代码改变世界

sqlserver使用脚本迁移login和user的权限

  abce  阅读(209)  评论(0编辑  收藏  举报

原文地址:http://udayarumilli.com/script-login-user-permissions-sql-server/

1.实例级别的权限

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
--https://www.datavail.com/blog/scripting-out-the-logins-server-role-assignments-and-server-permissions/
/********************************************************************************************************************/
-- Scripting Out the Logins, Server Role Assignments, and Server Permissions
/********************************************************************************************************************/
SET NOCOUNT ON
-- Scripting Out the Logins To Be Created
SELECT 'IF (SUSER_ID('+QUOTENAME(SP.name,'''')+') IS NULL) BEGIN CREATE LOGIN ' +QUOTENAME(SP.name)+
               CASE
                    WHEN SP.type_desc = 'SQL_LOGIN' THEN ' WITH PASSWORD = ' +CONVERT(NVARCHAR(MAX),SL.password_hash,1)+ ' HASHED, CHECK_EXPIRATION = '
                        + CASE WHEN SL.is_expiration_checked = 1 THEN 'ON' ELSE 'OFF' END +', CHECK_POLICY = ' +CASE WHEN SL.is_policy_checked = 1 THEN 'ON,' ELSE 'OFF,' END
                    ELSE ' FROM WINDOWS WITH'
                END
       +' DEFAULT_DATABASE=[' +SP.default_database_name+ '], DEFAULT_LANGUAGE=[' +SP.default_language_name+ '] END;' COLLATE SQL_Latin1_General_CP1_CI_AS AS [-- Logins To Be Created --]
FROM sys.server_principals AS SP LEFT JOIN sys.sql_logins AS SL
        ON SP.principal_id = SL.principal_id
WHERE SP.type IN ('S','G','U')
        AND SP.name NOT LIKE '##%##'
        AND SP.name NOT LIKE 'NT AUTHORITY%'
        AND SP.name NOT LIKE 'NT SERVICE%'
        AND SP.name <> ('sa');
 
-- Scripting Out the Role Membership to Be Added
SELECT
'EXEC master..sp_addsrvrolemember @loginame = N''' + SL.name + ''', @rolename = N''' + SR.name + '''
' AS [-- Server Roles the Logins Need to be Added --]
FROM master.sys.server_role_members SRM
    JOIN master.sys.server_principals SR ON SR.principal_id = SRM.role_principal_id
    JOIN master.sys.server_principals SL ON SL.principal_id = SRM.member_principal_id
WHERE SL.type IN ('S','G','U')
        AND SL.name NOT LIKE '##%##'
        AND SL.name NOT LIKE 'NT AUTHORITY%'
        AND SL.name NOT LIKE 'NT SERVICE%'
        AND SL.name <> ('sa');
 
 
-- Scripting out the Permissions to Be Granted
SELECT
    CASE WHEN SrvPerm.state_desc <> 'GRANT_WITH_GRANT_OPTION'
        THEN SrvPerm.state_desc
        ELSE 'GRANT'
    END
    + ' ' + SrvPerm.permission_name + ' TO [' + SP.name + ']' +
    CASE WHEN SrvPerm.state_desc <> 'GRANT_WITH_GRANT_OPTION'
        THEN ''
        ELSE ' WITH GRANT OPTION'
    END collate database_default AS [-- Server Level Permissions to Be Granted --]
FROM sys.server_permissions AS SrvPerm
    JOIN sys.server_principals AS SP ON SrvPerm.grantee_principal_id = SP.principal_id
WHERE   SP.type IN ( 'S', 'U', 'G' )
        AND SP.name NOT LIKE '##%##'
        AND SP.name NOT LIKE 'NT AUTHORITY%'
        AND SP.name NOT LIKE 'NT SERVICE%'
        AND SP.name <> ('sa');
 
SET NOCOUNT OFF

 

2.数据库/数据库对象级别的权限

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
USE Master  -- Use the required database name here
GO
SET NOCOUNT ON;
 
