
database_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.database_nameName of the database
object_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.object_nameName of the database object
sql_instance_idintYesSA_SQLServer_SDD_ResourcesView.sql_instance_idStealthAUDIT internal instance ID
database_usage_modeintYesSA_SQLServer_SDD_ResourcesView.database_usage_modeUsage mode of the database
criteria_idintNoSA_SQLServer_SDD_MatchHits.criteria_idFK to the SDD criteria
criteria_namenvarcharMAXNoSA_SQLServer_SDD_Criteria.criteria_nameName of the SDD matching criteria
match_datanvarchar1024NoSA_SQLServer_SDD_MatchHits.match_dataThe actual matched data content
column_namenvarcharMAXYesSA_SQLServer_Columns.column_nameName of the column where the match was found
column_idintNoSA_SQLServer_SDD_MatchHits.column_idFK to the column
match_locationvarchar25NoComputed (CASE on bitmask)Human-readable match location (Content, Metadata, etc.)

Logic: JOINs SDD_MatchHits to SDD_ResourcesView for resource details and to SDD_Criteria for criteria names. LEFT JOINs to Columns to resolve column_name from column_id. CASE expression decodes the match_location bitmask to human-readable strings.

SA_SQLServer_SensitiveDataPermissionsView

Description: Cross-references SDD matches with database permissions to show which principals have access to sensitive data. Uses SELECT DISTINCT to eliminate duplicates.

Source Tables: SA_SQLServer_SDD_MatchesView, SA_SQLServer_PermissionsView

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_MatchesView.resource_idFK to the SDD resource
resource_type_idtinyintNoSA_SQLServer_SDD_MatchesView.resource_type_idResource type ID
resource_typenvarchar100YesSA_SQLServer_SDD_MatchesView.resource_typeHuman-readable resource type name
instance_idintNoSA_SQLServer_SDD_MatchesView.instance_idFK to the SQL Server instance
database_idintYesSA_SQLServer_SDD_MatchesView.database_idFK to the database
object_idbigintYesSA_SQLServer_SDD_MatchesView.object_idFK to the database object
instance_namenvarchar128YesSA_SQLServer_SDD_MatchesView.instance_nameName of the SQL Server instance
database_namenvarchar128YesSA_SQLServer_SDD_MatchesView.database_nameName of the database
object_namenvarchar128YesSA_SQLServer_SDD_MatchesView.object_nameName of the database object
sql_instance_idintYesSA_SQLServer_SDD_MatchesView.sql_instance_idStealthAUDIT internal instance ID
database_usage_modeintYesSA_SQLServer_SDD_MatchesView.database_usage_modeUsage mode of the database
criteria_idintNoSA_SQLServer_SDD_MatchesView.criteria_idFK to the SDD criteria
criteria_namenvarcharMAXNoSA_SQLServer_SDD_MatchesView.criteria_nameName of the SDD matching criteria
match_countintNoSA_SQLServer_SDD_MatchesView.match_countNumber of matches
match_locationvarchar25NoSA_SQLServer_SDD_MatchesView.match_locationHuman-readable match location
grantee_principal_namenvarchar128YesSA_SQLServer_PermissionsView.grantee_principal_nameName of the principal granted access
grantor_principal_namenvarchar128YesSA_SQLServer_PermissionsView.grantor_principal_nameName of the principal who granted the permission
state_descnvarchar120YesSA_SQLServer_PermissionsView.state_descPermission state (GRANT, DENY, etc.)
permission_namenvarchar128YesSA_SQLServer_PermissionsView.permission_nameName of the permission (e.g., SELECT, EXECUTE)

Logic: JOINs SDD_MatchesView to PermissionsView on (database_id, object_id) to correlate sensitive data locations with the principals who have permissions on those objects. Uses SELECT DISTINCT to eliminate duplicate rows.

SA_SQLServer_SDD_MatchHits_SubjectProfileView

Description: Links SDD match hits to Subject Profile identity records, enabling correlation of discovered sensitive data with known individuals. JOINs through Sources, Identities, and Attributes tables.

