SQL Server Management Studio, Beginner - sql-server

So, I have this question:
Use the following query to determine the principal_id values for suzie and jimmy.
select *
from sys.database_principals
where name in ('suzie','jimmy')
Using the principal_id values obtained from the query above, write a SELECT query using the
sys.database_permissions table that lists ALL permissions that have been granted to suzie and jimmy.
Principal id's I got were "5 & 6"
Then I used:
SELECT *
FROM sys.database_permissions
WHERE grantee_principal_id in ('5','6')
Now we're asked to use the OBJECT_NAME function in the query to show the view names instead of just their major_id values. I don't quite understand how to use the OBJECT_NAME function; I have been playing around and can't get it. Any hints or help would be greatly appreciated. Thanks!

Are you looking for something like this?
grantor_principal_id will return all objects where these principals gave the grant, and grantee_principal_id will return all objects where Suzie and Jimmy were granted permissions.
SELECT *
,OBJECT_NAME(major_id) AS TheObject
FROM sys.database_permissions
WHERE grantor_principal_id in (select principal_id
from sys.database_principals
where name in ('suzie','jimmy'))
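An added example, not part of the original question or answer: OBJECT_NAME only resolves major_id when the permission row's class is 1 (object or column), so this query filters on the grantee side and resolves the securable name per class. It assumes the suzie and jimmy users from the question and handles the database, object, schema and type classes only.

```sql
-- Permissions granted TO suzie and jimmy (grantee side), with major_id
-- resolved according to the class of the permission row.
SELECT  grantee.name        AS grantee_name,
        grantor.name        AS grantor_name,
        perm.state_desc,                      -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        perm.permission_name,
        perm.class_desc,
        CASE perm.class
            WHEN 0 THEN DB_NAME()                          -- database-level permission
            WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(perm.major_id))
                        + '.' + QUOTENAME(OBJECT_NAME(perm.major_id))  -- table, view, procedure
            WHEN 3 THEN SCHEMA_NAME(perm.major_id)         -- schema-level permission
            WHEN 6 THEN TYPE_NAME(perm.major_id)           -- user-defined or table type
        END                 AS securable_name,
        CASE WHEN perm.class = 1 AND perm.minor_id > 0
             THEN COL_NAME(perm.major_id, perm.minor_id)   -- column-level permission
        END                 AS column_name
FROM    sys.database_permissions AS perm
JOIN    sys.database_principals  AS grantee
        ON grantee.principal_id = perm.grantee_principal_id
JOIN    sys.database_principals  AS grantor
        ON grantor.principal_id = perm.grantor_principal_id
WHERE   grantee.name IN (N'suzie', N'jimmy')
ORDER BY grantee_name, perm.class, securable_name, perm.permission_name;
```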

Related

how to check groups for specific user in sql server [duplicate]

In the Security/Users folder in my database, I have a bunch of security groups, include "MyApplication Users". I need to check if I am (or another user is) in this group, but I have no idea how to query for it or where I could see this information. I tried looking in the properties, but couldn't find anything. Any ideas?
Checking yourself or the current user:
SELECT IS_MEMBER('[group or role]')
A result of 1 = yes, 0 = no, and null = the group or role queried is not valid.
To get a list of the users, try xp_logininfo if extended procs are enabled and the group in question is a Windows group:
EXEC master..xp_logininfo
@acctname = '[group]',
@option = 'members'
For a quick view of which groups / roles the current user is a member of:
select
[principal_id]
, [name]
, [type_desc]
, is_member(name) as [is_member]
from [sys].[database_principals]
where [type] in ('R','G')
order by [is_member] desc,[type],[name]
To find the AD Group members in the Instance, we can use the query below:
xp_logininfo 'DomainName\AD_GroupName', 'members'
By using this query, we can find the details below:
account name, type, privilege, mapped login name, permission path
Accepted answer from DeanG is the preferred solution for getting this info within SQL Server
You can use Active Directory tools for this. I like Active Directory Users and Computers that is part of the Remote Server Administration Tools. Follow the link to download and install the tools on Windows 7.
Once installed, you can search for a specific group name:
Then you can see group membership using the Members tab:
If you don't want to use the AD browser packaged with RSA tools, there are several others available.
You don't.
Instead you use the users and groups to grant/deny privileges, and let the engine enforce them appropriately. Attempting to roll your own security will get you nowhere fast. A banal example is when you will fail to honor the 'one deny trumps all grants' rule. And you will fail to navigate the intricacies of EXECUTE AS. Not to mention security based on module signatures.
For the record: users, roles and groups are exposed in the sys.database_principals catalog view. sys.fn_my_permissions will return the current context permissions on a specific securable.
The code that is provided on the Microsoft page here works for me, every time.
SELECT DP1.name AS DatabaseRoleName,
isnull (DP2.name, 'No members') AS DatabaseUserName
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
LEFT OUTER JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = 'R'
ORDER BY DP1.name;
Please let me know if this works for you!

How to get user defined function comment in postgreSQL

I'm trying to get the function comment where I saved basic info that I need in my program. I have created many functions whose names all start with 'stat_', and I'm retrieving their names using the code below.
SELECT routines.routine_name
FROM information_schema.routines
LEFT JOIN information_schema.parameters ON
routines.specific_name=parameters.specific_name
WHERE routines.specific_schema='public' AND routines.routine_name LIKE
'stat_%' ORDER BY routines.routine_name, parameters.ordinal_position;
Now I have all function names, and I need to get their comments.
I could not find a solution; if you know one, please share.
Comments can be retrieved via pg_description by the object id.
SELECT p.proname,
p.proargtypes,
d.description
FROM pg_proc p
LEFT JOIN pg_description d
ON d.objoid = p.oid
WHERE p.proname LIKE 'stat$_%' ESCAPE '$';
SELECT SPECIFIC_NAME AS SpName
FROM information_schema.routines
WHERE routines.specific_schema='public' AND routines.routine_name LIKE 'stat_%'
ORDER BY routines.routine_name
Then you can get the source of your object with this command:
EXEC sp_helptext 'ObjectName';

How do you find the permissions for a SQL Server table_type?

Hopefully a simple question here:
How do I get the permissions for an SQL Server table_type?
I know how to grant them, ie like:
GRANT [permission] ON TYPE::[schema_name].[type_name] TO [user]
As per http://technet.microsoft.com/en-us/library/ms174346.aspx.
What I want to know however, is how to find out what permissions users already have on a particular table_type. I've tried looking through tables like INFORMATION_SCHEMA.TABLE_PRIVILEGES, sys.database_permissions and sys.syspermissions, but I haven't had any luck.
My guess is I'm either missing something obvious or that the privileges for table_types are stored elsewhere.
You'll want to use the user_type_id from sys.table_types to join to sys.database_permissions:
SELECT prmssn.*
FROM sys.table_types AS tt INNER JOIN sys.database_permissions AS prmssn ON prmssn.major_id=tt.user_type_id
WHERE tt.name='<Table-Type Name>'
AND SCHEMA_NAME(tt.schema_id)='<SchemaName>'
AND prmssn.class=6 -- 6 = TYPE: major_id is only a user_type_id for this class
Try this:
SELECT *
FROM sys.database_permissions a
JOIN sys.database_principals b on a.grantee_principal_id = b.principal_id
where major_id=object_id('dbo.TableNameHere')

How To Query for Specific User Access Rights

I have an old database that I am inheriting. The access rights are not clearly defined anywhere and I'm looking for a quick way to get them for everyone. Let's say I have a user in my database that does not belong to any membership roles. However, they have been given access to do specific things to specific tables. For example, they can run select queries on table X and run update queries on table Y. I know I can find out what they have by going to the properties for each user. I would imagine, however, that there has to be a system table somewhere that has all of this defined in it and makes it easily queryable. What would this query look like?
FYI: I am working with SQL Server 2005
Update: Is there also a way to do this for all databases on the server?
Take a look at the Security Catalog Views, then check out MrDenny's answer here which gives a query to list a user's rights. I reproduce it here (tidied up to my liking).
SELECT [Schema] = sys.schemas.name
, [Object] = sys.objects.name
, username = sys.database_principals.name
, permissions_type = sys.database_permissions.type
, permission_name = sys.database_permissions.permission_name
, permission_state = sys.database_permissions.state
, state_desc = sys.database_permissions.state_desc
, permissionsql = state_desc + ' ' + permission_name
+ ' on ['+ sys.schemas.name + '].[' + sys.objects.name
+ '] to [' + sys.database_principals.name + ']'
COLLATE LATIN1_General_CI_AS
FROM sys.database_permissions
INNER JOIN sys.objects ON sys.database_permissions.major_id = sys.objects.object_id
INNER JOIN sys.schemas ON sys.objects.schema_id = sys.schemas.schema_id
INNER JOIN sys.database_principals ON sys.database_permissions.grantee_principal_id = sys.database_principals.principal_id
ORDER BY 1, 2, 3, 5
Things are a bit trickier actually. The effective permissions are a combination of internal database permissions (queryable as Denny's query shown above by doza) and Windows group membership. The latter unfortunately is stored outside SQL, in the AD schema, so you can't really query it.
So if your goal is to display 'Access to the table X is given to domain\someuser and domain\somegroup and denied to domain\someothergroup' then you can use the catalog metadata and query it, as shown in doza's post.
However if your goal is to answer 'Does user domain\someuser have access to table X?' you can't get the answer from the query above. That's right, despite the fact that you see a record saying the domain\someuser is granted access, you cannot answer if it has effective access. Remember that a single deny trumps all grants, and if domain\user is a member of the domain\someothergroup group then domain\someuser is effectively denied access.
To answer the latter question you must use a different mechanism, namely you have to impersonate the user at SQL level and check the permission via HAS_PERMS_BY_NAME:
EXECUTE AS USER = 'domain\someuser';
SELECT HAS_PERMS_BY_NAME('X','OBJECT','SELECT'); -- tables are checked with the OBJECT securable class
REVERT;
It is worth noting that the first question can be answered by anyone with view privileges on the security catalogs, while the latter requires impersonate permission, a much more powerful privilege.
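An added demonstration of the point above, not part of the original answers: the catalog shows a GRANT row for a user while a DENY on a group the user belongs to decides the effective result. All names (dbo.DemoX, demo_someuser, demo_somegroup) are constructed, and a database role stands in for the Windows group so the script runs in any scratch database without Active Directory.

```sql
-- Constructed demo objects; run in a scratch database you are allowed to modify.
CREATE TABLE dbo.DemoX (id int);
CREATE USER demo_someuser WITHOUT LOGIN;   -- stands in for domain\someuser
CREATE ROLE demo_somegroup;                -- stands in for domain\someothergroup
EXEC sp_addrolemember 'demo_somegroup', 'demo_someuser';

GRANT SELECT ON dbo.DemoX TO demo_someuser;   -- direct grant to the user
DENY  SELECT ON dbo.DemoX TO demo_somegroup;  -- deny on the group it belongs to

-- 1) What the catalog records: one row per grantee, grant and deny side by side.
SELECT  pr.name AS grantee_name,
        pe.state_desc,
        pe.permission_name,
        OBJECT_NAME(pe.major_id) AS object_name
FROM    sys.database_permissions AS pe
JOIN    sys.database_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class = 1
  AND   pe.major_id = OBJECT_ID('dbo.DemoX');

-- 2) What the engine enforces: evaluate inside the user's security context.
EXECUTE AS USER = 'demo_someuser';
SELECT HAS_PERMS_BY_NAME('dbo.DemoX', 'OBJECT', 'SELECT') AS has_effective_select;
SELECT permission_name                       -- effective permissions on the table
FROM   sys.fn_my_permissions('dbo.DemoX', 'OBJECT');
REVERT;

-- Clean up the constructed objects.
EXEC sp_droprolemember 'demo_somegroup', 'demo_someuser';
DROP ROLE  demo_somegroup;
DROP USER  demo_someuser;
DROP TABLE dbo.DemoX;
```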

How to Revoke SELECT Permission for system_views To public

I have the following T-SQL to display all the permissions granted to principals on my SQL server 2005:
select dp.NAME AS principal_name, --1
dp.type_desc AS principal_type_desc, --2
o.NAME AS object_name, --3
p.permission_name, --4
p.state_desc AS permission_state_desc --5
from sys.database_permissions p
left OUTER JOIN sys.all_objects o
on p.major_id = o.OBJECT_ID
inner JOIN sys.database_principals dp
on p.grantee_principal_id = dp.principal_id
order by principal_name, object_name
The result displays public with SELECT granted:
1 2 3 4 5
...
public DATABASE_ROLE system_views SELECT GRANT
....
I think object_name system_views is for all the views in my database Views|system_views folder. I tried the following T-SQL (just to see if it works by GRANT again):
GRANT SELECT ON system_views TO public
I got error "Cannot find the object 'system_views', because it does not exist or you don't have permission". I do connect the SQL server as sa.
My question is how to revoke SELECT permission on system_views for public (user or principal?) and roll the permission back if I have to. The second question is whether the revoke on system_views for public has any side effects for other users.
There's no reason to revoke rights to view the system views. Users can only see the objects that they already have access to, so they already know those objects exist.
If you want to grant a user the right to see all objects in the database then grant them view definition on the schema or the database.
select * from sys.system_views
Does public have VIEW DEFINITION on any of these?
I would highly recommend against mucking about with any of this.
You could just
DENY VIEW DEFINITION ON SCHEMA::DBO TO PUBLIC
public is a "special" role. Don't mess with it.
Every user is a member of public by default, for example.
Metadata visibility actually determines what a user sees. So even if someone does SELECT * FROM sys.columns, they will see only the columns for objects they have rights on. No other rights = only info on the columns for system views.
You're likely to break stuff if you do this, especially in SSMS or direct access clients (Access, Excel etc)
