SQL Server query to find all permissions access for all users in a database

Question

I would like to write a query on a sql 2008 that will report all the users that have access to a specific database  or objects within the database such as tables  views  and stored procedures  either directly or due to roles  etc   This report would be used for security auditing purposes   Not sure if anyone has a query that will fit my needs completely  but hopefully something that will give me a good start  Either sql 2008  2005 or 2000 will do  I can probably convert as needed

User · Answer

CREATE PROCEDURE Get permission  AS      DECLARE  db name  VARCHAR 200                 sql text VARCHAR max        SET  sql text  Create table   db name  user name varchar max          DECLARE db cursor CURSOR FOR        SELECT name        FROM   sys databases       OPEN db cursor       FETCH next FROM db cursor INTO  db name       WHILE   FETCH STATUS   0        BEGIN            SET  sql text  sql text    db name     varchar max                FETCH next FROM db cursor INTO  db name        END       CLOSE db cursor       SET  sql text  sql text    Server perm varchar max          EXEC   sql text        DEALLOCATE db cursor       DECLARE  RoleName VARCHAR 50       DECLARE  UserName VARCHAR 50       DECLARE  CMD VARCHAR 1000        CREATE TABLE  permission                    user name    VARCHAR 50             databasename VARCHAR 50             role         VARCHAR 50                 DECLARE longspcur CURSOR FOR        SELECT name        FROM   sys server principals        WHERE  type IN    S    U    G                  AND principal id  gt  4               AND name NOT LIKE                     AND name  lt  gt   NT AUTHORITY SYSTEM                AND name  lt  gt   ONDEMAND Administrator                AND name NOT LIKE  steel         OPEN longspcur       FETCH next FROM longspcur INTO  UserName       WHILE   FETCH STATUS   0        BEGIN            CREATE TABLE  userroles kk                                databasename VARCHAR 50                   role         VARCHAR 50                             CREATE TABLE  rolemember kk                                dbrole     VARCHAR 100                   membername VARCHAR 100                   membersid  VARBINARY 2048                             SET  CMD    use   truncate table  RoleMember kk insert into  RoleMember kk exec sp helprolemember  insert into  UserRoles kk  DatabaseName  Role  select db name    dbRole from  RoleMember kk where MemberName          UserName                    EXEC Sp msforeachdb               CMD             INSERT INTO  permission            SELECT  UserName  user                     b name                    u role            FROM   sys sysdatabases b                   LEFT OUTER JOIN  userroles kk u                                ON u databasename   b name --and u Role  db owner             ORDER  BY 1             DROP TABLE  userroles kk              DROP TABLE  rolemember kk              FETCH next FROM longspcur INTO  UserName        END       CLOSE longspcur       DEALLOCATE longspcur       TRUNCATE TABLE   db name       DECLARE  d1 VARCHAR max                 d2 VARCHAR max                 d3 VARCHAR max                 ss VARCHAR max       DECLARE perm cur CURSOR FOR        SELECT          FROM    permission        ORDER  BY 2 DESC       OPEN perm cur       FETCH next FROM perm cur INTO  d1   d2   d3       WHILE   FETCH STATUS   0        BEGIN            IF NOT EXISTS SELECT 1                          FROM     db name                          WHERE  user name    d1               BEGIN                  SET  ss  insert into   db name user name  values                                  d1                           EXEC   ss                    SET  ss  update   db name set      d2            d3                                where user name        d1                          EXEC   ss               END            ELSE              BEGIN                  DECLARE  var            NVARCHAR max                             ParmDefinition NVARCHAR max                             var1           NVARCHAR max                    SET  var   N select  var1      d2                                 from   db name where USER NAME        d1                                                      SET  ParmDefinition   N  var1 nvarchar 300  OUTPUT                     EXECUTE Sp executesql                     var                      ParmDefinition                      var1  var1 output                    SET  var1 Isnull  var1                        SET  var     update   db name set      d2            var1                                     d3       where user name        d1                            EXEC   var               END             FETCH next FROM perm cur INTO  d1   d2   d3        END       CLOSE perm cur       DEALLOCATE perm cur       SELECT        FROM     db name       DROP TABLE   db name       DROP TABLE  permission

