Scripting SQL Server permissions
I want to copy all the permission I\'ve set on stored procedures and other stuff from my development database to my production database. It\'s incredibly cumbersome, not to ment
-
YOU CAN ALSO DOWNLOAD THE CODE IN THE BELOW LINK AND SEE HOW IT WORKS
https://gallery.technet.microsoft.com/Extract-Database-dfa53d5a
THIS IS HOW YOU WILL SEE THE OUTPUT OF THIS QUERY
set nocount off IF OBJECT_ID(N'tempdb..##temp1') IS NOT NULL DROP TABLE ##temp1 create table ##temp1(query varchar(1000)) insert into ##temp1 select 'use '+db_name() +';' insert into ##temp1 select 'go' /*creating database roles*/ insert into ##temp1 select 'if DATABASE_PRINCIPAL_ID('''+name+''') is null exec sp_addrole '''+name+'''' from sysusers where issqlrole = 1 and (sid is not null and sid <> 0x0) /*creating application roles*/ insert into ##temp1 select 'if DATABASE_PRINCIPAL_ID('+char(39)+name+char(39)+') is null CREATE APPLICATION ROLE ['+name+'] WITH DEFAULT_SCHEMA = ['+ default_schema_name+'], Password='+char(39)+'Pass$w0rd123'+char(39)+' ;' from sys.database_principals where type_desc='APPLICATION_ROLE' insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' to '+'['+USER_NAME(grantee_principal_id)+']'+' WITH GRANT OPTION ;' else state_desc+' '+permission_name+' to '+'['+USER_NAME(grantee_principal_id)+']'+' ;' END from sys.database_permissions where class=0 and USER_NAME(grantee_principal_id) not in ('dbo','guest','sys','information_schema') insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' on '+OBJECT_SCHEMA_NAME(major_id)+'.['+OBJECT_NAME(major_id) +'] to '+'['+USER_NAME(grantee_principal_id)+']'+' with grant option ;' else state_desc+' '+permission_name+' on '+OBJECT_SCHEMA_NAME(major_id)+'.['+OBJECT_NAME(major_id) +'] to '+'['+USER_NAME(grantee_principal_id)+']'+' ;' end from sys.database_permissions where class=1 and USER_NAME(grantee_principal_id) not in ('public'); insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON schema::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON schema::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.schemas sa on sa.schema_id = dp.major_id where dp.class=3 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON APPLICATION ROLE::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON APPLICATION ROLE::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.database_principals sa on sa.principal_id = dp.major_id where dp.class=4 and sa.type='A' insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON ROLE::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON ROLE::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.database_principals sa on sa.principal_id = dp.major_id where dp.class=4 and sa.type='R' insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON ASSEMBLY::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON ASSEMBLY::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.assemblies sa on sa.assembly_id = dp.major_id where dp.class=5 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON type::[' +SCHEMA_NAME(schema_id)+'].['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON type::[' +SCHEMA_NAME(schema_id)+'].['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.types sa on sa.user_type_id = dp.major_id where dp.class=6 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON XML SCHEMA COLLECTION::['+ SCHEMA_NAME(SCHEMA_ID)+'].['+sa.name+'] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON XML SCHEMA COLLECTION::['+ SCHEMA_NAME(SCHEMA_ID)+'].['+sa.name+'] to ['+user_name(dp.grantee_principal_id)+'];' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.xml_schema_collections sa on sa.xml_collection_id = dp.major_id where dp.class=10 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON message type::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON message type::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.service_message_types sa on sa.message_type_id = dp.major_id where dp.class=15 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON contract::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON contract::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.service_contracts sa on sa.service_contract_id = dp.major_id where dp.class=16 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON SERVICE::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON SERVICE::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.services sa on sa.service_id = dp.major_id where dp.class=17 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON REMOTE SERVICE BINDING::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON REMOTE SERVICE BINDING::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.remote_service_bindings sa on sa.remote_service_binding_id = dp.major_id where dp.class=18 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON route::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON route::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.routes sa on sa.route_id = dp.major_id where dp.class=19 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON FULLTEXT CATALOG::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON FULLTEXT CATALOG::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.fulltext_catalogs sa on sa.fulltext_catalog_id = dp.major_id where dp.class=23 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON SYMMETRIC KEY::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON SYMMETRIC KEY::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.symmetric_keys sa on sa.symmetric_key_id = dp.major_id where dp.class=24 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON certificate::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON certificate::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.certificates sa on sa.certificate_id = dp.major_id where dp.class=25 insert into ##temp1 select case when state_desc='GRANT_WITH_GRANT_OPTION' then substring (state_desc,0,6)+' '+permission_name+' ON ASYMMETRIC KEY::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] with grant option ;' else state_desc+' '+permission_name+' ON ASYMMETRIC KEY::['+sa.name+ '] to ['+user_name(dp.grantee_principal_id)+'] ;' COLLATE LATIN1_General_CI_AS end from sys.database_permissions dp inner join sys.asymmetric_keys sa on sa.asymmetric_key_id = dp.major_id where dp.class=26 insert into ##temp1 select 'exec sp_addrolemember ''' +p.NAME+''','+'['+m.NAME+']'+' ;' FROM sys.database_role_members rm JOIN sys.database_principals p ON rm.role_principal_id = p.principal_id JOIN sys.database_principals m ON rm.member_principal_id = m.principal_id where m.name not like 'dbo'; select * from ##temp1讨论(0) -
You can get SQL Server Management Studio to do it for you:
- Right click the database you want to export permissions for
- Select 'Tasks' then 'Generate Scripts...'
- Confirm the database you're scripting
- Set the following scripting options:
- Script Create: FALSE
- Script Object-Level Permissions: TRUE
- Select the object types whose permission you want to script
- Select the objects whose permission you want to script
- Select where you want the script produced
This will produce a script to set permissions for all selected objects but suppresses the object scripts themselves.
This is based on the dialog for MS SQL 2008 with all other scripting options unchanged from install defaults.
讨论(0) -
Yes, you can use a script like this to generate another script
SET NOCOUNT ON; DECLARE @NewRole varchar(100), @SourceRole varchar(100); -- Change as needed SELECT @SourceRole = 'Giver', @NewRole = 'Taker'; SELECT state_desc + ' ' + permission_name + ' ON ' + OBJECT_NAME(major_id) + ' TO ' + @NewRole FROM sys.database_permissions WHERE grantee_principal_id = DATABASE_PRINCIPAL_ID(@SourceRole) AND -- 0 = DB, 1 = object/column, 3 = schema. 1 is normally enough class <= 3This is taken from my answer here
讨论(0) -
Thanks to Chris for his awesome answer, I took it one step further and automated the process of running those statements (my table had over 8,000 permissions)
if object_id('dbo.tempPermissions') is not null Drop table dbo.tempPermissions Create table tempPermissions(ID int identity , Queries Varchar(255)) Insert into tempPermissions(Queries) select 'GRANT ' + dp.permission_name collate latin1_general_cs_as + ' ON ' + s.name + '.' + o.name + ' TO ' + dpr.name FROM sys.database_permissions AS dp INNER JOIN sys.objects AS o ON dp.major_id=o.object_id INNER JOIN sys.schemas AS s ON o.schema_id = s.schema_id INNER JOIN sys.database_principals AS dpr ON dp.grantee_principal_id=dpr.principal_id WHERE dpr.name NOT IN ('public','guest') declare @count int, @max int, @query Varchar(255) set @count =1 set @max = (Select max(ID) from tempPermissions) set @query = (Select Queries from tempPermissions where ID = @count) while(@count < @max) begin exec(@query) set @count += 1 set @query = (Select Queries from tempPermissions where ID = @count) end select * from tempPermissions drop table tempPermissionsadditionally to restrict it to a single table add:
and o.name = 'tablename'after the WHERE dpr.name NOT IN ('public','guest') and remember to edit the select statement so that it generates statements for the table you want to grant permissions 'TO' Not the table the permissions are coming 'FROM' (which is what the script does).
讨论(0) -
declare @DBRoleName varchar(40) = 'yourUserName' SELECT 'GRANT ' + dbprm.permission_name + ' ON ' + OBJECT_SCHEMA_NAME(major_id) + '.' + OBJECT_NAME(major_id) + ' TO ' + dbrol.name + char(13) COLLATE Latin1_General_CI_AS from sys.database_permissions dbprm join sys.database_principals dbrol on dbprm.grantee_principal_id = dbrol.principal_id where dbrol.name = @DBRoleNamehttp://www.sqlserver-dba.com/2014/10/how-to-script-database-role-permissions-and-securables.html
I found this to be an excellent solution for generating a script to replicate access between environments
讨论(0) -
Expanding on the answer provided in https://stackoverflow.com/a/1987215/275388 which fails for database/schema wide rights and database user types you can use:
SELECT CASE WHEN dp.class_desc = 'OBJECT_OR_COLUMN' THEN dp.state_desc + ' ' + dp.permission_name collate latin1_general_cs_as + ' ON ' + '[' + obj_sch.name + ']' + '.' + '[' + o.name + ']' + ' TO ' + '[' + dpr.name + ']' WHEN dp.class_desc = 'DATABASE' THEN dp.state_desc + ' ' + dp.permission_name collate latin1_general_cs_as + ' TO ' + '[' + dpr.name + ']' WHEN dp.class_desc = 'SCHEMA' THEN dp.state_desc + ' ' + dp.permission_name collate latin1_general_cs_as + ' ON SCHEMA :: ' + '[' + SCHEMA_NAME(dp.major_id) + ']' + ' TO ' + '[' + dpr.name + ']' WHEN dp.class_desc = 'TYPE' THEN dp.state_desc + ' ' + dp.permission_name collate Latin1_General_CS_AS + ' ON TYPE :: [' + s_types.name + '].[' + t.name + ']' + ' TO [' + dpr.name + ']' WHEN dp.class_desc = 'CERTIFICATE' THEN dp.state_desc + ' ' + dp.permission_name collate latin1_general_cs_as + ' TO ' + '[' + dpr.name + ']' WHEN dp.class_desc = 'SYMMETRIC_KEYS' THEN dp.state_desc + ' ' + dp.permission_name collate latin1_general_cs_as + ' TO ' + '[' + dpr.name + ']' ELSE 'ERROR: Unhandled class_desc: ' + dp.class_desc END AS GRANT_STMT FROM sys.database_permissions AS dp JOIN sys.database_principals AS dpr ON dp.grantee_principal_id=dpr.principal_id LEFT JOIN sys.objects AS o ON dp.major_id=o.object_id LEFT JOIN sys.schemas AS obj_sch ON o.schema_id = obj_sch.schema_id LEFT JOIN sys.types AS t ON dp.major_id = t.user_type_id LEFT JOIN sys.schemas AS s_types ON t.schema_id = s_types.schema_id WHERE dpr.name NOT IN ('public','guest') -- AND o.name IN ('My_Procedure') -- Uncomment to filter to specific object(s) -- AND (o.name NOT IN ('My_Procedure') or o.name is null) -- Uncomment to filter out specific object(s), but include rows with no o.name (VIEW DEFINITION etc.) -- AND dp.permission_name='EXECUTE' -- Uncomment to filter to just the EXECUTEs -- AND dpr.name LIKE '%user_name%' -- Uncomment to filter to just matching users ORDER BY dpr.name, dp.class_desc, dp.permission_name讨论(0)
加载中...
- 热议问题