PRINT 'USE ['+DB_NAME()+']';
PRINT 'GO'
 
/********************************************************************************/
/**************** Create a new user and map it with login ***********************/
/********************************************************************************/
 
PRINT '/*************************************************************/'
PRINT '/************** Create User Script ***************************/'
PRINT '/*************************************************************/'
 
SELECT 'CREATE USER [' + NAME + '] FOR LOGIN [' + NAME + ']'
FROM sys.database_principals
WHERE   [Type] IN ('U','S')
        AND
        [NAME] NOT IN ('dbo','guest','sys','INFORMATION_SCHEMA')
 
GO
-- Troubleshooting User creation issues
PRINT '/***'+CHAR(10)+
'--Error 15023: User or role <XXXX> is already exists in the database.'+CHAR(10)+
'--Then Execute the below code can fix the issue'+CHAR(10)+
'EXEC sp_change_users_login ''Auto_Fix'',''<Failed User>'''+CHAR(10)+
'GO **/'
 
/************************************************************************/
/************  Script the User Role Information *************************/
/************************************************************************/
 
PRINT '/**********************************************************/'
PRINT '/************** Create User-Role Script *******************/'
PRINT '/**********************************************************/'
 
SELECT 'EXEC sp_AddRoleMember ''' + DBRole.NAME + ''', ''' + DBP.NAME + ''''
FROM sys.database_principals DBP
INNER JOIN sys.database_role_members DBM ON DBM.member_principal_id = DBP.principal_id
INNER JOIN sys.database_principals DBRole ON DBRole.principal_id = DBM.role_principal_id
WHERE DBP.NAME <> 'dbo'
 
GO
 
/***************************************************************************/
/************  Script Database Level Permission ****************************/
/***************************************************************************/
 
PRINT '/*************************************************************/'
PRINT '/************** Database Level Permission ********************/'
PRINT '/*************************************************************/'
 
SELECT  CASE WHEN DBP.state <> 'W' THEN DBP.state_desc ELSE 'GRANT' END
        + SPACE(1) + DBP.permission_name + SPACE(1)
        + SPACE(1) + 'TO' + SPACE(1) + QUOTENAME(USR.name) COLLATE database_default
        + CASE WHEN DBP.state <> 'W' THEN SPACE(0) ELSE SPACE(1) + 'WITH GRANT OPTION' END + ';'
FROM    sys.database_permissions AS DBP
        INNER JOIN  sys.database_principals AS USR  ON DBP.grantee_principal_id = USR.principal_id
WHERE   DBP.major_id = 0 and USR.name <> 'dbo'
ORDER BY DBP.permission_name ASC, DBP.state_desc ASC
 
 
/***************************************************************************/
/************  Script Object Level Permission ******************************/
/***************************************************************************/
 
PRINT '/*************************************************************/'
PRINT '/************** Object Level Permission **********************/'
PRINT '/*************************************************************/'
 
SELECT  CASE WHEN DBP.state <> 'W' THEN DBP.state_desc ELSE 'GRANT' END
        + SPACE(1) + DBP.permission_name + SPACE(1) + 'ON ' + QUOTENAME(USER_NAME(OBJ.schema_id)) + '.' + QUOTENAME(OBJ.name)
        + CASE WHEN CL.column_id IS NULL THEN SPACE(0) ELSE '(' + QUOTENAME(CL.name) + ')' END
        + SPACE(1) + 'TO' + SPACE(1) + QUOTENAME(USR.name) COLLATE database_default
        + CASE WHEN DBP.state <> 'W' THEN SPACE(0) ELSE SPACE(1) + 'WITH GRANT OPTION' END + ';'
FROM    sys.database_permissions AS DBP
        INNER JOIN  sys.objects AS OBJ  ON DBP.major_id = OBJ.[object_id]
        INNER JOIN  sys.database_principals AS USR  ON DBP.grantee_principal_id = USR.principal_id
        LEFT JOIN   sys.columns AS CL   ON CL.column_id = DBP.minor_id AND CL.[object_id] = DBP.major_id
ORDER BY DBP.permission_name ASC, DBP.state_desc ASC
 
