Sql Pool Blob Auditing Policies - Create Or Update

Service:

Synapse

API Version:

2021-06-01

SQL havuzunun blob denetim ilkesini oluşturur veya güncelleştirir.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Synapse/workspaces/{workspaceName}/sqlPools/{sqlPoolName}/auditingSettings/default?api-version=2021-06-01

URI Parametreleri

Name	İçinde	Gerekli	Tür	Description
blobAuditingPolicyName	path	True	BlobAuditingPolicyName	Blob denetim ilkesinin adı.
resourceGroupName	path	True	string	Kaynak grubunun adı. Ad büyük/küçük harfe duyarlı değildir.
sqlPoolName	path	True	string	SQL havuzu adı
subscriptionId	path	True	string	Hedef aboneliğin kimliği.
workspaceName	path	True	string	Çalışma alanının adı.
api-version	query	True	string	Bu işlem için kullanılacak API sürümü.

İstek Gövdesi

Name	Gerekli	Tür	Description
properties.state	True	BlobAuditingPolicyState	İlkenin durumunu belirtir. Durum Etkinse storageEndpoint veya IsAzureMonitorTargetEnabled gereklidir.
properties.auditActionsAndGroups		string[]	Denetlenecek Actions-Groups ve Eylemleri belirtir. Kullanılması önerilen eylem grubu kümesi aşağıdaki bileşimdir: Bu, veritabanında yürütülen tüm sorguları ve saklı yordamları ve başarılı ve başarısız oturum açma işlemlerini denetler: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. Bu yukarıdaki birleşim, Azure portal denetimi etkinleştirilirken varsayılan olarak yapılandırılan kümedir. Denetlenecek desteklenen eylem grupları şunlardır (not: Yalnızca denetim gereksinimlerinizi karşılayan belirli grupları seçin. Gereksiz grupların kullanılması çok büyük miktarlarda denetim kaydına yol açabilir: APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_ OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP Bunlar, veritabanında yürütülen tüm SQL deyimlerini ve saklı yordamları kapsayan gruplardır ve yinelenen denetim günlüklerine neden olacağı için diğer gruplarla birlikte kullanılmamalıdır. Daha fazla bilgi için bkz. Veritabanı Düzeyinde Denetim Eylem Grupları. Veritabanı denetim ilkesi için belirli Eylemler de belirtilebilir (Sunucu denetim ilkesi için Eylemler belirtilemez). Denetlenecek desteklenen eylemler şunlardır: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES Denetlenecek eylemi tanımlamaya yönelik genel form: {action} ON {object} BY {principal} Yukarıdaki biçimde tablo, görünüm veya saklı yordam gibi bir nesneye ya da veritabanı veya şemanın tamamına başvurabileceğini unutmayın. İkinci durumlarda sırasıyla DATABASE::{db_name} ve SCHEMA::{schema_name} formları kullanılır. Örneğin: SELECT on dbo.myTable by public SELECT on DATABASE::myDatabase by public SELECT on SCHEMA::mySchema by public Daha fazla bilgi için bkz . Veritabanı Düzeyinde Denetim Eylemleri
properties.isAzureMonitorTargetEnabled		boolean	Denetim olaylarının Azure İzleyici'ye gönderilip gönderilmediğini belirtir. Olayları Azure İzleyici'ye göndermek için 'state' değerini 'Enabled' ve 'isAzureMonitorTargetEnabled' değerini true olarak belirtin. Denetimi yapılandırmak için REST API kullanılırken veritabanında 'SQLSecurityAuditEvents' tanılama günlükleri kategorisine sahip Tanılama Ayarları da oluşturulmalıdır. Sunucu düzeyinde denetim için 'ana' veritabanını {databaseName} olarak kullanmanız gerektiğini unutmayın. Tanılama Ayarları URI biçimi: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview Daha fazla bilgi için bkz . Tanılama Ayarları REST API'si veya Tanılama Ayarları PowerShell
properties.isStorageSecondaryKeyInUse		boolean	storageAccountAccessKey değerinin depolamanın ikincil anahtarı olup olmadığını belirtir.
properties.retentionDays		integer	Depolama hesabındaki denetim günlüklerinde tutulacak gün sayısını belirtir.
properties.storageAccountAccessKey		string	Denetim depolama hesabının tanımlayıcı anahtarını belirtir. Durum Etkinse ve storageEndpoint belirtilirse storageAccountAccessKey gereklidir.
properties.storageAccountSubscriptionId		string	Blob depolama abonelik kimliğini belirtir.
properties.storageEndpoint		string	Blob depolama uç noktasını belirtir (örneğin https://MyAccount.blob.core.windows.net). Durum Etkinse storageEndpoint gereklidir.

