Security9：查询Login被授予的权限

Posted 2020-07-28 悦光阴

在给一个Login授予权限时，发现该Login已经存在，其对应的User也存在于指定的DB中，查看该Login在指定DB中已被授予的权限。

1，查看Login的Server PrincipalID

select *
from sys.server_principals sp 
where sp.name=‘Domain_Name\Llogin_Name‘

2，查看Login是否属于Server Role的Member

select *
from sys.server_role_members srm 
where srm.member_principal_id=287

3，查看Login在指定DB中对应的User的Database PrincipalID

--查看在db中对应的User，并获取User的PrincipalID
select *
from sys.database_principals dp
inner join sys.server_principals sp 
    on dp.sid=sp.sid
where sp.principal_id=287

4，查看User是否是Database role的member

--查看该User是否是Database Role的member
select *
from sys.database_role_members drm 
where drm.member_principal_id=5

5，查看User的Permission

--查看该User被赋予的权限
select *
from sys.database_permissions dp 
where dp.grantee_principal_id=5

 

Appendix

sys.database_permissions

Returns a row for every permission or column-exception permission in the database. For columns, there is a row for every permission that is different from the corresponding object-level permission. If the column permission is the same as the corresponding object permission, there will be no row for it and the actual permission used will be that of the object.

major_id：ID of thing on which permission exists, interpreted according to class. For most, this is simply the kind of ID that applies to what the class represents. Interpretation for nonstandard is as follows:

0 = Always 0

1 = Object-ID

Negative IDs are assigned to system objects.

minor_id：Secondary-ID of thing on which permission exists, interpreted according to class. For most, this is zero. Otherwise, it is the following:

1 = Column-ID if a column. Otherwise, it is 0 if an object.

 

参考doc：

sys.database_permissions (Transact-SQL)