英文:
Request granted select permissions on column level for MSSQL
问题
I can translate the code part for you:
-- 特定对象的权限
SELECT T.TABLE_TYPE AS OBJECT_TYPE, T.TABLE_SCHEMA AS [SCHEMA_NAME], T.TABLE_NAME AS [OBJECT_NAME], NULLIF(P.subentity_name, '') as COLUMN_NAME, P.PERMISSION_NAME
FROM INFORMATION_SCHEMA.TABLES T
CROSS APPLY fn_my_permissions(T.TABLE_SCHEMA + '.' + T.TABLE_NAME, 'OBJECT') P
WHERE T.TABLE_NAME = 'tablename'
If you have any further requests or questions, please let me know.
英文:
In the past I've granted a login SELECT permission for specific columns in a specific table.
I would now want to retrieve the granted permissions. This is my first attempt:
-- Specific per object rigths
SELECT T.TABLE_TYPE AS OBJECT_TYPE, T.TABLE_SCHEMA AS [SCHEMA_NAME], T.TABLE_NAME AS [OBJECT_NAME], NULLIF(P.subentity_name, '') as COLUMN_NAME, P.PERMISSION_NAME
FROM INFORMATION_SCHEMA.TABLES T
CROSS APPLY fn_my_permissions(T.TABLE_SCHEMA + '.' + T.TABLE_NAME, 'OBJECT') P
WHERE T.TABLE_NAME = 'tablename'
But this doesn't show who was granted access to which columns. SSMS itself doesn't grant any insight on this AFAIK.
How can this properly be requested?
答案1
得分: 1
Here is the translation of your script:
declare @loginname nvarchar(100)='intern';
declare
@str nvarchar(max),@dbname nvarchar(max),@dbname1 nvarchar(max),@script nvarchar(max),@login nvarchar(50)
IF OBJECT_ID('tempdb..#Results') IS NOT NULL
DROP TABLE #Results
CREATE TABLE #Results
( loginname NVARCHAR(100),
script NVARCHAR(max),
per_type NVARCHAR(100)
)
IF OBJECT_ID('tempdb..#Results1') IS NOT NULL
DROP TABLE #Results1
CREATE TABLE #Results1
(
dbname NVARCHAR(100),
loginname NVARCHAR(100),
script NVARCHAR(max),
per_type NVARCHAR(100)
)
DECLARE MyCursor CURSOR FOR
select name from master.sys.databases where
name not in ('aspnetdb')
and
is_read_only = 0 and state = 0
OPEN MyCursor
FETCH NEXT FROM MyCursor
into @dbname
WHILE @@FETCH_STATUS = 0
BEGIN
----Object_levels_permission----
set @str =
'use ['+@dbname+'];'+
'
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name, CASE WHEN perm.state <> ''W'' THEN perm.state_desc ELSE ''GRANT'' END
+ SPACE(1) + perm.permission_name + SPACE(1) + ''ON '' + QUOTENAME(USER_NAME(obj.schema_id)) + ''.'' + QUOTENAME(obj.name)
+ CASE WHEN cl.column_id IS NULL THEN SPACE(0) ELSE ''('' + QUOTENAME(cl.name) + '')'' END
+ SPACE(1) + ''TO'' + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
+ CASE WHEN perm.state <> ''W'' THEN SPACE(0) ELSE SPACE(1) + ''WITH GRANT OPTION'' END AS ''--Object Level Permissions''
, ''Object_levels_permission'' as Per_Type
FROM sys.database_permissions AS perm
INNER JOIN
sys.objects AS obj
ON perm.major_id = obj.[object_id]
INNER JOIN
sys.database_principals AS usr
ON perm.grantee_principal_id = usr.principal_id
LEFT JOIN
sys.columns AS cl
ON cl.column_id = perm.minor_id AND cl.[object_id] = perm.major_id
ORDER BY perm.permission_name ASC, perm.state_desc ASC';
insert into #Results
exec sp_executesql @str
----Databases_levels_permission----
set @str =
'use ['+@dbname+'];'+
'
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name, CASE WHEN perm.state <> ''W'' THEN perm.state_desc ELSE ''GRANT'' END
+ SPACE(1) + perm.permission_name + SPACE(1)
+ SPACE(1) + ''TO'' + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
+ CASE WHEN perm.state <> ''W'' THEN SPACE(0) ELSE SPACE(1) + ''WITH GRANT OPTION'' END AS ''--Database Level Permissions''
, ''Databases_levels_permission'' as Per_Type
FROM sys.database_permissions AS perm
INNER JOIN
sys.database_principals AS usr
ON perm.grantee_principal_id = usr.principal_id
WHERE perm.major_id = 0
ORDER BY perm.permission_name ASC, perm.state_desc ASC';
insert into #Results
exec sp_executesql @str
----db_roles----
set @str =
'use ['+@dbname+'];'+
'SELECT DP2.name as login_name, ''EXEC sp_addrolemember [''+DP1.name+''],[''+DP2.name+'']''
, ''Database_roles'' as Per_Type
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
inner JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = ''R''
ORDER BY DP1.name';
insert into #Results
exec sp_executesql @str
if @dbname='master'
begin
----server_level_permissions----
set @str =
'use ['+@dbname+'];'+
'SELECT
granteeserverprincipal.name AS grantee_principal_name
, CASE
WHEN sys.server_permissions.state = N''W''
THEN N''GRANT''
ELSE sys.server_permissions.state_desc
END + N'' '' + sys.server_permissions.permission_name COLLATE SQL_Latin1_General_CP1_CI_AS + N'' TO '' + QUOTENAME(granteeserverprincipal.name) AS permissionstatement
, sys.server_permissions.class_desc as per_type
FROM sys.server_principals AS granteeserverprincipal
INNER JOIN sys.server_permissions
ON sys.server_permissions.grantee_principal_id = granteeserverprincipal.principal_id
INNER JOIN sys.server_principals AS grantorserverprinicipal
ON grantorserverprinicipal.principal_id = sys.server_permissions.grantor_principal_id
where sys.server_permissions.permission_name not like ''%connect%'' AND granteeserverprincipal.name not like ''##MS%##''
ORDER BY granteeserverprincipal.name
, sys.server_permissions.permission_name';
insert into #Results
exec sp_executesql @str
----server_roles----
set @str =
'use ['+@dbname+'];'+
'SELECT
memberserverprincipal.name AS member_principal_name
, N''ALTER SERVER ROLE '' + QUOTENAME(roles.name) + N'' ADD MEMBER '' + QUOTENAME(memberserverprincipal.name) AS AddRoleMembersStatement
, roles.type_desc AS role_type_desc
FROM sys.server_principals AS roles
INNER JOIN sys.server_role_members
ON sys.server_role_members.role_principal_id = roles.principal_id
INNER JOIN sys.server_principals AS memberserverprincipal
ON memberserverprincipal.principal_id = sys.server_role_members.member_principal_id
WHERE roles.type = N''R''
ORDER BY
member_principal_name';
insert into #Results
exec sp_executesql @str
end
insert into #Results1
select @dbname,loginname,'use '+@dbname+'; '+script as script,per_type from #Results
delete from #Results
FETCH NEXT FROM MyCursor
into @dbname
END
CLOSE MyCursor
DEALLOCATE MyCursor
select * from #Results1 where loginname=@loginname order by dbname,case when PATINDEX('%Connect%',script)>0 then 1 else 2 end
Please note that the code you provided is in SQL, and it appears to be a script for managing permissions and roles in a database. Make sure to run it in an appropriate SQL environment with necessary permissions.
英文:
This my script about get all permission for specific user. I have checked. In my case all are okay. Past as parameter your login name to my script.
declare @loginname nvarchar(100)='intern'
declare
@str nvarchar(max),@dbname nvarchar(max),@dbname1 nvarchar(max),@script nvarchar(max),@login nvarchar(50)
IF OBJECT_ID('tempdb..#Results') IS NOT NULL
DROP TABLE #Results
CREATE TABLE #Results
( loginname NVARCHAR(100),
script NVARCHAR(max),
per_type NVARCHAR(100)
)
IF OBJECT_ID('tempdb..#Results1') IS NOT NULL
DROP TABLE #Results1
CREATE TABLE #Results1
(
dbname NVARCHAR(100),
loginname NVARCHAR(100),
script NVARCHAR(max),
per_type NVARCHAR(100)
)
DECLARE MyCursor CURSOR FOR
select name from master.sys.databases where
name not in ('aspnetdb')
and
is_read_only = 0 and state = 0
OPEN MyCursor
FETCH NEXT FROM MyCursor
into @dbname
WHILE @@FETCH_STATUS = 0
BEGIN
----Object_levels_permission----
set @str =
'use ['+@dbname+'];'+
'
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name, CASE WHEN perm.state <> ''W'' THEN perm.state_desc ELSE ''GRANT'' END
+ SPACE(1) + perm.permission_name + SPACE(1) + ''ON '' + QUOTENAME(USER_NAME(obj.schema_id)) + ''.'' + QUOTENAME(obj.name)
+ CASE WHEN cl.column_id IS NULL THEN SPACE(0) ELSE ''('' + QUOTENAME(cl.name) + '')'' END
+ SPACE(1) + ''TO'' + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
+ CASE WHEN perm.state <> ''W'' THEN SPACE(0) ELSE SPACE(1) + ''WITH GRANT OPTION'' END AS ''--Object Level Permissions''
, ''Object_levels_permission'' as Per_Type
FROM sys.database_permissions AS perm
INNER JOIN
sys.objects AS obj
ON perm.major_id = obj.[object_id]
INNER JOIN
sys.database_principals AS usr
ON perm.grantee_principal_id = usr.principal_id
LEFT JOIN
sys.columns AS cl
ON cl.column_id = perm.minor_id AND cl.[object_id] = perm.major_id
ORDER BY perm.permission_name ASC, perm.state_desc ASC'
insert into #Results
exec sp_executesql @str
----Databases_levels_permission----
set @str =
'use ['+@dbname+'];'+
'