Yanıtlar

Name	Tür	Description
200 OK	SqlPoolBlobAuditingPolicy	Sql havuzu blobu denetim ilkesini başarıyla ayarlama
201 Created	SqlPoolBlobAuditingPolicy	Sql havuzu blobu denetim ilkesi başarıyla oluşturuldu.
Other Status Codes		Hata Yanıtları: *** 400 BlobAuditingIsNotSupportedOnResourceType - Blob Denetimi şu anda bu kaynak türü için desteklenmiyor. 400 InvalidDatabaseBlobAuditingPolicyCreateRequest - Veritabanı blobu oluşturma denetim ilkesi isteği yok veya özellik nesnesi yok. 400 InvalidBlobAuditActionsAndGroups - Geçersiz denetim eylemleri veya eylem grupları. 400 DataSecurityInvalidUserSuppliedParameter - İstemci tarafından geçersiz bir parametre değeri sağlandı. 400 BlobAuditingInvalidStorageAccountName - Sağlanan depolama hesabı geçerli değil veya yok. 400 UpdateNotAllowedOnPausedDatabase - Kullanıcı duraklatılmış bir veritabanında güncelleştirme gerçekleştirmeye çalıştı. 400 BlobAuditingInvalidStorageAccountCredentials - Sağlanan depolama hesabı veya erişim anahtarı geçerli değil. 400 BlobAuditingIsNotSupportedOnGeoDr - Blob denetimi yalnızca birincil veritabanlarında yapılandırılabilir. 400 InvalidBlobAuditActionsAndGroupsForDW - DW için desteklenmeyen denetim eylemleri veya eylem grupları. 400 BlobAuditingInsufficientStorageAccountPermissions - Sağlanan depolama hesabında yeterli okuma veya yazma izni yok. 400 BlobAuditingStorageAccountIsDisabled - Sağlanan depolama hesabı devre dışı bırakıldı. 400 InvalidBlobAuditActions - Geçersiz denetim eylemi 404 SourceDatabaseNotFound - Kaynak veritabanı yok. 404 DatabaseDoesNotExist - Kullanıcı bu sunucu örneğinde var olmayan bir veritabanı adı belirtti. 500 DatabaseIsUnavailable - Yükleme başarısız oldu. Lütfen daha sonra yeniden deneyin.

Örnekler

Create or update a database's blob auditing policy with all parameters

Create or update a database's blob auditing policy with minimal parameters

Create or update a database's blob auditing policy with all parameters

Sample Request

HTTP

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb/auditingSettings/default?api-version=2021-06-01

{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "retentionDays": 6,
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isStorageSecondaryKeyInUse": false,
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public"
    ],
    "isAzureMonitorTargetEnabled": true
  }
}

Java

import com.azure.resourcemanager.synapse.models.BlobAuditingPolicyState;
import java.util.Arrays;
import java.util.UUID;

