SQL Server query: all security/permissions/access rights for all users/roles/etc. in a database

Problem description

Based on "SQL Server query to find all permissions/access for all users in a database":

The edited version of the security audit script below does not seem to show all security/permissions.

If I run fn_my_permissions in the database:

SELECT DB_NAME() AS dbname, * FROM fn_my_permissions('MY_DOMAIN\MY_USER_NAME', 'USER')

I see the following permissions:

  • IMPERSONATE
  • VIEW DEFINITION
  • ALTER
  • CONTROL

If I run fn_my_permissions as myself (a non-sysadmin user) in 3 databases on the same database server, the 4 permissions are shown in only 1 of the 3 databases, but if a sysadmin user runs it, they see all 4 permissions in all 3 databases.

If I run the security audit script below, those 4 permissions do not show up at all, not even in the 1 database where fn_my_permissions shows them. Does anyone know how to achieve this?

Security audit script

-- NOTE: not all data will be listed if you are not a database administrator (eg: impersonate missing)
DECLARE @l_user_name         VARCHAR(250) = '%'       -- '%' for all, 'DOMAIN\DB_USER', '{All Users}'
DECLARE @l_excl_public       CHAR(1)      = 'N'       -- Y = exclude 'public', N = include.

-- Details of current connection
SELECT @@SERVERNAME           AS ServerName
      ,DB_NAME()              AS DatabaseName
      ,CURRENT_USER           AS CurrentUser
      ,USER_NAME()            AS UserName
      ,SYSTEM_USER            AS SystemUser
      ,SUSER_SNAME()          AS SUserSname
      ,@@SPID                 AS SpId
      ,HOST_NAME()            AS HostName
      ,@l_user_name           AS l_user_name
      ,@l_excl_public         AS l_excl_public

/*---------------------------------------------------------------------------------------
Security Audit Report
Source: https://stackoverflow.com/questions/7048839/sql-server-query-to-find-all-permissions-access-for-all-users-in-a-database
Edited Version
1) List all access provisioned to a SQL user or Windows user/group directly
2) List all access provisioned to a SQL user or Windows user/group through a database or application role
3) List all access provisioned to the public role
4) List permissions for non database_principals (eg GRANT SELECT on database objects)
5) List SysAdmin Users

Columns Returned:
UserName        : SQL or Windows/Active Directory user account.  This could also be an Active Directory group.
UserType        : Value will be either 'SQL User' or 'Windows User'.  This reflects the type of user defined for the
                  SQL Server user account.
DatabaseUserName: Name of the associated user as defined in the database user account.  The database user may not be the
                  same as the server user.
Role            : The role name.  This will be NULL if the associated permissions to the object are defined directly
                  on the user account, otherwise this will be the name of the role that the user is a member of.
PermissionType  : Type of permissions the user/role has on an object. Examples could include CONNECT, EXECUTE, SELECT,
                  DELETE, INSERT, ALTER, CONTROL, TAKE OWNERSHIP, VIEW DEFINITION, etc.
                  This value may not be populated for all roles.  Some built-in roles have implicit permission
                  definitions.
PermissionState : Reflects the state of the permission type, examples could include GRANT, DENY, etc.
                  This value may not be populated for all roles.  Some built-in roles have implicit permission
                  definitions.
ObjectType      : Type of object the user/role is assigned permissions on.  Examples could include USER_TABLE,
                  SQL_SCALAR_FUNCTION, SQL_INLINE_TABLE_VALUED_FUNCTION, SQL_STORED_PROCEDURE, VIEW, etc.
                  This value may not be populated for all roles.  Some built-in roles have implicit permission
                  definitions.
ObjectName      : Name of the object that the user/role is assigned permissions on.
                  This value may not be populated for all roles.  Some built-in roles have implicit permission
                  definitions.
ColumnName      : Name of the column of the object that the user/role is assigned permissions on. This value
                  is only populated if the object is a table, view or a table valued function.

Every branch of the UNION below returns the same ten columns in the same order:
src, UserName, UserType, Role, PermissionType, PermissionState, ObjectType, Schema, ObjectName, ColumnName
---------------------------------------------------------------------------------------*/

-- List all access provisioned to a user (eg: SQL user, Windows user/group, etc) directly
SELECT
     1 AS src
    ,COALESCE( princ.[name], ulogin.[name] ) COLLATE latin1_General_CI_AI AS [UserName]
    ,CASE princ.[type]
          WHEN 'A' THEN 'Appl Role'
          WHEN 'C' THEN 'User mapped to cert'
          WHEN 'E' THEN 'Ext User from AD'
          WHEN 'G' THEN 'Windows Grp'
          WHEN 'K' THEN 'User mapped to asym key'
          WHEN 'R' THEN 'Database Role'
          WHEN 'S' THEN 'SQL User'
          WHEN 'U' THEN 'Windows User'
          WHEN 'X' THEN 'Ext Grp from AD'
     END                                                      AS [UserType]
    --,princ.[name]                                             AS [DatabaseUserName]
    ,NULL                                                     AS [Role]
    ,perm.[permission_name]                                   AS [PermissionType]
    ,perm.[state_desc]                                        AS [PermissionState]
    --,obj.type_desc                                            AS [ObjectType]
    ,CASE perm.[class]
          WHEN 1 THEN obj.type_desc      -- Schema-contained objects
          ELSE perm.[class_desc]         -- Higher-level objects
          END                                                 AS [ObjectType]
    --,perm.[class_desc]                                        AS [ClassDesc]
    ,SCHEMA_NAME(obj.schema_id)                               AS [Schema]
    --,OBJECT_NAME(perm.major_id)                               AS [ObjectName]
    ,CASE perm.[class]
          WHEN 1 THEN OBJECT_NAME(perm.major_id) -- General objects
          WHEN 3 THEN SCHEMA_NAME(perm.major_id) -- Schemas
          WHEN 4 THEN imp.[name]                 -- Impersonations
          END                                                 AS [ObjectName]
    ,col.[name]                                               AS [ColumnName]

-- Database user
FROM sys.database_principals princ

    -- Login accounts
    LEFT OUTER JOIN sys.login_token ulogin
            ON princ.[sid] = ulogin.[sid]

    -- Permissions
    LEFT OUTER JOIN sys.database_permissions perm
            ON perm.[grantee_principal_id] = princ.[principal_id]

    -- Table columns
    LEFT OUTER JOIN sys.columns col
            ON col.[object_id] = perm.major_id
           AND col.[column_id] = perm.[minor_id]

    -- Objects
    LEFT OUTER JOIN sys.objects obj
            ON perm.[major_id] = obj.[object_id]

    -- Impersonations (class 4 = the securable is another database principal)
    LEFT OUTER JOIN sys.database_principals imp
            ON imp.[principal_id] = perm.[major_id]

--WHERE princ.[type] IN ('S','U','G')
  --AND princ.[name] NOT IN ('sys','INFORMATION_SCHEMA')  -- No need for these system accounts
WHERE (princ.[name] LIKE @l_user_name OR ulogin.[name] LIKE @l_user_name)
  AND (@l_excl_public = 'N' OR COALESCE( princ.[name], ulogin.[name] ) <> 'public' COLLATE latin1_General_CI_AI )


UNION


-- List all access provisioned to a user (eg: SQL user, etc)
-- through a database or application role
SELECT
     2 AS src
    ,COALESCE( memberprinc.[name], ulogin.[name] ) COLLATE latin1_General_CI_AI AS [UserName]
    ,CASE memberprinc.[type]
          WHEN 'A' THEN 'Appl Role'
          WHEN 'C' THEN 'User mapped to cert'
          WHEN 'E' THEN 'Ext User from AD'
          WHEN 'G' THEN 'Windows Grp'
          WHEN 'K' THEN 'User mapped to asym key'
          WHEN 'R' THEN 'Database Role'
          WHEN 'S' THEN 'SQL User'
          WHEN 'U' THEN 'Windows User'
          WHEN 'X' THEN 'Ext Grp from AD'
     END                                                      AS [UserType]
    --,memberprinc.[name]                                       AS [DatabaseUserName]
    ,roleprinc.[name]                                         AS [Role]
    ,perm.[permission_name]                                   AS [PermissionType]
    ,perm.[state_desc]                                        AS [PermissionState]
    ,obj.type_desc                                            AS [ObjectType]
    --,perm.[class_desc]                                        AS [ClassDesc]
    ,SCHEMA_NAME(obj.schema_id)                               AS [Schema]
    ,OBJECT_NAME(perm.major_id)                               AS [ObjectName]
    ,col.[name]                                               AS [ColumnName]

-- Role/member associations
FROM sys.database_role_members members

    -- Roles
    LEFT OUTER JOIN sys.database_principals roleprinc
            ON roleprinc.[principal_id] = members.[role_principal_id]

    -- Role members (database users)
    LEFT OUTER JOIN sys.database_principals memberprinc
            ON memberprinc.[principal_id] = members.[member_principal_id]

    -- Login accounts
    LEFT OUTER JOIN sys.login_token ulogin
            ON memberprinc.[sid] = ulogin.[sid]

    -- Permissions
    LEFT OUTER JOIN sys.database_permissions perm
            ON perm.[grantee_principal_id] = roleprinc.[principal_id]

    -- Table columns
    LEFT OUTER JOIN sys.columns col
            ON col.[object_id] = perm.major_id
           AND col.[column_id] = perm.[minor_id]

    -- Objects
    LEFT OUTER JOIN sys.objects obj
            ON perm.[major_id] = obj.[object_id]

WHERE (memberprinc.[name] LIKE @l_user_name OR ulogin.[name] LIKE @l_user_name)


UNION


-- List all access provisioned to the public role, which everyone gets by default
SELECT
     3 AS src
    ,'{All Users}'                                            AS [UserName]
    ,'{All Users}'                                            AS [UserType]
    --,'{All Users}'                                            AS [DatabaseUserName]
    ,NULL                                                     AS [Role]
    ,perm.[permission_name]                                   AS [PermissionType]
    ,perm.[state_desc]                                        AS [PermissionState]
    ,CASE perm.[class]
          WHEN 1 THEN obj.[type_desc]    -- Schema-contained objects
          ELSE perm.[class_desc]         -- Higher-level objects
          END                                                 AS [ObjectType]
    --,perm.[class_desc]                                        AS [ClassDesc]
    ,SCHEMA_NAME(obj.schema_id)                               AS [Schema]
    ,CASE perm.[class]
          WHEN 3 THEN SCHEMA_NAME(perm.[major_id]) -- Schemas
          WHEN 4 THEN imp.[name]                   -- Impersonations
          ELSE OBJECT_NAME(perm.[major_id])        -- General objects
          END                                                 AS [ObjectName]
    ,col.[name]                                               AS [ColumnName]

-- Roles
FROM sys.database_principals roleprinc

    -- Role permissions
    LEFT OUTER JOIN sys.database_permissions perm
            ON perm.[grantee_principal_id] = roleprinc.[principal_id]

    -- Table columns
    LEFT OUTER JOIN sys.columns col
            ON col.[object_id] = perm.major_id
           AND col.[column_id] = perm.[minor_id]

    -- All objects
    LEFT OUTER JOIN sys.objects obj
            ON obj.[object_id] = perm.[major_id]

    -- Impersonations
    LEFT OUTER JOIN sys.database_principals AS imp
            ON imp.[principal_id] = perm.[major_id]

WHERE roleprinc.[type]  = 'R'            -- Only roles
  AND roleprinc.[name]  = 'public'       -- Only public role
  AND ISNULL(obj.[is_ms_shipped],0) = 0 -- Only objects of ours, not the MS objects
  AND ISNULL(OBJECT_SCHEMA_NAME(perm.[major_id]),'') <> 'sys'
  AND @l_excl_public    <> 'Y'
  --AND '{All Users}'     LIKE @l_user_name


UNION


-- List permissions for non database_principals
SELECT
     4 AS src
    ,USER_NAME(perm.[grantee_principal_id])                   AS [UserName]
    ,NULL                                                     AS [UserType]
    --,NULL                                                     AS [DatabaseUserName]
    ,NULL                                                     AS [Role]
    ,perm.[permission_name]                                   AS [PermissionType]
    ,perm.[state_desc]                                        AS [PermissionState]
    ,obj.[type_desc]                                          AS [ObjectType]
    --,perm.[class_desc]                                        AS [ClassDesc]
    ,SCHEMA_NAME(obj.schema_id)                               AS [Schema]
    ,CASE WHEN perm.[class] = 0 THEN DB_NAME()                -- The database itself
          WHEN perm.[class] = 1 THEN OBJECT_NAME(perm.major_id)
          WHEN perm.[class] = 3 THEN SCHEMA_NAME(perm.major_id)
          END                                                 AS [ObjectName]
    ,col.[name]                                               AS [ColumnName]

-- Permissions
FROM sys.database_permissions perm

    -- Table columns
    LEFT OUTER JOIN sys.columns col
            ON col.[object_id] = perm.major_id
           AND col.[column_id] = perm.[minor_id]

    -- All objects
    LEFT OUTER JOIN sys.objects obj
            ON obj.[object_id] = perm.[major_id]

    -- Roles
    LEFT OUTER JOIN sys.database_principals roleprinc
            ON roleprinc.[principal_id] = perm.[grantee_principal_id]

WHERE roleprinc.principal_id                 IS NULL
  AND USER_NAME(perm.[grantee_principal_id]) LIKE @l_user_name


UNION


-- List SysAdmin Users
SELECT --DISTINCT
     5 AS src
    ,sprinc.[name]                                            AS [UserName]
    ,CASE sprinc.[type]
          WHEN 'A' THEN 'Appl Role'
          WHEN 'C' THEN 'User mapped to cert'
          WHEN 'E' THEN 'Ext User from AD'
          WHEN 'G' THEN 'Windows Grp'
          WHEN 'K' THEN 'User mapped to asym key'
          WHEN 'R' THEN 'Database Role'
          WHEN 'S' THEN 'SQL User'
          WHEN 'U' THEN 'Windows User'
          WHEN 'X' THEN 'Ext Grp from AD'
     END                                                      AS [UserType]
    --,NULL                                                     AS [DatabaseUserName]
    ,NULL                                                     AS [Role]
    ,sprinc2.[permission_name]                                AS [PermissionType]
    ,sprinc2.[state_desc]                                     AS [PermissionState]
    ,NULL                                                     AS [ObjectType]
    --,NULL                                                     AS [ClassDesc]
    ,NULL                                                     AS [Schema]
    ,NULL                                                     AS [ObjectName]
    ,NULL                                                     AS [ColumnName]

FROM sys.server_principals sprinc

    --LEFT OUTER JOIN sys.syslogins sl
    --        ON sprinc.sid = sl.sid

    -- Server-level permissions
    LEFT OUTER JOIN sys.server_permissions sprinc2
            ON sprinc.principal_id = sprinc2.grantee_principal_id

WHERE sprinc.[name] LIKE @l_user_name
  --AND sprinc.type_desc IN ('SQL_LOGIN','WINDOWS_LOGIN','WINDOWS_GROUP')
  --AND sprinc.[name] NOT LIKE '##%'                            -- Logins that are not process logins


ORDER BY
    [UserName], [ObjectName], [ColumnName], [PermissionType], [PermissionState], [ObjectType]
   --,[ClassDesc]
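An added example, not code from the original question: for one database user it expands nested role membership with a recursive CTE (the audit script above resolves only one level of role membership), resolves class 4 grants such as IMPERSONATE to the principal they apply to, and first reports whether the caller holds VIEW DEFINITION on the database, since catalog views only show permission rows for securables the caller owns or has some permission on unless the caller has VIEW DEFINITION or is sysadmin/db_owner. The user name is the placeholder from the question; @user_name is an assumed variable name.

```sql
-- Added example (not part of the original question). @user_name is an assumed
-- placeholder; the value is the placeholder name used in the question.
DECLARE @user_name SYSNAME = N'MY_DOMAIN\MY_USER_NAME';

-- Metadata visibility check: if this returns no row, a non-sysadmin caller will
-- not see sys.database_permissions rows for securables it has no permission on,
-- which is one reason an audit run as a normal user looks incomplete.
SELECT permission_name AS caller_has_view_definition
FROM   fn_my_permissions(NULL, 'DATABASE')
WHERE  permission_name = 'VIEW DEFINITION';

;WITH role_chain AS (
    -- Anchor: the user itself (depth 0 = direct grants)
    SELECT p.principal_id, p.name AS via_role, 0 AS depth
    FROM   sys.database_principals p
    WHERE  p.name = @user_name
    UNION ALL
    -- Recurse: every role the current principal is a member of, so roles
    -- nested inside other roles are reached as well
    SELECT r.principal_id, r.name, rc.depth + 1
    FROM   role_chain rc
    JOIN   sys.database_role_members m ON m.member_principal_id = rc.principal_id
    JOIN   sys.database_principals r   ON r.principal_id = m.role_principal_id
)
SELECT  @user_name                                          AS user_name
       ,CASE WHEN rc.depth = 0 THEN NULL ELSE rc.via_role END AS via_role
       ,perm.permission_name
       ,perm.state_desc
       ,perm.class_desc
       ,CASE perm.class
            WHEN 0 THEN DB_NAME()                                  -- DATABASE
            WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(perm.major_id))
                        + '.' + QUOTENAME(OBJECT_NAME(perm.major_id)) -- OBJECT_OR_COLUMN
            WHEN 3 THEN SCHEMA_NAME(perm.major_id)                 -- SCHEMA
            WHEN 4 THEN imp.name                                   -- DATABASE_PRINCIPAL (IMPERSONATE etc.)
            ELSE CONVERT(NVARCHAR(20), perm.major_id)
        END                                                 AS securable
       ,col.name                                            AS column_name
FROM    role_chain rc
JOIN    sys.database_permissions perm ON perm.grantee_principal_id = rc.principal_id
LEFT JOIN sys.database_principals imp ON perm.class = 4 AND imp.principal_id = perm.major_id
LEFT JOIN sys.columns col             ON perm.class = 1 AND col.object_id = perm.major_id
                                      AND col.column_id = perm.minor_id
ORDER BY rc.depth, perm.class, securable, perm.permission_name;
```

Run it once as the user being audited and once as a member of db_owner or sysadmin; a difference in row counts between the two runs is the metadata-visibility gap rather than a missing grant.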
