Permission scripting over all databases

  • Comments posted to this topic are about the item Permission scripting over all databases

  • Indeed, this is a very helpful script!!

    I appreciate it very much!!

  • Great script.

    But need to correct it.

    I have 20 databases on one server and 3 are offline for some special pruposes.

    This script gives me error and does not work if one of db's is offline.

    I think it must work and skip this kind of databases, because for example some of db's can be mirrored db and it is not possible to bring them online etc.

    Thank you.

    Regards,

    Oleg.

  • Hi Oleg

    Thanks for the response. I did not take offline dbs into account. I have added that now and you can test it on your databases as soon as the change is approved. Code that I have added is

    " AND status&512 <> 512 ".

    An offline database has a bitfield with value 512. You can tweak this value to whatever your db situation is. These are the db states:

    1 = autoclose; set with sp_dboption.

    4 = select into/bulkcopy; set with sp_dboption.

    8 = trunc. log on chkpt; set with sp_dboption.

    16 = torn page detection, set with sp_dboption.

    32 = loading.

    64 = pre recovery.

    128 = recovering.

    256 = not recovered.

    512 = offline; set with sp_dboption.

    1024 = read only; set with sp_dboption.

    2048 = dbo use only; set with sp_dboption.

    4096 = single user; set with sp_dboption.

    32768 = emergency mode.

    4194304 = autoshrink.

    1073741824 = cleanly shutdown

    Regards

  • Hi,

    thank you , it is great.

    Regards.

  • Very helpful script, used for many DBA's.

  • It is a great script, however, I found that the scipt omit certain explicit permissions. For example, I run the following

    exec RetrievePermissions 'test', '',0

    I get the following results

    --ReportServer

    EXEC sp_addrolemember db_datareader, test

    GO

    --ReportServer

    EXEC sp_addrolemember db_datawriter, test

    GO

    --ReportServer

    GRANT EXECUTE ON AddBatchRecord TO Test

    GO

    --ReportServer1

    EXEC sp_addrolemember db_datareader, test

    GO

    --ReportServer1

    GRANT EXECUTE ON AddBatchRecord TO Test

    GO

    I used a free tool called SQLPermissions created by Idera that can be downloaded here http://www.idera.com/Products/SQLpermissions/Default.aspx

    which provided me the following T-Sql code

    IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N'Test')

    BEGIN

    CREATE LOGIN [Test] WITH PASSWORD='', DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF

    ALTER LOGIN [Test] Enabled

    END

    USE [ReportServer]

    GO

    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'Test')

    CREATE USER [Test] FOR LOGIN [Test] WITH DEFAULT_SCHEMA=[dbo]

    USE [ReportServer]

    GO

    exec sp_addrolemember N'db_datareader', N'Test'

    GO

    exec sp_addrolemember N'db_datawriter', N'Test'

    GO

    USE [ReportServer]

    GO

    Grant CONNECT ON Database::[ReportServer] TO [Test]

    GO

    USE [ReportServer]

    GO

    Grant SHOWPLAN ON Database::[ReportServer] TO [Test]

    GO

    USE [ReportServer]

    GO

    Grant VIEW DEFINITION ON Database::[ReportServer] TO [Test]

    GO

    USE [ReportServer]

    GO

    Grant EXECUTE ON [dbo].[AddBatchRecord] TO [Test]

    GO

    USE [ReportServer]

    GO

    Grant ALTER ON [dbo].[AddModelPerspective] TO [Test]

    GO

    USE [ReportServer]

    GO

    Grant TAKE OWNERSHIP ON [dbo].[AddModelPerspective] TO [Test] WITH GRANT OPTION

    GO

    USE [ReportServer1]

    GO

    IF NOT EXISTS (SELECT * FROM sys.database_principals WHERE name = N'Test')

    CREATE USER [Test] FOR LOGIN [Test] WITH DEFAULT_SCHEMA=[dbo]

    USE [ReportServer1]

    GO

    exec sp_addrolemember N'db_datareader', N'Test'

    GO

    USE [ReportServer1]

    GO

    Grant CONNECT ON Database::[ReportServer1] TO [Test]

    GO

    USE [ReportServer1]

    GO

    Grant SHOWPLAN ON Database::[ReportServer1] TO [Test]

    GO

    USE [ReportServer1]

    GO

    Grant VIEW DEFINITION ON Database::[ReportServer1] TO [Test]

    GO

    USE [ReportServer1]

    GO

    Grant EXECUTE ON [dbo].[AddBatchRecord] TO [Test]

    GO

    USE [ReportServer1]

    GO

    Grant ALTER ON [dbo].[AddModelPerspective] TO [Test]

    GO

    USE [ReportServer1]

    GO

    Grant TAKE OWNERSHIP ON [dbo].[AddModelPerspective] TO [Test] WITH GRANT OPTION

    GO

  • So I ran this script, and nomatter what parms I use('' or 'sa') I get 1 empty output column named textcolumn. How should I execute this?!

    Greetz,
    Hans Brouwer

  • Even if you execute it like this?

    exec RetrievePermissions 'myUser', '',0

  • Great script, but I found a problem.

    If the ANSI setting CONCAT_NULL_YIELDS_NULL is ON, then I received some records with a NULL value. When I changed the setting to OFF, then the resulting statement was incomplete; i.e., the GRANT statement was missing.

    Example:

    --ARS_PROD DELETE ON AREA TO Developer GO

    Notice the 2 spaces between the database name and the permission, with no GRANT statement in between.

  • I found that this script doesn't write down schema permissions.

    You might check the following: http://www.sqlservercentral.com/scripts/Security/71562/

  • For the new user, I'd it to generate a create user statement:

    USE [dbname]

    GO

    CREATE USER [mynewuser] FOR LOGIN [domain\firstname.lastname]

    GO

    Where mynewuser is paramater 1 and domain\firstname.lastname is second parameter.

  • Has this script been tested on SQL 2012. I found I had to change this code:

    select count(*) '+

    ' from '+@database+'..sysmembers z , '+@database+'..sysusers su '+

    ' where z.memberuid = su.uid and su.name = '''+convert(varchar(255),@newuidname)+''' ) = 0

    to this in order to script out the roles:

    select count(*) '+

    ' from '+@database+'..sysmembers z , '+@database+'..sysusers su '+

    ' where z.memberuid = su.uid and su.name = '''+convert(varchar(255),@newuidname)+''' ) > 0

Viewing 13 posts - 1 through 12 (of 12 total)

You must be logged in to reply to this topic. Login to reply