The document reviews SQL Server permissions. It discusses reviewing login information using the sys.server_principals view, determining database users using sys.database_principals, viewing roles assignments with other system views, and identifying object permissions with sys.database_permissions. Examples are provided to test adding a login, user, and role membership. The document aims to help administrators understand permissions on their SQL Server instance.

1. Reviewing SQL Server Permissions | TechRepublic
ZDNet Asia SmartPlanet TechRepublic Log In Join TechRepublic FAQ Go Pro!
Blogs Downloads Newsletters Galleries Q&A Discussions News
Research Library
IT Management Development IT Support Data Center Networks Security
Home / Blogs / The Enterprise Cloud Follow this blog:
The Enterprise Cloud
Reviewing SQL Server
Permissions
By Tim Chapman
November 3, 2008, 10:19 AM PST
Takeaway: SQL Server consultant Tim Chapman looks at the importance of database
permissions and how you can use internal SQL Server system views to easily which users have
access on your system.
Permissions on data are one of the most critical aspects of database administration. If you’re too
strict as a database administrator then your users will not be able to do their jobs. If you’re not
lenient, then data can be compromised or even leaked. It is a very fine balance to control. The
ability to determine these permissions on your database systems is absolutely paramount.
Btrieve 6.15 Forever
Who has access to my SQL Server? Still using Btrieve? So are we! Get the Ultimate
Btrieve Patch
First things first, you need to know which users are able to login into your SQL Server instance. pervasivedb.com/btrieve
Logins come in two flavors; Windows authentication and SQL Server Logins. Windows logins are Google Docs For Business
tied to Windows accounts while SQL Server logins are housed in SQL Server internally. Whether Start with 5 GB of Included Storage Get
the login is Windows based or is an internal SQL account, you can access login information by Additional 20 GB Just $4/month!
querying internal SQL Server views. To find the login information, the sys.server_principals system www.google.com/apps
view can be used. The following script queries this view and returns login information along with re-lion Builder
the type of associated login. Leading in easy to use terrain database
generation tools
SELECT name, type_desc, is_disabled www.re-lion.com
FROM sys.server_principals
To test this query, run the following script followed by the script above. The new login TestLogin
should appear in the result-set. Keep Up with TechRepublic
CREATE LOGIN TestLogin WITH Password = ‘asdevex33′, CHECK_POLICY = OFF
Who has access to my Databases?
Once a login is able to gain entry into the server, they then need access to databases. Before a
Five Apps
login is able to access a database, a user must be mapped to that login inside the database. The
Google in the Enterprise
following script queries the sys.database_principals system view, which holds user related
information for the current database. Note that this information will likely differ for each database Subscribe Today
you run it in. Users are database-level, so different users will have different access in different
databases.
Follow us however you choose!
SELECT
http://www.techrepublic.com/blog/datacenter/reviewing-sql-server-permissions/466[08/29/2012 3:46:21 PM]

