12. 查询数据库账号的所有权限

use master GO declare @svr_principal_name varchar(1024) set @svr_principal_name = 'test_login' declare @svr_principal_id int select @svr_principal_id = principal_id  from sys.server_principals p where p.name = @svr_principal_name if OBJECT_ID('tempdb..#tmp_svr_role','U') is not null     drop table #tmp_svr_role; create table #tmp_svr_role ( member_principal_id     int, member_principal_name   varchar(512), role_principal_id int,  role_principal_name     varchar(512) ) --获取登录账号的所有server role, 从sql server 2012开始，server role可以自定义，成员仅可为fixed server role ;with tmp as ( select * from sys.server_role_members  where member_principal_id = @svr_principal_id union all select rm.* from sys.server_role_members rm inner join tmp  on rm.member_principal_id = tmp.role_principal_id ) insert into #tmp_svr_role  select a.member_principal_id, b.name,  a.role_principal_id, c.name  from tmp a inner join sys.server_principals b on a.member_principal_id = b.principal_id inner join sys.server_principals c on a.role_principal_id = c.principal_id --登录账号自身权限, sys.server_permissions不包含fixed server role权限，同时手动排除掉public权限 select a.principal_id as member_principal_id, a.name as member_principal_name,  null as role_principal_id, null as role_principal_name,  b.permission_name, b.state_desc from sys.server_principals a inner join sys.server_permissions b on a.principal_id = b.grantee_principal_id where a.principal_id = @svr_principal_id and b.permission_name <> 'CONNECT SQL' union all --server role权限，包含fixed server role和自定义的server role select a.member_principal_id, a.member_principal_name,  a.role_principal_id, a.role_principal_name,  isnull(b.permission_name,'Fixed Server-Level Role: '+role_principal_name) as permission_name, isnull(b.state_desc,'GRANT') as state_desc from #tmp_svr_role a left join sys.database_permissions b on a.role_principal_id = b.grantee_principal_id union all --public server role权限，不可以取消public权限，它是每个登录账号的最小权限，仅可连接数据库实例 select @svr_principal_id as member_principal_id,@svr_principal_name as member_principal_name,  principal_id as role_principal_id, name as role_principal_name,   'CONNECT SQL' as permission_name, 'GRANT' as state_desc from sys.server_principals where name = 'public' 

use DBA GO declare @svr_principal_name varchar(1024) set @svr_principal_name = 'test_login' declare @db_principal_id    int,   @db_principal_name  varchar(512) select @db_principal_id = principal_id,  @db_principal_name = name from sys.database_principals p where SUSER_SNAME(sid) = @svr_principal_name if OBJECT_ID('tempdb..#tmp_db_role','U') is not null     drop table #tmp_db_role; create table #tmp_db_role ( member_principal_id     int, member_principal_name   varchar(512), role_principal_id int,  role_principal_name     varchar(512) ) --获取登录账号在当前数据库的所有database role ;with tmp as ( select * from sys.database_role_members  where member_principal_id = @db_principal_id union all select rm.* from sys.database_role_members rm inner join tmp  on rm.member_principal_id = tmp.role_principal_id ) insert into #tmp_db_role  select a.member_principal_id, b.name,  a.role_principal_id, c.name  from tmp a inner join sys.database_principals b on a.member_principal_id = b.principal_id inner join sys.database_principals c on a.role_principal_id = c.principal_id --登录账号在当前数据库的自身权限, sys.database_permissions不包含fixed database role权限，同时手动排除掉public权限 select a.principal_id as member_principal_id, a.name as member_principal_name,  null as role_principal_id, null as role_principal_name,  b.permission_name, b.state_desc from sys.database_principals a inner join sys.database_permissions b on a.principal_id = b.grantee_principal_id where a.principal_id = @db_principal_id and b.permission_name <> 'CONNECT' union all --database role权限，包含fixed database role和自定义的database role select a.member_principal_id, a.member_principal_name,  a.role_principal_id, a.role_principal_name,  isnull(b.permission_name,'Fixed Database-Level Role: '+role_principal_name) as permission_name, isnull(b.state_desc,'GRANT') as state_desc from #tmp_db_role a left join sys.database_permissions b on a.role_principal_id = b.grantee_principal_id union all --public database role权限，不可以取消public权限，它是每个登录账号映射到当前数据库的最小权限，仅可连接当前数据库 select @db_principal_id as member_principal_id, @db_principal_name as member_principal_name,  principal_id as role_principal_id, name as role_principal_name,   'CONNECT' as permission_name, 'GRANT' as state_desc from sys.database_principals where name = 'public' 

