This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 91%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHA%3C/text%3E%3C/svg%3E)
Hello!
Please excuse me for almost the same question as "Select permission" but there's one thing I'd like to be cleared up:
I see that I can't query a user database (at least the databases for which the Guest account is disabled) until the user mapping between an sql login and a db user is created...
...but what I still do not understand is why does the fn_my_permissions function applied to a user db (Resources) does show SELECT permission for the user (Contoso1\exchadmin) which has NOT YET been mapped to???
use msdb
go
EXECUTE AS USER = 'Contoso1\exchadmin'
select Name, physical_name, state_desc, (size)*8/1024, growth from msdb.sys.database_files ORDER BY Name
select Name, physical_name, state_desc, (size)*8/1024, growth from Resources.sys.database_files ORDER BY Name
SELECT * FROM fn_my_permissions('msdb.sys.database_files', 'object')
SELECT * FROM fn_my_permissions('Resources.sys.database_files', 'object')
Revert
Thank you in advance,
Michael
I guess this is because names in the sys schema resolves to the resource database. (That is, mssqlsystemresource, not the one you call resource!)
I tried this:
CREATE LOGIN Villevalle WITH PASSWORD = 'LÄÖÄF"?=='
EXECUTE AS LOGIN = 'Villevalle'
go
SELECT * FROM sys.fn_my_permissions('somedatabase.sys.tables', 'OBJECT')
SELECT * FROM sys.fn_my_permissions('somedatabase.dbo.sometable', 'OBJECT')
go
REVERT
DROP LOGIN Villevalle
The first SELECt did indeed return a row with SELECT permission. But the other query produced an error message:
Msg 916, Level 14, State 2, Line 89 The server principal "Villevalle" is not able to access the database "somedatabase" under the current security context.
"That is, mssqlsystemresource, not the one you call resource!" - my db is named ResourceS, not the "resource" so that's not the case, and I first saw that issue on my production cluster, just wanted to take screenshots in the test lab.
In fact I see this behaviour in any database:
Seems weird... :(
"That is, mssqlsystemresource, not the one you call resource!" - my db is named ResourceS, not the "resource" so that's not the case, and I first saw that issue on my production cluster, just wanted to take screenshots in the test lab.
I only made that comment to clarify that I was talking about a different database than yours. That is, the database that comes with SQL Server and is hidden from us normally.
In fact I see this behaviour in any database:
Yes, that was the gist of my post.
"Yes, that was the gist of my post." - sorry, didn't get it... According to your example...
SELECT * FROM sys.fn_my_permissions('somedatabase.dbo.sometable', 'OBJECT')
...returns error - and that's expected, why doesn't the same error arise for my user databases???
First: Please, don't post Answers, unless you are answering your own question.
My repro above was a little confusing, because when I anonymised the table and database name, I was inconsistent.
When I tested a little more I found something which is a little puzzling. Look at this:
CREATE DATABASE tester
go
USE tester
go
CREATE TABLE testtbl (a int NOT NULL)
go
USE tempdb
go
CREATE LOGIN testlogin WITH PASSWORD = 'ThisWeeksWeakPassword?'
EXECUTE AS LOGIN = 'testlogin'
go
PRINT 'sys.tables'
SELECT * FROM sys.fn_my_permissions('tester.sys.tables', 'OBJECT')
go
PRINT 'dbo.testtbl'
SELECT * FROM sys.fn_my_permissions('tester.dbo.testtbl', 'OBJECT')
go
PRINT 'dbo.nosuchtbl'
SELECT * FROM sys.fn_my_permissions('tester.dbo.nosuchtbl', 'OBJECT')
go
REVERT
DROP LOGIN testlogin
DROP DATABASE tester
The first and last SELECt runs without error. It is only if you are querying about an actual object that you get an error.
Agree, very strange - the login does not really have permissions on tables in the database but seems to have the select permission on this database's row in sys.tables.
The purpose of the fn_my_permissions function is to check permissions on an object before taking any actions on it, but in this cas that will not work:
Thank you very much for your help, Erland!
Regards,
Michael Firsov
P.S. "First: Please, don't post Answers, unless you are answering your own question." - how can I Accept the answer if this answer is in the Comments section??? :(((
Agree, very strange - the login does not really have permissions on tables in the database but seems to have the select permission on this database's row in sys.tables.
I'm inclined to call the behaviour a bug, but I would not expect Microsoft to fix it, so I am not filing anything for it. I guess that what happens internally is that they ask "did the name resolve to an object_id?", and when it does they go on, only to find that the user is not permitted to the database. But when object_id comes back NULL, there is nothing to check.
The security issue here is that an attacker this way can conclude which tables there are in the database, but it's quite time-consuming.
The purpose of the fn_my_permissions function is to check permissions on an object before taking any actions on it, but in this cas that will not work:
I don't know what you exactly had in mind, but it seems reasonable to check that the login has access to the database at all.
P.S. "First: Please, don't post Answers, unless you are answering your own question." - how can I Accept the answer if this answer is in the Comments section??? :(((
Currently, you cannot accept your own posts an Answer anyway. If there any of my comments you prefer to accept rather than my Answer on top, please let me know, and I will convert it to an Answer.