User · Answer

--ok my turn to contribute back enjoy  This report header dynamically grabs the SQL Instance name  date time  and account name the report is run by  all things a good auditor will want to know       Note - if you have a extended property called  environment  on the Master database  the value  whatever you use   PreProd  Development  Production  DR  etc   will be included in the report header    BEGIN  BEGIN TRY     SET NOCOUNT ON     SELECT  See Messages Tab      use  Ctrl SHIFT F and re-run to   send to file        DECLARE  DBName nvarchar 2000    DB NAME       DECLARE  User Name nvarchar 200    suser sname       DECLARE  Account Name nvarchar 200      DECLARE  Granted permissions nvarchar 2000      DECLARE  Permission State nvarchar 200      DECLARE  ParentObject nvarchar 200      DECLARE  env2 varchar 50    Convert varchar 50   Select ServerProperty  Servername          DECLARE  day varchar 50    FORMAT  getdate     dddd  MM  yyyy        DECLARE  clk varchar 50    FORMAT  getdate     hh mm ss tt         DECLARE  env1 VARCHAR 25     SELECT CAST value AS varchar 25        FROM  master   sys  fn listextendedproperty  environment   default  default  default  default  default  default         PRINT           DBName     Security Audit Report           PRINT        in the      env1     environment        PRINT        on SQL Instance       env2        PRINT            day     at      clk      PRINT        run under account      User Name      PRINT          CREATE TABLE  GP          DBName NVARCHAR 200           Account Name NVARCHAR 200           Granted Permissions NVARCHAR max           Permission State NVARCHAR 200           ParentObject NVARCHAR 200                 WITH SampleDataR AS          SELECT             DB NAME   AS  DBName               dp name AS  Account Name               dpm permission name AS  Granted Permissions               dpm state desc AS  Permission State               dpm class desc AS  ParentObject                ROW NUMBER   OVER  PARTITION BY DB NAME    dp  name   dpm state desc  dpm class desc ORDER BY permission name  rownum         FROM sys database principals dp             LEFT OUTER JOIN  sys   database permissions  dpm             ON dp principal id   dpm grantee principal id         WHERE dp type   R          AND dp sid IS NOT NULL         AND dp name  lt  gt   public           AND dp name NOT LIKE  db a           AND dp name NOT LIKE  db b           AND dp name NOT LIKE  db d           AND dp name NOT LIKE  db o           AND dp name NOT LIKE  db s           --AND dpm class desc    DATABASE   -- remove to see schema based permissions                     --Select   from SampleDataR      INSERT INTO  GP     SELECT DISTINCT          DBName          Account Name           SELECT Granted Permissions                CASE                  WHEN s1 rownum    select MAX rownum                   FROM SampleDataR                  WHERE DBName   s1 DBName AND                  Account Name   s1 Account Name AND                 ParentObject   s1 ParentObject                  THEN        Permission State                         ELSE        Permission State                      END      FROM SampleDataR s1     WHERE s1 DBName   s2 DBName AND            s1 Account Name   s2 Account Name AND           s1 ParentObject   s2 ParentObject         FOR xml path     type  value      1    varchar max             Granted Permissions          Permission State          ParentObject         FROM SampleDataR s2          --Select   from  GP      PRINT   Assigned Role Permissions      PRINT         SET NOCOUNT ON     DECLARE cur CURSOR FOR         SELECT DISTINCT DBName  Account Name  ParentObject  Granted permissions          FROM  GP      OPEN cur         SET NOCOUNT ON         FETCH NEXT FROM cur INTO  DBname   Account Name   ParentObject   Granted permissions          WHILE   FETCH STATUS   0         BEGIN                PRINT  DBName           Account Name                  ParentObject            Granted permissions             FETCH NEXT FROM cur INTO  DBname   Account Name    ParentObject    Granted permissions          END     CLOSE cur      DEALLOCATE cur      SET NOCOUNT ON     DROP Table  GP      SET NOCOUNT ON     DECLARE  DBName2 nvarchar 200      DECLARE  Account Name2 nvarchar 200      DECLARE  Granted permissions2 nvarchar 200       CREATE TABLE  GP2          DBName NVARCHAR 200           Account Name NVARCHAR 200            Granted Permissions NVARCHAR 200                 WITH SampleDataR AS          SELECT             DB NAME   AS  DBName               dp name AS  Account Name              -- dp type              dpm permission name              ROW NUMBER   OVER  PARTITION BY DB NAME    dp  name  ORDER BY permission name  rownum         FROM sys database principals dp             LEFT OUTER JOIN  sys   database permissions  dpm             ON dp principal id   dpm grantee principal id                 --order by dp type         WHERE dp type not in   A    R    X   --removed   G           AND dp sid is not null         AND dp name not in   guest   dbo                  INSERT INTO  GP2      SELECT DISTINCT          DBName          Account Name           SELECT permission name                CASE                  WHEN s1 rownum    select MAX rownum                   FROM SampleDataR                  WHERE DBName   s1 DBName and Account Name   s1 Account Name                           THEN                 ELSE                  END      FROM SampleDataR s1     WHERE s1 DBName   s2 DBName AND s1 Account Name   s2 Account Name         FOR xml path     type  value      1    varchar max    Granted Permissions         FROM SampleDataR s2       PRINT         PRINT         PRINT   Assigned User Permissions      PRINT         DECLARE cur CURSOR FOR         SELECT DBName  Account Name  Granted permissions          FROM  GP2     OPEN cur         SET NOCOUNT ON         FETCH NEXT FROM cur INTO  DBname2   Account Name2   Granted permissions2          WHILE   FETCH STATUS   0         BEGIN                PRINT  DBName2           Account Name2           Granted permissions2             FETCH NEXT FROM cur INTO  DBname2   Account Name2   Granted permissions2          END     CLOSE cur      DEALLOCATE cur      DROP TABLE  GP2      SET NOCOUNT ON     DECLARE  DBName3 nvarchar 200      DECLARE  Role Name3 nvarchar max      DECLARE  Members3 nvarchar max       CREATE TABLE  GP3          DBName NVARCHAR 200           Role Name NVARCHAR max           members NVARCHAR max                 WITH SampleDataR AS          SELECT             DB NAME   AS  DBName               r name AS  role name               m name AS  members               ROW NUMBER   OVER  PARTITION BY DB NAME    r  name  ORDER BY m  name   rownum         FROM sys database role members rm              INNER JOIN sys database principals r on rm role principal id   r principal id             INNER JOIN sys database principals m on rm member principal id   m principal id                 INSERT INTO  GP3     SELECT DISTINCT          DBName          Role Name           SELECT Members                CASE                  WHEN s3 rownum    select MAX rownum                   FROM SampleDataR                  WHERE DBName   s3 DBName and Role Name   s3 Role Name                               THEN                  ELSE                  END      FROM SampleDataR s1     WHERE s1 DBName   s3 DBName and s1 Role Name   s3 Role Name         FOR xml path     type  value      1    varchar max    Members         FROM SampleDataR s3      PRINT         PRINT         PRINT   Assigned Role Membership      PRINT         DECLARE cur CURSOR FOR         SELECT DBName  Role Name  Members          FROM  GP3     OPEN cur         SET NOCOUNT ON         FETCH NEXT FROM cur INTO  DBname3   Role Name3   Members3          WHILE   FETCH STATUS   0         BEGIN                PRINT  DBName3           Role Name3           Members3             FETCH NEXT FROM cur INTO  DBname3   Role Name3   Members3          END     CLOSE cur      DEALLOCATE cur      DROP Table  GP3  END TRY  BEGIN CATCH      SELECT  Real ERROR at Line      CAST ERROR LINE   AS VARCHAR 20       -- Throw raise and error caught from the Try section      THROW   END CATCH    END  --great to save as a stored proc

User · Answer

From SQL Server 2005 on  you can use system views for that   For example  this query lists all users in a database  with their rights   select  princ name         princ type desc         perm permission name         perm state desc         perm class desc         object name perm major id  from    sys database principals princ left join         sys database permissions perm on      perm grantee principal id   princ principal id   Be aware that a user can have rights through a role as well   For example  the db data reader role grants select rights on most objects

User · Answer

I tried just about all of these but I quickly noticed that some were missing  especially sysadmin users  Having a hole like that won t look good in our upcoming audit  so this is what I came up with   USE master GO  SELECT DISTINCT          p name AS  loginname            --p type          p type desc           p is disabled          s sysadmin          sp permission name FROM sys server principals p INNER JOIN sys syslogins s ON p sid   s sid INNER JOIN sys server permissions sp ON p principal id   sp grantee principal id WHERE p type desc IN   SQL LOGIN    WINDOWS LOGIN    WINDOWS GROUP       -- Logins that are not process logins     AND p name NOT LIKE       ORDER BY p name GO

