Determine SQL Permissions

Thursday

Dec162010

Thursday, December 16, 2010 at 9:59PM

Here's a list of queries you can run to determine who has access to what. (Note that these work on SQL 2008.)

First find out who has membership in the server-wide roles (in the context of the example below, the dbo_owner role):

exec sp_helprolemember 'db_owner';

Next determine what membership may be carried over by membership in a Windows domain group:

exec sp_helpuser 'DOMAIN\username' --for example the Tallarico user in ryanboyer.net: exec sp_helpuser 'ryanboyer\tallarico'

Finally the last query will reveal what tokens are carried over by a specific user credential - regardless of whether that user has explicit permissions mapped in the database:

select * from sys.user_token

This last should reveal any lingering permissions from rights not explicitly defined in the database (e.g. rights granted to DOMAIN\Domain Users).

A gentle reminder: server-level permissions will allow login to the server, but any permissions at the database level, even when orphaned, may allow/deny additional access, so be sure to clean up those orphaned database-level logins!

Tallarico |

References (1)

References allow you to track sources for this article, as well as articles that were written in response to this article.

Source: Understanding Execution Context

by MSDN

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

Post a New Comment

Enter your information below to add a new comment.

My response is on my own website »

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

RyanBoyer.net