How to Script User and Role Object Permissions in SQL Server

4 Responses to “How to Script User and Role Object Permissions in SQL Server”

1. 

   Jigar Bhatt Reply August 3, 2011 at 11:36 am

   The script helped me alot and it saved my manual work. Thanks a lot dude.

2. 

   Custom Software Mark Reply March 8, 2012 at 5:20 pm

   Both scripts a great.

   Can I offer a formatting suggestion? When you copy your scripts from the web site into Query Analyzer, you have to changes A LOT OF things! The quotes, minus signs, double quotes, spacing get messed up.

   But after I cleaned all of that up, scripts work great!

3. 

   Robb Keller Reply December 12, 2012 at 4:41 pm

   Here is a fixed version with replacing the user to fix SID issues:

   SET NOCOUNT ON

   DECLARE
   @errStatement [varchar](8000),
   @msgStatement [varchar](8000),
   @DatabaseUserID [smallint],
   @ServerUserName [sysname],
   @RoleName [varchar](8000),
   @ObjectID [int],
   @ObjectName [varchar](261),
   @DBUserName [varchar](255),
   @DatabaseUserName [sysname]

   SET @msgStatement = ‘–Security creation script for users and roles ‘ + CHAR(13) +
   ‘–Created At: ‘ + CONVERT(varchar, GETDATE(), 112) + REPLACE(CONVERT(varchar, GETDATE(), 108), ‘:’, ”) + CHAR(13) +
   ‘–Created By: ‘ + SUSER_NAME() + CHAR(13) + CHAR(13) +
   ‘USE [' + DB_NAME() + ']‘ + CHAR(13)

   PRINT @msgStatement

   DECLARE dbUsers CURSOR
   FOR
   SELECT [name] FROM sys.database_principals WHERE type ‘R’ ORDER BY [name]

   OPEN dbUsers

   FETCH NEXT FROM dbUsers INTO @DBUserName

   WHILE @@FETCH_STATUS = 0
   BEGIN

   SET @DatabaseUserName = @DBUserName

   SELECT @DatabaseUserID = [sysusers].[uid],
   @ServerUserName = [master].[dbo].[syslogins].[loginname]
   FROM [dbo].[sysusers]
   INNER JOIN [master].[dbo].[syslogins]
   ON [sysusers].[sid] = [master].[dbo].[syslogins].[sid]
   WHERE [sysusers].[name] = @DatabaseUserName

   IF LEN(@ServerUserName) > 0 AND LEN(@DatabaseUserName) > 0
   BEGIN
   SET @msgStatement = ‘IF EXISTS (SELECT name FROM sys.database_principals WHERE name = ”’ + @DatabaseUserName + ”’)
   BEGIN
   EXEC sp_dropuser ”’ + @DatabaseUserName + ”’
   END’ + CHAR(13) + CHAR(13) +
   ‘–Add User To Database’ + CHAR(13) +
   ‘EXEC [sp_grantdbaccess]‘ + CHAR(13) +
   CHAR(9) + ‘@loginame = ”’ + @ServerUserName + ”’,’ + CHAR(13) +
   CHAR(9) + ‘@name_in_db = ”’ + @DatabaseUserName + ”” + CHAR(13) + CHAR(13) +
   ‘–Add User To Roles’
   END

   PRINT @msgStatement

   DECLARE _sysusers CURSOR LOCAL FORWARD_ONLY READ_ONLY

   FOR

   SELECT [name]
   FROM [dbo].[sysusers]
   WHERE [uid] IN( SELECT [groupuid]
   FROM [dbo].[sysmembers]
   WHERE [memberuid] = @DatabaseUserID)

   OPEN _sysusers

   FETCH NEXT FROM _sysusers INTO @RoleName

   WHILE @@FETCH_STATUS = 0
   BEGIN
   IF LEN(@RoleName) > 0 AND LEN(@DatabaseUserName) > 0
   BEGIN
   SET @msgStatement = ‘EXEC [sp_addrolemember]‘ + CHAR(13) +
   CHAR(9) + ‘@rolename = ”’ + @RoleName + ”’,’ + CHAR(13) +
   CHAR(9) + ‘@membername = ”’ + @DatabaseUserName + ”” + CHAR(13) +
   CHAR(13) + ‘–Set Object Specific Permissions’

   PRINT @msgStatement
   END

   FETCH NEXT FROM _sysusers INTO @RoleName
   END

   CLOSE _sysusers
   DEALLOCATE _sysusers

   DECLARE _sysobjects CURSOR LOCAL FORWARD_ONLY READ_ONLY

   FOR

   SELECT DISTINCT([sysobjects].[id]),
   ‘[' + USER_NAME([sysobjects].[uid]) + ‘].[' + [sysobjects].[name] + ‘]’
   FROM [dbo].[sysprotects]
   INNER JOIN [dbo].[sysobjects]
   ON [sysprotects].[id] = [sysobjects].[id]
   WHERE [sysprotects].[uid] = @DatabaseUserID

   OPEN _sysobjects

   FETCH NEXT FROM _sysobjects INTO @ObjectID, @ObjectName

   WHILE @@FETCH_STATUS = 0
   BEGIN
   SET @msgStatement = ”
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 193 AND [protecttype] = 205)
   SET @msgStatement = @msgStatement + ‘SELECT,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 195 AND [protecttype] = 205)
   SET @msgStatement = @msgStatement + ‘INSERT,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 197 AND [protecttype] = 205)
   SET @msgStatement = @msgStatement + ‘UPDATE,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 196 AND [protecttype] = 205)
   SET @msgStatement = @msgStatement + ‘DELETE,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 224 AND [protecttype] = 205)
   SET @msgStatement = @msgStatement + ‘EXECUTE,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 26 AND [protecttype] = 205)
   SET @msgStatement = @msgStatement + ‘REFERENCES,’

   IF LEN(@msgStatement) > 0
   BEGIN
   IF RIGHT(@msgStatement, 1) = ‘,’
   SET @msgStatement = LEFT(@msgStatement, LEN(@msgStatement) – 1)
   SET @msgStatement = ‘GRANT’ + CHAR(13) +
   CHAR(9) + @msgStatement + CHAR(13) +
   CHAR(9) + ‘ON ‘ + @ObjectName + CHAR(13) +
   CHAR(9) + ‘TO [' + @DatabaseUserName + ']‘

   PRINT @msgStatement
   END

   SET @msgStatement = ”

   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 193 AND [protecttype] = 206)
   SET @msgStatement = @msgStatement + ‘SELECT,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 195 AND [protecttype] = 206)
   SET @msgStatement = @msgStatement + ‘INSERT,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 197 AND [protecttype] = 206)
   SET @msgStatement = @msgStatement + ‘UPDATE,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 196 AND [protecttype] = 206)
   SET @msgStatement = @msgStatement + ‘DELETE,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 224 AND [protecttype] = 206)
   SET @msgStatement = @msgStatement + ‘EXECUTE,’
   IF EXISTS(SELECT * FROM [dbo].[sysprotects] WHERE [id] = @ObjectID AND [uid] = @DatabaseUserID AND [action] = 26 AND [protecttype] = 206)

   SET @msgStatement = @msgStatement + ‘REFERENCES,’

   IF LEN(@msgStatement) > 0
   BEGIN
   IF RIGHT(@msgStatement, 1) = ‘,’
   SET @msgStatement = LEFT(@msgStatement, LEN(@msgStatement) – 1)
   SET @msgStatement = ‘DENY’ + CHAR(13) +
   CHAR(9) + @msgStatement + CHAR(13) +
   CHAR(9) + ‘ON ‘ + @ObjectName + CHAR(13) +
   CHAR(9) + ‘TO [' + @DatabaseUserName + ']‘

   PRINT @msgStatement

   END

   FETCH NEXT FROM _sysobjects INTO @ObjectID, @ObjectName
   END

   CLOSE _sysobjects
   DEALLOCATE _sysobjects

   FETCH NEXT FROM dbUsers INTO @DBUserName
   END

   CLOSE dbUsers
   DEALLOCATE dbUsers

4. 

   Grant Fidler Reply January 15, 2013 at 8:31 am

   Useful stuff. However, in the database role script (possibly the other one as well, I didn’t use that), you need to substitute SCHEMA_NAME() for USER_NAME() when generating the cursors list of objects.

Leave a Reply