2. Reviewing SQL Server Permissions | TechRepublic
UserName = dp.name, UserType = dp.type_desc, LoginName = sp.name, LoginType =
sp.type_desc
FROM sys.database_principals dp
JOIN sys.server_principals sp ON dp.principal_id = sp.principal_id Media Gallery
To test the above view, run the following script followed by the script immediately above. The new
user TestUser (which is now mapped to the login TestLogin) should appear in the result-set.
CREATE USER TestUser FOR LOGIN TestLogin
Server Roles PHOTO GALLERY (1 of 15)
Curiosity's autonomous
Now that I have covered server logins and database users, I need to cover the different server and 'seven minutes of...
database roles on the system. A login can be a member of a server role, which gives the login
elevated permissions for the SQL Server instance. The following query can be used to view which More Galleries »
logins are tied to which server roles.
select p.name, p.type_desc, pp.name, pp.type_desc
from sys.server_role_members roles
join sys.server_principals p on roles.member_principal_id = p.principal_id
VIDEO (1 of 13)
Cracking Open: HTC Titan II
join sys.server_principals pp on roles.role_principal_id = pp.principal_id
More Videos »
The following script adds the TestLogin I created above to the dbcreator server role. Once this
script is ran, rerun the immediate script above. The new login role will be included in the result-
set.
Hot Questions View All
EXECUTE sp_addsrvrolemember
3 SSL redirection
@loginame = ‘TestLogin’,
@rolename = ‘dbcreator’
3 Switching from a Job to a career in
Database Roles the IT field: Need an IT pro's
advice
The previous query illustrated which users had specific permissions inside of your database.
However, when you’re a member of a database role, you’re given permissions that are not windows 7 won't shutdown and
2
contained in the sys.database_permissions view, but are absolutely vital for knowing which users keeps switching on
have permissions inside your database. You can use the following query to determine which
users are assigned to database roles.
2 can anyone suggest if any such
software exist with similar
SELECT
functionality?
p.name, p.type_desc, pp.name, pp.type_desc, pp.is_fixed_role
Ask a Question
FROM sys.database_role_members roles
JOIN sys.database_principals p ON roles.member_principal_id = p.principal_id
Hot Discussions View All
JOIN sys.database_principals pp ON roles.role_principal_id = pp.principal_id
The following script adds the TestUser to the db_datareader database role. Once this script has 221 Should developers be sued for
been executed, run the previous script to see the new entry in the sys.database_role_members security holes?
system view.
79 The sitting duck that is open
source
EXECUTE sp_addrolemember
27 Five fast Windows desktop search
@rolename = ‘db_datareader’, utilities
@membername = ‘TestUser’ Is the death knell sounding for
30
traditional antivirus?
What can these users do?
http://www.techrepublic.com/blog/datacenter/reviewing-sql-server-permissions/466[08/29/2012 3:46:21 PM]

3. Reviewing SQL Server Permissions | TechRepublic
The following query uses the sys.database_permissions system view to indicate which users had
Start a Discussion
specific permissions inside the current database.
SELECT
Blog Archive
dp.class_desc, dp.permission_name, dp.state_desc,
ObjectName = OBJECT_NAME(major_id), GranteeName = grantee.name, GrantorName = August 2012 December 2011
grantor.name July 2012 November 2011
June 2012 October 2011
FROM sys.database_permissions dp
May 2012 September 2011
JOIN sys.database_principals grantee on dp.grantee_principal_id = grantee.principal_id April 2012 August 2011
March 2012 July 2011
JOIN sys.database_principals grantor on dp.grantor_principal_id = grantor.principal_id
February 2012 June 2011
Conclusion January 2012
Today I looked at some system views included in SQL Server 2005 and SQL Server 2008 which
can be used to view permissions on your SQL Server instance. The more you know about the
permissions on your SQL Server system, the more prepared you’ll be if problems arise.
Get IT Tips, news, and reviews delivered directly to your inbox by subscribing to TechRepublic’s free
newsletters.
About Tim Chapman
Full Bio Contact
EMC AX4 - A failover update Use the Print Management
console for Windows Server
2008 print server
5 Join the conversation! Add Your Opinion
Comments Follow via:
Staff Picks Top Rated Most Recent My Contacts See All Comments
Very useful 0
ckmutunga 24th Aug 2011 Votes
It is exactly what I was looking for.
View in thread
Who has access to my Databases? 0
JeffNguyen 10th Jun 2011 Votes
I think for the part Who has access to my Databases?, the SQL should be. Please
correct me if I'm wrong SELECT UserName = dp.name, UserType = dp.type_desc,
LoginName = sp.name, LoginType =... Read Whole Comment +
http://www.techrepublic.com/blog/datacenter/reviewing-sql-server-permissions/466[08/29/2012 3:46:21 PM]

4. Reviewing SQL Server Permissions | TechRepublic
View in thread
minor correction? 0
Malkie 27th Jan 2011 Votes
Permissions on data are one of the most critical aspects of database administration.
If you???re too strict as a database administrator then your users will not be able to
do their jobs. If you???re... Read Whole Comment +
View in thread
See all comments
Join the TechRepublic Community and join the conversation! Signing-up is
free and quick, Do it now, we want to hear your opinion.
Join Login
http://www.techrepublic.com/blog/datacenter/reviewing-sql-server-permissions/466[08/29/2012 3:46:21 PM]