Source Tables: SA_SQLServer_SDD_MatchHits_SubjectProfile, SA_SQLServer_SDD_ResourcesView, SA_SQLServer_SDD_Criteria, SA_SubjectProfile_Sources, SA_SubjectProfile_Identities, SA_SubjectProfile_Attributes

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_MatchHits_SubjectProfile.resource_idFK to the SDD resource
instance_idintNoSA_SQLServer_SDD_ResourcesView.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.instance_nameName of the SQL Server instance
database_idintYesSA_SQLServer_SDD_ResourcesView.database_idFK to the database
database_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.database_nameName of the database
database_usage_modeintYesSA_SQLServer_SDD_ResourcesView.database_usage_modeUsage mode of the database
object_idbigintYesSA_SQLServer_SDD_ResourcesView.object_idFK to the database object
object_namenvarchar128YesSA_SQLServer_SDD_ResourcesView.object_nameName of the database object
resource_type_idtinyintNoSA_SQLServer_SDD_ResourcesView.resource_type_idResource type ID
resource_typenvarchar100YesSA_SQLServer_SDD_ResourcesView.resource_typeHuman-readable resource type name
criteria_idintNoSA_SQLServer_SDD_MatchHits_SubjectProfile.criteria_idFK to the SDD criteria
criteria_namenvarcharMAXNoSA_SQLServer_SDD_Criteria.criteria_nameName of the SDD matching criteria
pattern_guiduniqueidentifierNoSA_SQLServer_SDD_MatchHits_SubjectProfile.pattern_guidGUID identifying the matching pattern
source_idintNoSA_SubjectProfile_Sources.source_idSubject Profile source identifier
source_namevarchar256NoSA_SubjectProfile_Sources.source_nameName of the Subject Profile data source
source_object_iduniqueidentifierNoSA_SubjectProfile_Sources.source_object_idUnique ID of the source object
source_updateddatetimeNoSA_SubjectProfile_Sources.source_updatedLast update timestamp for the source
source_usnintNoSA_SubjectProfile_Sources.source_usnUpdate sequence number for the source
identity_idbigintNoSA_SubjectProfile_Identities.identity_idSubject Profile identity identifier
identity_typevarchar256NoSA_SubjectProfile_Identities.identity_typeType of the identity (e.g., person, account)
identity_namenvarchar256NoSA_SubjectProfile_Identities.identity_nameDisplay name of the identity
identity_platform_idvarchar256NoSA_SubjectProfile_Identities.identity_platform_idPlatform-specific identifier for the identity
attribute_idintNoSA_SubjectProfile_Attributes.attribute_idSubject Profile attribute identifier
attribute_namenvarchar256NoSA_SubjectProfile_Attributes.attribute_nameName of the attribute matched
attribute_requiredbitNoSA_SubjectProfile_Attributes.attribute_requiredWhether the attribute is required for identification

Logic: JOINs SDD_MatchHits_SubjectProfile to SDD_ResourcesView for resource details and to SDD_Criteria for criteria names. Further JOINs to SubjectProfile_Sources, SubjectProfile_Identities, and SubjectProfile_Attributes to resolve identity information linked to the sensitive data match.

SA_SQLServer_SensitiveDataFullPermissionsView

Description: Comprehensive view showing all permissions relevant to sensitive data -- both direct permissions on sensitive objects AND broad server/database permissions that grant implicit access. Uses UNION to combine both permission types.

