May 25, 2016 at 12:16 pm
We are in the middle of auditing our systems and recently I've been asked to provide some reports on what access people have to various SQL databases. It's easy enough to show who has various database roles. However, we have a number of developers who have read-only access to databases (via db_datareader) in production, but who also have access to view object definitions (via GRANT VIEW DEFINITION On schema::DBO TO [LOGIN]).
My question is, is there any easy way to query which users have "view definition" permission for a given database?
May 25, 2016 at 1:13 pm
Sure; there's a system view named sys.database_permissions.
This will give you users and groups that have the permission you are looking for... but you might need to expand group members if you want individuals who inherit from the group.
Also, anyone in the sysadmin role inherently has that permission as well, but it's implied, and not explicit.
-- Principals holding an explicit VIEW DEFINITION permission in the current database
SELECT usrz.*
FROM sys.database_permissions permz
INNER JOIN sys.database_principals usrz
    ON permz.grantee_principal_id = usrz.principal_id
WHERE permz.permission_name = 'VIEW DEFINITION';
Lowell
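For an audit report, the following added example (not part of the original posts) extends the query above to show where each VIEW DEFINITION permission applies, whether it is a GRANT or a DENY, and which principals are direct members of any database role that holds it. It reads only the standard catalog views in the current database; it does not expand nested roles or Windows group membership, and it does not list implied permissions such as those of sysadmin or db_owner.

```sql
-- Added example: explicit VIEW DEFINITION permissions in the current database,
-- with securable scope, permission state, and direct members of grantee roles.
SELECT
    grantee.name        AS grantee_name,
    grantee.type_desc   AS grantee_type,       -- SQL_USER, WINDOWS_GROUP, DATABASE_ROLE, ...
    perm.state_desc     AS permission_state,   -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
    perm.class_desc     AS securable_class,    -- DATABASE, SCHEMA, OBJECT_OR_COLUMN, ...
    CASE perm.class
        WHEN 0 THEN DB_NAME()                                  -- database-wide
        WHEN 3 THEN SCHEMA_NAME(perm.major_id)                 -- e.g. schema::dbo
        WHEN 1 THEN OBJECT_SCHEMA_NAME(perm.major_id)
                    + N'.' + OBJECT_NAME(perm.major_id)        -- single object
        ELSE CONVERT(nvarchar(20), perm.major_id)              -- other classes: raw id
    END                 AS securable_name,
    member.name         AS role_member         -- NULL unless the grantee is a role with members
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS grantee
    ON grantee.principal_id = perm.grantee_principal_id
LEFT JOIN sys.database_role_members AS drm
    ON drm.role_principal_id = grantee.principal_id
LEFT JOIN sys.database_principals AS member
    ON member.principal_id = drm.member_principal_id
WHERE perm.permission_name = N'VIEW DEFINITION'
ORDER BY grantee_name, securable_class, securable_name, role_member;
```

A DENY row for a principal overrides a GRANT it would otherwise inherit, so both states need to be read together when deciding who can actually see definitions.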