Technical Article

SQL 2005 Get Roles, Schemas & Object Permissions

,

You can throw this into a looping stored procedure and either stick it in a table or export it to a spreadsheet. This code is good for SOX compliance (making sure who has what permissions) and if run on a weekly or daily basis, helps you track down security abusers who have added permissions to people that shouldn't have them.

Any information stored should be kept in a DBA team administrative database or a restricted file share, though, so no developers or users can access the info and use it to cause trouble.

My apologies for not being able to post the whole SP, but I don't own the whole code (just the bits I fixed up) and I don't have permission to post everything publically. If you have any questions, just let me know.

Brandie Tarvin

Declare @sqlstmt varchar(5000);

set @sqlstmt = 'use ['+@DBName+']' + char(10) 

--db & server role menbership
set @sqlstmt = @sqlstmt + char(10) + '
SELECT @@servername as ServerName, DB_NAME() AS database_name, 
SPR.name AS server_role, RP.name AS database_role, 
MP.name AS database_user, mp.default_schema_name as DefaultSchema, 
getdate() as TodaysDate
FROM sys.database_principals MP 
JOIN sys.database_role_members R 
ON MP.principal_id = R.member_principal_id 
LEFT JOIN sys.database_principals RP 
ON R.role_principal_id = RP.principal_id 
LEFT JOIN sys.server_principals SP 
ON MP.sid = SP.sid 
LEFT JOIN sys.server_role_members SRM 
ON SP.principal_id = SRM.member_principal_id 
LEFT JOIN sys.server_principals SPR 
ON SRM.role_principal_id = SPR.principal_id'

-- tables and views (Does not include column level only permissions!!)
--If you figure out column level let me know please

set @sqlstmt = @sqlstmt + char(10) + '
Select @@servername as Servername, db_name() as [Database], 
ObjName = convert(char(30), o.name), ObjType = convert(char(40), 
o.type_desc), UserName = convert(char(20),
case when p.grantee_principal_id is null then '' (no users)''
 when u.type = ''G'' then lower(u.name)else upper(u.name) end),
Permission = (convert(char(20), p.permission_name + ''/'' + p.state_desc)),
 getdate() as TodaysDate
from sys.objects o
 left join sys.database_permissions p on o.object_id = p.major_id
 left join sys.database_principals u on p.grantee_principal_id = u.principal_id 
UNION
Select @@servername as Servername, db_name() as [Database], ObjName = convert(char(30), u.name),
 ObjType = convert(char(40), p.class_desc),
 UserName = convert(char(20),
 case 
 when p.grantee_principal_id is null then '' (no users)''
 when u.type = ''G'' then lower(u.name)
 else upper(u.name)
 end),
 Permission = (convert(char(20), p.permission_name + ''/'' + p.state_desc)),
 getdate()
from sys.database_permissions p 
left join sys.database_principals u 
on p.grantee_principal_id = u.principal_id 
order by 5;' + char(10)

exec(@sqlstmt);

Rate

3.5 (2)

You rated this post out of 5. Change rating

Share

Share

Rate

3.5 (2)

You rated this post out of 5. Change rating