Source Tables: SA_SQLServer_PermissionsView, SA_SQLServer_SDD_MatchesView

Column NameData TypeSizeNullableSourceDescription
instance_idintYesSA_SQLServer_PermissionsView.instance_idFK to the SQL Server instance
instance_namenvarchar128YesSA_SQLServer_PermissionsView.instance_nameName of the SQL Server instance
database_idintYesSA_SQLServer_PermissionsView.database_idFK to the database
database_namenvarchar128YesSA_SQLServer_PermissionsView.database_nameName of the database
database_usage_modeintYesSA_SQLServer_PermissionsView.database_usage_modeUsage mode of the database
object_idbigintYesSA_SQLServer_PermissionsView.object_id / SA_SQLServer_SDD_MatchesView.object_idFK to the database object
object_namenvarchar128YesSA_SQLServer_PermissionsView.object_name / SA_SQLServer_SDD_MatchesView.object_nameName of the database object
grantee_principal_namenvarchar128YesSA_SQLServer_PermissionsView.grantee_principal_nameName of the principal granted access
grantor_principal_namenvarchar128YesSA_SQLServer_PermissionsView.grantor_principal_nameName of the principal who granted the permission
state_descnvarchar120YesSA_SQLServer_PermissionsView.state_descPermission state (GRANT, DENY, etc.)
permission_namenvarchar128YesSA_SQLServer_PermissionsView.permission_nameName of the permission
permission_classtinyintNoSA_SQLServer_PermissionsView.classPermission class code
permission_class_descriptionnvarchar120YesSA_SQLServer_PermissionsView.class_descDescription of the permission class

Logic: UNION of (1) broad database-level permissions where class IN (100, 101, 105) with specific high-privilege permission types (e.g., CONTROL, ALTER, SELECT) that implicitly grant access to all objects, and (2) object-level permissions on tables that have SDD matches (joined via database_id and object_id).

SA_SQLServer_EffectiveRoleMembershipView

Description: Presents the SA_SQLServer_EffectiveRoleMembership table with a computed Database Type column derived from the database_type integer field via a CASE expression.

Source Tables: SA_SQLServer_EffectiveRoleMembership

Column NameData TypeSizeNullableSourceDescription
Database Typevarchar26NoComputed (CASE on database_type)Human-readable database type: 'SQL Server' (default), 'Azure SQL Database' (2), 'Azure SQL Managed Instance' (6)
instance_idintYesSA_SQLServer_EffectiveRoleMembership.instance_idFK to the SQL Server instance
instance_namenvarchar256YesSA_SQLServer_EffectiveRoleMembership.instance_nameName of the SQL Server instance
database_idintYesSA_SQLServer_EffectiveRoleMembership.database_idFK to the database
database_namenvarchar256YesSA_SQLServer_EffectiveRoleMembership.database_nameName of the database
role_namenvarchar128YesSA_SQLServer_EffectiveRoleMembership.role_nameName of the role
role_idintYesSA_SQLServer_EffectiveRoleMembership.role_idSQL Server principal_id of the role
role_sidvarchar184YesSA_SQLServer_EffectiveRoleMembership.role_sidString representation of the role SID
role_member_namenvarchar128YesSA_SQLServer_EffectiveRoleMembership.role_member_nameName of the role member
role_member_idintYesSA_SQLServer_EffectiveRoleMembership.role_member_idSQL Server principal_id of the member
role_member_sidvarchar184YesSA_SQLServer_EffectiveRoleMembership.role_member_sidString representation of the member SID
role_member_typenvarchar27YesSA_SQLServer_EffectiveRoleMembership.role_member_typeType description of the member
member_pathnvarcharMAXYesSA_SQLServer_EffectiveRoleMembership.member_pathFull nested membership path (e.g., RoleA > RoleB > User)
nested_levelintYesSA_SQLServer_EffectiveRoleMembership.nested_levelDepth of nesting (0 = direct member)
membership_sourceintYesSA_SQLServer_EffectiveRoleMembership.membership_sourceSource indicator for the membership record
database_typeintYesSA_SQLServer_EffectiveRoleMembership.database_typeInteger database type code from DatabaseSystemType enum (1=SqlServer, 2=AzureSqlServer, 6=AzureSqlServerManagedInstance)

Logic: Selects all columns from SA_SQLServer_EffectiveRoleMembership and adds a computed Database Type column using a CASE expression: database_type = 2 maps to 'Azure SQL Database', database_type = 6 maps to 'Azure SQL Managed Instance', all other values (including 0 and 1) map to 'SQL Server'.

SA_SQL_SDD_MatchesView

Description: Filtered wrapper over SA_SQLServer_SDD_MatchesView that restricts results to on-premises SQL Server instances only (where database_usage_mode = 0 or NULL). Used by cross-module reporting that needs SDD match data for non-cloud instances.