--建立测试用的架构，对象，列 use DBA GO if object_id('test_grant','U') is not null     drop table test_grant GO create table test_grant(c1 int, c2 int, c3 int) grant select (c1, c2) on test_grant to test_user; if object_id('test_schema.test_t1','U') is not null     drop table test_schema.test_t1 GO if exists(select 1 from sys.schemas where name  = 'test_schema')     drop schema test_schema GO create schema test_schema create table test_schema.test_t1(c1 int, c2 int) grant select on schema::test_schema to test_user; GO --开始获取对象权限 use DBA GO declare @svr_principal_name varchar(1024) set @svr_principal_name = 'test_login' declare @db_principal_id    int,   @db_principal_name  varchar(512) select @db_principal_id = principal_id,  @db_principal_name = name from sys.database_principals p where SUSER_SNAME(sid) = @svr_principal_name if OBJECT_ID('tempdb..#tmp_db_role','U') is not null     drop table #tmp_db_role; create table #tmp_db_role ( member_principal_id     int, member_principal_name   varchar(512), role_principal_id int,  role_principal_name     varchar(512) ) --获取登录账号在当前数据库的所有database role ;with tmp as ( select * from sys.database_role_members  where member_principal_id = @db_principal_id union all select rm.* from sys.database_role_members rm inner join tmp  on rm.member_principal_id = tmp.role_principal_id ) insert into #tmp_db_role  select a.member_principal_id, b.name,  a.role_principal_id, c.name  from tmp a inner join sys.database_principals b on a.member_principal_id = b.principal_id inner join sys.database_principals c on a.role_principal_id = c.principal_id --登录账号在当前数据库的自身对象权限(OBJECT_OR_COLUMN) select a.principal_id as member_principal_id, a.name as member_principal_name,  null as role_principal_id, null as role_principal_name,  o.name as major_name, c.name as minor_name,  b.permission_name, b.state_desc from sys.database_principals a inner join sys.database_permissions b on a.principal_id = b.grantee_principal_id left join sys.objects o on b.major_id = o.object_id left join sys.columns c  on (b.major_id = c.object_id and b.minor_id = c.column_id) where a.principal_id = @db_principal_id and b.class_desc = 'OBJECT_OR_COLUMN' union all --登录账号在当前数据库的自身对象权限(SCHEMA) select a.principal_id as member_principal_id, a.name as member_principal_name,  null as role_principal_id, null as role_principal_name,  s.name as major_name, null as minor_name,  b.permission_name, b.state_desc from sys.database_principals a inner join sys.database_permissions b on a.principal_id = b.grantee_principal_id left join sys.schemas s on b.major_id = s.schema_id where a.principal_id = @db_principal_id and b.class_desc = 'SCHEMA' union all --database role的对象权限(OBJECT_OR_COLUMN) select a.member_principal_id, a.member_principal_name,  a.role_principal_id, a.role_principal_name,  o.name as major_name, c.name as minor_name,  b.permission_name, b.state_desc from #tmp_db_role a inner join sys.database_permissions b --inner join, 仅自定义的database role on a.role_principal_id = b.grantee_principal_id left join sys.objects o on b.major_id = o.object_id left join sys.columns c  on (b.major_id = c.object_id and b.minor_id = c.column_id) where b.class_desc = 'OBJECT_OR_COLUMN' union all --database role的对象权限(SCHEMA) select a.member_principal_id, a.member_principal_name,  a.role_principal_id, a.role_principal_name,  s.name as major_name, null as minor_name,  b.permission_name, b.state_desc from #tmp_db_role a inner join sys.database_permissions b --inner join, 仅自定义的database role on a.role_principal_id = b.grantee_principal_id left join sys.schemas s on b.major_id = s.schema_id where b.class_desc = 'SCHEMA' /* union all --public role有一些系统视图的select权限，可以忽略 select a.principal_id as member_principal_id, a.name as member_principal_name,  null as role_principal_id, null as role_principal_name,  o.name as major_name, c.name as minor_name,  b.permission_name, b.state_desc from sys.database_principals a inner join sys.database_permissions b on a.principal_id = b.grantee_principal_id left join sys.all_objects o on b.major_id = o.object_id left join sys.all_columns c  on (b.major_id = c.object_id and b.minor_id = c.column_id) where a.name = 'public' */