/** Samples for SqlPoolBlobAuditingPolicies CreateOrUpdate. */
public final class Main {
    /*
     * x-ms-original-file: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithAllParameters.json
     */
    /**
     * Sample code: Create or update a database's blob auditing policy with all parameters.
     *
     * @param manager Entry point to SynapseManager.
     */
    public static void createOrUpdateADatabaseSBlobAuditingPolicyWithAllParameters(
        com.azure.resourcemanager.synapse.SynapseManager manager) {
        manager
            .sqlPoolBlobAuditingPolicies()
            .define()
            .withExistingSqlPool("blobauditingtest-4799", "blobauditingtest-6440", "testdb")
            .withState(BlobAuditingPolicyState.ENABLED)
            .withStorageEndpoint("https://mystorage.blob.core.windows.net")
            .withStorageAccountAccessKey(
                "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==")
            .withRetentionDays(6)
            .withAuditActionsAndGroups(
                Arrays
                    .asList(
                        "DATABASE_LOGOUT_GROUP",
                        "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
                        "UPDATE on database::TestDatabaseName by public"))
            .withStorageAccountSubscriptionId(UUID.fromString("00000000-1234-0000-5678-000000000000"))
            .withIsStorageSecondaryKeyInUse(false)
            .withIsAzureMonitorTargetEnabled(true)
            .create();
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Python

from azure.identity import DefaultAzureCredential
from azure.mgmt.synapse import SynapseManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-synapse
# USAGE
    python create_or_update_sql_pool_blob_auditing_with_all_parameters.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SynapseManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="00000000-1111-2222-3333-444444444444",
    )

    response = client.sql_pool_blob_auditing_policies.create_or_update(
        resource_group_name="blobauditingtest-4799",
        workspace_name="blobauditingtest-6440",
        sql_pool_name="testdb",
        parameters={
            "properties": {
                "auditActionsAndGroups": [
                    "DATABASE_LOGOUT_GROUP",
                    "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
                    "UPDATE on database::TestDatabaseName by public",
                ],
                "isAzureMonitorTargetEnabled": True,
                "isStorageSecondaryKeyInUse": False,
                "retentionDays": 6,
                "state": "Enabled",
                "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
                "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
                "storageEndpoint": "https://mystorage.blob.core.windows.net",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithAllParameters.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armsynapse_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/synapse/armsynapse"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/630ec444f8dd7c09b9cdd5fa99951f8a0d1ad41f/specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithAllParameters.json
func ExampleSQLPoolBlobAuditingPoliciesClient_CreateOrUpdate_createOrUpdateADatabasesBlobAuditingPolicyWithAllParameters() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsynapse.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewSQLPoolBlobAuditingPoliciesClient().CreateOrUpdate(ctx, "blobauditingtest-4799", "blobauditingtest-6440", "testdb", armsynapse.SQLPoolBlobAuditingPolicy{
		Properties: &armsynapse.SQLPoolBlobAuditingPolicyProperties{
			AuditActionsAndGroups: []*string{
				to.Ptr("DATABASE_LOGOUT_GROUP"),
				to.Ptr("DATABASE_ROLE_MEMBER_CHANGE_GROUP"),
				to.Ptr("UPDATE on database::TestDatabaseName by public")},
			IsAzureMonitorTargetEnabled:  to.Ptr(true),
			IsStorageSecondaryKeyInUse:   to.Ptr(false),
			RetentionDays:                to.Ptr[int32](6),
			State:                        to.Ptr(armsynapse.BlobAuditingPolicyStateEnabled),
			StorageAccountAccessKey:      to.Ptr("sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD=="),
			StorageAccountSubscriptionID: to.Ptr("00000000-1234-0000-5678-000000000000"),
			StorageEndpoint:              to.Ptr("https://mystorage.blob.core.windows.net"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.SQLPoolBlobAuditingPolicy = armsynapse.SQLPoolBlobAuditingPolicy{
	// 	Name: to.Ptr("default"),
	// 	Type: to.Ptr("Microsoft.Synapse/workspaces/sqlPools/auditingSettings"),
	// 	ID: to.Ptr("/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb"),
	// 	Kind: to.Ptr("V12"),
	// 	Properties: &armsynapse.SQLPoolBlobAuditingPolicyProperties{
	// 		AuditActionsAndGroups: []*string{
	// 			to.Ptr("DATABASE_LOGOUT_GROUP"),
	// 			to.Ptr("DATABASE_ROLE_MEMBER_CHANGE_GROUP"),
	// 			to.Ptr("UPDATE on database::TestDatabaseName by public")},
	// 			IsAzureMonitorTargetEnabled: to.Ptr(true),
	// 			IsStorageSecondaryKeyInUse: to.Ptr(false),
	// 			RetentionDays: to.Ptr[int32](0),
	// 			State: to.Ptr(armsynapse.BlobAuditingPolicyStateEnabled),
	// 			StorageAccountSubscriptionID: to.Ptr("00000000-1234-0000-5678-000000000000"),
	// 			StorageEndpoint: to.Ptr("https://mystorage.blob.core.windows.net"),
	// 		},
	// 	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { SynapseManagementClient } = require("@azure/arm-synapse");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Creates or updates a SQL pool's blob auditing policy.
 *
 * @summary Creates or updates a SQL pool's blob auditing policy.
 * x-ms-original-file: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithAllParameters.json
 */
async function createOrUpdateADatabaseBlobAuditingPolicyWithAllParameters() {
  const subscriptionId =
    process.env["SYNAPSE_SUBSCRIPTION_ID"] || "00000000-1111-2222-3333-444444444444";
  const resourceGroupName = process.env["SYNAPSE_RESOURCE_GROUP"] || "blobauditingtest-4799";
  const workspaceName = "blobauditingtest-6440";
  const sqlPoolName = "testdb";
  const parameters = {
    auditActionsAndGroups: [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public",
    ],
    isAzureMonitorTargetEnabled: true,
    isStorageSecondaryKeyInUse: false,
    retentionDays: 6,
    state: "Enabled",
    storageAccountAccessKey:
      "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    storageAccountSubscriptionId: "00000000-1234-0000-5678-000000000000",
    storageEndpoint: "https://mystorage.blob.core.windows.net",
  };
  const credential = new DefaultAzureCredential();
  const client = new SynapseManagementClient(credential, subscriptionId);
  const result = await client.sqlPoolBlobAuditingPolicies.createOrUpdate(
    resourceGroupName,
    workspaceName,
    sqlPoolName,
    parameters
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Synapse;
using Azure.ResourceManager.Synapse.Models;