Source Tables: SA_SQLServer_SDD_MatchesView

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_MatchesView.resource_idSDD resource identifier
resource_type_idtinyintNoSA_SQLServer_SDD_MatchesView.resource_type_idResource type code
resource_typenvarchar100YesSA_SQLServer_SDD_MatchesView.resource_typeResource type description
instance_idintNoSA_SQLServer_SDD_MatchesView.instance_idFK to SQL Server instance
database_idintYesSA_SQLServer_SDD_MatchesView.database_idFK to database
object_idbigintYesSA_SQLServer_SDD_MatchesView.object_idFK to database object
instance_namenvarchar128YesSA_SQLServer_SDD_MatchesView.instance_nameInstance name
database_namenvarchar128YesSA_SQLServer_SDD_MatchesView.database_nameDatabase name
object_namenvarchar128YesSA_SQLServer_SDD_MatchesView.object_nameObject name
sql_instance_idintYesSA_SQLServer_SDD_MatchesView.sql_instance_idFK to SA_SQL_Instances
database_usage_modeintYesSA_SQLServer_SDD_MatchesView.database_usage_modeUsage mode (always 0 or NULL in this view)
criteria_idintNoSA_SQLServer_SDD_MatchesView.criteria_idFK to SDD criteria
criteria_namenvarcharMAXNoSA_SQLServer_SDD_MatchesView.criteria_nameCriteria pattern name
match_countintNoSA_SQLServer_SDD_MatchesView.match_countNumber of matches found
match_locationvarchar25NoSA_SQLServer_SDD_MatchesView.match_locationDecoded match location (Content, Metadata, Filename)

Logic: SELECT * FROM SA_SQLServer_SDD_MatchesView WHERE (database_usage_mode = 0 OR database_usage_mode IS NULL).

SA_SQL_SDD_MatchHitsView

Description: Filtered wrapper over SA_SQLServer_SDD_MatchHitsView that restricts results to on-premises SQL Server instances only (where database_usage_mode = 0 or NULL). Used by cross-module reporting that needs individual SDD match hit data for non-cloud instances.

Source Tables: SA_SQLServer_SDD_MatchHitsView

Column NameData TypeSizeNullableSourceDescription
resource_idbigintNoSA_SQLServer_SDD_MatchHitsView.resource_idSDD resource identifier
resource_type_idtinyintNoSA_SQLServer_SDD_MatchHitsView.resource_type_idResource type code
resource_typenvarchar100YesSA_SQLServer_SDD_MatchHitsView.resource_typeResource type description
instance_idintNoSA_SQLServer_SDD_MatchHitsView.instance_idFK to SQL Server instance
database_idintYesSA_SQLServer_SDD_MatchHitsView.database_idFK to database
object_idbigintYesSA_SQLServer_SDD_MatchHitsView.object_idFK to database object
instance_namenvarchar128YesSA_SQLServer_SDD_MatchHitsView.instance_nameInstance name
database_namenvarchar128YesSA_SQLServer_SDD_MatchHitsView.database_nameDatabase name
object_namenvarchar128YesSA_SQLServer_SDD_MatchHitsView.object_nameObject name
sql_instance_idintYesSA_SQLServer_SDD_MatchHitsView.sql_instance_idFK to SA_SQL_Instances
database_usage_modeintYesSA_SQLServer_SDD_MatchHitsView.database_usage_modeUsage mode (always 0 or NULL in this view)
criteria_idintNoSA_SQLServer_SDD_MatchHitsView.criteria_idFK to SDD criteria
criteria_namenvarcharMAXNoSA_SQLServer_SDD_MatchHitsView.criteria_nameCriteria pattern name
match_datanvarchar1024NoSA_SQLServer_SDD_MatchHitsView.match_dataMatched data fragment
column_namenvarcharMAXYesSA_SQLServer_SDD_MatchHitsView.column_nameColumn where the hit was found
column_idintNoSA_SQLServer_SDD_MatchHitsView.column_idColumn ordinal position
match_locationvarchar25NoSA_SQLServer_SDD_MatchHitsView.match_locationDecoded match location (Content, Metadata, Filename)

Logic: SELECT * FROM SA_SQLServer_SDD_MatchHitsView WHERE (database_usage_mode = 0 OR database_usage_mode IS NULL).