2

我将数据库从一台服务器恢复到另一台服务器。恢复数据库后,我遇到了这个孤立用户的问题,我使用以下方法解决了这个问题 -

exec sp_change_users_login 'Update_One', 'UserName', 'LoginName'

现在,这个特定用户与给定的服务器登录链接。一切都很好,直到这里。
但是,我仍然遇到与“Securables”有关的问题

由于该用户缺少对许多数据库对象的权限,因此我在 Google 上搜索并找到了一种方法 - 通过 - 生成脚本 -

1. Select Database
2. Right click database to see context menu
3. Select 'Tasks', 
4. From the sub-menu, select 'Generate Scripts'
5. Select 'Set Scripting Options'
6. From 'Advanced' section - set 'Object Level Permissions' to true.

因此,我们将获得所有 GRANT SELECT/GRANT EXECUTE 脚本等的列表。

但是,我正在寻找另一种方法,我不必每次都运行此向导,我可以编写自己的数据库脚本来列出给定数据库用户的数据库安全和权限。

谁能指导我应该寻找哪些(系统)数据库表?

谢谢!

4

2 回答 2

2
-- database roles
-- role definitions
SELECT
dp1.name as RoleName,
dp2.name AS OwnedBy,
'CREATE ROLE [' + dp1.name + '] AUTHORIZATION [' + dp2.name + ']' AS cmd
FROM 
sys.database_principals dp1
JOIN 
sys.database_principals dp2 ON dp1.owning_principal_id = dp2.principal_id
WHERE dp1.type = 'R'
AND dp1.is_fixed_role = 0
AND dp1.name <> 'public'

-- role members
SELECT p2.name dbrole, p.name dbuser, 'EXEC sp_addrolemember ''' + p2.name + ''', ''' + p.name + '''' cmd
from 
sys.database_role_members m
join 
sys.database_principals p on m.member_principal_id = p.principal_id
join
sys.database_principals p2 on m.role_principal_id = p2.principal_id
WHERE p.name <> 'dbo'
ORDER BY p2.name, p.name


-- database permissions
SELECT
--/*
  prin.name AS UserName,
  objsch.name SchemaName,
  perm.class,
  perm.state_desc + ' ' + perm.permission_name AS Permission,
  CASE 
    WHEN perm.class = 1 AND perm.minor_id <> 0 THEN 'COLUMN'
    WHEN perm.class = 1 THEN obj.type_desc
    ELSE perm.class_desc
  END AS ObjectType,
  CASE
    WHEN perm.class = 3 THEN sch.name
    WHEN cols.object_id IS NOT NULL THEN obj.name + '.' + cols.name
    WHEN perm.class = 0 THEN DB_NAME()
    ELSE ISNULL(obj.name, 'n/a')
  END AS ObjectName,
--*/
perm.state_desc + ' ' + perm.permission_name collate SQL_Latin1_General_CP1_CI_AS + 
CASE WHEN perm.class <> 0 -- don't do this part for databases
  THEN
    ' ON ' +
    CASE
        WHEN perm.class = 3 THEN 'SCHEMA::[' + sch.name + ']'
        WHEN cols.object_id IS NOT NULL THEN '[' + objsch.name + '].[' + obj.name + '](' + cols.name + ')'
        WHEN perm.class = 0 THEN DB_NAME()
        ELSE ISNULL('[' + objsch.name + '].[' + obj.name + ']', 'n/a')
    END --AS ObjectName--,
    ELSE ''
END
+ ' TO ['
+   prin.name 
+ ']' AS cmd
FROM 
sys.database_permissions perm
JOIN
sys.database_principals prin on perm.grantee_principal_id = prin.principal_id
LEFT JOIN
sys.all_objects obj ON perm.major_id = obj.object_id
LEFT JOIN
sys.all_columns cols ON perm.major_id = cols.object_id and perm.minor_id = cols.column_id
LEFT JOIN
sys.schemas objsch ON obj.schema_id = objsch.schema_id
LEFT JOIN
sys.schemas sch ON perm.major_id = sch.schema_id
WHERE prin.name <> 'public'
AND prin.name <> 'dbo'
--AND perm.major_id >= 0
--AND perm.class_desc <> 'DATABASE'
ORDER BY 
  prin.name, 
  perm.class,
  ObjectType,
CASE
    WHEN perm.class = 3 THEN '[' + sch.name + ']'
    WHEN cols.object_id IS NOT NULL THEN '[' + objsch.name + '].[' + obj.name + '](' + cols.name + ')'
    WHEN perm.class = 0 THEN DB_NAME()
    ELSE ISNULL('[' + objsch.name + '].[' + obj.name + ']', 'n/a')
END