// Generated from example definition: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithAllParameters.json
// this example is just showing the usage of "SqlPoolBlobAuditingPolicies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SynapseSqlPoolBlobAuditingPolicyResource created on azure
// for more information of creating SynapseSqlPoolBlobAuditingPolicyResource, please refer to the document of SynapseSqlPoolBlobAuditingPolicyResource
string subscriptionId = "00000000-1111-2222-3333-444444444444";
string resourceGroupName = "blobauditingtest-4799";
string workspaceName = "blobauditingtest-6440";
string sqlPoolName = "testdb";
ResourceIdentifier synapseSqlPoolBlobAuditingPolicyResourceId = SynapseSqlPoolBlobAuditingPolicyResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, workspaceName, sqlPoolName);
SynapseSqlPoolBlobAuditingPolicyResource synapseSqlPoolBlobAuditingPolicy = client.GetSynapseSqlPoolBlobAuditingPolicyResource(synapseSqlPoolBlobAuditingPolicyResourceId);

// invoke the operation
SynapseSqlPoolBlobAuditingPolicyData data = new SynapseSqlPoolBlobAuditingPolicyData()
{
    State = SynapseBlobAuditingPolicyState.Enabled,
    StorageEndpoint = "https://mystorage.blob.core.windows.net",
    StorageAccountAccessKey = "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    RetentionDays = 6,
    AuditActionsAndGroups =
    {
    "DATABASE_LOGOUT_GROUP","DATABASE_ROLE_MEMBER_CHANGE_GROUP","UPDATE on database::TestDatabaseName by public"
    },
    StorageAccountSubscriptionId = Guid.Parse("00000000-1234-0000-5678-000000000000"),
    IsStorageSecondaryKeyInUse = false,
    IsAzureMonitorTargetEnabled = true,
};
ArmOperation<SynapseSqlPoolBlobAuditingPolicyResource> lro = await synapseSqlPoolBlobAuditingPolicy.CreateOrUpdateAsync(WaitUntil.Completed, data);
SynapseSqlPoolBlobAuditingPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SynapseSqlPoolBlobAuditingPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

