T-SQL Script当前用户数据库权限

时间:2013-03-13 13:27:23

标签: sql tsql user-permissions

有时我必须将DB从生产SQL服务器恢复到测试SQL实例。恢复数据库后,我们手动恢复已恢复数据库的正确访问权限(例如数据库所有者/读者/编写者)。此过程运行良好,除了必须在还原之前手动截断权限,然后从拍摄的图像中重新应用它们。

在数据库恢复之前,是否有一种简单的方法可以使用T-SQL为用户存储CURRENT权限,然后在恢复完成后重新应用这些相同的权限?

6 个答案:

答案 0 :(得分:3)

你的问题的答案很可能是杰夫的答案。

但Howard的脚本非常实用,我刚刚添加了一个列,它生成带有信息的TSQL语法。您可以将其复制并以SQL身份运行以复制'对另一个数据库的权限。

SELECT 
dp.permission_name collate latin1_general_cs_as    AS Permission,
t.TABLE_SCHEMA + '.' + o.name AS Object,
dpr.name AS Username
, 'GRANT ' + dp.permission_name collate latin1_general_cs_as 
    + ' ON ' 
    + t.TABLE_SCHEMA 
    + '.' 
    + o.name 
    + ' TO ' 
    +  dpr.name
FROM sys.database_permissions AS dp
INNER JOIN sys.objects AS o ON dp.major_id=o.object_id
INNER JOIN sys.schemas AS s ON o.schema_id = s.schema_id
INNER JOIN sys.database_principals AS dpr ON dp.grantee_principal_id=dpr.principal_id
INNER JOIN INFORMATION_SCHEMA.TABLES t
    ON  TABLE_NAME = o.name                
WHERE dpr.name NOT IN ('public','guest')
ORDER BY
   Permission, Object,Username

答案 1 :(得分:1)

SELECT 
dp.permission_name collate latin1_general_cs_as    AS Permission,
t.TABLE_SCHEMA + '.' + o.name AS Object,
dpr.name AS Username
FROM sys.database_permissions AS dp
INNER JOIN sys.objects AS o ON dp.major_id=o.object_id
INNER JOIN sys.schemas AS s ON o.schema_id = s.schema_id
INNER JOIN sys.database_principals AS dpr ON dp.grantee_principal_id=dpr.principal_id
INNER JOIN INFORMATION_SCHEMA.TABLES t
        ON  TABLE_NAME = o.name                
WHERE dpr.name NOT IN ('public','guest')
ORDER BY
  Permission, Object,Username

答案 2 :(得分:0)

有一个非常有用的功能: sys.fn_my_permissions(securable,'securable_class') 它使您能够查看当前用户对指定对象的EFFECTICVE权限,因此我不知道您是否可以简单地从中构建GRANT / DENY命令。我从来没用过那种方式。 在您的情况下,您将以另一个用户身份运行它:

EXECUTE AS USER = '<username>';
GO
SELECT *
FROM fn_my_permissions(null, 'SERVER') 
GO

SELECT *
FROM fn_my_permissions('<DBNAME>', 'Database')
ORDER BY subentity_name, permission_name ;

REVERT;
GO

答案 3 :(得分:0)

您正在处理的问题称为orphaned users

这是我过去使用的一个脚本(我必须将它从内存中放到一起,你应该仔细验证):

create table #users (UserName sysname, UserSID varbinary(85))

Insert into #users
exec sp_change_users_login @Action='Report';

declare mycursor cursor for select * from #users;
open mycursor;

declare @UserName sysname;
declare @UserSID varbinary(85);

fetch next from mycursor
into @UserName, @UserSID

while @@FETCH_STATUS = 0
begin
    exec  sp_change_users_login @Action='update_one', @UserNamePattern=@UserName, @LoginName=@UserName;
end
close mycursor;
deallocate mycursor;

这个脚本做了一个重要的假设。用户登录名与数据库中的用户名匹配。如果不是这样,则必须更改发送到sp_change_users_login的@LoginName参数。

答案 4 :(得分:0)

将此与有关权限的答案相结合:

SELECT 'EXEC sp_addrolemember @rolename ='
+ SPACE(1) + QUOTENAME(USER_NAME(rm.role_principal_id), '')
+ ', @membername =' + SPACE(1) + QUOTENAME(USER_NAME(rm.member_principal_id), '') 
AS 'Role Memberships'
FROM sys.database_role_members AS rm
ORDER BY rm.role_principal_id

答案 5 :(得分:0)

这是@Fabian编写的脚本的修改版本,这样我也可以编写存储过程的权限脚本。还添加了QUOTENAME,因此适当的内容放在括号中。

SELECT 
    dp.permission_name collate latin1_general_cs_as    AS Permission,
    t.TABLE_SCHEMA + '.' + o.name AS TableName,
    rt.ROUTINE_SCHEMA + '.' + o.name AS ProcedureName,
    dpr.name AS Username
    , 'GRANT ' + dp.permission_name collate latin1_general_cs_as 
        + ' ON ' 
        + QUOTENAME(CASE WHEN t.TABLE_SCHEMA IS NOT NULL THEN t.TABLE_SCHEMA ELSE rt.ROUTINE_SCHEMA END )
        + '.' 
        + QUOTENAME(o.name)
        + ' TO ' 
        +  QUOTENAME(dpr.name)
FROM sys.database_permissions AS dp
INNER JOIN sys.objects AS o ON dp.major_id=o.object_id
INNER JOIN sys.schemas AS s ON o.schema_id = s.schema_id
INNER JOIN sys.database_principals AS dpr ON dp.grantee_principal_id=dpr.principal_id
LEFT outer JOIN INFORMATION_SCHEMA.TABLES t ON  TABLE_NAME = o.name              
LEFT OUTER JOIN INFORMATION_SCHEMA.ROUTINES rt ON rt.ROUTINE_NAME = o.name
WHERE dpr.name NOT IN ('public','guest')
ORDER BY Permission, TableName, ProcedureName, Username