-- sp_helpuser

-- select distinct 'DROP USER [' + name + ']' from sys.database_principals order by 1
于 2013-06-07T14:48:14.173 回答
1

要取回给定用户的表权限:

  SELECT * FROM (

        select 
          USER_NAME(p.grantee_principal_id) as grantee,
          o.name                          AS TABLE_NAME,
          convert(varchar(10), CASE p.type
                WHEN 'RF' THEN 'REFERENCES'
                WHEN 'SL' THEN 'SELECT'
                WHEN 'IN' THEN 'INSERT'
                WHEN 'DL' THEN 'DELETE'
                WHEN 'UP' THEN 'UPDATE'
                END)                        AS PRIVILEGE_TYPE
        from 
        sys.database_permissions p,
        sys.objects o
        where 
        o.type in ('U', 'V') AND
        p.major_id = o.object_id AND
        p.minor_id = 0

  ) table_privileges  

WHERE grantee = 'myuser'

对于这些表上的列:

SELECT * FROM (
        SELECT User_name(p.grantor_principal_id) 
               AS 
               grantor, 
               User_name(p.grantee_principal_id) 
               AS grantee, 
               Db_name() 
               AS table_catalog, 
               Schema_name(o.schema_id) 
               AS table_schema, 
               o.name 
               AS table_name, 
               c.name 
               AS column_name, 
               CONVERT(VARCHAR(10), CASE p.TYPE WHEN 'SL' THEN 'SELECT' WHEN 'UP' THEN 
               'UPDATE' 
               WHEN 'RF' THEN 'REFERENCES' END) 
               AS privilege_type, 
               CONVERT(VARCHAR(3), CASE p.state WHEN 'G' THEN 'NO' WHEN 'W' THEN 'YES' 
               END) AS 
               is_grantable 
        FROM   sys.database_permissions p, 
               sys.objects o, 
               sys.columns c 
        WHERE  o.TYPE IN ( 'U', 'V' ) 
               AND o.object_id = c.object_id 
               AND p.class = 1 
               AND p.major_id = o.object_id 
               AND ( p.minor_id = c.column_id 
                      OR ( p.minor_id = 0 
                           AND NOT EXISTS (SELECT * 
                                           FROM   sys.database_permissions m 
                                           WHERE  m.class = 1 
                                                  AND m.major_id = p.major_id 
                                                  AND m.minor_id = c.column_id 
                                                  AND m.TYPE = p.TYPE 
                                                  AND m.state <> p.state) ) ) 
               AND p.TYPE IN ( 'RF', 'SL', 'UP' ) 
               AND p.state IN ( 'G', 'W' ) 
               AND 0 != ( Permissions(o.object_id, c.name) & -- back compat 
                          CASE p.TYPE 
                            WHEN 'RF' THEN 4 -- REFERENCES basebit 
                            WHEN 'SL' THEN 1 -- SELECT basebit 
                            WHEN 'UP' THEN 2 -- UPDATE basebit 
                          END ) 

    ) column_privileges
WHERE grantee = 'myuser'

这些是我从这里得到的脚本的修改版本:https ://dba.stackexchange.com/a/9118/5074

于 2012-06-25T23:21:35.923 回答