Technical Article

List User Permissions

,

Do you ever need to look for a given user's permissions for security reasons or move the permissions for that user from test environment to production? This is a script, which will generate print statements, which can be use to view/grant, the permissions of all dbo objects, which the given user has, which is not in the dbo role. Create this script in the master database so you can run in any database. Please send your comments/uggestions at shah_mm@hotmail.com

USE master
GO
CREATE PROC sp_GetUserPermissions
@UserName VARCHAR(50)
AS

/*
Author: Minesh Shah (shah_mm@hotmail.com)
Purpose: Prints Permissions of User in the database who has no dbo rights,
  and print only permissions for user defined stored procedures, 
  functions, tables and views belongs to dbo owner. 
  Do not print column level permissions.
  
  You can use the print statements in new environment to grant permissions
  or use to see what permission a user has in current environment.

Usage: USE "DatabaseName"
  Exec sp_GetUserPermissions "UserName"

*/
BEGIN
SET NOCOUNT ON
SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED

DECLARE@UserIDINT,
@ObjectNameVARCHAR(50),
@ObjectTypeVARCHAR(2),
@SqlVARCHAR(4000),
@DBNameVARCHAR(50)

CREATE TABLE #tmpPermissions
       (ObjectIDINT,
ObjectNameVARCHAR(50),
ObjectTypeVARCHAR(2),
HasSelectTINYINT DEFAULT 0,
HasUpdateTINYINT DEFAULT 0,
HasReferenceTINYINT DEFAULT 0,
HasInsertTINYINTDEFAULT 0,
HasDeleteTINYINT DEFAULT 0,
HasExecuteTINYINT DEFAULT 0,
HasAllTINYINT DEFAULT 0,
UserIDINT)

SET @DBName = db_name()

SET @Sql = 
'SELECTO.ID, O.name, O.xtype, U.uid
FROM' + @DBName + '.dbo.sysobjects AS O,' + CHAR(13) +
  + @DBName + '.dbo.syspermissions AS P,' + CHAR(13) +
  + @DBName + '.dbo.sysusers AS U' + CHAR(13) +
'WHEREO.id = P.id' + CHAR(13) +
'ANDP.grantee = U.uid' + CHAR(13) +
'ANDU.name = ''' + @UserName + '''' + CHAR(13) 


INSERTINTO #tmpPermissions (ObjectID, ObjectName, ObjectType, UserID)
EXEC (@Sql)

SET @UserID = (SELECT DISTINCT UserID FROM #tmpPermissions)

IF @UserID IS NULL
BEGIN
RAISERROR('Either the given user does not exists or does not have any permissions in this database', 11, 127)
RETURN
END

/*Check Select Permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasSelect = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''U'', ''V'', ''IF'', ''TF'')' + CHAR(13) +
'ANDP.actadd & 0x1 = 1' + CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

/*Check Update permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasUpdate = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''U'', ''V'', ''IF'', ''TF'')' + CHAR(13) +
'ANDP.actadd & 0x2 = 2' + CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

/*Check Reference permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasReference = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''U'', ''V'', ''IF'', ''TF'')' + CHAR(13) +
'ANDP.actadd & 0x4 = 4'+ CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

/*Check Insert permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasInsert = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''U'', ''V'', ''IF'', ''TF'')' + CHAR(13) +
'ANDP.actadd & 0x8 = 8'+ CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

/*Check Delete permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasDelete = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''U'', ''V'', ''IF'', ''TF'')' + CHAR(13) +
'ANDP.actadd & 0x10 = 16'+ CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

/*Check Exec permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasExecute = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''P'', ''FN'')' + CHAR(13) +
'ANDP.actadd & 0x10 = 16'+ CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

/*Check all permission*/SET @Sql ='UPDATE#tmpPermissions
SETHasALL = 1
FROM#tmpPermissions AS T,' + CHAR(13) +
+ @DBName + '.dbo.syspermissions AS P' + CHAR(13) +
'WHERET.ObjectID = P.id
ANDT.ObjectType IN (''U'')' + CHAR(13) +
'ANDP.actadd & 0x1F = 31'+ CHAR(13) +
'ANDP.grantee = ' + CAST(@UserID AS VARCHAR)

EXEC (@Sql)

DECLARE Permission_Cur CURSOR FOR
SELECT ObjectName, ObjectType
FROM #tmpPermissions
ORDER BY ObjectType

OPEN Permission_Cur

FETCH NEXT FROM Permission_Cur INTO @ObjectName, @ObjectType

WHILE @@fetch_status = 0
BEGIN
IF @ObjectType IN ('P', 'FN')
SET @Sql = 'GRANT EXEC ON [' + @ObjectName + '] TO ' + @UserName

IF @ObjectType IN ('U', 'V', 'IF', 'TF')
BEGIN
SET @Sql = 'GRANT '

IF EXISTS (SELECT1 
FROM #tmpPermissions 
WHERE ObjectName = @ObjectName
ANDHasAll = 1)
BEGIN
SET @Sql = 'GRANT ' + 'ALL ON [' + @ObjectName + '] TO ' + @UserName
GOTO PrintStat
END

IF EXISTS (SELECT1 
FROM #tmpPermissions 
WHERE ObjectName = @ObjectName
ANDHasSelect = 1)
SET @Sql = 'GRANT ' + 'SELECT ,'

IF EXISTS (SELECT1 
FROM #tmpPermissions 
WHERE ObjectName = @ObjectName
ANDHasUpdate = 1)
SET @Sql = @Sql + 'UPDATE ,'

IF EXISTS (SELECT1 
FROM #tmpPermissions 
WHERE ObjectName = @ObjectName
ANDHasReference = 1)
SET @Sql = @Sql + 'REFERENCE ,'

IF EXISTS (SELECT1 
FROM #tmpPermissions 
WHERE ObjectName = @ObjectName
ANDHasInsert = 1)
SET @Sql = @Sql + 'INSERT ,'

IF EXISTS (SELECT1 
FROM #tmpPermissions 
WHERE ObjectName = @ObjectName
ANDHasDelete = 1)
SET @Sql = @Sql + 'DELETE '

SET @Sql = LEFT(@Sql, LEN(@Sql)-1) + ' ON [' + @ObjectName + '] TO ' + @UserName

END

PrintStat:
PRINT @Sql

FETCH NEXT FROM Permission_Cur INTO @ObjectName, @ObjectType
END

CLOSE Permission_Cur
DEALLOCATE Permission_Cur

DROP TABLE #tmpPermissions

END



GO
SET QUOTED_IDENTIFIER OFF 
GO
SET ANSI_NULLS ON 
GO

Rate

2 (1)

You rated this post out of 5. Change rating

Share

Share

Rate

2 (1)

You rated this post out of 5. Change rating