User · Answer

The other answers that I have seen miss some permissions that are possible in the database  The first query in the code below will get the database level permission for everything that is not a system object  It generates the appropriate GRANT statements as well  The second query gets all the role meberships    This has to be run for each database  but is too long to use with sp MSforeachdb  If you want to do that you d have to add it to the master database as a system stored procedure   To cover all possibilities you d also have to have a script that checks the server level permissions   SELECT DB NAME   AS database name       class       class desc       major id       minor id       grantee principal id       grantor principal id       databasepermissions type       permission name       STATE       state desc       granteedatabaseprincipal name AS grantee name       granteedatabaseprincipal type desc AS grantee type desc       granteeserverprincipal name AS grantee principal name       granteeserverprincipal type desc AS grantee principal type desc       grantor name AS grantor name       granted on name       permissionstatement   N  TO     QUOTENAME granteedatabaseprincipal name    CASE          WHEN STATE   N W              THEN N  WITH GRANT OPTION          ELSE N           END AS permissionstatement FROM       SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME CONVERT NVARCHAR MAX   DB NAME     AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS AS permissionstatement     FROM sys database permissions     WHERE  sys database permissions class   0       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys schemas name    N      QUOTENAME sys objects name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON     QUOTENAME sys schemas name    N      QUOTENAME sys objects name    COALESCE N       QUOTENAME sys columns name    N     N    AS permissionstatement     FROM sys database permissions     INNER JOIN sys objects         ON sys objects object id   sys database permissions major id     INNER JOIN sys schemas         ON sys schemas schema id   sys objects schema id     LEFT OUTER JOIN sys columns         ON sys columns object id   sys database permissions major id             AND sys columns column id   sys database permissions minor id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   1       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys schemas name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON SCHEMA      QUOTENAME sys schemas name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys schemas         ON sys schemas schema id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   3       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME targetPrincipal name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON     targetPrincipal type desc   N       QUOTENAME targetPrincipal name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys database principals AS targetPrincipal         ON targetPrincipal principal id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   4       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys assemblies name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON ASSEMBLY      QUOTENAME sys assemblies name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys assemblies         ON sys assemblies assembly id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   5       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys types name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON TYPE      QUOTENAME sys types name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys types         ON sys types user type id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   6       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys types name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON TYPE      QUOTENAME sys types name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys types         ON sys types user type id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   6       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys xml schema collections name COLLATE SQL Latin1 General CP1 CI AS  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON XML SCHEMA COLLECTION      QUOTENAME sys xml schema collections name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys xml schema collections         ON sys xml schema collections xml collection id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   10       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys service message types name COLLATE SQL Latin1 General CP1 CI AS  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON MESSAGE TYPE      QUOTENAME sys service message types name COLLATE SQL Latin1 General CP1 CI AS  AS permissionstatement     FROM sys database permissions     INNER JOIN sys service message types         ON sys service message types message type id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   15       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys service contracts name COLLATE SQL Latin1 General CP1 CI AS  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON CONTRACT      QUOTENAME sys service contracts name COLLATE SQL Latin1 General CP1 CI AS  AS permissionstatement     FROM sys database permissions     INNER JOIN sys service contracts         ON sys service contracts service contract id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   16       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys services name COLLATE SQL Latin1 General CP1 CI AS  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON SERVICE      QUOTENAME sys services name COLLATE SQL Latin1 General CP1 CI AS  AS permissionstatement     FROM sys database permissions     INNER JOIN sys services         ON sys services service id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   17       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys remote service bindings name COLLATE SQL Latin1 General CP1 CI AS  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON REMOTE SERVICE BINDING      QUOTENAME sys remote service bindings name COLLATE SQL Latin1 General CP1 CI AS  AS permissionstatement     FROM sys database permissions     INNER JOIN sys remote service bindings         ON sys remote service bindings remote service binding id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   18       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys routes name COLLATE SQL Latin1 General CP1 CI AS  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON ROUTE      QUOTENAME sys routes name COLLATE SQL Latin1 General CP1 CI AS  AS permissionstatement     FROM sys database permissions     INNER JOIN sys routes         ON sys routes route id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   19       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys symmetric keys name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON ASYMMETRIC KEY      QUOTENAME sys symmetric keys name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys symmetric keys         ON sys symmetric keys symmetric key id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   24       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys certificates name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON CERTIFICATE      QUOTENAME sys certificates name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys certificates         ON sys certificates certificate id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   25       UNION ALL      SELECT sys database permissions class           sys database permissions class desc           sys database permissions major id           sys database permissions minor id           sys database permissions grantee principal id           sys database permissions grantor principal id           sys database permissions type           sys database permissions permission name           sys database permissions state           sys database permissions state desc           QUOTENAME sys asymmetric keys name  AS granted on name           CASE              WHEN sys database permissions state   N W                  THEN N GRANT              ELSE sys database permissions state desc             END   N      sys database permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  ON ASYMMETRIC KEY      QUOTENAME sys asymmetric keys name  AS permissionstatement     FROM sys database permissions     INNER JOIN sys asymmetric keys         ON sys asymmetric keys asymmetric key id   sys database permissions major id     WHERE  sys database permissions major id  gt   0          AND  sys database permissions class   26        AS databasepermissions INNER JOIN sys database principals AS granteedatabaseprincipal     ON granteedatabaseprincipal principal id   grantee principal id LEFT OUTER JOIN sys server principals AS granteeserverprincipal     ON granteeserverprincipal sid   granteedatabaseprincipal sid INNER JOIN sys database principals AS grantor     ON grantor principal id   grantor principal id ORDER BY grantee name  granted on name  SELECT roles name AS role name       roles principal id       roles type AS role type       roles type desc AS role type desc       roles is fixed role AS role is fixed role       memberdatabaseprincipal name AS member name       memberdatabaseprincipal principal id AS member principal id       memberdatabaseprincipal type AS member type       memberdatabaseprincipal type desc AS member type desc       memberdatabaseprincipal is fixed role AS member is fixed role       memberserverprincipal name AS member principal name       memberserverprincipal type desc member principal type desc       N ALTER ROLE     QUOTENAME roles name    N  ADD MEMBER     QUOTENAME memberdatabaseprincipal name  AS AddRoleMembersStatement FROM sys database principals AS roles INNER JOIN sys database role members     ON sys database role members role principal id   roles principal id INNER JOIN sys database principals AS memberdatabaseprincipal     ON memberdatabaseprincipal principal id   sys database role members member principal id LEFT OUTER JOIN sys server principals AS memberserverprincipal     ON memberserverprincipal sid   memberdatabaseprincipal sid ORDER BY role name       member name   UPDATE  The following queries will retrieve server level permissions and memberships   SELECT sys server permissions class           sys server permissions class desc           sys server permissions major id           sys server permissions minor id           sys server permissions grantee principal id           sys server permissions grantor principal id           sys server permissions type           sys server permissions permission name           sys server permissions state           sys server permissions state desc           granteeserverprincipal name AS grantee principal name           granteeserverprincipal type desc AS grantee principal type desc           grantorserverprinicipal name AS grantor name           CASE              WHEN sys server permissions state   N W                  THEN N GRANT              ELSE sys server permissions state desc             END   N      sys server permissions permission name COLLATE SQL Latin1 General CP1 CI AS   N  TO     QUOTENAME granteeserverprincipal name  AS permissionstatement FROM sys server principals AS granteeserverprincipal INNER JOIN sys server permissions     ON sys server permissions grantee principal id   granteeserverprincipal principal id INNER JOIN sys server principals AS grantorserverprinicipal     ON grantorserverprinicipal principal id   sys server permissions grantor principal id ORDER BY granteeserverprincipal name       sys server permissions permission name  SELECT roles name AS server role name       roles principal id       roles type AS role type       roles type desc AS role type desc       roles is fixed role AS role is fixed role       memberserverprincipal name AS member principal name       memberserverprincipal principal id AS member principal id       memberserverprincipal type AS member principal type       memberserverprincipal type desc AS member principal type desc       memberserverprincipal is fixed role AS member is fixed role       N ALTER SERVER ROLE     QUOTENAME roles name    N  ADD MEMBER     QUOTENAME memberserverprincipal name  AS AddRoleMembersStatement FROM sys server principals AS roles INNER JOIN sys server role members     ON sys server role members role principal id   roles principal id INNER JOIN sys server principals AS memberserverprincipal     ON memberserverprincipal principal id   sys server role members member principal id WHERE roles type   N R  ORDER BY server role name       member principal name

User · Answer

Unfortunately I couldn t comment on the Sean Rose post due to insufficient reputation  however I had to amend the  public  role portion of the script as it didn t show SCHEMA-scoped permissions due to the  INNER  JOIN against sys objects   After that was changed to a LEFT JOIN I further had to amend the WHERE-clause logic to omit system objects   My amended query for the public perms is below   --3  List all access provisioned to the public role  which everyone gets by default     SELECT           servername ServerName           db name   DatabaseName            UserType              All Users             DatabaseUserName      All Users             LoginName             All Users             Role                roleprinc  name            PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Roles         sys database principals            AS roleprinc         --Role permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    roleprinc  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          --All objects         LEFT JOIN sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         roleprinc  type     R          AND roleprinc  name     public          AND isnull obj  is ms shipped   0    0         AND isnull object schema name perm  major id         lt  gt   sys   ORDER BY      UserType        DatabaseUserName        LoginName        Role        Schema        ObjectName        ColumnName        PermissionType        PermissionState        ObjectType

