请求已授予MSSQL列级别的选择权限。

huangapple go评论68阅读模式
英文:

Request granted select permissions on column level for MSSQL

问题

I can translate the code part for you:

-- 特定对象的权限
SELECT T.TABLE_TYPE AS OBJECT_TYPE, T.TABLE_SCHEMA AS [SCHEMA_NAME], T.TABLE_NAME AS [OBJECT_NAME], NULLIF(P.subentity_name, '') as COLUMN_NAME, P.PERMISSION_NAME
FROM INFORMATION_SCHEMA.TABLES T
CROSS APPLY fn_my_permissions(T.TABLE_SCHEMA + '.' + T.TABLE_NAME, 'OBJECT') P
WHERE T.TABLE_NAME = 'tablename'

If you have any further requests or questions, please let me know.

英文:

In the past I've granted a login SELECT permission for specific columns in a specific table.
I would now want to retrieve the granted permissions. This is my first attempt:

-- Specific per object rigths
SELECT T.TABLE_TYPE AS OBJECT_TYPE, T.TABLE_SCHEMA AS [SCHEMA_NAME], T.TABLE_NAME AS [OBJECT_NAME], NULLIF(P.subentity_name, '') as COLUMN_NAME, P.PERMISSION_NAME
FROM INFORMATION_SCHEMA.TABLES T
CROSS APPLY fn_my_permissions(T.TABLE_SCHEMA + '.' + T.TABLE_NAME, 'OBJECT') P
WHERE T.TABLE_NAME = 'tablename'

But this doesn't show who was granted access to which columns. SSMS itself doesn't grant any insight on this AFAIK.

How can this properly be requested?

答案1

得分: 1

Here is the translation of your script:

declare @loginname nvarchar(100)='intern';
declare
 @str nvarchar(max),@dbname nvarchar(max),@dbname1 nvarchar(max),@script nvarchar(max),@login nvarchar(50)

    IF OBJECT_ID('tempdb..#Results') IS NOT NULL
    DROP TABLE #Results

CREATE TABLE #Results
(   loginname         NVARCHAR(100),
    script            NVARCHAR(max),
    per_type          NVARCHAR(100)
)

    IF OBJECT_ID('tempdb..#Results1') IS NOT NULL
    DROP TABLE #Results1

CREATE TABLE #Results1
(
dbname NVARCHAR(100),
loginname         NVARCHAR(100),
    script            NVARCHAR(max),
    per_type          NVARCHAR(100)
)


DECLARE MyCursor CURSOR FOR

select name from master.sys.databases where
name not in ('aspnetdb')
and
is_read_only = 0 and state = 0


OPEN MyCursor
FETCH NEXT FROM MyCursor
into @dbname
WHILE @@FETCH_STATUS = 0
BEGIN

----Object_levels_permission----
set @str =
'use ['+@dbname+'];'+
'

SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name, CASE WHEN perm.state <> ''W'' THEN perm.state_desc ELSE ''GRANT'' END
    + SPACE(1) + perm.permission_name + SPACE(1) + ''ON '' + QUOTENAME(USER_NAME(obj.schema_id)) + ''.'' + QUOTENAME(obj.name)
    + CASE WHEN cl.column_id IS NULL THEN SPACE(0) ELSE ''('' + QUOTENAME(cl.name) + '')'' END
    + SPACE(1) + ''TO'' + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
    + CASE WHEN perm.state <> ''W'' THEN SPACE(0) ELSE SPACE(1) + ''WITH GRANT OPTION'' END AS ''--Object Level Permissions''
    , ''Object_levels_permission'' as Per_Type
FROM  sys.database_permissions AS perm
    INNER JOIN
    sys.objects AS obj
    ON perm.major_id = obj.[object_id]
    INNER JOIN
    sys.database_principals AS usr
    ON perm.grantee_principal_id = usr.principal_id
    LEFT JOIN
    sys.columns AS cl
    ON cl.column_id = perm.minor_id AND cl.[object_id] = perm.major_id
ORDER BY perm.permission_name ASC, perm.state_desc ASC';

