Sql-server – How to GRANT object permission to a user defined server role

permissionsroleSecuritysql serversql-server-2016

I want to create logins that are granted permission to access

all user databases
view all definitions
select all records of all tables

To me it seems to be too much overhead to assign the login to each database and add it to a custom db role or to a default db role like db_datareader in each db.

Instead I tried to use a user defined server role.

But how can I assign the required permissions to a user-defined
server role to allow view any definition and db_datareader for all
dbs?
Is this even possible?

Best Answer

To access all databases you should give the CONNECT ANY DATABASE permission.

To view all the definitions you should grant the VIEW ANY DEFINITION permission.

To select all data from all user tables you can grant SELECT ALL USER SECURABLES starting with SQL Server 2014, but it will permit you to select data only from all accessible databases, so without CONNECT ANY DATABASE it gives you nothing.

So, even if you have SQL Server 2014 and higher, you should give all three permissions to accomplish what you want:

CONNECT ANY DATABASE
VIEW ANY DEFINITION
SELECT ALL USER SECURABLES

There is no need to grant VIEW ANY DATABASE as it's already granted to public.

Related Solutions

Sql-server – User can alter procedures without permission

Do you see anything that has been granted or role membership that shouldn't exist?

EXECUTE AS USER = N'your user';
GO
SELECT * FROM sys.fn_my_permissions(NULL, NULL);
GO
REVERT;
GO

SELECT * FROM sys.database_permissions
WHERE grantee_principal_id = USER_ID(N'your user');
GO

SELECT r.name
FROM sys.database_role_members AS m
INNER JOIN sys.database_principals AS p
ON m.member_principal_id = p.principal_id
INNER JOIN sys.database_principals AS r
ON m.role_principal_id = r.principal_id
WHERE p.name = N'your user';

SELECT r.name
FROM sys.server_role_members AS m
INNER JOIN sys.server_principals AS p
ON m.member_principal_id = p.principal_id
INNER JOIN sys.server_principals AS r
ON m.role_principal_id = r.principal_id
WHERE p.name = N'your login';

It is possible these developers are in the db_owner role without your knowledge or have been granted ALL on the dbo or another schema.

Make sure you execute these statements in the right database, and also validate that your users are logging in as who they say they are logging in as. Perhaps they have the sa password and you don't know it. Finally, you should make sure that the database principal maps to the correct server-level login.

SELECT dp.name, sp.name
FROM sys.database_principals AS dp
FULL OUTER JOIN sys.server_principals AS sp
ON dp.sid = sp.sid
WHERE 
(
  dp.type <> 'R' 
  OR sp.type NOT IN ('C', 'K')
)
ORDER BY 
  dp.name COLLATE DATABASE_DEFAULT + sp.name COLLATE DATABASE_DEFAULT DESC;

Sql-server – View server login permission

GRANT VIEW ANY DEFINITION will allow you to grant the ability to view any metadata on the server. This includes security information at the server level. This means that the user will be able to view other metadata as well, such as object definitions, which might be outside the scope of your goal.

Best Answer

Related Solutions

Sql-server – User can alter procedures without permission

Sql-server – View server login permission

Related Question