Extract table permissions from SQL Server 2005 - sql-server-2005

How do you extract the user roles with type = database role from a table's permissions, so I can put those permissions in another CREATE TABLE script and the new table has the same user roles?

You could try something like this - inspect the system catalog views sys.database_permissions and sys.database_principals:
SELECT
dp.class,
dp.class_desc,
dp.permission_name,
object_name(dp.major_id) 'Database object',
p.name 'Granted to',
dp.major_id,
object_name(dp.major_id),
dp.minor_id,
dp.grantee_principal_id,
dp.type,
dp.state,
dp.state_desc
FROM
sys.database_permissions AS dp
INNER JOIN
sys.database_principals AS p ON dp.grantee_principal_id = p.principal_id
WHERE
class = 1 -- object-level permissions
Read more about sys.database_permissions and sys.database_principals in the MSDN SQL Server Books Online.
Update: if you want to limit it to a single table, use this WHERE clause:
WHERE
class = 1 -- object-level permissions
AND dp.major_id = OBJECT_ID('your-table-name-here')
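Building on the catalog query above, here is an added example (not part of the original answer) that turns the same rows into GRANT/DENY statements restricted to database roles (sys.database_principals.type = 'R'), ready to be pasted after the new CREATE TABLE. @SourceTable and @TargetTable are placeholders to fill in; column-level grants (minor_id > 0) and WITH GRANT OPTION (state 'W') are handled as well.

```sql
-- Added example: script the object-level permissions held by database roles
-- on @SourceTable as statements that reapply them to @TargetTable.
DECLARE @SourceTable sysname, @TargetTable sysname;
SET @SourceTable = N'dbo.YourSourceTable';   -- placeholder
SET @TargetTable = N'dbo.YourNewTable';      -- placeholder

SELECT
    CASE dp.state
        WHEN 'G' THEN 'GRANT '
        WHEN 'W' THEN 'GRANT '               -- GRANT_WITH_GRANT_OPTION
        ELSE 'DENY '
    END
    + dp.permission_name
    -- column-level permissions carry the column id in minor_id
    + CASE WHEN dp.minor_id > 0
           THEN ' (' + QUOTENAME(c.name) + ')'
           ELSE '' END
    + ' ON OBJECT::' + @TargetTable
    + ' TO ' + QUOTENAME(pr.name)
    + CASE WHEN dp.state = 'W' THEN ' WITH GRANT OPTION' ELSE '' END
    + ';' AS permission_script
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
    ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.columns AS c
    ON c.object_id = dp.major_id AND c.column_id = dp.minor_id
WHERE dp.class = 1                           -- OBJECT_OR_COLUMN
  AND dp.major_id = OBJECT_ID(@SourceTable)
  AND pr.type = 'R'                          -- database roles only
  AND dp.state IN ('G', 'W', 'D')            -- grant, grant w/ option, deny
ORDER BY pr.name, dp.permission_name, dp.minor_id;
```

Review the generated script before running it: a DENY copied from the source table is as much a part of the role's effective rights as the GRANTs, so drop it only deliberately.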

Related

Checking Truncate/Alter Permission for a login

How to check whether a login has truncate permission for a particular table?
We have a login called Test for which we have given ALTER permission to particular tables only. Now I want to get the list of tables for which the Test login has ALTER permission.
I checked on Google and forums but couldn't find any answer.
Assuming that you have the ability to impersonate the user, you can do the following:
execute as user = 'Test';
select p.*
from sys.tables as t
cross apply sys.fn_my_permissions(t.name, 'OBJECT') as p
where permission_name = 'ALTER';
revert;
If you want to list the permissions for a particular user, try the query below.
SELECT OBJECT_NAME(major_id) TableName,PERMISSION_NAME, STATE_DESC, U.name UserName
FROM sys.database_permissions P
JOIN sys.tables T ON P.major_id = T.object_id
JOIN sysusers U ON U.uid = P.grantee_principal_id
WHERE U.name='Test'
You could use the following function as well to quickly check the permissions that are available for a specific user.
MS SQL Documentation that will give you some useful information on its usage is provided in the link.
Syntax:
SELECT * FROM sys.fn_my_permissions('TEST', 'USER');

Checking impersonation in SQL Server

I have several DBs with UserA and UserB.
In some of those DBs, impersonation has been granted (GRANT IMPERSONATE ON LOGIN::UserA TO UserB), in other DBs users have no impersonation.
How can I check with a query if a user has got the impersonation or not?
Does a flag exist in any system table for this?
I found this query...
SELECT DB_NAME() AS 'database'
,pe.permission_name
,pe.state_desc
,pr.name AS 'grantee'
,pr2.name AS 'grantor'
FROM sys.database_permissions pe
JOIN sys.database_principals pr
ON pe.grantee_principal_id = pr.principal_Id
JOIN sys.database_principals pr2
ON pe.grantor_principal_id = pr2.principal_Id
WHERE pe.type = 'IM'
Here...
http://tenbulls.co.uk/2012/01/30/what-are-the-impersonation-rights-for-my-database-users/

In SQL Server 2005, how can I write a query to list all logins, their server roles, their corresponding users in all DBs, and their DB roles?

I'm not clear about the security-related catalog views in SQL Server 2005 or 2008. I want to list all logins, their server roles, their corresponding users in all databases, and all database roles in one query. How can I write the query?
I know there are some catalog views to use, but I'm not familiar with their relation. These catalog views include: sys.database_role_member, sys.database_principals, sys.server_role_member, sys.server_principals.
Thanks.
You cannot have one query list all databases because the list is dynamic. Your best bet is to use sp_msforeachdb and have a batch construct the result and return it:
set nocount on;
create table #result (sid varbinary(85),
server_principal_id int,
database_id int,
database_principal_id int);
exec sp_msforeachdb 'insert into #result
(sid, server_principal_id, database_id, database_principal_id)
select s.sid,
s.principal_id,
db_id(''?''),
d.principal_id
from sys.server_principals s
join [?].sys.database_principals d
on s.sid = d.sid;';
select * from #result;
You can extend this to include the server roles and database roles memberships once you figure out a proper result set shape to aggregate all that information in a single table.
Here is a query that will list all logins with their assigned server-level roles.
select
login_name = pa.name,
--pa.principal_id, m.member_principal_id, m.role_principal_id,pb.principal_id,
role_name = pb.name
from
sys.server_principals pa
inner join
sys.server_role_members m on pa.principal_id = m.member_principal_id
inner join
sys.server_principals pb on m.role_principal_id = pb.principal_id
order by
pa.name,
pa.principal_id
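The two answers above cover the database-side mapping and the server-role side separately; the following added example (written for this page, not taken from either answer) joins them into one result. It uses sp_MSforeachdb, whose '?' placeholder is replaced by each database name, to fill a temp table with login SID to database user to database role, then LEFT JOINs the server roles so logins without any mapping or role still appear. The table name #map is an assumption.

```sql
-- Added example: one result set of login -> server role -> db user -> db role.
SET NOCOUNT ON;
IF OBJECT_ID('tempdb..#map') IS NOT NULL DROP TABLE #map;
CREATE TABLE #map (
    database_name sysname       NOT NULL,
    login_sid     varbinary(85) NOT NULL,   -- joins back to sys.server_principals.sid
    user_name     sysname       NOT NULL,
    db_role       sysname       NULL
);

-- Collect users and their role memberships from every database on the instance.
EXEC sp_MSforeachdb N'
USE [?];
INSERT INTO #map (database_name, login_sid, user_name, db_role)
SELECT DB_NAME(), u.sid, u.name, r.name
FROM sys.database_principals AS u
LEFT JOIN sys.database_role_members AS rm
    ON rm.member_principal_id = u.principal_id
LEFT JOIN sys.database_principals AS r
    ON r.principal_id = rm.role_principal_id
WHERE u.type IN (''S'', ''U'', ''G'')        -- SQL user, Windows user, Windows group
  AND u.sid IS NOT NULL
  AND u.name NOT IN (''guest'', ''INFORMATION_SCHEMA'', ''sys'');';

-- Logins with server roles on the left, database mappings on the right.
SELECT
    l.name        AS login_name,
    l.type_desc   AS login_type,
    sr.name       AS server_role,
    m.database_name,
    m.user_name,
    m.db_role
FROM sys.server_principals AS l
LEFT JOIN sys.server_role_members AS srm
    ON srm.member_principal_id = l.principal_id
LEFT JOIN sys.server_principals AS sr
    ON sr.principal_id = srm.role_principal_id
LEFT JOIN #map AS m
    ON m.login_sid = l.sid
WHERE l.type IN ('S', 'U', 'G')              -- skip server roles and certificate logins
ORDER BY l.name, sr.name, m.database_name, m.user_name, m.db_role;
```

A login that is a member of several server roles or mapped into several databases appears once per combination, which is what you want for an audit listing; an offline or inaccessible database makes sp_MSforeachdb raise an error for that iteration.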

How to find out who changed the permissions/grants on a stored procedure, and when

There is a stored procedure in SQL Server 2005 on which users claim EXECUTE permission was removed, as they can no longer execute the stored procedure.
I tried to find it in trace files, but I can't find an entry for this stored procedure.
My question is: is there another way to find out who changed the permissions/grants on this stored procedure, and when?
select P.permission_name,
P.state_desc,
U.name GranteeName,
U2.name GrantorName,
T.*
from sys.database_permissions P
JOIN sys.objects T ON P.major_id = T.object_id
JOIN sysusers U ON U.uid = P.grantee_principal_id
JOIN sysusers U2 ON U2.uid = P.grantor_principal_id
ORDER by T.modify_date desc
Unfortunately, the 'who' is typically 'dbo'...
Restore a backup?
Unfortunately no. You have to audit (via DDL triggers for example) the actual REVOKE or DENY statement.
However, if the proc was dropped and recreated, then there is no permission change to audit. You can query sys.objects to get create_date and modify_date to find out if this happened.
There are other options, such as the login removal so even though permissions have not changed, the users are no longer eligible to execute the code. Or the NT group changed if using Windows authentication. An explicit REVOKE/DENY or DROP/CREATE may not be the obvious answer.
Edit, based on comment:
Your question said "..users claim execute permission was removed...". As well as explicit stored proc permission changes, the environment may have changed. That is, what if:
users were dropped from the group
the login was dropped and recreated without user mapping in the database
the group policy changed so the NT group can no longer access the SQL Server (they need "Allow login from network"-ish)
Have the stored proc rights changed, or has the way the user gets to the stored proc changed?
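The answer above recommends auditing the actual REVOKE/DENY (and drop/recreate) via DDL triggers rather than guessing afterwards. Here is an added example of such a trigger (not part of the original answer) for a database-scoped DDL trigger on SQL Server 2005: it captures GRANT/DENY/REVOKE, procedure CREATE/ALTER/DROP and user CREATE/ALTER/DROP events with the login that issued them, the time and the statement text. The table and trigger names are assumptions.

```sql
-- Added example: record who changed permissions, procedures or users, and when.
CREATE TABLE dbo.PermissionAudit (
    audit_id     int IDENTITY(1,1) PRIMARY KEY,
    event_time   datetime      NOT NULL DEFAULT GETDATE(),
    event_type   nvarchar(64)  NOT NULL,
    login_name   nvarchar(128) NOT NULL,   -- login that ran the statement
    user_name    nvarchar(128) NOT NULL,   -- database user it ran as
    object_name  nvarchar(256) NULL,       -- securable or object touched
    command_text nvarchar(max) NULL,       -- the exact T-SQL issued
    event_xml    xml           NOT NULL    -- full EVENTDATA() for later forensics
);
GO

CREATE TRIGGER trg_AuditPermissionChanges
ON DATABASE
FOR DDL_GSR_DATABASE_EVENTS,   -- GRANT_DATABASE, DENY_DATABASE, REVOKE_DATABASE
    DDL_PROCEDURE_EVENTS,      -- CREATE/ALTER/DROP PROCEDURE (drop+recreate loses grants)
    DDL_USER_EVENTS            -- CREATE/ALTER/DROP USER (lost user mapping)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();
    INSERT INTO dbo.PermissionAudit
        (event_type, login_name, user_name, object_name, command_text, event_xml)
    SELECT
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(64)'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/UserName)[1]',   'nvarchar(128)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(256)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e;
END;
GO

-- Reading it back: the latest changes that touched one procedure.
SELECT TOP (20) event_time, event_type, login_name, user_name, command_text
FROM dbo.PermissionAudit
WHERE object_name = N'YourProcName'    -- placeholder
ORDER BY event_time DESC;
```

The trigger runs inside the DDL statement's transaction, so if the audit insert fails the GRANT or REVOKE itself is rolled back; keep the audit table simple and check the trigger still exists in sys.triggers periodically, since anyone with CONTROL on the database can disable it.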
Select memb.Name As UserName,
prin.Name As RoleName,
perm.permission_name As PermissionType,
schm.name As SchemaName,
objt.Name As ObjectName,
perm.state_desc As PermissionState,
memb.Create_Date ,
memb.Modify_Date
from sys.database_principals memb
Left Join sys.database_role_members rolm
on rolm.Member_principal_id = memb.Principal_id
Left Join sys.database_principals prin
on rolm.Role_principal_id = prin.Principal_id
Left Join sys.database_permissions perm
on memb.Principal_id = perm.grantee_principal_id
Left Join sys.all_objects objt
on perm.Major_Id = objt.Object_Id
Left Join sys.Schemas schm
on objt.schema_id = schm.schema_id
Order By memb.Name,
prin.Name, perm.permission_name,
objt.Name, perm.state_desc;

How to write an SQL query to find out which logins have been granted which rights in Sql Server 2005?

I'm responsible for some test database servers. Historically, too many other people have had access to them. They run on SQL Server 2005.
I've been writing queries and wrapping them in scripts so I can run a regular audit of rights. Finding out which users had Administrator rights on the server itself was fine, as was finding out who had the sysadmin role on their login - it was a single line query for the latter.
But how to find out which logins have a User Mapping to a particular (or any) database?
I can find the sys.database_principals and sys.server_principals tables. I have located the sys.databases table. I haven't worked out how to find out which users have rights on a database, and if so, what.
Every Google search brings up people manually using the User Mapping pane of the Login dialog, rather than using a query to do so. Any ideas?
Check out this MSDN reference article on Has_Perms_By_Name. I think you're really interested in examples D, F and G.
Another idea... I fired up SQL profiler and clicked on the ObjectExplorer->Security->Users. This resulted in (approx) the following query being issued.
SELECT *
FROM
sys.database_principals AS u
LEFT OUTER JOIN sys.database_permissions AS dp
ON dp.grantee_principal_id = u.principal_id and dp.type = N'CO'
WHERE (u.type in ('U', 'S', 'G', 'C', 'K'))
ORDER BY [Name] ASC
select * from Master.dbo.syslogins l inner join sys.sysusers u on l.sid = u.sid
This will get you what users are mapped to which logins within a single database.
Here's how to do this. I ended up finding reference to a sproc in the MSDN docs. I pulled this from the sproc and wrapped it in a loop of all the databases known to the instance.
select DbRole = g.name, MemberName = u.name
from #NAME.sys.database_principals u, #NAME.sys.database_principals g, #NAME.sys.database_role_members m
where g.principal_id = m.role_principal_id
and u.principal_id = m.member_principal_id
and g.name in (''db_ddladmin'', ''db_owner'', ''db_securityadmin'')
and u.name not in (''dbo'')
order by 1, 2
This then reports the users that have DBO who perhaps shouldn't. I've already revoked some admin access from some users that they didn't need. Thanks everyone!