Hey Mr. DBA, What Permissions Do I Have On This Database?

<div>I get this question at work from time to time. Fortunately SQL 2005\2008 has a built in table valued function to help answer this. It’s called <code style="font-size: 12px">fn_my_permissions</code> and it returns the effective permissions granted to a securable. The syntax is: <pre class="brush: sql">fn_my_permissions(securable, 'securable_class')</pre>
In simple speak, securable means the table, procedure, function, etc. that you want to know what permissions you have on. Securable_class is the name of the class that corresponds to the securable. Examples of securables are: tables, views, functions, and procedures. Examples of securable classes are:  ASSEMBLY, DATABASE, OBJECT, and SERVER. Note that if you use the value “default” (minus the quotes) for either securable or securable_class SQL Server simply interprets it as NULL. 
Where this comes in really useful is when you need to know the effective permissions of someone else besides you. To do this you can use <code style="font-size: 12px">EXECUTE AS</code> to impersonate a login, then call <code style="font-size: 12px">fn_my_permissions</code> to see what that user has. When you’re done, use <code style="font-size: 12px">REVERT</code> to change the login context back to yourself. Note to do this requires IMPERSONATE permissions on the login\user that you’re trying to impersonate; for logins this is implicit if you’re a member of the sysadmin fixed server role and for database users this is implicit if you’ve got db_owner rights.


Examples
<ul>
<li>List your effective permissions on the server <pre class="brush: sql">SELECT	*
FROM	fn_my_permissions(NULL, 'SERVER');</pre>
<li>List your effective permissions on the database <pre class="brush: sql">SELECT	*
FROM	fn_my_permissions(NULL, 'DATABASE');</pre>
<li>List your effective permissions on a procedure <pre class="brush: sql">SELECT	*
FROM	fn_my_permissions('sp_MSforeachtable', 'OBJECT');</pre>
<li>List the effective permissions on the database for a server login <pre class="brush: sql">EXECUTE AS LOGIN = 'MYDOMAIN\some.user'; 
SELECT	*
FROM	fn_my_permissions(NULL, 'DATABASE'); 
REVERT; 
</pre>
<li>List the effective permissions on the database for a database user <pre class="brush: sql">EXECUTE AS USER = 'MYDOMAIN\some.user'; 
SELECT	*
FROM	fn_my_permissions(NULL, 'DATABASE'); 
REVERT; 
</pre>
<li>List all securable classes <pre class="brush: sql">SELECT DISTINCT
		class_desc
FROM	fn_builtin_permissions(DEFAULT)
ORDER BY class_desc; </pre></li></ul></div>

5 comments

Anonymous said...: As an Oracle DBA learning SQL Server, this is very nice to know. Thanks. FYI - in Oracle (as a DBA privileged user) you would query the dba_tab_privs view.; December 11, 2008 at 3:46 PM
BenHocker said...: Shouldn't the "List the effective permissions on the database for a server login" be
EXECUTE AS LOGIN = 'MYDOMAIN\some.user';
SELECT * FROM fn_my_permissions(NULL, 'SERVER');
REVERT;; December 29, 2008 at 3:03 PM
Kendal Van Dyke said...: BenHocker, good question...your example would show the effective permissions on the SERVER for that server login. My example shows the effective permissions on the DB for the server login.; December 29, 2008 at 3:12 PM
Anonymous said...: dba_tab_privs does not show the "effective" permissions - there are only permissions assigned directly to the user or role.
So, if You want to receive really ALL permissions for the user, the complex query from dba_tab_privs, dba_role_privs should be written.; December 17, 2009 at 10:30 AM
Anonymous said...: SQL Server Muppet SQL Server .. dba_role_privs = Oracle; August 9, 2011 at 5:37 AM

Kendal Van Dyke

5 comments

Popular Posts

Labels

What I'm Saying On Twitter

Kendal Van Dyke

Share This

Related Posts

5 comments

Popular Posts

Labels

What I'm Saying On Twitter