 
 
SET NOCOUNT OFF;

  

 

其他:权限查看

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
--服务器级权限
WITH CTE AS
(
SELECT u.name AS 用户名,
u.is_disabled AS 是否禁用,
g.name as 服务器角色,
'√' as 'flag'
FROM sys.server_principals u
INNER JOIN sys.server_role_members m ON u.principal_id = m.member_principal_id
INNER JOIN sys.server_principals g ON g.principal_id = m.role_principal_id
)
SELECT * FROM CTE PIVOT(MAX(flag) FOR 服务器角色 IN ([public],
[sysadmin],
[securityadmin],
[serveradmin],
[setupadmin],
[processadmin],
[diskadmin],
[dbcreator],
[bulkadmin])) AS T
 
--数据库级权限
WITH CTE AS
(
SELECT u.name AS 用户名,
g.name AS 数据库角色,
'√' as 'flag'
FROM sys.database_principals u
INNER JOIN sys.database_role_members m ON u.principal_id = m.member_principal_id
INNER JOIN sys.database_principals g ON g.principal_id = m.role_principal_id
)
SELECT * FROM CTE PIVOT(MAX(flag) FOR 数据库角色 IN ([public],
[db_owner],
[db_accessadmin],
[db_securityadmin],
[db_ddladmin],
[db_backupoperator],
[db_datareader],
[db_datawriter],
[db_denydatareader],
[db_denydatawriter])) AS T
 
--数据库级单独权限
select c.name as 用户名,b.name as 对象名,
CASE b.type
WHEN 'U' THEN 'Table'
WHEN 'P' THEN 'Procedure'
ELSE 'OTHER'
END AS 对象类型,
CASE WHEN a.ACTION = 26 AND a.PROTECTTYPE = 205 THEN '√' ELSE '' END AS 'REFERENCES',
CASE WHEN a.ACTION = 193 AND a.PROTECTTYPE = 205 THEN '√' ELSE '' END AS 'SELECT',
CASE WHEN a.ACTION = 195 AND a.PROTECTTYPE = 205 THEN '√' ELSE '' END AS 'INSERT',
CASE WHEN a.ACTION = 197 AND a.PROTECTTYPE = 205 THEN '√' ELSE '' END AS 'UPDATE',
CASE WHEN a.ACTION = 196 AND a.PROTECTTYPE = 205 THEN '√' ELSE '' END AS 'DELETE',
CASE WHEN a.ACTION = 224 AND a.PROTECTTYPE = 205 THEN '√' ELSE '' END AS 'EXECUTE',
CASE a.PROTECTTYPE
WHEN 204 THEN 'GRANT_W_GRANT'
WHEN 205 THEN 'GRANT'
WHEN 206 THEN 'DENY'
ELSE 'OTHER'
END AS PROTECTTYPE
from sysprotects a inner join sysobjects b on a.id = b.id
inner join sysusers c on a.uid = c.uid

  

相关博文:
· How to Script Login and User Permissions in SQL Server
· 导出sqlserver数据库中的登录用户和密码信息(2)
· sql server 创建用户 指定权限
· 关于SQL Server数据库中的用户权限和角色管理
· SQL Server注入
阅读排行:
· DeepSeek 开源周回顾「GitHub 热点速览」
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!
· AI与.NET技术实操系列(二):开始使用ML.NET
· .NET10 - 预览版1新功能体验(一)
历史上的今天:
2020-11-16 PostgreSQL中对IN、EXISTS、ANY/ALL、JOIN的sql优化
2016-11-16 Python Decorator 和函数式编程
2015-11-16 runcluvfy.sh运行结果
点击右上角即可分享
微信分享提示
AI FOR CODE 大赛