Blog Post

SQL – List Server and DB Permsission

,

Database Level Permission

DECLARE @DBuser_sql VARCHAR(4000)
DECLARE @DBuser_table TABLE
(
DBName VARCHAR(200),
UserName VARCHAR(250),
LoginType VARCHAR(500),
AssociatedDatabaseRole VARCHAR(200)
)
SET @DBuser_sql='
SELECT "[?]" AS DBName,a.name AS Name,
a.type_desc AS LoginType,
USER_NAME(b.role_principal_id) AS AssociatedDatabaseRole
FROM [?].sys.database_principals a
LEFT OUTER JOIN [?].sys.database_role_members b ON a.principal_id=b.member_principal_id
LEFT OUTER JOIN [?].sys.server_role_members c ON a.principal_id=c.member_principal_id and a.principal_id=c.member_principal_id
WHERE a.sid NOT IN (0x01,0x00) AND a.sid IS NOT NULL AND a.type NOT IN ("C")
AND a.is_fixed_role <> 1 AND a.name NOT LIKE "##%" AND "?" NOT IN ("master","msdb","model","tempdb")
ORDER BY Name'
INSERT @DBuser_table
EXEC sp_MSforeachdb @command1=@dbuser_sql
SELECT DBName,UserName,LoginType,
max(case when AssociatedDatabaseRole ='db_owner' then '1' else '0' end )'db_owner',
max(case when AssociatedDatabaseRole ='db_securityadmin' then '1' else '0' end )'db_securityadmin',
max(case when AssociatedDatabaseRole ='db_accessadmin' then '1' else '0' end )'db_accessadmin',
max(case when AssociatedDatabaseRole ='db_backupoperator' then '1' else '0' end )'db_backupoperator',
max(case when AssociatedDatabaseRole ='db_ddladmin' then '1' else '0' end )'db_ddladmin',
max(case when AssociatedDatabaseRole ='db_datareader' then '1' else '0' end)'db_datareader',
max(case when AssociatedDatabaseRole ='db_datawriter' then '1' else '0' end) 'db_datawriter',
max(case when AssociatedDatabaseRole ='db_denydatawriter' then '1' else '0' end )'db_denydatawriter',
max(case when AssociatedDatabaseRole ='db_denydatareader' then '1' else '0' end )'db_denydatareader',
max(case when AssociatedDatabaseRole is NULL then '1' else '0' end )'No Roles'
FROM @DBuser_table
group by DBName,UserName,LoginType

Server Level Permission

SELECT sp.name AS LoginName,sp.type_desc AS LoginType, sp.default_database_name AS DefaultDBName,slog.sysadmin AS SysAdmin,slog.securityadmin AS SecurityAdmin,slog.serveradmin AS ServerAdmin, slog.setupadmin AS SetupAdmin, slog.processadmin AS ProcessAdmin, slog.diskadmin AS DiskAdmin, slog.dbcreator AS DBCreator,slog.bulkadmin AS BulkAdmin
FROM sys.server_principals sp JOIN master..syslogins slog
ON sp.sid=slog.sid
WHERE sp.type <> 'R' AND sp.name NOT LIKE '##%'

Find Logins With VIEW SERVER STATE Permissions

SELECT @@SERVERNAME,SPRIN.[name],SPER.[permission_name] FROM sys.[server_permissions] SPER 
 INNER JOIN sys.[server_principals] SPRIN
 ON SPER.[grantee_principal_id] = SPRIN.[principal_id] WHERE SPER.[permission_name] = 'VIEW SERVER STATE'
 AND (SPER.[state] = 'G' OR SPER.[state] = 'W')AND SPRIN.[name] NOT LIKE '##%'
ORDER BY SPRIN.[name]
Permission

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating