How to fix a SQL Server query for all security/permissions/access of all users/roles/etc. in a database
Based on "SQL Server query to find all permissions/access for all users in a database"
The edited version of the security audit script below does not seem to show all security/permissions.
If I run fn_my_permissions in the database:
SELECT DB_NAME() AS dbname,* FROM fn_my_permissions('MY_DOMAIN\MY_USER_NAME','USER')
I see the following permissions:
- IMPERSONATE
- VIEW DEFINITION
- ALTER
- CONTROL
If I run fn_my_permissions as myself (a non-sysadmin user) in 3 databases on the same database server, the 4 permissions show up in only 1 of the 3 databases, but if a sysadmin user runs it they see all 4 permissions in all 3 databases.
If I run the security audit script below, these 4 permissions do not show up at all, even in the 1 database where fn_my_permissions lists them. Any idea how to achieve this?
Security audit script
-- NOTE: not all data will be listed if you are not a database administrator (eg: IMPERSONATE missing).
--       Catalog views only expose metadata on securables the caller has some permission on, and
--       sys.login_token only holds the tokens of the CURRENT login, so Windows group names are
--       resolved only for the caller's own groups.
DECLARE @l_user_name VARCHAR(250) = '%'   -- '%' for all, 'DOMAIN\DB_USER', '{All Users}'
DECLARE @l_excl_public CHAR(1) = 'N'      -- Y = exclude 'public', N = include.

-- Details of current connection
SELECT @@SERVERNAME    AS ServerName
      ,DB_NAME()       AS DatabaseName
      ,CURRENT_USER    AS CurrentUser
      ,USER_NAME()     AS UserName
      ,SYSTEM_USER     AS SystemUser
      ,SUSER_SNAME()   AS SUserSname
      ,@@SPID          AS SpId
      ,HOST_NAME()     AS HostName
      ,@l_user_name    AS l_user_name
      ,@l_excl_public  AS l_excl_public

/*---------------------------------------------------------------------------------------
Security Audit Report
Source: https://stackoverflow.com/questions/7048839/sql-server-query-to-find-all-permissions-access-for-all-users-in-a-database
Edited Version
1) List all access provisioned to an SQL user or Windows user/group directly
2) List all access provisioned to an SQL user or Windows user/group through a database or application role
3) List all access provisioned to the public role
4) List permissions for non database_principals (eg GRANT SELECT on database objects)
5) List SysAdmin Users

Columns Returned:
UserName        : SQL or Windows/Active Directory user account. This could also be an Active Directory group.
UserType        : Value will be either 'SQL User' or 'Windows User'. This reflects the type of user defined for the
                  SQL Server user account.
DatabaseUserName: Name of the associated user as defined in the database user account. The database user may not be the
                  same as the server user. (Commented out in this edited version.)
Role            : The role name. This will be NULL if the associated permissions to the object are defined directly
                  on the user account, otherwise this will be the name of the role that the user is a member of.
PermissionType  : Type of permissions the user/role has on an object. Examples could include CONNECT, EXECUTE, SELECT,
                  DELETE, INSERT, ALTER, CONTROL, TAKE OWNERSHIP, VIEW DEFINITION, etc.
                  This value may not be populated for all roles. Some built-in roles have implicit permission
                  definitions.
PermissionState : Reflects the state of the permission type, examples could include GRANT, DENY, etc.
                  This value may not be populated for all roles. Some built-in roles have implicit permission
                  definitions.
ObjectType      : Type of object the user/role is assigned permissions on. Examples could include USER_TABLE,
                  SQL_SCALAR_FUNCTION, SQL_INLINE_TABLE_VALUED_FUNCTION, SQL_STORED_PROCEDURE, VIEW, etc.
                  This value may not be populated for all roles. Some built-in roles have implicit permission
                  definitions.
ObjectName      : Name of the object that the user/role is assigned permissions on.
                  This value may not be populated for all roles. Some built-in roles have implicit permission
                  definitions.
ColumnName      : Name of the column of the object that the user/role is assigned permissions on. This value
                  is only populated if the object is a table, view or a table value function.

Every branch of the UNION below returns the same 10 columns in the same order:
src, UserName, UserType, Role, PermissionType, PermissionState, ObjectType, Schema, ObjectName, ColumnName
---------------------------------------------------------------------------------------*/

-- 1) List all access provisioned to a user (eg: SQL user, Windows user/group, etc) directly
SELECT
     1 AS src
    ,COALESCE(princ.[name], ulogin.[name]) COLLATE Latin1_General_CI_AI AS [UserName]
    ,CASE princ.[type]
        WHEN 'A' THEN 'Appl Role'
        WHEN 'C' THEN 'User mapped to cert'
        WHEN 'E' THEN 'Ext User from AD'
        WHEN 'G' THEN 'Windows Grp'
        WHEN 'K' THEN 'User mapped to asym key'
        WHEN 'R' THEN 'Database Role'
        WHEN 'S' THEN 'SQL User'
        WHEN 'U' THEN 'Windows User'
        WHEN 'X' THEN 'Ext Grp from AD'
     END AS [UserType]
    --,princ.[name] AS [DatabaseUserName]
    ,NULL AS [Role]
    ,perm.[permission_name] AS [PermissionType]
    ,perm.[state_desc] AS [PermissionState]
    --,obj.type_desc AS [ObjectType]
    ,CASE perm.[class]
        WHEN 1 THEN obj.type_desc        -- Schema-contained objects
        ELSE perm.[class_desc]           -- Higher-level objects
     END AS [ObjectType]
    --,perm.[class_desc] AS [ClassDesc]
    ,SCHEMA_NAME(obj.schema_id) AS [Schema]
    --,OBJECT_NAME(perm.major_id) AS [ObjectName]
    ,CASE perm.[class]
        WHEN 1 THEN OBJECT_NAME(perm.major_id)   -- General objects
        WHEN 3 THEN SCHEMA_NAME(perm.major_id)   -- Schemas
        WHEN 4 THEN imp.[name]                   -- Impersonations (database principals)
     END AS [ObjectName]
    ,col.[name] AS [ColumnName]
-- Database user
FROM sys.database_principals princ
-- Login accounts (current login's token only, see NOTE above)
LEFT OUTER JOIN sys.login_token ulogin
    ON princ.[sid] = ulogin.[sid]
-- Permissions granted directly to the user
LEFT OUTER JOIN sys.database_permissions perm
    ON perm.[grantee_principal_id] = princ.[principal_id]
-- Table columns (column-level grants have minor_id = column_id)
LEFT OUTER JOIN sys.columns col
    ON col.[object_id] = perm.major_id
   AND col.[column_id] = perm.[minor_id]
-- Objects
LEFT OUTER JOIN sys.objects obj
    ON perm.[major_id] = obj.[object_id]
-- Impersonations: for class 4 major_id is the principal_id of the impersonated user
LEFT OUTER JOIN sys.database_principals imp
    ON imp.[principal_id] = perm.[major_id]
   AND perm.[class] = 4
--WHERE princ.[type] IN ('S','U','G')
--AND princ.[name] NOT IN ('sys','INFORMATION_SCHEMA') -- No need for these system accounts
WHERE (princ.[name] LIKE @l_user_name OR ulogin.[name] LIKE @l_user_name)
  AND (@l_excl_public = 'N' OR COALESCE(princ.[name], ulogin.[name]) <> 'public' COLLATE Latin1_General_CI_AI)

UNION

-- 2) List all access provisioned to a user (eg: SQL user, etc) through a database or application role
--    NOTE: fixed roles (db_owner, db_datareader, ...) have no rows in sys.database_permissions, so their
--    members show up with NULL permissions, and nested role membership is not expanded here.
SELECT
     2 AS src
    ,COALESCE(memberprinc.[name], ulogin.[name]) COLLATE Latin1_General_CI_AI AS [UserName]
    ,CASE memberprinc.[type]
        WHEN 'A' THEN 'Appl Role'
        WHEN 'C' THEN 'User mapped to cert'
        WHEN 'E' THEN 'Ext User from AD'
        WHEN 'G' THEN 'Windows Grp'
        WHEN 'K' THEN 'User mapped to asym key'
        WHEN 'R' THEN 'Database Role'
        WHEN 'S' THEN 'SQL User'
        WHEN 'U' THEN 'Windows User'
        WHEN 'X' THEN 'Ext Grp from AD'
     END AS [UserType]
    --,memberprinc.[name] AS [DatabaseUserName]
    ,roleprinc.[name] AS [Role]
    ,perm.[permission_name] AS [PermissionType]
    ,perm.[state_desc] AS [PermissionState]
    ,obj.type_desc AS [ObjectType]
    ,SCHEMA_NAME(obj.schema_id) AS [Schema]
    ,CASE perm.[class]                           -- restored so this branch matches branch 1
        WHEN 1 THEN OBJECT_NAME(perm.major_id)   -- General objects
        WHEN 3 THEN SCHEMA_NAME(perm.major_id)   -- Schemas
     END AS [ObjectName]
    ,col.[name] AS [ColumnName]
-- Role/member associations
FROM sys.database_role_members members
-- Roles
LEFT OUTER JOIN sys.database_principals roleprinc
    ON roleprinc.[principal_id] = members.[role_principal_id]
-- Role members (database users)
LEFT OUTER JOIN sys.database_principals memberprinc
    ON memberprinc.[principal_id] = members.[member_principal_id]
-- Login accounts
LEFT OUTER JOIN sys.login_token ulogin
    ON memberprinc.[sid] = ulogin.[sid]
-- Permissions granted to the role
LEFT OUTER JOIN sys.database_permissions perm
    ON perm.[grantee_principal_id] = roleprinc.[principal_id]
-- Table columns
LEFT OUTER JOIN sys.columns col
    ON col.[object_id] = perm.major_id
   AND col.[column_id] = perm.[minor_id]
-- Objects
LEFT OUTER JOIN sys.objects obj
    ON perm.[major_id] = obj.[object_id]
WHERE (memberprinc.[name] LIKE @l_user_name OR ulogin.[name] LIKE @l_user_name)

UNION

-- 3) List all access provisioned to the public role, which everyone gets by default
SELECT
     3 AS src
    ,'{All Users}' AS [UserName]
    ,'{All Users}' AS [UserType]
    --,'{All Users}' AS [DatabaseUserName]
    ,roleprinc.[name] AS [Role]
    ,perm.[permission_name] AS [PermissionType]
    ,perm.[state_desc] AS [PermissionState]
    ,CASE perm.[class]
        WHEN 1 THEN obj.[type_desc]      -- Schema-contained objects
        ELSE perm.[class_desc]           -- Higher-level objects
     END AS [ObjectType]
    ,SCHEMA_NAME(obj.schema_id) AS [Schema]
    ,CASE perm.[class]
        WHEN 3 THEN SCHEMA_NAME(perm.[major_id])   -- Schemas
        WHEN 4 THEN imp.[name]                     -- Impersonations
        ELSE OBJECT_NAME(perm.[major_id])          -- General objects
     END AS [ObjectName]
    ,col.[name] AS [ColumnName]
-- Roles
FROM sys.database_principals roleprinc
-- Role permissions
LEFT OUTER JOIN sys.database_permissions perm
    ON perm.[grantee_principal_id] = roleprinc.[principal_id]
-- Table columns
LEFT OUTER JOIN sys.columns col
    ON col.[object_id] = perm.major_id
   AND col.[column_id] = perm.[minor_id]
-- All objects
LEFT OUTER JOIN sys.objects obj
    ON obj.[object_id] = perm.[major_id]
-- Impersonations
LEFT OUTER JOIN sys.database_principals AS imp
    ON imp.[principal_id] = perm.[major_id]
   AND perm.[class] = 4
WHERE roleprinc.[type] = 'R'                                   -- Only roles
  AND roleprinc.[name] = 'public'                              -- Only public role
  AND ISNULL(obj.[is_ms_shipped], 0) = 0                       -- Only objects of ours, not the MS objects
  AND ISNULL(OBJECT_SCHEMA_NAME(perm.[major_id]), '') <> 'sys'
  AND @l_excl_public <> 'Y'
  --AND '{All Users}' LIKE @l_user_name

UNION

-- 4) List permissions whose grantee is not (visible as) a database principal
SELECT
     4 AS src
    ,USER_NAME(perm.grantee_principal_id) COLLATE Latin1_General_CI_AI AS [UserName]
    ,NULL AS [UserType]
    --,NULL AS [DatabaseUserName]
    ,NULL AS [Role]
    ,perm.[permission_name] AS [PermissionType]
    ,perm.[state_desc] AS [PermissionState]
    ,perm.[class_desc] AS [ObjectType]
    ,SCHEMA_NAME(obj.schema_id) AS [Schema]
    ,CASE perm.[class]
        WHEN 0 THEN DB_NAME()                    -- The database itself
        WHEN 1 THEN OBJECT_NAME(perm.major_id)   -- General objects
        WHEN 3 THEN SCHEMA_NAME(perm.major_id)   -- Schemas
     END AS [ObjectName]
    ,col.[name] AS [ColumnName]
-- Permissions
FROM sys.database_permissions perm
-- Table columns
LEFT OUTER JOIN sys.columns col
    ON col.[object_id] = perm.major_id
   AND col.[column_id] = perm.[minor_id]
-- All objects
LEFT OUTER JOIN sys.objects obj
    ON obj.[object_id] = perm.[major_id]
-- Grantee, if it resolves to a database principal
LEFT OUTER JOIN sys.database_principals roleprinc
    ON roleprinc.[principal_id] = perm.[grantee_principal_id]
WHERE roleprinc.principal_id IS NULL
  -- USER_NAME() is NULL for a grantee that cannot be resolved, and NULL LIKE '%' is not true,
  -- so compare against '' to keep those rows when @l_user_name is '%'
  AND ISNULL(USER_NAME(perm.grantee_principal_id), '') LIKE @l_user_name

UNION

-- 5) List SysAdmin Users
--    NOTE: no sysadmin filter is applied here, so this lists every matching login and its server-level
--    permissions; add IS_SRVROLEMEMBER('sysadmin', sprinc.[name]) = 1 to the WHERE to restrict it.
SELECT --DISTINCT
     5 AS src
    ,sprinc.[name] COLLATE Latin1_General_CI_AI AS [UserName]
    ,CASE sprinc.[type]
        WHEN 'A' THEN 'Appl Role'
        WHEN 'C' THEN 'User mapped to cert'
        WHEN 'E' THEN 'Ext User from AD'
        WHEN 'G' THEN 'Windows Grp'
        WHEN 'K' THEN 'User mapped to asym key'
        WHEN 'R' THEN 'Database Role'
        WHEN 'S' THEN 'SQL User'
        WHEN 'U' THEN 'Windows User'
        WHEN 'X' THEN 'Ext Grp from AD'
     END AS [UserType]
    --,NULL AS [DatabaseUserName]
    ,NULL AS [Role]
    ,sprinc2.[permission_name] AS [PermissionType]
    ,sprinc2.[state_desc] AS [PermissionState]
    ,NULL AS [ObjectType]
    --,NULL AS [ClassDesc]
    ,NULL AS [Schema]
    ,NULL AS [ObjectName]
    ,NULL AS [ColumnName]
FROM sys.server_principals sprinc
--LEFT OUTER JOIN sys.syslogins sl
--    ON sprinc.sid = sl.sid
LEFT OUTER JOIN sys.server_permissions sprinc2
    ON sprinc.principal_id = sprinc2.grantee_principal_id
WHERE sprinc.[name] LIKE @l_user_name
--AND sprinc.type_desc IN ('SQL_LOGIN','WINDOWS_LOGIN','WINDOWS_GROUP')
--AND sprinc.[name] NOT LIKE '##%' -- Logins that are not process logins
ORDER BY
     [UserName], [ObjectName], [ColumnName], [PermissionType], [PermissionState], [ObjectType]
    --,[ClassDesc]
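Added example (not from the original post) showing why fn_my_permissions and the catalog-based audit disagree: fn_my_permissions reports the effective permissions of the caller on the named securable, including rights implied by role membership such as db_owner, whereas sys.database_permissions holds only explicit GRANT/DENY rows. The user names are constructed for the demo; it assumes it is run in a scratch database by a caller who can create users and impersonate them (for example dbo).

```sql
-- Demo users (constructed names); WITHOUT LOGIN keeps this inside the scratch database
CREATE USER audit_target  WITHOUT LOGIN;   -- the securable being inspected (class USER)
CREATE USER audit_viewer  WITHOUT LOGIN;   -- receives one explicit grant
CREATE USER audit_dbowner WITHOUT LOGIN;   -- receives nothing explicit, only a fixed-role membership
ALTER ROLE db_owner ADD MEMBER audit_dbowner;

-- The only explicit permission on audit_target: this is the only thing that will ever be a
-- row in sys.database_permissions for that principal
GRANT VIEW DEFINITION ON USER::audit_target TO audit_viewer;

-- (1) What a catalog-based audit sees: explicit entries only.
--     class 4 = DATABASE_PRINCIPAL, major_id = principal_id of the user the grant is on.
SELECT USER_NAME(p.grantee_principal_id) AS grantee,
       p.permission_name,
       p.state_desc
FROM   sys.database_permissions AS p
WHERE  p.class    = 4
  AND  p.major_id = DATABASE_PRINCIPAL_ID('audit_target');

-- (2) What fn_my_permissions sees: the CALLER's effective rights on audit_target.
--     Switch caller with EXECUTE AS so each user's own view is shown.
EXECUTE AS USER = 'audit_viewer';
SELECT 'audit_viewer' AS caller, permission_name
FROM   fn_my_permissions('audit_target', 'USER');
REVERT;

EXECUTE AS USER = 'audit_dbowner';
SELECT 'audit_dbowner' AS caller, permission_name
FROM   fn_my_permissions('audit_target', 'USER');
REVERT;
-- audit_dbowner has no row in (1): its rights on audit_target come from db_owner membership,
-- so an audit built on sys.database_permissions must also expand role membership
-- (sys.database_role_members, including fixed roles) rather than expect GRANT rows.

-- Clean up
ALTER ROLE db_owner DROP MEMBER audit_dbowner;
DROP USER audit_dbowner;
DROP USER audit_viewer;
DROP USER audit_target;
```

Run it as a non-sysadmin, non-dbo caller and query (1) shrinks further, because catalog views only return rows on securables the caller has some permission on, which is the second reason the audit script shows less than fn_my_permissions.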