200

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb",
  "name": "default",
  "type": "Microsoft.Synapse/workspaces/sqlPools/auditingSettings",
  "kind": "V12",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "retentionDays": 0,
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isStorageSecondaryKeyInUse": false,
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public"
    ],
    "isAzureMonitorTargetEnabled": true
  }
}

Status code:

201

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb",
  "name": "default",
  "type": "Microsoft.Synapse/workspaces/sqlPools/auditingSettings",
  "kind": "V12",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "retentionDays": 0,
    "storageAccountSubscriptionId": "00000000-1234-0000-5678-000000000000",
    "isStorageSecondaryKeyInUse": false,
    "auditActionsAndGroups": [
      "DATABASE_LOGOUT_GROUP",
      "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
      "UPDATE on database::TestDatabaseName by public"
    ],
    "isAzureMonitorTargetEnabled": true
  }
}

Create or update a database's blob auditing policy with minimal parameters

Sample Request

HTTP

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb/auditingSettings/default?api-version=2021-06-01

{
  "properties": {
    "state": "Enabled",
    "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    "storageEndpoint": "https://mystorage.blob.core.windows.net"
  }
}

Java

import com.azure.resourcemanager.synapse.models.BlobAuditingPolicyState;

/** Samples for SqlPoolBlobAuditingPolicies CreateOrUpdate. */
public final class Main {
    /*
     * x-ms-original-file: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithMinParameters.json
     */
    /**
     * Sample code: Create or update a database's blob auditing policy with minimal parameters.
     *
     * @param manager Entry point to SynapseManager.
     */
    public static void createOrUpdateADatabaseSBlobAuditingPolicyWithMinimalParameters(
        com.azure.resourcemanager.synapse.SynapseManager manager) {
        manager
            .sqlPoolBlobAuditingPolicies()
            .define()
            .withExistingSqlPool("blobauditingtest-4799", "blobauditingtest-6440", "testdb")
            .withState(BlobAuditingPolicyState.ENABLED)
            .withStorageEndpoint("https://mystorage.blob.core.windows.net")
            .withStorageAccountAccessKey(
                "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==")
            .create();
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Python

from azure.identity import DefaultAzureCredential
from azure.mgmt.synapse import SynapseManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-synapse
# USAGE
    python create_or_update_sql_pool_blob_auditing_with_min_parameters.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = SynapseManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="00000000-1111-2222-3333-444444444444",
    )

    response = client.sql_pool_blob_auditing_policies.create_or_update(
        resource_group_name="blobauditingtest-4799",
        workspace_name="blobauditingtest-6440",
        sql_pool_name="testdb",
        parameters={
            "properties": {
                "state": "Enabled",
                "storageAccountAccessKey": "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
                "storageEndpoint": "https://mystorage.blob.core.windows.net",
            }
        },
    )
    print(response)


# x-ms-original-file: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithMinParameters.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Go

package armsynapse_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/synapse/armsynapse"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/630ec444f8dd7c09b9cdd5fa99951f8a0d1ad41f/specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithMinParameters.json
func ExampleSQLPoolBlobAuditingPoliciesClient_CreateOrUpdate_createOrUpdateADatabasesBlobAuditingPolicyWithMinimalParameters() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armsynapse.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	res, err := clientFactory.NewSQLPoolBlobAuditingPoliciesClient().CreateOrUpdate(ctx, "blobauditingtest-4799", "blobauditingtest-6440", "testdb", armsynapse.SQLPoolBlobAuditingPolicy{
		Properties: &armsynapse.SQLPoolBlobAuditingPolicyProperties{
			State:                   to.Ptr(armsynapse.BlobAuditingPolicyStateEnabled),
			StorageAccountAccessKey: to.Ptr("sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD=="),
			StorageEndpoint:         to.Ptr("https://mystorage.blob.core.windows.net"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.SQLPoolBlobAuditingPolicy = armsynapse.SQLPoolBlobAuditingPolicy{
	// 	Name: to.Ptr("default"),
	// 	Type: to.Ptr("Microsoft.Synapse/workspaces/sqlPools/auditingSettings"),
	// 	ID: to.Ptr("/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb"),
	// 	Kind: to.Ptr("V12"),
	// 	Properties: &armsynapse.SQLPoolBlobAuditingPolicyProperties{
	// 		AuditActionsAndGroups: []*string{
	// 			to.Ptr("SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP"),
	// 			to.Ptr("FAILED_DATABASE_AUTHENTICATION_GROUP"),
	// 			to.Ptr("BATCH_COMPLETED_GROUP")},
	// 			IsAzureMonitorTargetEnabled: to.Ptr(false),
	// 			IsStorageSecondaryKeyInUse: to.Ptr(false),
	// 			RetentionDays: to.Ptr[int32](0),
	// 			State: to.Ptr(armsynapse.BlobAuditingPolicyStateEnabled),
	// 			StorageAccountSubscriptionID: to.Ptr("00000000-0000-0000-0000-000000000000"),
	// 			StorageEndpoint: to.Ptr("https://mystorage.blob.core.windows.net"),
	// 		},
	// 	}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

