How to write an SQL query to find out which logins have been granted which rights in Sql Server 2005? - sql

I'm responsible for some test database servers. Historically, too many other people have access to them. They run on SQL Server 2005.
I've been writing queries and wrapping them in scripts so I can run a regular audit of rights. Finding out which users had Administrator rights on the server itself was fine, as was finding out who had the sysadmin role on their login - it was a single line query for the latter.
But how to find out which logins have a User Mapping to a particular (or any) database?
I can find the sys.database_principals and sys.server_principals tables. I have located the sys.databases table. I haven't worked out how to find out which users have rights on a database, and if so, what.
Every Google search brings up people manually using the User Mapping pane of the Login dialog, rather than using a query to do so. Any ideas?

Check out this msdn reference article on Has_Perms_By_Name. I think you're really interested in examples D, F and G
Another idea... I fired up SQL profiler and clicked on the ObjectExplorer->Security->Users. This resulted in (approx) the following query being issued.
SELECT *
FROM
sys.database_principals AS u
LEFT OUTER JOIN sys.database_permissions AS dp
ON dp.grantee_principal_id = u.principal_id and dp.type = N'CO'
WHERE (u.type in ('U', 'S', 'G', 'C', 'K'))
ORDER BY [Name] ASC

select * from Master.dbo.syslogins l inner join sys.sysusers u on l.sid = u.sid
This will get you what users are mapped to which logins within a single database.

Here's how to do this. I ended up finding reference to a sproc in the MSDN docs. I pulled this from the sproc and wrapped it in a loop of all the databases known to the instance.
-- #NAME is a placeholder that the outer loop replaces with each database name.
-- (In the original dynamic SQL string the single quotes below were doubled.)
select DbRole = g.name, MemberName = u.name
from #NAME.sys.database_role_members m
join #NAME.sys.database_principals g on g.principal_id = m.role_principal_id
join #NAME.sys.database_principals u on u.principal_id = m.member_principal_id
where g.name in ('db_ddladmin', 'db_owner', 'db_securityadmin')
and u.name not in ('dbo')
order by 1, 2
This then reports the users that have DBO who perhaps shouldn't. I've already revoked some admin access from some users that they didn't need. Thanks everyone!
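
The per-database loop described in the answer above, written out as an added example (this is not code from the original answers). It walks every online database with a cursor, runs the same catalog query through sys.sp_executesql, and collects login-to-user mappings and role memberships into one result set. It assumes the caller can read sys.database_principals in every database (sysadmin or a dedicated audit login); the temp table name #LoginAudit is an arbitrary choice.

```sql
-- Added example: cross-database audit of login -> user mapping -> role membership.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#LoginAudit') IS NOT NULL DROP TABLE #LoginAudit;
CREATE TABLE #LoginAudit (
    database_name sysname       NOT NULL,
    login_name    sysname       NULL,   -- NULL = orphaned user (no login with that SID)
    user_name     sysname       NOT NULL,
    user_type     nvarchar(60)  NOT NULL,
    role_name     sysname       NULL    -- NULL = mapped into the database but in no role
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'          -- skip offline / restoring databases
      AND name <> 'tempdb';

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects against database names containing ']' or spaces.
    -- The login join needs no prefix: sys.server_principals is instance-wide.
    SET @sql = N'
    INSERT INTO #LoginAudit (database_name, login_name, user_name, user_type, role_name)
    SELECT  @dbname,
            sp.name,                       -- server login the user is mapped to
            dp.name,
            dp.type_desc,
            r.name
    FROM ' + QUOTENAME(@db) + N'.sys.database_principals AS dp
    LEFT JOIN sys.server_principals AS sp
           ON sp.sid = dp.sid             -- the SID is what links login and user
    LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_role_members AS rm
           ON rm.member_principal_id = dp.principal_id
    LEFT JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
           ON r.principal_id = rm.role_principal_id
    WHERE dp.type IN (''S'', ''U'', ''G'')  -- SQL users, Windows users, Windows groups
      AND dp.name NOT IN (''dbo'', ''guest'', ''INFORMATION_SCHEMA'', ''sys'');';

    EXEC sys.sp_executesql @sql, N'@dbname sysname', @dbname = @db;

    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Report, flagging orphaned users and the roles that amount to ownership
SELECT  database_name,
        ISNULL(login_name, '<orphaned user>') AS login_name,
        user_name,
        user_type,
        ISNULL(role_name, '<no role>') AS role_name,
        CASE WHEN role_name IN ('db_owner', 'db_securityadmin', 'db_ddladmin', 'db_accessadmin')
             THEN 'REVIEW' ELSE '' END AS flag
FROM #LoginAudit
ORDER BY database_name, login_name, user_name, role_name;
```

Two things this mapping report cannot show: members of the sysadmin server role enter every database as dbo without any user mapping, and a database whose guest user is enabled admits any login at all. Check sys.server_role_members for the former and the CONNECT permission of guest in sys.database_permissions for the latter alongside this output.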

Related

How to find out IP address of the user who dropped a sql server user Databse

I created a SQL Login "TestUser" and granted that user DBO privileges on the "TESTDB" database. I logged in as TestUser and dropped TESTDB.
I was able to find out who dropped the database by looking at the schema changes history report.
I would like to know how I can find out the IP address or computer name where I ran this command from. (If multiple people are using the same SQL login this will help me identify who ran the drop command.)
You can try the query below:
SELECT c.session_id, s.host_name, s.login_name, s.status, st.text, s.login_time, s.program_name,
       c.client_net_address,  -- the client IP address the question asks for
       *
FROM sys.dm_exec_connections c
INNER JOIN sys.dm_exec_sessions s ON c.session_id = s.session_id
CROSS APPLY sys.dm_exec_sql_text(c.most_recent_sql_handle) AS st
ORDER BY c.session_id

Checking Truncate/Alter Permission for a login

How do I check whether a login has TRUNCATE permission for a particular table?
We have a login called Test for which we have given ALTER permission on particular tables only. Now I want to get the list of tables for which the Test login has ALTER permission.
I checked Google and forums but couldn't find any answer.
Assuming that you have the ability to impersonate the user, you can do the following:
execute as user = 'Test';
select schema_name(t.schema_id) + '.' + t.name as table_name, p.permission_name
from sys.tables as t
-- schema-qualify the name; a bare t.name only resolves for tables in the caller's default schema
cross apply sys.fn_my_permissions(quotename(schema_name(t.schema_id)) + '.' + quotename(t.name), 'OBJECT') as p
where p.permission_name = 'ALTER';
revert;
If you wanted to list out the permissions against a particular user, try the query below.
SELECT OBJECT_NAME(P.major_id) TableName, P.permission_name, P.state_desc, U.name UserName
FROM sys.database_permissions P
JOIN sys.tables T ON P.major_id = T.object_id
JOIN sys.database_principals U ON U.principal_id = P.grantee_principal_id
WHERE U.name = 'Test'
You could use the following function as well to quickly check the permissions that are available for a specific user.
MS SQL Documentation that will give you some useful information on its usage is provided in the link.
Syntax:
SELECT * FROM sys.fn_my_permissions('TEST', 'USER');
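
The difference between what the catalog records and what a user can actually do is the point the answers above circle around, so here is an added, self-contained example (not code from the original answers). It creates a throwaway user and two tables, grants ALTER at schema level and denies it on one table, then compares the explicit rows in sys.database_permissions with the effective answer obtained by impersonating the user and calling HAS_PERMS_BY_NAME. The names audit_demo, perm_test_user, t_allowed and t_denied are arbitrary; run it in a scratch database.

```sql
-- Added example: explicit grants in the catalog versus effective permission per table.
CREATE SCHEMA audit_demo;           -- must be the only statement in its batch
GO
CREATE TABLE audit_demo.t_allowed (id int);
CREATE TABLE audit_demo.t_denied  (id int);
CREATE USER perm_test_user WITHOUT LOGIN;      -- no login needed just to test permissions

GRANT SELECT ON SCHEMA::audit_demo TO perm_test_user;  -- so the user can see both tables' metadata
GRANT ALTER  ON SCHEMA::audit_demo TO perm_test_user;  -- covers every table in the schema...
DENY  ALTER  ON OBJECT::audit_demo.t_denied TO perm_test_user;  -- ...except this one
GO

-- 1. What the catalog says: three explicit rows, and no per-table answer for t_allowed
SELECT pr.name AS grantee, pe.class_desc, pe.permission_name, pe.state_desc,
       CASE pe.class
            WHEN 1 THEN SCHEMA_NAME(o.schema_id) + '.' + o.name   -- OBJECT_OR_COLUMN
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)                   -- SCHEMA
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects AS o ON pe.class = 1 AND o.object_id = pe.major_id
WHERE pr.name = 'perm_test_user';

-- 2. What the user can actually do: impersonate and ask per table.
--    HAS_PERMS_BY_NAME folds in schema- and database-level grants, role
--    membership and DENY, none of which the catalog query above resolves.
EXECUTE AS USER = 'perm_test_user';
SELECT SCHEMA_NAME(t.schema_id) + '.' + t.name AS table_name,
       HAS_PERMS_BY_NAME(QUOTENAME(SCHEMA_NAME(t.schema_id)) + '.' + QUOTENAME(t.name),
                         'OBJECT', 'ALTER') AS can_alter   -- 1 = yes, 0 = no
FROM sys.tables AS t
WHERE t.schema_id = SCHEMA_ID('audit_demo')
ORDER BY table_name;
REVERT;
-- audit_demo.t_allowed -> 1 (inherited from the schema grant)
-- audit_demo.t_denied  -> 0 (the object-level DENY wins)

-- Cleanup
DROP TABLE audit_demo.t_allowed;
DROP TABLE audit_demo.t_denied;
DROP USER perm_test_user;
DROP SCHEMA audit_demo;
```

Because TRUNCATE TABLE is covered by ALTER on the table, the can_alter column is also the answer to the original TRUNCATE question. EXECUTE AS USER requires IMPERSONATE on that user (db_owner members have it), and sys.fn_my_permissions('Test', 'USER') reports the caller's permissions on the user object, not the permissions that user holds.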

query for databases and privileges

I am using SQL Server 2008. I want a SQL query for finding the different databases created by a particular login user. For example, let's say user1 has created databases db1 and db2, and user2 has created databases db3 and db4. Then the query should give the result db1, db2 for user1 and db3, db4 for user2.
I also want a query for getting the privileges of a particular user.
The closest I can think of is the current owner, which is very often the creator of a database. You can query that like:
select db.name
, l.name
from sys.databases db
join sys.syslogins l
on db.owner_sid = l.sid
To query for a comma-separated list per user, try:
select l.name
, stuff(db.list,len(db.list),1,'')
from sys.syslogins l
cross apply
(
select db.name + ','
from sys.databases db
where db.owner_sid = l.sid
for xml path('')
) db(list)
where db.list is not null
Well, I don't know why you need to query the owner user for each database,
but I hope this helps you:
SELECT name, SUSER_SNAME(owner_sid)
FROM sys.databases
SUSER_SNAME() will retrieve the user name.
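
Owner and creator are not the same thing, and a live-session DMV query only shows sessions that are still connected. The SSMS "Schema Changes History" report mentioned in the earlier "who dropped the database" question reads the instance's default trace, and that same trace answers both that question (which host the DROP came from) and this one (which login actually ran CREATE DATABASE). The following is an added example, not code from either thread's answers. It assumes the default trace is enabled (it is unless someone turned it off) and that the event is still inside the trace's rolling files, so it only works for recent events; the ObjectType code 16964 for databases and the EventSubClass meanings are taken from the trace column documentation and are stated here as assumptions.

```sql
-- Added example: who created or dropped a database, and from which client machine,
-- read from the default trace.
DECLARE @path nvarchar(260);

-- Path of the current default trace file (trace id 1, property 2 = file name)
SELECT @path = CAST(value AS nvarchar(260))
FROM sys.fn_trace_getinfo(DEFAULT)
WHERE traceid = 1 AND property = 2;

-- Strip the rollover suffix (log_123.trc -> log.trc) so fn_trace_gettable
-- reads every retained file, oldest first, instead of just the current one.
SET @path = REVERSE(SUBSTRING(REVERSE(@path), CHARINDEX('\', REVERSE(@path)), 260)) + 'log.trc';

-- EventClass 46 = Object:Created, 47 = Object:Deleted
-- ObjectType 16964 = database (assumption: per the ObjectType trace column docs)
-- EventSubClass 0/1 = begin/commit, so each change can appear twice (assumption)
SELECT  t.StartTime,
        CASE t.EventClass WHEN 46 THEN 'CREATE' WHEN 47 THEN 'DROP' END AS action,
        t.EventSubClass,
        t.DatabaseName,
        t.ObjectName,
        t.LoginName,        -- SQL login used: identical for everyone sharing 'TestUser'
        t.NTUserName,       -- Windows account when Windows authentication was used
        t.HostName,         -- client machine name: this is what separates the people
        t.ApplicationName,
        t.SPID
FROM sys.fn_trace_gettable(@path, DEFAULT) AS t
WHERE t.EventClass IN (46, 47)
  AND t.ObjectType = 16964
ORDER BY t.StartTime DESC;

-- For sessions that are still connected, the IP address comes straight from the DMVs
SELECT  s.session_id, s.login_name, s.host_name, s.program_name, s.login_time,
        c.client_net_address, c.client_tcp_port
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1
ORDER BY s.session_id;
```

Treat HostName and ApplicationName as hints rather than evidence: both are supplied by the client library (a connection string can set "Workstation ID" to anything), whereas client_net_address is taken from the TCP connection, although it will show a proxy or NAT address where one is in the path. If a shared SQL login is the root of the problem, separate logins per person is the fix that makes this question go away.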

Extract table permissions from SQL Server 2005

How do you extract user roles with type = database role from a table's permissions, so I can put these permissions in another CREATE TABLE script and the new table has the same user roles?
You could try something like this - inspect the system catalog views sys.database_permissions and sys.database_principals:
SELECT
dp.class,
dp.class_desc,
dp.permission_name,
object_name(dp.major_id) 'Database object',
p.name 'Granted to',
dp.major_id,
object_name(dp.major_id),
dp.minor_id,
dp.grantee_principal_id,
dp.type,
dp.state,
dp.state_desc
FROM
sys.database_permissions AS dp
INNER JOIN
sys.database_principals AS p ON dp.grantee_principal_id = p.principal_id
WHERE
class = 1 -- object-level permissions
Read more about sys.database_permissions and sys.database_principals in the MSDN SQL Server Books Online.
Update: if you want to limit it to a single table, use this WHERE clause:
WHERE
class = 1 -- object-level permissions
AND dp.major_id = OBJECT_ID('your-table-name-here')
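
What the question actually needs is the permissions in a form that can be appended to a CREATE TABLE script, so here is an added example (not code from the original answer) that turns the sys.database_permissions rows for one table into GRANT/DENY statements. It handles column-level permissions (minor_id > 0) and WITH GRANT OPTION, and restricts grantees to database roles as the question asks. The parameter name @table is an assumption; dbo.YourTable is a placeholder to replace.

```sql
-- Added example: script the object-level permissions of one table as T-SQL.
DECLARE @table nvarchar(256);
SET @table = N'dbo.YourTable';    -- placeholder: the table whose permissions to script

SELECT  CASE pe.state WHEN 'D' THEN 'DENY' WHEN 'R' THEN 'REVOKE' ELSE 'GRANT' END
        + ' ' + pe.permission_name
        + CASE WHEN pe.minor_id > 0
               THEN ' (' + QUOTENAME(c.name) + ')'       -- column-level permission
               ELSE '' END
        + ' ON OBJECT::' + QUOTENAME(s.name) + '.' + QUOTENAME(o.name)
        + ' TO ' + QUOTENAME(pr.name)
        + CASE WHEN pe.state = 'W' THEN ' WITH GRANT OPTION' ELSE '' END
        + ';' AS permission_statement
FROM sys.database_permissions AS pe
JOIN sys.objects AS o   ON o.object_id = pe.major_id
JOIN sys.schemas AS s   ON s.schema_id = o.schema_id
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.columns AS c ON c.object_id = pe.major_id AND c.column_id = pe.minor_id
WHERE pe.class = 1                     -- OBJECT_OR_COLUMN
  AND pe.major_id = OBJECT_ID(@table)
  AND pr.type = 'R'                    -- database roles only; remove to include users too
ORDER BY pr.name, pe.permission_name, pe.minor_id;
```

DENY rows are scripted as well; dropping them while copying the GRANTs would silently widen access on the new table. The roles' memberships are not part of this output (they live in sys.database_role_members), so the target database must already contain the same roles with the same members for the scripted statements to mean the same thing.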

how to find out who and when permissions/grants in stored procedure was changed

There is a stored procedure in SQL Server 2005 for which users claim the EXECUTE permission was removed, as they can no longer execute the stored procedure.
I tried to find it in trace files, but I can't find an entry for this stored procedure.
My question is: is there another way to find out who changed the permissions/grants of this stored procedure, and when?
select P.permission_name,
P.state_desc,
U.name GranteeName,
U2.name GrantorName,
T.*
from sys.database_permissions P
JOIN sys.objects T ON P.major_id = T.object_id
JOIN sysusers U ON U.uid = P.grantee_principal_id
JOIN sysusers U2 ON U2.uid = P.grantor_principal_id
ORDER by T.modify_date desc
Unfortunately, the 'who' is typically 'dbo'...
Restore a backup?
Unfortunately no. You have to audit (via DDL triggers for example) the actual REVOKE or DENY statement.
However, if the proc was dropped and recreated then there is no permission change to audit. You can query sys.objects to get create_date and modify_date to find out if this happened.
There are other options, such as the login removal so even though permissions have not changed, the users are no longer eligible to execute the code. Or the NT group changed if using Windows authentication. An explicit REVOKE/DENY or DROP/CREATE may not be the obvious answer.
Edit, based on comment:
Your question said "..users claim execute permission was removed...". As well as explicit stored proc permission changes, the environment may have changed. That is, what if:
users were dropped from the group
the login was dropped and recreated without user mapping in the database
the group policy changed so the NT group can no longer access the SQL Server (they need "Allow login from network"-ish)
Have the stored proc rights changed, or has the way users get to the stored proc changed?
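
The DDL-trigger audit suggested in the answer above, written out as an added example (not code from the original answers). The trigger fires on every GRANT/DENY/REVOKE in the database and on every CREATE/ALTER/DROP PROCEDURE (a drop-and-recreate silently discards the proc's grants, which is the other way EXECUTE "disappears"), and records who issued it, from which client, and the exact statement. The table and trigger names dbo.ddl_audit and trg_audit_permissions are arbitrary; run it in the database that holds the procedure.

```sql
-- Added example: record permission and procedure DDL with a database DDL trigger.
CREATE TABLE dbo.ddl_audit (
    audit_id     int IDENTITY(1,1) PRIMARY KEY,
    event_time   datetime       NOT NULL DEFAULT GETDATE(),
    event_type   sysname        NOT NULL,   -- e.g. GRANT_DATABASE, REVOKE_DATABASE, DROP_PROCEDURE
    login_name   sysname        NOT NULL,   -- server login that issued the statement
    user_name    sysname        NOT NULL,   -- database user it ran as (often 'dbo')
    host_name    sysname        NULL,       -- client machine, as reported by the client
    app_name     nvarchar(128)  NULL,
    object_name  sysname        NULL,
    tsql_command nvarchar(max)  NULL,       -- the statement as typed
    event_xml    xml            NOT NULL    -- full EVENTDATA() kept for later questions
);
GO

CREATE TRIGGER trg_audit_permissions
ON DATABASE
FOR DDL_GDR_DATABASE_EVENTS,     -- GRANT_DATABASE, DENY_DATABASE, REVOKE_DATABASE
    DDL_PROCEDURE_EVENTS         -- CREATE_PROCEDURE, ALTER_PROCEDURE, DROP_PROCEDURE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();        -- only valid inside the trigger

    INSERT INTO dbo.ddl_audit
        (event_type, login_name, user_name, host_name, app_name, object_name, tsql_command, event_xml)
    SELECT
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'sysname'),
        @e.value('(/EVENT_INSTANCE/LoginName)[1]',  'sysname'),
        @e.value('(/EVENT_INSTANCE/UserName)[1]',   'sysname'),
        HOST_NAME(),             -- not part of EVENTDATA; taken from the issuing session
        APP_NAME(),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'sysname'),   -- NULL when the event has no object
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'),
        @e;
END;
GO

-- Later, to answer "who removed EXECUTE on usp_Foo, and when?" (usp_Foo is a placeholder)
SELECT event_time, event_type, login_name, user_name, host_name, app_name, tsql_command
FROM dbo.ddl_audit
WHERE tsql_command LIKE '%usp_Foo%'
ORDER BY event_time DESC;
```

A DDL trigger only sees changes made after it exists, so it answers the next incident, not this one. Everyone who can issue GRANT must also be able to INSERT into dbo.ddl_audit (for example GRANT INSERT ON dbo.ddl_audit TO the roles concerned), because an error inside the trigger rolls back their DDL statement; and since anyone with ALTER on the database can DISABLE TRIGGER and clear the table, copy the audit rows off the server if they are meant to survive an insider.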
Select memb.Name As UserName,
prin.Name As RoleName,
perm.permission_name As PermissionType,
schm.name As SchemaName,
objt.Name As ObjectName,
perm.state_desc As PermissionState,
memb.Create_Date ,
memb.Modify_Date
from sys.database_principals memb
Left Join sys.database_role_members rolm
on rolm.Member_principal_id = memb.Principal_id
Left Join sys.database_principals prin
on rolm.Role_principal_id = prin.Principal_id
Left Join sys.database_permissions perm
on memb.Principal_id = perm.grantee_principal_id
Left Join sys.all_objects objt
on perm.Major_Id = objt.Object_Id
Left Join sys.Schemas schm
on objt.schema_id = schm.schema_id
Order By memb.Name,
prin.Name, perm.permission_name,
objt.Name, perm.state_desc;