Account permissions



List account permissions in DB


Declare @user_name VARCHAR(50)
SET @user_name = 'USERNAME_TO_FIND'

PRINT 'Listing all DB permissions for account ' + @user_name

select * from (
SELECT  
    [UserName] = CASE princ.[type] 
                    WHEN 'S' THEN princ.[name]
                    WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
                 END,
    [UserType] = CASE princ.[type]
                    WHEN 'S' THEN 'SQL User'
                    WHEN 'U' THEN 'Windows User'
                 END,  
    [DatabaseUserName] = princ.[name],       
    [Role] = null,      
    [PermissionType] = perm.[permission_name],       
    [PermissionState] = perm.[state_desc],       
    [ObjectType] = obj.type_desc,--perm.[class_desc],       
    [ObjectName] = OBJECT_NAME(perm.major_id),
    [ColumnName] = col.[name]
FROM    
    --database user
    sys.database_principals princ  
LEFT JOIN
    --Login accounts
    sys.login_token ulogin on princ.[sid] = ulogin.[sid]
LEFT JOIN        
    --Permissions
    sys.database_permissions perm ON perm.[grantee_principal_id] = princ.[principal_id]
LEFT JOIN
    --Table columns
    sys.columns col ON col.[object_id] = perm.major_id 
                    AND col.[column_id] = perm.[minor_id]
LEFT JOIN
    sys.objects obj ON perm.[major_id] = obj.[object_id]
WHERE 
    princ.[type] in ('S','U')
UNION
--List all access provisioned to a sql user or windows user/group through a database or application role
SELECT  
    [UserName] = CASE memberprinc.[type] 
                    WHEN 'S' THEN memberprinc.[name]
                    WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI
                 END,
    [UserType] = CASE memberprinc.[type]
                    WHEN 'S' THEN 'SQL User'
                    WHEN 'U' THEN 'Windows User'
                 END, 
    [DatabaseUserName] = memberprinc.[name],   
    [Role] = roleprinc.[name],      
    [PermissionType] = perm.[permission_name],       
    [PermissionState] = perm.[state_desc],       
    [ObjectType] = obj.type_desc,--perm.[class_desc],   
    [ObjectName] = OBJECT_NAME(perm.major_id),
    [ColumnName] = col.[name]
FROM    
    --Role/member associations
    sys.database_role_members members
JOIN
    --Roles
    sys.database_principals roleprinc ON roleprinc.[principal_id] = members.[role_principal_id]
JOIN
    --Role members (database users)
    sys.database_principals memberprinc ON memberprinc.[principal_id] = members.[member_principal_id]
LEFT JOIN
    --Login accounts
    sys.login_token ulogin on memberprinc.[sid] = ulogin.[sid]
LEFT JOIN        
    --Permissions
    sys.database_permissions perm ON perm.[grantee_principal_id] = roleprinc.[principal_id]
LEFT JOIN
    --Table columns
    sys.columns col on col.[object_id] = perm.major_id 
                    AND col.[column_id] = perm.[minor_id]
LEFT JOIN
    sys.objects obj ON perm.[major_id] = obj.[object_id]
UNION
--List all access provisioned to the public role, which everyone gets by default
SELECT  
    [UserName] = '{All Users}',
    [UserType] = '{All Users}', 
    [DatabaseUserName] = '{All Users}',       
    [Role] = roleprinc.[name],      
    [PermissionType] = perm.[permission_name],       
    [PermissionState] = perm.[state_desc],       
    [ObjectType] = obj.type_desc,--perm.[class_desc],  
    [ObjectName] = OBJECT_NAME(perm.major_id),
    [ColumnName] = col.[name]
FROM    
    --Roles
    sys.database_principals roleprinc
LEFT JOIN        
    --Role permissions
    sys.database_permissions perm ON perm.[grantee_principal_id] = roleprinc.[principal_id]
LEFT JOIN
    --Table columns
    sys.columns col on col.[object_id] = perm.major_id 
                    AND col.[column_id] = perm.[minor_id]                   
JOIN 
    --All objects   
    sys.objects obj ON obj.[object_id] = perm.[major_id]
WHERE
    --Only roles
    roleprinc.[type] = 'R' AND
    --Only public role
    roleprinc.[name] = 'public' AND
    --Only objects of ours, not the MS objects
    obj.is_ms_shipped = 0) a
where a.UserName like '%' + @user_name + '%'
	or a.DatabaseUserName like '%' + @user_name + '%'

<br />
Declare @user_name VARCHAR(50)<br />
SET @user_name = 'USERNAME_TO_FIND'</p>
<p>PRINT 'Listing all DB permissions for account ' + @user_name</p>
<p>select * from (<br />
SELECT<br />
    [UserName] = CASE princ.[type]<br />
                    WHEN 'S' THEN princ.[name]<br />
                    WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI<br />
                 END,<br />
    [UserType] = CASE princ.[type]<br />
                    WHEN 'S' THEN 'SQL User'<br />
                    WHEN 'U' THEN 'Windows User'<br />
                 END,<br />
    [DatabaseUserName] = princ.[name],<br />
    [Role] = null,<br />
    [PermissionType] = perm.[permission_name],<br />
    [PermissionState] = perm.[state_desc],<br />
    [ObjectType] = obj.type_desc,--perm.[class_desc],<br />
    [ObjectName] = OBJECT_NAME(perm.major_id),<br />
    [ColumnName] = col.[name]<br />
FROM<br />
    --database user<br />
    sys.database_principals princ<br />
LEFT JOIN<br />
    --Login accounts<br />
    sys.login_token ulogin on princ.[sid] = ulogin.[sid]<br />
LEFT JOIN<br />
    --Permissions<br />
    sys.database_permissions perm ON perm.[grantee_principal_id] = princ.[principal_id]<br />
LEFT JOIN<br />
    --Table columns<br />
    sys.columns col ON col.[object_id] = perm.major_id<br />
                    AND col.[column_id] = perm.[minor_id]<br />
LEFT JOIN<br />
    sys.objects obj ON perm.[major_id] = obj.[object_id]<br />
WHERE<br />
    princ.[type] in ('S','U')<br />
UNION<br />
--List all access provisioned to a sql user or windows user/group through a database or application role<br />
SELECT<br />
    [UserName] = CASE memberprinc.[type]<br />
                    WHEN 'S' THEN memberprinc.[name]<br />
                    WHEN 'U' THEN ulogin.[name] COLLATE Latin1_General_CI_AI<br />
                 END,<br />
    [UserType] = CASE memberprinc.[type]<br />
                    WHEN 'S' THEN 'SQL User'<br />
                    WHEN 'U' THEN 'Windows User'<br />
                 END,<br />
    [DatabaseUserName] = memberprinc.[name],<br />
    [Role] = roleprinc.[name],<br />
    [PermissionType] = perm.[permission_name],<br />
    [PermissionState] = perm.[state_desc],<br />
    [ObjectType] = obj.type_desc,--perm.[class_desc],<br />
    [ObjectName] = OBJECT_NAME(perm.major_id),<br />
    [ColumnName] = col.[name]<br />
FROM<br />
    --Role/member associations<br />
    sys.database_role_members members<br />
JOIN<br />
    --Roles<br />
    sys.database_principals roleprinc ON roleprinc.[principal_id] = members.[role_principal_id]<br />
JOIN<br />
    --Role members (database users)<br />
    sys.database_principals memberprinc ON memberprinc.[principal_id] = members.[member_principal_id]<br />
LEFT JOIN<br />
    --Login accounts<br />
    sys.login_token ulogin on memberprinc.[sid] = ulogin.[sid]<br />
LEFT JOIN<br />
    --Permissions<br />
    sys.database_permissions perm ON perm.[grantee_principal_id] = roleprinc.[principal_id]<br />
LEFT JOIN<br />
    --Table columns<br />
    sys.columns col on col.[object_id] = perm.major_id<br />
                    AND col.[column_id] = perm.[minor_id]<br />
LEFT JOIN<br />
    sys.objects obj ON perm.[major_id] = obj.[object_id]<br />
UNION<br />
--List all access provisioned to the public role, which everyone gets by default<br />
SELECT<br />
    [UserName] = '{All Users}',<br />
    [UserType] = '{All Users}',<br />
    [DatabaseUserName] = '{All Users}',<br />
    [Role] = roleprinc.[name],<br />
    [PermissionType] = perm.[permission_name],<br />
    [PermissionState] = perm.[state_desc],<br />
    [ObjectType] = obj.type_desc,--perm.[class_desc],<br />
    [ObjectName] = OBJECT_NAME(perm.major_id),<br />
    [ColumnName] = col.[name]<br />
FROM<br />
    --Roles<br />
    sys.database_principals roleprinc<br />
LEFT JOIN<br />
    --Role permissions<br />
    sys.database_permissions perm ON perm.[grantee_principal_id] = roleprinc.[principal_id]<br />
LEFT JOIN<br />
    --Table columns<br />
    sys.columns col on col.[object_id] = perm.major_id<br />
                    AND col.[column_id] = perm.[minor_id]<br />
JOIN<br />
    --All objects<br />
    sys.objects obj ON obj.[object_id] = perm.[major_id]<br />
WHERE<br />
    --Only roles<br />
    roleprinc.[type] = 'R' AND<br />
    --Only public role<br />
    roleprinc.[name] = 'public' AND<br />
    --Only objects of ours, not the MS objects<br />
    obj.is_ms_shipped = 0) a<br />
where a.UserName like '%' + @user_name + '%'<br />
	or a.DatabaseUserName like '%' + @user_name + '%'<br />