JavaScript

const { SynapseManagementClient } = require("@azure/arm-synapse");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Creates or updates a SQL pool's blob auditing policy.
 *
 * @summary Creates or updates a SQL pool's blob auditing policy.
 * x-ms-original-file: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithMinParameters.json
 */
async function createOrUpdateADatabaseBlobAuditingPolicyWithMinimalParameters() {
  const subscriptionId =
    process.env["SYNAPSE_SUBSCRIPTION_ID"] || "00000000-1111-2222-3333-444444444444";
  const resourceGroupName = process.env["SYNAPSE_RESOURCE_GROUP"] || "blobauditingtest-4799";
  const workspaceName = "blobauditingtest-6440";
  const sqlPoolName = "testdb";
  const parameters = {
    state: "Enabled",
    storageAccountAccessKey:
      "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
    storageEndpoint: "https://mystorage.blob.core.windows.net",
  };
  const credential = new DefaultAzureCredential();
  const client = new SynapseManagementClient(credential, subscriptionId);
  const result = await client.sqlPoolBlobAuditingPolicies.createOrUpdate(
    resourceGroupName,
    workspaceName,
    sqlPoolName,
    parameters
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

dotnet

using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager;
using Azure.ResourceManager.Synapse;
using Azure.ResourceManager.Synapse.Models;

// Generated from example definition: specification/synapse/resource-manager/Microsoft.Synapse/stable/2021-06-01/examples/CreateOrUpdateSqlPoolBlobAuditingWithMinParameters.json
// this example is just showing the usage of "SqlPoolBlobAuditingPolicies_CreateOrUpdate" operation, for the dependent resources, they will have to be created separately.

// get your azure access token, for more details of how Azure SDK get your access token, please refer to https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication?tabs=command-line
TokenCredential cred = new DefaultAzureCredential();
// authenticate your client
ArmClient client = new ArmClient(cred);

// this example assumes you already have this SynapseSqlPoolBlobAuditingPolicyResource created on azure
// for more information of creating SynapseSqlPoolBlobAuditingPolicyResource, please refer to the document of SynapseSqlPoolBlobAuditingPolicyResource
string subscriptionId = "00000000-1111-2222-3333-444444444444";
string resourceGroupName = "blobauditingtest-4799";
string workspaceName = "blobauditingtest-6440";
string sqlPoolName = "testdb";
ResourceIdentifier synapseSqlPoolBlobAuditingPolicyResourceId = SynapseSqlPoolBlobAuditingPolicyResource.CreateResourceIdentifier(subscriptionId, resourceGroupName, workspaceName, sqlPoolName);
SynapseSqlPoolBlobAuditingPolicyResource synapseSqlPoolBlobAuditingPolicy = client.GetSynapseSqlPoolBlobAuditingPolicyResource(synapseSqlPoolBlobAuditingPolicyResourceId);

// invoke the operation
SynapseSqlPoolBlobAuditingPolicyData data = new SynapseSqlPoolBlobAuditingPolicyData()
{
    State = SynapseBlobAuditingPolicyState.Enabled,
    StorageEndpoint = "https://mystorage.blob.core.windows.net",
    StorageAccountAccessKey = "sdlfkjabc+sdlfkjsdlkfsjdfLDKFTERLKFDFKLjsdfksjdflsdkfD2342309432849328476458/3RSD==",
};
ArmOperation<SynapseSqlPoolBlobAuditingPolicyResource> lro = await synapseSqlPoolBlobAuditingPolicy.CreateOrUpdateAsync(WaitUntil.Completed, data);
SynapseSqlPoolBlobAuditingPolicyResource result = lro.Value;

// the variable result is a resource, you could call other operations on this instance as well
// but just for demo, we get its data from this resource instance
SynapseSqlPoolBlobAuditingPolicyData resourceData = result.Data;
// for demo we just print out the id
Console.WriteLine($"Succeeded on id: {resourceData.Id}");

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:

200

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb",
  "name": "default",
  "type": "Microsoft.Synapse/workspaces/sqlPools/auditingSettings",
  "kind": "V12",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "retentionDays": 0,
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
    "isStorageSecondaryKeyInUse": false,
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": false
  }
}

Status code:

201

{
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/blobauditingtest-4799/providers/Microsoft.Synapse/workspaces/blobauditingtest-6440/sqlPools/testdb",
  "name": "default",
  "type": "Microsoft.Synapse/workspaces/sqlPools/auditingSettings",
  "kind": "V12",
  "properties": {
    "state": "Enabled",
    "storageEndpoint": "https://mystorage.blob.core.windows.net",
    "retentionDays": 0,
    "storageAccountSubscriptionId": "00000000-0000-0000-0000-000000000000",
    "isStorageSecondaryKeyInUse": false,
    "auditActionsAndGroups": [
      "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
      "FAILED_DATABASE_AUTHENTICATION_GROUP",
      "BATCH_COMPLETED_GROUP"
    ],
    "isAzureMonitorTargetEnabled": false
  }
}

Tanımlar

Name	Description
BlobAuditingPolicyName	Blob denetim ilkesinin adı.
BlobAuditingPolicyState	İlkenin durumunu belirtir. Durum Etkinse storageEndpoint veya IsAzureMonitorTargetEnabled gereklidir.
SqlPoolBlobAuditingPolicy	Sql havuzu blobu denetim ilkesi.

BlobAuditingPolicyName

Blob denetim ilkesinin adı.

Name	Tür	Description
default	string

BlobAuditingPolicyState

İlkenin durumunu belirtir. Durum Etkinse storageEndpoint veya IsAzureMonitorTargetEnabled gereklidir.

Name	Tür	Description
Disabled	string
Enabled	string

SqlPoolBlobAuditingPolicy

Sql havuzu blobu denetim ilkesi.

