Share via

PBM : role has permission to specific tables

rodrag 156 Reputation points
2020-10-09T19:25:10.657+00:00

In a couple of SQL 2014 databases on the instance, for a database role “ProductGroup”, I need to validate that it has select permissions to all tables named ‘Product%’. If exists any table named ‘Product%’ for which it does not have, then flag it. I was thinking on using PBM instead of a job. However, I was not able to find neither a role property or a table property for which I can write a condition to correlate them in order to achieve my goal.
Do you have any idea if any way to use PBM for this?

Thank you

SQL Server
SQL Server
A family of Microsoft relational database management and analysis systems for e-commerce, line-of-business, and data warehousing solutions.
14,490 questions
0 comments
Accepted answer
  1. Erland Sommarskog 118.9K Reputation points MVP
    2020-10-09T21:51:58.457+00:00

    I can't say that I have much faith in Policy-Based Management. I have not research whether it would be possible to write such a policy.

    Here is a query for the task: 

    SELECT s.name + '.' + o.name
FROM   sys.tables o
JOIN   sys.schemas s ON o.schema_id = s.schema_id
WHERE  o.name LIKE 'Product%'
  AND  NOT EXISTS (SELECT *
                   FROM   sys.database_permissions dp
                   JOIN   sys.database_principals u ON dp.grantee_principal_id = u.principal_id
                   WHERE  dp.major_id = o.object_id
                     AND  dp.type = 'SL'
                     AND  dp.state = 'G'
                     AND  u.name = 'YourRole')

    Although this query only covers SELECT permissions granted directly to the role and directly on the object. That is, it does consider permissions granted other roles the role is a member of, and nor does it consider permissions on database or schema level.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. CathyJi-MSFT 22,351 Reputation points Microsoft External Staff
    2020-10-28T08:47:33.55+00:00

    Hi @rodrag ,

    I am not familiar about changing the SQL script.

    I found a script about showing permission on the schema and object.

    SELECT
    state_desc + ' ' + permission_name +
    ' on ['+ ss.name + '].[' + so.name + ']
    to [' + sdpr.name + ']'
    COLLATE LATIN1_General_CI_AS as [Permissions T-SQL]
    FROM SYS.DATABASE_PERMISSIONS AS sdp
    JOIN sys.objects AS so
    ON sdp.major_id = so.OBJECT_ID
    JOIN SYS.SCHEMAS AS ss
    ON so.SCHEMA_ID = ss.SCHEMA_ID
    JOIN SYS.DATABASE_PRINCIPALS AS sdpr
    ON sdp.grantee_principal_id = sdpr.principal_id
    where 1=1
    AND so.name = 'ItemStock'

    UNION

    SELECT
    state_desc + ' ' + permission_name +
    ' on Schema::['+ ss.name + ']
    to [' + sdpr.name + ']'
    COLLATE LATIN1_General_CI_AS as [Permissions T-SQL]
    FROM SYS.DATABASE_PERMISSIONS AS sdp
    JOIN SYS.SCHEMAS AS ss
    ON sdp.major_id = ss.SCHEMA_ID
    AND sdp.class_desc = 'Schema'
    JOIN SYS.DATABASE_PRINCIPALS AS sdpr
    ON sdp.grantee_principal_id = sdpr.principal_id
    where 1=1

    order by [Permissions T-SQL]
    GO

    Best regards,
    Cathy

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.