insert into #Results
exec sp_executesql @str
----Databases_levels_permission----
set @str =
'use ['+@dbname+'];'+
'
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name,  CASE WHEN perm.state <> ''W'' THEN perm.state_desc ELSE ''GRANT'' END
    + SPACE(1) + perm.permission_name + SPACE(1)
    + SPACE(1) + ''TO'' + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
    + CASE WHEN perm.state <> ''W'' THEN SPACE(0) ELSE SPACE(1) + ''WITH GRANT OPTION'' END AS ''--Database Level Permissions''
    , ''Databases_levels_permission'' as Per_Type
FROM  sys.database_permissions AS perm
    INNER JOIN
    sys.database_principals AS usr
    ON perm.grantee_principal_id = usr.principal_id
WHERE  perm.major_id = 0
ORDER BY perm.permission_name ASC, perm.state_desc ASC';

insert into #Results
exec sp_executesql @str

----db_roles----
set @str =
'use ['+@dbname+'];'+
'SELECT DP2.name as login_name, ''EXEC sp_addrolemember [''+DP1.name+''],[''+DP2.name+'']''
, ''Database_roles'' as Per_Type
 FROM sys.database_role_members AS DRM
 RIGHT OUTER JOIN sys.database_principals AS DP1
   ON DRM.role_principal_id = DP1.principal_id
inner JOIN sys.database_principals AS DP2
   ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = ''R''
ORDER BY DP1.name';

insert into #Results
exec sp_executesql @str

if @dbname='master'
begin

----server_level_permissions----
set @str =
'use ['+@dbname+'];'+
'SELECT


        granteeserverprincipal.name AS grantee_principal_name
        , CASE
            WHEN sys.server_permissions.state = N''W''
                THEN N''GRANT''
            ELSE sys.server_permissions.state_desc
            END + N'' '' + sys.server_permissions.permission_name COLLATE SQL_Latin1_General_CP1_CI_AS + N'' TO '' + QUOTENAME(granteeserverprincipal.name) AS permissionstatement
    ,  sys.server_permissions.class_desc as per_type
FROM sys.server_principals AS granteeserverprincipal
INNER JOIN sys.server_permissions
    ON sys.server_permissions.grantee_principal_id = granteeserverprincipal.principal_id
INNER JOIN sys.server_principals AS grantorserverprinicipal
    ON grantorserverprinicipal.principal_id = sys.server_permissions.grantor_principal_id
    where sys.server_permissions.permission_name not like ''%connect%''  AND granteeserverprincipal.name not like  ''##MS%##''

ORDER BY granteeserverprincipal.name
    , sys.server_permissions.permission_name';

insert into #Results
exec sp_executesql @str

----server_roles----
set @str =
'use ['+@dbname+'];'+
'SELECT


      memberserverprincipal.name AS member_principal_name
    , N''ALTER SERVER ROLE '' + QUOTENAME(roles.name) + N'' ADD MEMBER '' + QUOTENAME(memberserverprincipal.name) AS AddRoleMembersStatement
    ,  roles.type_desc AS role_type_desc
FROM sys.server_principals AS roles
INNER JOIN sys.server_role_members
    ON sys.server_role_members.role_principal_id = roles.principal_id
INNER JOIN sys.server_principals AS memberserverprincipal
    ON memberserverprincipal.principal_id = sys.server_role_members.member_principal_id
WHERE roles.type = N''R''
ORDER BY
     member_principal_name';

insert into #Results
exec sp_executesql @str

end


insert into #Results1
select @dbname,loginname,'use '+@dbname+'; '+script as script,per_type from #Results

delete from #Results

FETCH NEXT FROM MyCursor
into @dbname
END
CLOSE MyCursor
DEALLOCATE MyCursor


select * from #Results1 where loginname=@loginname order by dbname,case when PATINDEX('%Connect%',script)>0 then 1 else 2 end

Please note that the code you provided is in SQL, and it appears to be a script for managing permissions and roles in a database. Make sure to run it in an appropriate SQL environment with necessary permissions.

