How to check if I have VIEW DEFINITION?
-
assuming someone gave you a database user, when you are logged in, how can that user determine if you have VIEW DEFINITION rights?
For example, supposed a login that is supposed to validate a schema agaisnt another source...i want to check that i have the assumed VIEW DEFINITION rights,a nd log it.
I had kind of assumed that the function fn_my_permissions would show that, but it doesn't.
here's a perfect example;
CREATE ROLE [DailyPlanet]GRANT VIEW DEFINITION ON SCHEMA::[dbo] TO [DailyPlanet]CREATE USER [ClarkKent] WITHOUT LOGINEXEC sp_addrolemember N'DailyPlanet', N'ClarkKent'EXECUTE AS USER= 'ClarkKent'SELECT USER_NAME() --I'm Clark KentSELECT * FROM fn_my_permissions(NULL,'DATABASE')SELECT * FROM sys.tables --lots of tables, so i must have view definition on *something*-- i was really expecting to see something refering to my ability to *view definition* here!/*databaseCONNECT*/--cleanupREVERT;DROP USER [ClarkKent]DROP ROLE [DailyPlanet]Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible! -
I might be completely wrong here, but here's a shot in the dark!
Try:
USE [DatabaseName]GOsp_helprotectThis seems to return a list of all logins for the database in question that have been granted the VIEW DEFINITION permission, if I'm reading this article correctly:
http://www.mssqltips.com/sqlservertip/1593/granting-view-definition-permission-to-a-user-or-role-in-sql-server/
Hope that helps!
-
-
ok a follow up to my own question:
in SQL2005,
SELECT * FROM fn_my_permissions(NULL,'DATABASE') for my example above only shows connect permission, but on SQL2008 and above, it shows the "VIEW DATABASE STATE" i was expecting:
SELECT * FROM fn_my_permissions(NULL,'DATABASE')databaseCONNECTdatabaseVIEW DATABASE STATEso now my question is really leaning towards cross version compatibility: how will my user know, in 2005 or above, if I have VIEW DEFINITION?
Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible! -
i'm getting closer:
this query shows me my permissions, as well as the permissions i directly inherit from roles i've been assigned;
it does not handle any recursive role-within-a-role yet;
i'm thinking that's going to require a recursive CTE:
SELECT*FROM sys.database_permissions permzINNER JOIN sys.database_principals userzON permz.grantee_principal_id = userz.principal_idWHERE userz.principal_id IN( --the userid and also all the roles i'm directly in.--that doesn't seem to get the role-within-a-role info thoseSELECTUSER_ID() AS idUNION ALLSELECTrolezx.role_principal_idFROM sys.database_principals userzxLEFT OUTER JOIN sys.database_role_members rolezxON userzx.principal_id = rolezx.member_principal_idLEFT OUTER JOIN sys.database_principals decripzON rolezx.role_principal_id = decripz.principal_idWHERE userzx.name = USER_NAME())Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
Viewing 4 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply