SQL Server Instance Security: Scripting Permissions Part 2

After writing a powershell way of scripting permissions I thought I better just show the way I used to do it using T-SQL. Although this script is not complete and is kind of relic of my scripting work I thought that I would include it and perhaps maybe if it is on this blog it might make me want to come back and finish it.

--http://jongurgul.com/blog/sql-server-instance-security-scripting-permissions-part-2/
;WITH DatabaseAccounts(DatabaseName,IsOrphaned,ServerLogin,DatabaseLogin,DatabaseLoginSid,DatabaseUser,DefaultLanguage,DefaultDatabase,DefaultSchema,OwningPrincipal,PrincipalID, LoginType) AS
(
SELECT
QUOTENAME(DB_NAME()) [DatabaseName],
CAST((CASE WHEN spr.[name] IS NULL THEN 1 ELSE 0 END) AS BIT) [IsOrphaned],
QUOTENAME(SUSER_SNAME(dpr.[sid])) [ServerLogin],
QUOTENAME(ISNULL(SUSER_SNAME(dpr.[sid]),dpr.[name])) [DatabaseLogin],
dpr.[sid] [DatabaseLoginSid],
QUOTENAME(dpr.[name])[DatabaseUser],
QUOTENAME(spr.[default_language_name]) [DefaultLanguage],
QUOTENAME(spr.[default_database_name]) [DefaultDatabase],
QUOTENAME(dpr.[default_schema_name]) [DefaultSchema],
QUOTENAME(USER_NAME(dpr.[owning_principal_id])) [OwningPrincipal],
dpr.[principal_id] [PrincipalID],
dpr.[type_desc]
FROM sys.database_principals dpr
LEFT OUTER JOIN sys.server_principals spr ON dpr.[sid] = spr.[sid]
WHERE dpr.[type] IN ('S','G','U','R')
AND dpr.[is_fixed_role] = 0
AND dpr.[name] NOT IN ('public','dbo','guest','INFORMATION_SCHEMA','sys')
AND dpr.[name] NOT LIKE '##%'
)
SELECT * FROM
(
SELECT
'DatabaseCreateUser' [Description],
'USE'+ SPACE(1) +da.DatabaseName+';CREATE USER' + SPACE(1) + da.[DatabaseUser] + SPACE(1)
+ (CASE WHEN da.[ServerLogin] IS NULL THEN 'WITHOUT LOGIN' ELSE 'FOR'+ SPACE(1) +'LOGIN' + SPACE(1) + da.[DatabaseLogin] + SPACE(1) + ISNULL(('WITH DEFAULT_SCHEMA=' + da.[DefaultSchema]),'')+(CASE WHEN da.[IsOrphaned] = 1 THEN '--Orphan' ELSE '' END) END) COLLATE DATABASE_DEFAULT Commands
FROM DatabaseAccounts da
WHERE da.LoginType <> 'DATABASE_ROLE'
UNION ALL
SELECT
'DatabaseCreateRole' [Description],
'USE '+da.[DatabaseName]+';CREATE ROLE' + SPACE(1) + da.[DatabaseUser] + ISNULL((SPACE(1)+'AUTHORIZATION'+SPACE(1)+da.[OwningPrincipal]),'') COLLATE DATABASE_DEFAULT Commands
FROM DatabaseAccounts da
WHERE da.[LoginType] = 'DATABASE_ROLE'
UNION ALL
SELECT
'DatabaseAddUserToRole' [Description],
'EXEC '+QUOTENAME(DB_NAME())+'..sp_addrolemember N'''+user_name(rm.[role_principal_id])+''',N'''+user_name(rm.[member_principal_id])+'''' COLLATE DATABASE_DEFAULT Commands
FROM DatabaseAccounts da
INNER JOIN sys.database_role_members rm ON rm.[member_principal_id] = da.[PrincipalID]
UNION ALL
SELECT
'DatbaseAddUserPermission' [Description],
CASE
WHEN p.[class] = 1 AND p.[state_desc] = 'GRANT_WITH_GRANT_OPTION' THEN 'GRANT' + SPACE(1) + p.[permission_name] + SPACE(1) + 'ON' + SPACE(1) + (QUOTENAME(DB_NAME())+'.'+QUOTENAME(SCHEMA_NAME(sob.[schema_id]))+'.'+QUOTENAME(sob.[name])) + SPACE(1) + 'TO' + SPACE(1) + da.[DatabaseUser] + SPACE(1) + 'WITH GRANT OPTION'
WHEN p.[class] = 1 AND p.[state_desc] <> 'GRANT_WITH_GRANT_OPTION' THEN p.[state_desc] + SPACE(1) + p.[permission_name] + SPACE(1) + 'ON' + SPACE(1) + (QUOTENAME(DB_NAME())+'.'+QUOTENAME(SCHEMA_NAME(sob.[schema_id]))+'.'+QUOTENAME(sob.[name])) + SPACE(1) + 'TO' + SPACE(1) + da.[DatabaseUser]
WHEN p.[class] = 3 THEN 'GRANT' + SPACE(1) + p.[permission_name] + SPACE(1) + 'ON SCHEMA::' + QUOTENAME(SCHEMA_NAME(p.[major_id]))+ 'TO' + SPACE(1) + da.[DatabaseUser]
WHEN p.[class] <> 1 or p.[class] <> 3 THEN p.[state_desc] + SPACE(1) + p.[permission_name] + SPACE(1) + 'TO' + SPACE(1) + da.[DatabaseUser]
ELSE NULL
END COLLATE DATABASE_DEFAULT Commands
FROM sys.database_permissions AS p
LEFT OUTER JOIN sys.all_objects sob ON p.[major_id] = sob.[object_id]
INNER JOIN DatabaseAccounts da ON da.[PrincipalID] = p.[grantee_principal_id]
) x
UNION ALL
SELECT 'ServerCreateLogin' [Description],
CASE WHEN sp.[type] IN ('G','U') THEN 'CREATE LOGIN '+QUOTENAME(sp.[name])+' FROM WINDOWS WITH DEFAULT_DATABASE='+QUOTENAME(sp.[default_database_name])+', DEFAULT_LANGUAGE='+QUOTENAME(sp.[default_language_name])
WHEN sp.[type] = 'S' THEN 'CREATE LOGIN '+QUOTENAME(sp.[name])+' WITH PASSWORD = '+ master.dbo.[fn_varbintohexstr](CAST(LOGINPROPERTY(sp.[name],'passwordhash') AS VARBINARY(256)))+' HASHED'+',SID = '+master.dbo.[fn_varbintohexstr](sp.[sid])+',DEFAULT_DATABASE = '+QUOTENAME(sp.[default_database_name])+',DEFAULT_LANGUAGE = '+QUOTENAME(sp.[default_language_name])
END
FROM master.sys.server_principals sp
WHERE sp.[name] NOT LIKE '##%'
AND sp.[name] <> 'sa'
AND sp.[type] IN ('G','U','S')
UNION ALL
--Add ServerRoles
SELECT 'ServerAddToRole' [Description],'EXEC master..sp_addsrvrolemember @loginame = N''' + sp.[name] + ''', @rolename = N''' + sp2.[name] + ''''
FROM master.sys.server_role_members srm
INNER JOIN master.sys.server_principals sp2 ON srm.[role_principal_id] = sp2.[principal_id]
INNER JOIN master.sys.server_principals sp ON srm.[member_principal_id] = sp.[principal_id]
WHERE sp.[name] <> 'sa'
UNION ALL
SELECT
'ServerAddPermission' [Description],
CASE
WHEN p.[class_desc] = 'SERVER' AND p.[state_desc] = 'GRANT_WITH_GRANT_OPTION' THEN 'GRANT'+SPACE(1)+p.[permission_name]+SPACE(1)+'TO'+SPACE(1)+QUOTENAME(sp.name)+SPACE(1)+'WITH GRANT OPTION' COLLATE DATABASE_DEFAULT
WHEN p.[class_desc] = 'SERVER' THEN p.[state_desc]+SPACE(1)+p.[permission_name]+SPACE(1)+'TO'+SPACE(1)+QUOTENAME(sp.[name]) COLLATE DATABASE_DEFAULT
WHEN p.[class_desc] = 'ENDPOINT' AND p.[state_desc] = 'GRANT_WITH_GRANT_OPTION' THEN 'GRANT'+SPACE(1)+p.[permission_name]+SPACE(1)+'ON ENDPOINT::'+QUOTENAME(e.[name])+SPACE(1)+'TO'+SPACE(1)+QUOTENAME(sp.[name])+SPACE(1)+'WITH GRANT OPTION' COLLATE DATABASE_DEFAULT
WHEN p.[class_desc] = 'ENDPOINT' THEN p.[state_desc]+SPACE(1)+p.[permission_name]+SPACE(1)+'ON ENDPOINT::'+QUOTENAME(e.[name])+SPACE(1)+'TO'+SPACE(1)+QUOTENAME(sp.[name]) COLLATE DATABASE_DEFAULT
END
FROM sys.server_principals AS sp
INNER JOIN sys.server_permissions AS p ON sp.[principal_id] = p.[grantee_principal_id]
LEFT JOIN sys.endpoints e ON e.[endpoint_id]= p.[major_id]
WHERE sp.[name] NOT LIKE '##%'

Leave a Reply