英文:

This my script about get all permission for specific user. I have checked. In my case all are okay. Past as parameter your login name to my script.

declare @loginname nvarchar(100)=&#39;intern&#39;
declare
@str nvarchar(max),@dbname nvarchar(max),@dbname1 nvarchar(max),@script nvarchar(max),@login nvarchar(50)
IF OBJECT_ID(&#39;tempdb..#Results&#39;) IS NOT NULL
DROP TABLE #Results
CREATE TABLE #Results
(   loginname         NVARCHAR(100),
script            NVARCHAR(max),
per_type          NVARCHAR(100)
)
IF OBJECT_ID(&#39;tempdb..#Results1&#39;) IS NOT NULL
DROP TABLE #Results1
CREATE TABLE #Results1
(
dbname NVARCHAR(100),
loginname         NVARCHAR(100),
script            NVARCHAR(max),
per_type          NVARCHAR(100)
)
DECLARE MyCursor CURSOR FOR
select name from master.sys.databases where
name not in (&#39;aspnetdb&#39;)
and
is_read_only = 0 and state = 0
OPEN MyCursor
FETCH NEXT FROM MyCursor
into @dbname
WHILE @@FETCH_STATUS = 0
BEGIN
----Object_levels_permission----
set @str =
&#39;use [&#39;+@dbname+&#39;];&#39;+
&#39;
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name, CASE WHEN perm.state &lt;&gt; &#39;&#39;W&#39;&#39; THEN perm.state_desc ELSE &#39;&#39;GRANT&#39;&#39; END
+ SPACE(1) + perm.permission_name + SPACE(1) + &#39;&#39;ON &#39;&#39; + QUOTENAME(USER_NAME(obj.schema_id)) + &#39;&#39;.&#39;&#39; + QUOTENAME(obj.name)
+ CASE WHEN cl.column_id IS NULL THEN SPACE(0) ELSE &#39;&#39;(&#39;&#39; + QUOTENAME(cl.name) + &#39;&#39;)&#39;&#39; END
+ SPACE(1) + &#39;&#39;TO&#39;&#39; + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
+ CASE WHEN perm.state &lt;&gt; &#39;&#39;W&#39;&#39; THEN SPACE(0) ELSE SPACE(1) + &#39;&#39;WITH GRANT OPTION&#39;&#39; END AS &#39;&#39;--Object Level Permissions&#39;&#39;
, &#39;&#39;Object_levels_permission&#39;&#39; as Per_Type
FROM  sys.database_permissions AS perm
INNER JOIN
sys.objects AS obj
ON perm.major_id = obj.[object_id]
INNER JOIN
sys.database_principals AS usr
ON perm.grantee_principal_id = usr.principal_id
LEFT JOIN
sys.columns AS cl
ON cl.column_id = perm.minor_id AND cl.[object_id] = perm.major_id
ORDER BY perm.permission_name ASC, perm.state_desc ASC&#39;
insert into #Results
exec sp_executesql @str
----Databases_levels_permission----
set @str =
&#39;use [&#39;+@dbname+&#39;];&#39;+
&#39;
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name,  CASE WHEN perm.state &lt;&gt; &#39;&#39;W&#39;&#39; THEN perm.state_desc ELSE &#39;&#39;GRANT&#39;&#39; END
+ SPACE(1) + perm.permission_name + SPACE(1)
+ SPACE(1) + &#39;&#39;TO&#39;&#39; + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
+ CASE WHEN perm.state &lt;&gt; &#39;&#39;W&#39;&#39; THEN SPACE(0) ELSE SPACE(1) + &#39;&#39;WITH GRANT OPTION&#39;&#39; END AS &#39;&#39;--Database Level Permissions&#39;&#39;
, &#39;&#39;Databases_levels_permission&#39;&#39; as Per_Type
FROM  sys.database_permissions AS perm
INNER JOIN
sys.database_principals AS usr
ON perm.grantee_principal_id = usr.principal_id
WHERE  perm.major_id = 0
ORDER BY perm.permission_name ASC, perm.state_desc ASC&#39;
insert into #Results
exec sp_executesql @str
----db_roles----
set @str =
&#39;use [&#39;+@dbname+&#39;];&#39;+
&#39;SELECT DP2.name as login_name, &#39;&#39;EXEC sp_addrolemember [&#39;&#39;+DP1.name+&#39;&#39;],[&#39;&#39;+DP2.name+&#39;&#39;]&#39;&#39;
, &#39;&#39;Database_roles&#39;&#39; as Per_Type
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
inner JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = &#39;&#39;R&#39;&#39;
ORDER BY DP1.name&#39;
insert into #Results
exec sp_executesql @str
if @dbname=&#39;master&#39;
begin
----server_level_permissions----
set @str =
&#39;use [&#39;+@dbname+&#39;];&#39;+
&#39;SELECT
granteeserverprincipal.name AS grantee_principal_name
, CASE
WHEN sys.server_permissions.state = N&#39;&#39;W&#39;&#39;
THEN N&#39;&#39;GRANT&#39;&#39;
ELSE sys.server_permissions.state_desc
END + N&#39;&#39; &#39;&#39; + sys.server_permissions.permission_name COLLATE SQL_Latin1_General_CP1_CI_AS + N&#39;&#39; TO &#39;&#39; + QUOTENAME(granteeserverprincipal.name) AS permissionstatement
,  sys.server_permissions.class_desc as per_type
FROM sys.server_principals AS granteeserverprincipal
INNER JOIN sys.server_permissions
ON sys.server_permissions.grantee_principal_id = granteeserverprincipal.principal_id
INNER JOIN sys.server_principals AS grantorserverprinicipal
ON grantorserverprinicipal.principal_id = sys.server_permissions.grantor_principal_id
where sys.server_permissions.permission_name not like &#39;&#39;%connect%&#39;&#39;  AND granteeserverprincipal.name not like  &#39;&#39;##MS%##&#39;&#39;
ORDER BY granteeserverprincipal.name
, sys.server_permissions.permission_name&#39;
insert into #Results
exec sp_executesql @str
----server_roles----
set @str =
&#39;use [&#39;+@dbname+&#39;];&#39;+
&#39;SELECT
memberserverprincipal.name AS member_principal_name
, N&#39;&#39;ALTER SERVER ROLE &#39;&#39; + QUOTENAME(roles.name) + N&#39;&#39; ADD MEMBER &#39;&#39; + QUOTENAME(memberserverprincipal.name) AS AddRoleMembersStatement
,  roles.type_desc AS role_type_desc
FROM sys.server_principals AS roles
INNER JOIN sys.server_role_members
ON sys.server_role_members.role_principal_id = roles.principal_id
INNER JOIN sys.server_principals AS memberserverprincipal
ON memberserverprincipal.principal_id = sys.server_role_members.member_principal_id
WHERE roles.type = N&#39;&#39;R&#39;&#39;
ORDER BY
member_principal_name&#39;
insert into #Results
exec sp_executesql @str
end
insert into #Results1
select @dbname,loginname,&#39;use &#39;+@dbname+&#39;; &#39;+script as script,per_type from #Results
delete from #Results
FETCH NEXT FROM MyCursor
into @dbname
END
CLOSE MyCursor
DEALLOCATE MyCursor
select * from #Results1 where loginname=@loginname order by dbname,case when PATINDEX(&#39;%Connect%&#39;,script)&gt;0 then 1 else 2 end&#39;

I hope that all will be okay after running.

答案2

得分: 0

It seems I was wrong about this part:

> But this doesn't show who was granted access to which columns. SSMS
> itself doesn't grant any insight on this AFAIK.

When you open the table properties, first select one of the permission types which do support column level permissions, like 'Select'.

If you do, the Column Permissions button becomes available:
请求已授予MSSQL列级别的选择权限。

With which you can change and review the column level permissions.

英文:

It seems I was wrong about this part:

> But this doesn't show who was granted access to which columns. SSMS
> itself doesn't grant any insight on this AFAIK.

When you open the table properties, first select one of the permission types which do support column level permissions, like 'Select'.

If you do, the Column Permissions button becomes available:
请求已授予MSSQL列级别的选择权限。

With which you can change and review the column level permissions.

huangapple
  • 本文由 发表于 2023年4月6日 21:23:00
  • 转载请务必保留本文链接:https://go.coder-hub.com/75950041.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定