Name	Tür	Varsayılan değer	Description
id	string		Kaynağın tam kaynak kimliği. Ex - /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}
kind	string		Kaynak türü.
name	string		Kaynağın adı
properties.auditActionsAndGroups	string[]		Denetlenecek Actions-Groups ve Eylemleri belirtir. Kullanılması önerilen eylem grubu kümesi aşağıdaki bileşimdir: Bu, veritabanında yürütülen tüm sorguları ve saklı yordamları ve başarılı ve başarısız oturum açma işlemlerini denetler: BATCH_COMPLETED_GROUP, SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP. Bu yukarıdaki birleşim, Azure portal denetimi etkinleştirilirken varsayılan olarak yapılandırılan kümedir. Denetlenecek desteklenen eylem grupları şunlardır (not: Yalnızca denetim gereksinimlerinizi karşılayan belirli grupları seçin. Gereksiz grupların kullanılması çok büyük miktarlarda denetim kaydına yol açabilir: APPLICATION_ROLE_CHANGE_PASSWORD_GROUP BACKUP_RESTORE_GROUP DATABASE_LOGOUT_GROUP DATABASE_OBJECT_CHANGE_GROUP DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP DATABASE_OBJECT_PERMISSION_CHANGE_GROUP DATABASE_OPERATION_GROUP DATABASE_PERMISSION_CHANGE_GROUP DATABASE_PRINCIPAL_CHANGE_GROUP DATABASE_PRINCIPAL_IMPERSONATION_GROUP DATABASE_ROLE_MEMBER_CHANGE_GROUP FAILED_DATABASE_AUTHENTICATION_GROUP SCHEMA_OBJECT_ACCESS_GROUP SCHEMA_OBJECT_CHANGE_GROUP SCHEMA_OBJECT_ OWNERSHIP_CHANGE_GROUP SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP USER_CHANGE_PASSWORD_GROUP BATCH_STARTED_GROUP BATCH_COMPLETED_GROUP Bunlar, veritabanında yürütülen tüm SQL deyimlerini ve saklı yordamları kapsayan gruplardır ve yinelenen denetim günlüklerine neden olacağı için diğer gruplarla birlikte kullanılmamalıdır. Daha fazla bilgi için bkz. Veritabanı Düzeyinde Denetim Eylem Grupları. Veritabanı denetim ilkesi için belirli Eylemler de belirtilebilir (Sunucu denetim ilkesi için Eylemler belirtilemez). Denetlenecek desteklenen eylemler şunlardır: SELECT UPDATE INSERT DELETE EXECUTE RECEIVE REFERENCES Denetlenecek eylemi tanımlamaya yönelik genel form: {action} ON {object} BY {principal} Yukarıdaki biçimde tablo, görünüm veya saklı yordam gibi bir nesneye ya da veritabanı veya şemanın tamamına başvurabileceğini unutmayın. İkinci durumlarda sırasıyla DATABASE::{db_name} ve SCHEMA::{schema_name} formları kullanılır. Örneğin: SELECT on dbo.myTable by public SELECT on DATABASE::myDatabase by public SELECT on SCHEMA::mySchema by public Daha fazla bilgi için bkz . Veritabanı Düzeyinde Denetim Eylemleri
properties.isAzureMonitorTargetEnabled	boolean	False	Denetim olaylarının Azure İzleyici'ye gönderilip gönderilmediğini belirtir. Olayları Azure İzleyici'ye göndermek için 'state' değerini 'Enabled' ve 'isAzureMonitorTargetEnabled' değerini true olarak belirtin. Denetimi yapılandırmak için REST API kullanılırken veritabanında 'SQLSecurityAuditEvents' tanılama günlükleri kategorisine sahip Tanılama Ayarları da oluşturulmalıdır. Sunucu düzeyinde denetim için 'ana' veritabanını {databaseName} olarak kullanmanız gerektiğini unutmayın. Tanılama Ayarları URI biçimi: PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{serverName}/databases/{databaseName}/providers/microsoft.insights/diagnosticSettings/{settingsName}?api-version=2017-05-01-preview Daha fazla bilgi için bkz . Tanılama Ayarları REST API'si veya Tanılama Ayarları PowerShell
properties.isStorageSecondaryKeyInUse	boolean		storageAccountAccessKey değerinin depolamanın ikincil anahtarı olup olmadığını belirtir.
properties.retentionDays	integer		Depolama hesabındaki denetim günlüklerinde tutulacak gün sayısını belirtir.
properties.state	BlobAuditingPolicyState		İlkenin durumunu belirtir. Durum Etkinse storageEndpoint veya IsAzureMonitorTargetEnabled gereklidir.
properties.storageAccountAccessKey	string		Denetim depolama hesabının tanımlayıcı anahtarını belirtir. Durum Etkinse ve storageEndpoint belirtilirse storageAccountAccessKey gereklidir.
properties.storageAccountSubscriptionId	string		Blob depolama abonelik kimliğini belirtir.
properties.storageEndpoint	string		Blob depolama uç noktasını belirtir (örneğin https://MyAccount.blob.core.windows.net). Durum Etkinse storageEndpoint gereklidir.
type	string		Kaynağın türü. Örneğin, "Microsoft.Compute/virtualMachines" veya "Microsoft.Storage/storageAccounts"