snippetsqlModerate
How do I find out *why* a user has certain effective permissions?
Viewed 0 times
whypermissionshoweffectiveuserhasfindcertainout
Problem
I know that I can query effective permissions by using
This tells me whether the current user has SELECT, INSERT, UPDATE, etc. permissions on
Is it possible to easily find out why the user has these permissions? For example, I'd love to have a function
Unfortunately, I could not find such a function in the SQL Server documentation. Is there a tool or script that provides this functionality?
sys.fn_my_permissions:USE myDatabase;
SELECT * FROM fn_my_permissions('dbo.myTable', 'OBJECT')
entity_name | subentity_name | permission_name
------------------------------------------------
dbo.myTable | | SELECT
dbo.myTable | | UPDATE
...This tells me whether the current user has SELECT, INSERT, UPDATE, etc. permissions on
myTable in database myDatabase.Is it possible to easily find out why the user has these permissions? For example, I'd love to have a function
fn_my_permissions_ex which outputs an additional reason column:USE myDatabase;
SELECT * FROM fn_my_permissions_ex('dbo.myTable', 'OBJECT')
entity_name | subentity_name | permission_name | reason
------------------------------------------------------------------------------------------------------------------------------------
dbo.myTable | | SELECT | granted to database role public
dbo.myTable | | UPDATE | member of group MYDOMAIN\Superusers, which belongs to database role db_datawriter
...Unfortunately, I could not find such a function in the SQL Server documentation. Is there a tool or script that provides this functionality?
Solution
You can find some good information regarding security from the article below.
Reviewing SQL Server Permissions | TechRepublic http://tek.io/KfzEyp
Except:
The following query uses the sys.database_permissions system view to
indicate which users had specific permissions inside the current
database.
Reviewing SQL Server Permissions | TechRepublic http://tek.io/KfzEyp
Except:
The following query uses the sys.database_permissions system view to
indicate which users had specific permissions inside the current
database.
SELECT
dp.class_desc
,dp.permission_name
,dp.state_desc
,ObjectName = OBJECT_NAME(major_id)
,GranteeName = grantee.name
,GrantorName = grantor.name
FROM
sys.database_permissions dp
JOIN sys.database_principals grantee
ON dp.grantee_principal_id = grantee.principal_id
JOIN sys.database_principals grantor
ON dp.grantor_principal_id = grantor.principal_idCode Snippets
SELECT
dp.class_desc
,dp.permission_name
,dp.state_desc
,ObjectName = OBJECT_NAME(major_id)
,GranteeName = grantee.name
,GrantorName = grantor.name
FROM
sys.database_permissions dp
JOIN sys.database_principals grantee
ON dp.grantee_principal_id = grantee.principal_id
JOIN sys.database_principals grantor
ON dp.grantor_principal_id = grantor.principal_idContext
StackExchange Database Administrators Q#17961, answer score: 10
Revisions (0)
No revisions yet.