User · Answer

Here is a complete version of Jeremy s Aug 2011 query with the changes suggested by Brad  Oct 2011  and iw kuchin  May 2012  incorporated    Brad   Correct  ObjectType  and  ObjectName  for schemas  iw kuchin   For  ObjectType  it s better to use obj type desc only for OBJECT OR COLUMN permission class  For all other cases use perm  class desc   iw kuchin   Handle IMPERSONATE permissions  iw kuchin   Replace sys login token with sys server principals as it will show also SQL Logins  not only Windows ones  iw kuchin   Include Windows groups  iw kuchin   Exclude users sys and INFORMATION SCHEMA    Hopefully this saves someone else an hour or two of their lives         Security Audit Report 1  List all access provisioned to a SQL user or Windows user group directly 2  List all access provisioned to a SQL user or Windows user group through a database or application role 3  List all access provisioned to the public role  Columns Returned  UserType          Value will be either  SQL User    Windows User   or  Windows Group                     This reflects the type of user group defined for the SQL Server account  DatabaseUserName  Name of the associated user as defined in the database user account   The database user may not be the                   same as the server user  LoginName         SQL or Windows Active Directory user account   This could also be an Active Directory group  Role              The role name   This will be null if the associated permissions to the object are defined at directly                   on the user account  otherwise this will be the name of the role that the user is a member of  PermissionType    Type of permissions the user role has on an object  Examples could include CONNECT  EXECUTE  SELECT                   DELETE  INSERT  ALTER  CONTROL  TAKE OWNERSHIP  VIEW DEFINITION  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  PermissionState   Reflects the state of the permission type  examples could include GRANT  DENY  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ObjectType        Type of object the user role is assigned permissions on   Examples could include USER TABLE                    SQL SCALAR FUNCTION  SQL INLINE TABLE VALUED FUNCTION  SQL STORED PROCEDURE  VIEW  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  Schema            Name of the schema the object is in  ObjectName        Name of the object that the user role is assigned permissions on                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ColumnName        Name of the column of the object that the user role is assigned permissions on  This value                   is only populated if the object is a table  view or a table value function          --1  List all access provisioned to a SQL user or Windows user group directly     SELECT          UserType    CASE princ  type                           WHEN  S  THEN  SQL User                           WHEN  U  THEN  Windows User                           WHEN  G  THEN  Windows Group                       END           DatabaseUserName    princ  name            LoginName           ulogin  name            Role                NULL           PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Database user         sys database principals            AS princ         --Login accounts         LEFT JOIN sys server principals    AS ulogin    ON ulogin  sid    princ  sid          --Permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    princ  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          LEFT JOIN sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         princ  type  IN   S   U   G           -- No need for these system accounts         AND princ  name  NOT IN   sys    INFORMATION SCHEMA    UNION      --2  List all access provisioned to a SQL user or Windows user group through a database or application role     SELECT          UserType    CASE membprinc  type                           WHEN  S  THEN  SQL User                           WHEN  U  THEN  Windows User                           WHEN  G  THEN  Windows Group                       END           DatabaseUserName    membprinc  name            LoginName           ulogin  name            Role                roleprinc  name            PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Role member associations         sys database role members          AS members         --Roles         JOIN      sys database principals  AS roleprinc ON roleprinc  principal id    members  role principal id          --Role members  database users          JOIN      sys database principals  AS membprinc ON membprinc  principal id    members  member principal id          --Login accounts         LEFT JOIN sys server principals    AS ulogin    ON ulogin  sid    membprinc  sid          --Permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    roleprinc  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          LEFT JOIN sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         membprinc  type  IN   S   U   G           -- No need for these system accounts         AND membprinc  name  NOT IN   sys    INFORMATION SCHEMA    UNION      --3  List all access provisioned to the public role  which everyone gets by default     SELECT          UserType              All Users             DatabaseUserName      All Users             LoginName             All Users             Role                roleprinc  name            PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Roles         sys database principals            AS roleprinc         --Role permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    roleprinc  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          --All objects         JOIN      sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         roleprinc  type     R          AND roleprinc  name     public          AND obj  is ms shipped    0  ORDER BY      UserType        DatabaseUserName        LoginName        Role        Schema        ObjectName        ColumnName        PermissionType        PermissionState        ObjectType

User · Answer

If you want check access to databases for a particular login has use this simple script as below   sys sp helplogins  LoginNamePattern    Domain login  -- sysname

User · Answer

Due to low rep can t reply with this to the people asking to run this on multiple databases SQL Servers   Create a registered server group and query across them all us the following and just cursor through the databases   --Make sure all   are doubled within the SQL string   DECLARE  dbname VARCHAR 50     DECLARE  statement NVARCHAR max   DECLARE db cursor CURSOR  LOCAL FAST FORWARD FOR   SELECT name FROM MASTER dbo sysdatabases where name like   DBName    OPEN db cursor   FETCH NEXT FROM db cursor INTO  dbname   WHILE   FETCH STATUS   0   BEGIN    SELECT  statement    use    dbname            Security Audit Report 1  List all access provisioned to a SQL user or Windows user group directly 2  List all access provisioned to a SQL user or Windows user group through a database or application role 3  List all access provisioned to the public role  Columns Returned  UserType          Value will be either   SQL User      Windows User    or   Windows Group                      This reflects the type of user group defined for the SQL Server account  DatabaseUserName  Name of the associated user as defined in the database user account   The database user may not be the                   same as the server user  LoginName         SQL or Windows Active Directory user account   This could also be an Active Directory group  Role              The role name   This will be null if the associated permissions to the object are defined at directly                   on the user account  otherwise this will be the name of the role that the user is a member of  PermissionType    Type of permissions the user role has on an object  Examples could include CONNECT  EXECUTE  SELECT                   DELETE  INSERT  ALTER  CONTROL  TAKE OWNERSHIP  VIEW DEFINITION  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  PermissionState   Reflects the state of the permission type  examples could include GRANT  DENY  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ObjectType        Type of object the user role is assigned permissions on   Examples could include USER TABLE                    SQL SCALAR FUNCTION  SQL INLINE TABLE VALUED FUNCTION  SQL STORED PROCEDURE  VIEW  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  Schema            Name of the schema the object is in  ObjectName        Name of the object that the user role is assigned permissions on                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ColumnName        Name of the column of the object that the user role is assigned permissions on  This value                   is only populated if the object is a table  view or a table value function          --1  List all access provisioned to a SQL user or Windows user group directly     SELECT          UserType    CASE princ  type                           WHEN   S   THEN   SQL User                            WHEN   U   THEN   Windows User                            WHEN   G   THEN   Windows Group                        END           DatabaseUserName    princ  name            LoginName           ulogin  name            Role                NULL           PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Database user         sys database principals            AS princ         --Login accounts         LEFT JOIN sys server principals    AS ulogin    ON ulogin  sid    princ  sid          --Permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    princ  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          LEFT JOIN sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         princ  type  IN    S     U     G            -- No need for these system accounts         AND princ  name  NOT IN    sys      INFORMATION SCHEMA     UNION      --2  List all access provisioned to a SQL user or Windows user group through a database or application role     SELECT          UserType    CASE membprinc  type                           WHEN   S   THEN   SQL User                            WHEN   U   THEN   Windows User                            WHEN   G   THEN   Windows Group                        END           DatabaseUserName    membprinc  name            LoginName           ulogin  name            Role                roleprinc  name            PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Role member associations         sys database role members          AS members         --Roles         JOIN      sys database principals  AS roleprinc ON roleprinc  principal id    members  role principal id          --Role members  database users          JOIN      sys database principals  AS membprinc ON membprinc  principal id    members  member principal id          --Login accounts         LEFT JOIN sys server principals    AS ulogin    ON ulogin  sid    membprinc  sid          --Permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    roleprinc  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          LEFT JOIN sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         membprinc  type  IN    S     U     G            -- No need for these system accounts         AND membprinc  name  NOT IN    sys      INFORMATION SCHEMA     UNION      --3  List all access provisioned to the public role  which everyone gets by default     SELECT          UserType               All Users              DatabaseUserName       All Users              LoginName              All Users              Role                roleprinc  name            PermissionType      perm  permission name            PermissionState     perm  state desc            ObjectType    CASE perm  class                             WHEN 1 THEN obj  type desc         -- Schema-contained objects                            ELSE perm  class desc              -- Higher-level objects                        END           Schema    objschem  name            ObjectName    CASE perm  class                             WHEN 3 THEN permschem  name        -- Schemas                            WHEN 4 THEN imp  name              -- Impersonations                            ELSE OBJECT NAME perm  major id    -- General objects                        END           ColumnName    col  name      FROM         --Roles         sys database principals            AS roleprinc         --Role permissions         LEFT JOIN sys database permissions AS perm      ON perm  grantee principal id    roleprinc  principal id          LEFT JOIN sys schemas              AS permschem ON permschem  schema id    perm  major id          --All objects         JOIN      sys objects              AS obj       ON obj  object id    perm  major id          LEFT JOIN sys schemas              AS objschem  ON objschem  schema id    obj  schema id          --Table columns         LEFT JOIN sys columns              AS col       ON col  object id    perm  major id                                                             AND col  column id    perm  minor id          --Impersonations         LEFT JOIN sys database principals  AS imp       ON imp  principal id    perm  major id      WHERE         roleprinc  type      R           AND roleprinc  name      public           AND obj  is ms shipped    0  ORDER BY      UserType        DatabaseUserName        LoginName        Role        Schema        ObjectName        ColumnName        PermissionType        PermissionState        ObjectType    exec sp executesql  statement  FETCH NEXT FROM db cursor INTO  dbname   END   CLOSE db cursor   DEALLOCATE db cursor    This thread massively helped me thanks everyone

User · Answer

The GetPermissions Stored Procedure above is good however it uses Sp msforeachdb which means that it will break if your SQL Instance has any databases names that include spaces or dashes and other non-best-practices characters   I have created a version that avoids the use of Sp msforeachdb and also includes two columns that indicate 1 - if the Login is a sysadmin login  IsSysAdminLogin  and 2 - if the login is an orphan user  IsEmptyRow    USE  master    GO IF EXISTS       SELECT   FROM sys objects     WHERE object id   OBJECT ID N dbo uspGetPermissionsOfAllLogins DBsOnColumns       AND  type  in  N P  N PC     BEGIN     DROP PROCEDURE dbo uspGetPermissionsOfAllLogins DBsOnColumns   END GO CREATE PROCEDURE dbo uspGetPermissionsOfAllLogins DBsOnColumns AS SET NOCOUNT ON   BEGIN TRY     IF EXISTS               SELECT   FROM tempdb dbo sysobjects         WHERE id   object id N  tempdb  dbo   permission              DROP TABLE  permission           IF EXISTS               SELECT   FROM tempdb dbo sysobjects         WHERE id   object id N  tempdb  dbo   userroles kk              DROP TABLE  userroles kk           IF EXISTS               SELECT   FROM tempdb dbo sysobjects         WHERE id   object id N  tempdb  dbo   rolemember kk              DROP TABLE  rolemember kk           IF EXISTS               SELECT   FROM tempdb dbo sysobjects         WHERE id   object id N  tempdb  dbo    db name              DROP TABLE   db name           DECLARE      db name VARCHAR 255        sql text VARCHAR MAX             SET  sql text        CREATE TABLE   db name               LoginUserName VARCHAR MAX                        DECLARE cursDBs CURSOR FOR          SELECT  name          FROM sys databases         ORDER BY  name            OPEN cursDBs            FETCH NEXT FROM cursDBs INTO  db name      WHILE   FETCH STATUS   0          BEGIN                  SET  sql text            sql text   QUOTENAME  db name      VARCHAR MAX                              FETCH NEXT FROM cursDBs INTO  db name          END      CLOSE cursDBs            SET  sql text            sql text    IsSysAdminLogin CHAR 1           IsEmptyRow CHAR 1               --PRINT  sql text     EXEC   sql text            DEALLOCATE cursDBs            DECLARE      RoleName VARCHAR 255         UserName VARCHAR 255             CREATE TABLE  permission             LoginUserName VARCHAR 255        databasename VARCHAR 255         role  VARCHAR 255                   DECLARE cursSysSrvPrinName CURSOR FOR          SELECT  name          FROM sys server principals          WHERE          type  IN    S    U    G            AND principal id  gt  4         AND  name  NOT LIKE               ORDER BY  name            OPEN cursSysSrvPrinName           FETCH NEXT FROM cursSysSrvPrinName INTO  UserName      WHILE   FETCH STATUS   0      BEGIN          CREATE TABLE  userroles kk                          databasename VARCHAR 255                 role  VARCHAR 255                               CREATE TABLE  rolemember kk                          dbrole VARCHAR 255                membername VARCHAR 255                membersid VARBINARY 2048                               DECLARE cursDatabases CURSOR FAST FORWARD LOCAL FOR         SELECT  name          FROM sys databases         ORDER BY  name                    OPEN cursDatabases                   DECLARE           DBN VARCHAR 255            sqlText NVARCHAR 4000                    FETCH NEXT FROM cursDatabases INTO  DBN         WHILE   FETCH STATUS   0         BEGIN             SET  sqlText       N USE     QUOTENAME  DBN           TRUNCATE TABLE  RoleMember kk      INSERT INTO  RoleMember kk      EXEC sp helprolemember      INSERT INTO  UserRoles kk      DatabaseName  Role       SELECT db name   dbRole     FROM  RoleMember kk     WHERE MemberName          UserName                          --PRINT  sqlText               EXEC sp executesql  sqlText           FETCH NEXT FROM cursDatabases INTO  DBN         END         CLOSE cursDatabases                   DEALLOCATE cursDatabases                   INSERT INTO  permission          SELECT          UserName  user           b name          u  role          FROM         sys sysdatabases b         LEFT JOIN          userroles kk u              ON QUOTENAME u databasename    QUOTENAME b name          ORDER  BY 1                    DROP TABLE  userroles kk                    DROP TABLE  rolemember kk                   FETCH NEXT FROM cursSysSrvPrinName INTO  UserName      END      CLOSE cursSysSrvPrinName            DEALLOCATE cursSysSrvPrinName            TRUNCATE TABLE   db name            DECLARE      d1 VARCHAR MAX        d2 VARCHAR MAX        d3 VARCHAR MAX        ss VARCHAR MAX            DECLARE cursPermisTable CURSOR FOR         SELECT   FROM  permission          ORDER BY 2 DESC            OPEN cursPermisTable           FETCH NEXT FROM cursPermisTable INTO  d1  d2  d3     WHILE   FETCH STATUS   0      BEGIN          IF NOT EXISTS                       SELECT 1 FROM   db name WHERE LoginUserName    d1                   BEGIN              SET  ss                INSERT INTO   db name LoginUserName  VALUES         d1                      EXEC   ss                             SET  ss                UPDATE   db name SET      d2              d3       WHERE LoginUserName          d1                     EXEC   ss                        END          ELSE          BEGIN              DECLARE              var NVARCHAR MAX                ParmDefinition NVARCHAR MAX                var1 NVARCHAR MAX                            SET  var               N SELECT  var1       QUOTENAME  d2      FROM   db name WHERE LoginUserName          d1                                   SET  ParmDefinition               N  var1 NVARCHAR 600  OUTPUT                              EXECUTE Sp executesql  var  ParmDefinition  var1    var1 OUTPUT                           SET  var1               ISNULL  var1                                 SET  var                  UPDATE   db name SET      d2            var1          d3       WHERE LoginUserName          d1                                    EXEC   var                        END         FETCH NEXT FROM cursPermisTable INTO  d1  d2  d3     END      CLOSE cursPermisTable           DEALLOCATE cursPermisTable            UPDATE   db name SET     IsSysAdminLogin    Y      FROM       db name TT     INNER JOIN     dbo syslogins SL         ON TT LoginUserName   SL  name      WHERE     SL sysadmin   1           DECLARE cursDNamesAsColumns CURSOR FAST FORWARD LOCAL FOR     SELECT  name      FROM tempdb sys columns     WHERE     OBJECT ID   OBJECT ID  tempdb    db name       AND  name  NOT IN   LoginUserName   IsEmptyRow       ORDER BY  name            OPEN cursDNamesAsColumns           DECLARE       ColN VARCHAR 255        tSQLText NVARCHAR 4000            FETCH NEXT FROM cursDNamesAsColumns INTO  ColN     WHILE   FETCH STATUS   0     BEGIN         SET  tSQLText   N UPDATE   db name SET IsEmptyRow     N   WHERE IsEmptyRow IS NULL AND     QUOTENAME  ColN      IS NOT NULL              --PRINT  tSQLText           EXEC sp executesql  tSQLText       FETCH NEXT FROM cursDNamesAsColumns INTO  ColN     END     CLOSE cursDNamesAsColumns           DEALLOCATE cursDNamesAsColumns           UPDATE   db name SET     IsEmptyRow    Y      WHERE IsEmptyRow IS NULL           UPDATE   db name SET     IsSysAdminLogin    N      FROM       db name TT     INNER JOIN     dbo syslogins SL         ON TT LoginUserName   SL  name      WHERE     SL sysadmin   0           SELECT   FROM   db name           DROP TABLE   db name           DROP TABLE  permission       END TRY BEGIN CATCH     DECLARE      cursDBs Status INT       cursSysSrvPrinName Status INT       cursDatabases Status INT       cursPermisTable Status INT       cursDNamesAsColumns Status INT           SELECT      cursDBs Status   CURSOR STATUS  GLOBAL   cursDBs         cursSysSrvPrinName Status   CURSOR STATUS  GLOBAL   cursSysSrvPrinName         cursDatabases Status   CURSOR STATUS  GLOBAL   cursDatabases         cursPermisTable Status   CURSOR STATUS  GLOBAL   cursPermisTable         cursDNamesAsColumns Status   CURSOR STATUS  GLOBAL   cursPermisTable             IF  cursDBs Status  gt  -2         BEGIN             CLOSE cursDBs               DEALLOCATE cursDBs           END     IF  cursSysSrvPrinName Status  gt  -2         BEGIN             CLOSE cursSysSrvPrinName               DEALLOCATE cursSysSrvPrinName           END     IF  cursDatabases Status  gt  -2         BEGIN             CLOSE cursDatabases               DEALLOCATE cursDatabases           END     IF  cursPermisTable Status  gt  -2         BEGIN             CLOSE cursPermisTable               DEALLOCATE cursPermisTable           END     IF  cursDNamesAsColumns Status  gt  -2         BEGIN             CLOSE cursDNamesAsColumns               DEALLOCATE cursDNamesAsColumns           END     SELECT ErrorNum   ERROR NUMBER   ErrorMsg   ERROR MESSAGE     END CATCH GO    EXEC  master  dbo uspGetPermissionsOfAllLogins DBsOnColumns

User · Answer

This is my first crack at a query  based on Andomar s suggestions   This query is intended to provide a list of permissions that a user has either applied directly to the user account  or through roles that the user has      Security Audit Report 1  List all access provisioned to a sql user or windows user group directly  2  List all access provisioned to a sql user or windows user group through a database or application role 3  List all access provisioned to the public role  Columns Returned  UserName          SQL or Windows Active Directory user account   This could also be an Active Directory group  UserType          Value will be either  SQL User  or  Windows User    This reflects the type of user defined for the                    SQL Server user account  DatabaseUserName  Name of the associated user as defined in the database user account   The database user may not be the                   same as the server user  Role              The role name   This will be null if the associated permissions to the object are defined at directly                   on the user account  otherwise this will be the name of the role that the user is a member of  PermissionType    Type of permissions the user role has on an object  Examples could include CONNECT  EXECUTE  SELECT                   DELETE  INSERT  ALTER  CONTROL  TAKE OWNERSHIP  VIEW DEFINITION  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  PermissionState   Reflects the state of the permission type  examples could include GRANT  DENY  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ObjectType        Type of object the user role is assigned permissions on   Examples could include USER TABLE                     SQL SCALAR FUNCTION  SQL INLINE TABLE VALUED FUNCTION  SQL STORED PROCEDURE  VIEW  etc                       This value may not be populated for all roles   Some built in roles have implicit permission                   definitions            ObjectName        Name of the object that the user role is assigned permissions on                      This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ColumnName        Name of the column of the object that the user role is assigned permissions on  This value                   is only populated if the object is a table  view or a table value function                       --List all access provisioned to a sql user or windows user group directly  SELECT        UserName    CASE princ  type                       WHEN  S  THEN princ  name                      WHEN  U  THEN ulogin  name  COLLATE Latin1 General CI AI                  END       UserType    CASE princ  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                   END         DatabaseUserName    princ  name               Role    null             PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    obj type desc --perm  class desc               ObjectName    OBJECT NAME perm major id        ColumnName    col  name  FROM         --database user     sys database principals princ   LEFT JOIN     --Login accounts     sys login token ulogin on princ  sid    ulogin  sid  LEFT JOIN             --Permissions     sys database permissions perm ON perm  grantee principal id    princ  principal id  LEFT JOIN     --Table columns     sys columns col ON col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  WHERE      princ  type  in   S   U   UNION --List all access provisioned to a sql user or windows user group through a database or application role SELECT        UserName    CASE memberprinc  type                       WHEN  S  THEN memberprinc  name                      WHEN  U  THEN ulogin  name  COLLATE Latin1 General CI AI                  END       UserType    CASE memberprinc  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                   END        DatabaseUserName    memberprinc  name           Role    roleprinc  name              PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    obj type desc --perm  class desc           ObjectName    OBJECT NAME perm major id        ColumnName    col  name  FROM         --Role member associations     sys database role members members JOIN     --Roles     sys database principals roleprinc ON roleprinc  principal id    members  role principal id  JOIN     --Role members  database users      sys database principals memberprinc ON memberprinc  principal id    members  member principal id  LEFT JOIN     --Login accounts     sys login token ulogin on memberprinc  sid    ulogin  sid  LEFT JOIN             --Permissions     sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN     --Table columns     sys columns col on col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  UNION --List all access provisioned to the public role  which everyone gets by default SELECT        UserName      All Users         UserType      All Users          DatabaseUserName      All Users                Role    roleprinc  name              PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    obj type desc --perm  class desc          ObjectName    OBJECT NAME perm major id        ColumnName    col  name  FROM         --Roles     sys database principals roleprinc LEFT JOIN             --Role permissions     sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN     --Table columns     sys columns col on col  object id    perm major id                      AND col  column id    perm  minor id                     JOIN      --All objects        sys objects obj ON obj  object id    perm  major id  WHERE     --Only roles     roleprinc  type     R  AND     --Only public role     roleprinc  name     public  AND     --Only objects of ours  not the MS objects     obj is ms shipped   0 ORDER BY     princ  Name       OBJECT NAME perm major id       col  name       perm  permission name       perm  state desc       obj type desc--perm  class desc

User · Answer

I just added the following to Jeremy s answer because I had a role assigned to the database db datareader which wasn t showing the permissions that role had   I tried going through all of the answers in everyone s posts but couldn t find anything that would do this so I added my own query      SELECT      UserType  Role        DatabaseUserName     Role Members        LoginName   DP2 name      Role   DP1 name       SELECT  AS  PermissionType         PermissionState      GRANT        ObjectType     Table        Schema     dbo        ObjectName     All Tables        ColumnName    NULL FROM sys database role members AS DRM   RIGHT OUTER JOIN sys database principals AS DP1       ON DRM role principal id   DP1 principal id   LEFT OUTER JOIN sys database principals AS DP2       ON DRM member principal id   DP2 principal id   WHERE DP1 type    R  AND DP2 name IS NOT NULL

User · Answer

Great thanks for awesome audit scripts   I highly recommend for audit user use awesome Kenneth Fisher  b   t  stored procedures    sp DBPermissions sp SrvPermissions

User · Answer

Here is my version  adapted from others   I spent 30 minutes just now trying to remember how I came up with this  and  Jeremy  s answer seems to be the core inspiration   I didn t want to update Jeremy s answer  just in case I introduced bugs  so I am posting my version of it here   I suggest pairing the full script with some inspiration taken from Kenneth Fisher s T-SQL Tuesday  What Permissions Does a Specific User Have   This will allow you to answer compliance audit questions bottom-up  as opposed to top-down   EXECUTE AS LOGIN     lt loginname gt    SELECT token name AS GroupNames FROM sys login token token JOIN sys server principals grp     ON token sid   grp sid WHERE token  type     WINDOWS GROUP    AND grp  type     G   REVERT   To understand what this covers  consider Contoso DB AdventureWorks Accounting Windows AD Group with member Contoso John Doe   John Doe authenticates to AdventureWorks via server principal Contoso DB AdventureWorks Logins Windows AD Group   If someone asks you   What permissions does John Doe have    you cannot answer that question with just the below script   You need to then iterate through each row returned by the below script and join it to the above script    You may also need to normalize for stale name values via looking up the SID in your Active Directory provider    Here is the script  without incorporating such reverse look-up logic        --Script source found at    http   stackoverflow com a 7059579 1387418 Security Audit Report 1  List all access provisioned to a sql user or windows user group directly  2  List all access provisioned to a sql user or windows user group through a database or application role 3  List all access provisioned to the public role    Columns Returned  UserName           SQL or Windows Active Directory user account   This could also be an Active Directory group  UserType           Value will be either  SQL User  or  Windows User    This reflects the type of user defined for the                    SQL Server user account  PrinciaplUserName  if UserName is not blank  then UserName else DatabaseUserName PrincipalType      Possible values are  SQL User    Windows User    Database Role    Windows Group  DatabaseUserName   Name of the associated user as defined in the database user account   The database user may not be the                    same as the server user  Role               The role name   This will be null if the associated permissions to the object are defined at directly                    on the user account  otherwise this will be the name of the role that the user is a member of  PermissionType     Type of permissions the user role has on an object  Examples could include CONNECT  EXECUTE  SELECT                    DELETE  INSERT  ALTER  CONTROL  TAKE OWNERSHIP  VIEW DEFINITION  etc                     This value may not be populated for all roles   Some built in roles have implicit permission                    definitions  PermissionState    Reflects the state of the permission type  examples could include GRANT  DENY  etc                     This value may not be populated for all roles   Some built in roles have implicit permission                    definitions  ObjectType         Type of object the user role is assigned permissions on   Examples could include USER TABLE                      SQL SCALAR FUNCTION  SQL INLINE TABLE VALUED FUNCTION  SQL STORED PROCEDURE  VIEW  etc                        This value may not be populated for all roles   Some built in roles have implicit permission                    definitions            ObjectName         Name of the object that the user role is assigned permissions on                       This value may not be populated for all roles   Some built in roles have implicit permission                    definitions  ColumnName         Name of the column of the object that the user role is assigned permissions on  This value                    is only populated if the object is a table  view or a table value function                       DECLARE  HideDatabaseDiagrams BIT   1   --List all access provisioned to a sql user or windows user group directly  SELECT        UserName    CASE dbprinc  type                       WHEN  S  THEN dbprinc  name  -- SQL User                     WHEN  U  THEN sprinc  name  -- Windows User                     WHEN  R  THEN NULL -- Database Role                     WHEN  G  THEN NULL -- Windows Group                     ELSE NULL                  END       UserType    CASE dbprinc  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                      WHEN  R  THEN NULL -- Database Role                     WHEN  G  THEN NULL -- Windows Group                     ELSE dbprinc  type                   END       PrincipalUserName    COALESCE                      CASE dbprinc  type                          WHEN  S  THEN dbprinc  name  -- SQL User                         WHEN  U  THEN sprinc  name  -- Windows User                         WHEN  R  THEN NULL -- Database Role                         WHEN  G  THEN NULL -- Windows Group                         ELSE NULL                      END                       dbprinc  name                           PrincipalType    CASE dbprinc  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                      WHEN  R  THEN  Database Role                      WHEN  G  THEN  Windows Group                   END       DatabaseUserName    dbprinc  name        Role    null       PermissionType    perm  permission name        PermissionState    perm  state desc        ObjectType    obj  type desc  --perm  class desc        ObjectSchema    OBJECT SCHEMA NAME perm major id        ObjectName    OBJECT NAME perm major id        ColumnName    col  name  FROM         --database user     sys database principals dbprinc   LEFT JOIN     --Login accounts     sys server principals sprinc on dbprinc  sid    sprinc  sid  LEFT JOIN             --Permissions     sys database permissions perm ON perm  grantee principal id    dbprinc  principal id  LEFT JOIN     --Table columns     sys columns col ON col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  WHERE      dbprinc  type  in   S   U       AND CASE         WHEN  HideDatabaseDiagrams   1 AND         dbprinc  name     guest          AND                                 obj type desc    SQL SCALAR FUNCTION                  AND OBJECT NAME perm major id     fn diagramobjects                            OR                   obj type desc    SQL STORED PROCEDURE                  AND OBJECT NAME perm major id  IN                                       N sp alterdiagram                       N sp creatediagram                       N sp dropdiagram                       N sp helpdiagramdefinition                       N sp helpdiagrams                       N sp renamediagram                                                    THEN 0         ELSE 1     END   1 UNION --List all access provisioned to a sql user or windows user group through a database or application role SELECT        UserName    CASE memberprinc  type                      WHEN  S  THEN memberprinc  name                      WHEN  U  THEN sprinc  name                      WHEN  R  THEN NULL -- Database Role                     WHEN  G  THEN NULL -- Windows Group                     ELSE NULL                  END       UserType    CASE memberprinc  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                      WHEN  R  THEN NULL -- Database Role                     WHEN  G  THEN NULL -- Windows Group                  END        PrincipalUserName    COALESCE                      CASE memberprinc  type                          WHEN  S  THEN memberprinc  name                          WHEN  U  THEN sprinc  name                          WHEN  R  THEN NULL -- Database Role                         WHEN  G  THEN NULL -- Windows Group                         ELSE NULL                      END                       memberprinc  name                           PrincipalType    CASE memberprinc  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                      WHEN  R  THEN  Database Role                      WHEN  G  THEN  Windows Group                   END        DatabaseUserName    memberprinc  name        Role    roleprinc  name        PermissionType    perm  permission name        PermissionState    perm  state desc        ObjectType    obj type desc --perm  class desc        ObjectSchema    OBJECT SCHEMA NAME perm major id        ObjectName    OBJECT NAME perm major id        ColumnName    col  name  FROM         --Role member associations     sys database role members members JOIN     --Roles     sys database principals roleprinc ON roleprinc  principal id    members  role principal id  JOIN     --Role members  database users      sys database principals memberprinc ON memberprinc  principal id    members  member principal id  LEFT JOIN     --Login accounts     sys server principals sprinc on memberprinc  sid    sprinc  sid  LEFT JOIN     --Permissions     sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN     --Table columns     sys columns col on col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  WHERE         CASE         WHEN  HideDatabaseDiagrams   1 AND         memberprinc  name     guest          AND                                 obj type desc    SQL SCALAR FUNCTION                  AND OBJECT NAME perm major id     fn diagramobjects                            OR                   obj type desc    SQL STORED PROCEDURE                  AND OBJECT NAME perm major id  IN                                       N sp alterdiagram                       N sp creatediagram                       N sp dropdiagram                       N sp helpdiagramdefinition                       N sp helpdiagrams                       N sp renamediagram                                                    THEN 0         ELSE 1     END   1 UNION --List all access provisioned to the public role  which everyone gets by default SELECT        UserName      All Users         UserType      All Users         PrincipalUserName      All Users         PrincipalType      All Users         DatabaseUserName      All Users         Role    roleprinc  name        PermissionType    perm  permission name        PermissionState    perm  state desc        ObjectType    obj type desc --perm  class desc        ObjectSchema    OBJECT SCHEMA NAME perm major id        ObjectName    OBJECT NAME perm major id        ColumnName    col  name  FROM         --Roles     sys database principals roleprinc LEFT JOIN             --Role permissions     sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN     --Table columns     sys columns col on col  object id    perm major id                     AND col  column id    perm  minor id  JOIN      --All objects     sys objects obj ON obj  object id    perm  major id  WHERE     --Only roles     roleprinc  type     R  AND     --Only public role     roleprinc  name     public  AND     --Only objects of ours  not the MS objects     obj is ms shipped   0     AND CASE         WHEN  HideDatabaseDiagrams   1 AND         roleprinc  name     public          AND                                 obj type desc    SQL SCALAR FUNCTION                  AND OBJECT NAME perm major id     fn diagramobjects                            OR                   obj type desc    SQL STORED PROCEDURE                  AND OBJECT NAME perm major id  IN                                       N sp alterdiagram                       N sp creatediagram                       N sp dropdiagram                       N sp helpdiagramdefinition                       N sp helpdiagrams                       N sp renamediagram                                                    THEN 0         ELSE 1     END   1 ORDER BY     dbprinc  Name       OBJECT NAME perm major id       col  name       perm  permission name       perm  state desc       obj type desc--perm  class desc

