Thursday, 14 July 2011

Effective Permissions on a Database

written by David Postlethwaite

Ever wondered who has what access to your database, or to a particular object within it? With the ever-increasing need to keep permissions to a minimum, this is becoming more important.

If you are using Active Directory groups to assign permissions to your servers and databases, it is not always obvious what the combined permissions are for a particular user who is a member of several groups. You can check the effective permissions a user has on a database by impersonating that user with EXECUTE AS and calling fn_my_permissions, as below. Thus far I have been unable to find where this is exposed in SQL Server Management Studio (SSMS).

use databaseName
EXECUTE AS USER = 'domain\fred';
SELECT * FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;  -- switch back to your own context; otherwise the session stays impersonated

This only works for accounts that exist as a user in the database (i.e. they have been granted something at database level, so there is a database principal to impersonate). If you try it with a sysadmin account that gets its access purely through the server role and has no user mapped in the database, you will get an error like this:

Msg 916, Level 14, State 1, Line 1
The server principal "domain\serviceAccount" is not able to access the database "databaseName" under the current security context.

It has been useful in finding accounts that have managed to get full permissions by virtue of being mapped to the dbo user (for example because the login owns the database); such accounts show up with CONTROL on the database, something which is not immediately obvious in SSMS.
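Doing this one user at a time gets tedious, so here is an added example (not code from the original post) that walks every impersonable user in the current database, records what fn_my_permissions returns for each, and lists anyone holding CONTROL first. It assumes you are running as sysadmin or db_owner (needed to EXECUTE AS another user) and that `databaseName` is a placeholder. Users whose impersonation fails (for example orphaned users whose login no longer exists) are reported with the error message instead of aborting the whole run. Windows groups (type 'G') are left out because a group cannot be impersonated directly; impersonate a member of the group instead.

```sql
-- Added example: effective database-level permissions of every user, in one pass.
-- Assumes sysadmin/db_owner rights and a placeholder database name.
USE databaseName;
GO

SET NOCOUNT ON;

-- Collect results here so the loop can run as a single batch.
DECLARE @results TABLE (
    user_name       nvarchar(128),
    login_name      nvarchar(128) NULL,   -- server login mapped to the user, if any
    permission_name nvarchar(128) NULL,
    note            nvarchar(2048) NULL   -- error text when impersonation fails
);

DECLARE @user  nvarchar(128);
DECLARE @login nvarchar(128);

-- SQL users ('S') and Windows users ('U') only; roles, Windows groups and the
-- built-in INFORMATION_SCHEMA / sys / guest principals are skipped.
DECLARE user_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT dp.name, sp.name
    FROM sys.database_principals AS dp
    LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
    WHERE dp.type IN ('S', 'U')
      AND dp.name NOT IN ('INFORMATION_SCHEMA', 'sys', 'guest');

OPEN user_cur;
FETCH NEXT FROM user_cur INTO @user, @login;
WHILE @@FETCH_STATUS = 0
BEGIN
    BEGIN TRY
        EXECUTE AS USER = @user;   -- a variable is allowed here
        INSERT INTO @results (user_name, login_name, permission_name)
        SELECT @user, @login, permission_name
        FROM fn_my_permissions(NULL, 'DATABASE');
        REVERT;
    END TRY
    BEGIN CATCH
        -- Orphaned users, users that cannot be impersonated, etc.: record and move on.
        INSERT INTO @results (user_name, login_name, note)
        VALUES (@user, @login, ERROR_MESSAGE());
    END CATCH;
    FETCH NEXT FROM user_cur INTO @user, @login;
END;
CLOSE user_cur;
DEALLOCATE user_cur;

-- Anyone holding CONTROL on the database is effectively dbo, however SSMS presents them.
SELECT user_name, login_name, permission_name, note
FROM @results
ORDER BY CASE WHEN permission_name = 'CONTROL' THEN 0 ELSE 1 END,
         user_name, permission_name;
```

The login_name column is what makes the dbo case visible: the dbo user's SID is the SID of the database owner's login, so the join against sys.server_principals shows which login is really behind it.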

Moving down to a more granular level, it is also possible to check the permissions a user holds on a specific object, such as a stored procedure, in a database:

use databaseName
EXECUTE AS USER = 'domain\fred';
SELECT * FROM fn_my_permissions('dbo.storedproc1', 'OBJECT')
ORDER BY subentity_name, permission_name;
REVERT;

Note that, according to the SQL Server documentation, fn_my_permissions returns the permissions the impersonated user effectively holds on the securable, including those that come through role membership, at object level just as at database level. The same information is available in SSMS on the Permissions page of the object's properties.

And if you need to grant permissions on an object, here is the syntax:

GRANT EXECUTE ON dbo.storedProc1 TO [domain\fred];
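To see the grant and the check working together without needing a domain account, here is an added example (not from the original post) that grants EXECUTE through a database role and then verifies, under impersonation, what the user actually ends up with on the procedure. All of the names (`perm_test_user`, `perm_test_role`, `dbo.perm_test_proc`) are placeholders created for the test and dropped again at the end; `databaseName` is a placeholder too.

```sql
-- Added example: grant via a role, verify with fn_my_permissions, clean up.
-- Placeholder names throughout; run in a scratch database.
USE databaseName;
GO

-- A user WITHOUT LOGIN is enough to exercise permission checks.
CREATE USER perm_test_user WITHOUT LOGIN;
CREATE ROLE perm_test_role;
EXEC sp_addrolemember 'perm_test_role', 'perm_test_user';
GO

CREATE PROCEDURE dbo.perm_test_proc AS SELECT 1 AS ok;
GO

-- Nothing is granted to the user directly; only the role gets EXECUTE.
GRANT EXECUTE ON dbo.perm_test_proc TO perm_test_role;
GO

-- Check as the user: the role's grant should appear as an EXECUTE row.
EXECUTE AS USER = 'perm_test_user';
SELECT USER_NAME() AS running_as, entity_name, subentity_name, permission_name
FROM fn_my_permissions('dbo.perm_test_proc', 'OBJECT')
ORDER BY subentity_name, permission_name;
REVERT;
GO

-- Clean up: the user must go before the role, since a role with members cannot be dropped.
DROP PROCEDURE dbo.perm_test_proc;
DROP USER perm_test_user;
DROP ROLE perm_test_role;
GO
```

If you run the same SELECT without the EXECUTE AS, you see your own permissions on the procedure (as sysadmin, everything), which is why the impersonation step matters for this kind of audit.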

In my next article I will show an easy way to grant explicit permissions to every stored procedure and function in a database.