SELECT USER_NAME(usr.principal_id) COLLATE database_default as login_name, CASE WHEN perm.state <> ''W'' THEN perm.state_desc ELSE ''GRANT'' END
+ SPACE(1) + perm.permission_name + SPACE(1)
+ SPACE(1) + ''TO'' + SPACE(1) + QUOTENAME(USER_NAME(usr.principal_id)) COLLATE database_default
+ CASE WHEN perm.state <> ''W'' THEN SPACE(0) ELSE SPACE(1) + ''WITH GRANT OPTION'' END AS ''--Database Level Permissions''
, ''Databases_levels_permission'' as Per_Type
FROM sys.database_permissions AS perm
INNER JOIN
sys.database_principals AS usr
ON perm.grantee_principal_id = usr.principal_id
WHERE perm.major_id = 0
ORDER BY perm.permission_name ASC, perm.state_desc ASC'
insert into #Results
exec sp_executesql @str
----db_roles----
set @str =
'use ['+@dbname+'];'+
'SELECT DP2.name as login_name, ''EXEC sp_addrolemember [''+DP1.name+''],[''+DP2.name+'']''
, ''Database_roles'' as Per_Type
FROM sys.database_role_members AS DRM
RIGHT OUTER JOIN sys.database_principals AS DP1
ON DRM.role_principal_id = DP1.principal_id
inner JOIN sys.database_principals AS DP2
ON DRM.member_principal_id = DP2.principal_id
WHERE DP1.type = ''R''
ORDER BY DP1.name'
insert into #Results
exec sp_executesql @str
if @dbname='master'
begin
----server_level_permissions----
set @str =
'use ['+@dbname+'];'+
'SELECT
granteeserverprincipal.name AS grantee_principal_name
, CASE
WHEN sys.server_permissions.state = N''W''
THEN N''GRANT''
ELSE sys.server_permissions.state_desc
END + N'' '' + sys.server_permissions.permission_name COLLATE SQL_Latin1_General_CP1_CI_AS + N'' TO '' + QUOTENAME(granteeserverprincipal.name) AS permissionstatement
, sys.server_permissions.class_desc as per_type
FROM sys.server_principals AS granteeserverprincipal
INNER JOIN sys.server_permissions
ON sys.server_permissions.grantee_principal_id = granteeserverprincipal.principal_id
INNER JOIN sys.server_principals AS grantorserverprinicipal
ON grantorserverprinicipal.principal_id = sys.server_permissions.grantor_principal_id
where sys.server_permissions.permission_name not like ''%connect%'' AND granteeserverprincipal.name not like ''##MS%##''
ORDER BY granteeserverprincipal.name
, sys.server_permissions.permission_name'
insert into #Results
exec sp_executesql @str
----server_roles----
set @str =
'use ['+@dbname+'];'+
'SELECT
memberserverprincipal.name AS member_principal_name
, N''ALTER SERVER ROLE '' + QUOTENAME(roles.name) + N'' ADD MEMBER '' + QUOTENAME(memberserverprincipal.name) AS AddRoleMembersStatement
, roles.type_desc AS role_type_desc
FROM sys.server_principals AS roles
INNER JOIN sys.server_role_members
ON sys.server_role_members.role_principal_id = roles.principal_id
INNER JOIN sys.server_principals AS memberserverprincipal
ON memberserverprincipal.principal_id = sys.server_role_members.member_principal_id
WHERE roles.type = N''R''
ORDER BY
member_principal_name'
insert into #Results
exec sp_executesql @str
end
insert into #Results1
select @dbname,loginname,'use '+@dbname+'; '+script as script,per_type from #Results
delete from #Results
FETCH NEXT FROM MyCursor
into @dbname
END
CLOSE MyCursor
DEALLOCATE MyCursor
select * from #Results1 where loginname=@loginname order by dbname,case when PATINDEX('%Connect%',script)>0 then 1 else 2 end'
I hope that all will be okay after running.
答案2
得分: 0
It seems I was wrong about this part:
> But this doesn't show who was granted access to which columns. SSMS
> itself doesn't grant any insight on this AFAIK.
When you open the table properties, first select one of the permission types which do support column level permissions, like 'Select'.
If you do, the Column Permissions button becomes available:
With which you can change and review the column level permissions.
英文:
It seems I was wrong about this part:
> But this doesn't show who was granted access to which columns. SSMS
> itself doesn't grant any insight on this AFAIK.
When you open the table properties, first select one of the permission types which do support column level permissions, like 'Select'.
If you do, the Column Permissions button becomes available:
With which you can change and review the column level permissions.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论