To isolate internal tables from third-party database access, we've created schemas specifically for that use case. Third-party logins/DB users only have access to those "public" schemas.
The problem is that the user had more permissions than it should have, and many third-party queries access the internal tables.
Since I can't just remove the permissions abruptly, I'd like to do it bit by bit, identifying problematic queries and changing them accordingly.
For this purpose I tried to use the SQL Server Database Auditing features, but it looks like I'm missing the information to do what I need:
Let's say I have the table [Internal].[Machine] and the view [Public].[Machine], which for simplicity is just select * from [Internal].[Machine]. The user viewer only has permission to select from [Public].[Machine].
Adding a "Database Audit Specification" for (Type=SELECT, ObjectClass=SCHEMA, ObjectName=Internal, PrincipalName=viewer) produces an entry for both select * from [Internal].[Machine] and select * from [Public].[Machine].
My goal is to only have an entry for select * from [Internal].[Machine], i.e. when the object is directly accessed by the query statement. As far as I've seen, the produced rows do not contain the information necessary to differentiate between the two.
Is this somehow possible with the SQL Server Audit/Extended Events feature (or something else altogether)?
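The setup described in the question, as an added T-SQL script that is not part of the original post: it creates the two schemas, the table, the view, the viewer user and the audit specification, runs both statements as viewer, and reads the audit file back. The database name AuditDemo, the audit file path C:\SqlAudit\ and the sample row are placeholders chosen for this example; the schema, table, view and user names are the ones from the question.

```sql
-- Added example reproducing the question's setup; not code from the original post.
-- AuditDemo, C:\SqlAudit\ and the sample row are placeholders (assumptions).
USE master;
GO
-- The audit target directory must exist and be writable by the SQL Server service account.
CREATE SERVER AUDIT InternalSchemaAudit
    TO FILE (FILEPATH = N'C:\SqlAudit\');
ALTER SERVER AUDIT InternalSchemaAudit WITH (STATE = ON);
GO
USE AuditDemo;   -- placeholder database
GO
CREATE SCHEMA Internal;
GO
CREATE SCHEMA [Public];
GO
CREATE TABLE Internal.Machine (Id int PRIMARY KEY, Name nvarchar(100));
INSERT INTO Internal.Machine (Id, Name) VALUES (1, N'press-01');  -- constructed sample row
GO
CREATE VIEW [Public].Machine AS SELECT * FROM Internal.Machine;
GO
-- A loginless user keeps the demo self-contained; it only gets SELECT on the view.
CREATE USER viewer WITHOUT LOGIN;
GRANT SELECT ON OBJECT::[Public].Machine TO viewer;
GO
-- The audit specification from the question: SELECT on the Internal schema, by viewer.
CREATE DATABASE AUDIT SPECIFICATION InternalSelectSpec
    FOR SERVER AUDIT InternalSchemaAudit
    ADD (SELECT ON SCHEMA::Internal BY viewer)
    WITH (STATE = ON);
GO
-- Run both statements as viewer. The view works through the ownership chain
-- (view and table are both owned by dbo); the direct SELECT is denied, but a
-- denied SELECT is still audited (succeeded = 0).
EXECUTE AS USER = 'viewer';
SELECT * FROM [Public].Machine;
BEGIN TRY
    SELECT * FROM Internal.Machine;
END TRY
BEGIN CATCH
    PRINT ERROR_MESSAGE();
END CATCH;
REVERT;
GO
-- Read the audit file. Both statements are reported against schema_name = Internal
-- and object_name = Machine; the statement column carries the text as submitted.
SELECT event_time, succeeded, database_principal_name,
       schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'C:\SqlAudit\*', DEFAULT, DEFAULT)
WHERE database_principal_name = N'viewer'
ORDER BY event_time;
```

Running the last query shows the behaviour the question describes: the audit record identifies the base table for both statements, and the only column that differs between the two rows is statement, the text the client sent. That text is a lead for finding third-party queries, but it is not a reliable classifier on its own, since the same base table can be reached through aliases, stored procedures or dynamic SQL that never name [Internal].[Machine] directly.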