User · Answer

Awesome script Jeremy and contributors  Thanks   I have a s-ton of users  so running this for all users was a nightmare  I couldn t add comments  so I am posting the whole script with the changes  I added a variable   where clause so I can search for anything matching up to 5 characters in the user name  or all users when left blank   Nothing special  but I thought it would be helpful in some use cases   DECLARE  p userName NVARCHAR 5     UName  -- Specify up to five characters here  or none for all users      Security Audit Report 1  List all access provisioned to a sql user or windows user group directly  2  List all access provisioned to a sql user or windows user group through a database or application role 3  List all access provisioned to the public role  Columns Returned  UserName          SQL or Windows Active Directory user cccount   This could also be an            Active Directory group  UserType          Value will be either  SQL User  or  Windows User    This reflects the type of user defined for the  SQL Server user account  DatabaseUserName  Name of the associated user as defined in the database user account   The database user may not be the same as the server user  Role              The role name   This will be null if the associated permissions to the object are defined at directly on the user account  otherwise this will be the name of the role that the user is a member of  PermissionType    Type of permissions the user role has on an object  Examples could include CONNECT  EXECUTE  SELECT  DELETE  INSERT  ALTER  CONTROL  TAKE OWNERSHIP  VIEW DEFINITION  etc  This value may not be populated for all roles   Some built in roles have implicit permission definitions  PermissionState   Reflects the state of the permission type  examples could include GRANT  DENY  etc  This value may not be populated for all roles   Some built in roles have implicit permission definitions  ObjectType        Type of object the user role is assigned permissions on   Examples could include USER TABLE  SQL SCALAR FUNCTION  SQL INLINE TABLE VALUED FUNCTION  SQL STORED PROCEDURE  VIEW  etc  This value may not be populated for all roles   Some built in roles have implicit permission definitions            ObjectName        Name of the object that the user role is assigned permissions on  This value may not be populated for all roles   Some built in roles have implicit permission definitions  ColumnName        Name of the column of the object that the user role is assigned permissions on  This value is only populated if the object is a table  view or a table value function        DECLARE  userName NVARCHAR 4     p UserName       --List all access provisioned to a sql user or windows user group directly   SELECT    UserName    CASE princ  type                   WHEN  S  THEN princ  name                  WHEN  U  THEN ulogin  name  COLLATE Latin1 General CI AI              END   UserType    CASE princ  type                  WHEN  S  THEN  SQL User                  WHEN  U  THEN  Windows User               END     DatabaseUserName    princ  name           Role    null         PermissionType    perm  permission name           PermissionState    perm  state desc           ObjectType    obj type desc --perm  class desc           ObjectName    OBJECT NAME perm major id    ColumnName    col  name  FROM     --database user sys database principals princ   LEFT JOIN --Login accounts sys login token ulogin on princ  sid    ulogin  sid  LEFT JOIN         --Permissions sys database permissions perm ON perm  grantee principal id    princ  principal id  LEFT JOIN --Table columns sys columns col ON col  object id    perm major id                  AND col  column id    perm  minor id  LEFT JOIN sys objects obj ON perm  major id    obj  object id  WHERE  princ  type  in   S   U     AND princ  name  LIKE  userName  -- Added this line --CSLAGLE UNION --List all access provisioned to a sql user or windows user group through a database or application role SELECT    UserName    CASE memberprinc  type                   WHEN  S  THEN memberprinc  name                  WHEN  U  THEN ulogin  name  COLLATE Latin1 General CI AI              END   UserType    CASE memberprinc  type                  WHEN  S  THEN  SQL User                  WHEN  U  THEN  Windows User               END    DatabaseUserName    memberprinc  name       Role    roleprinc  name          PermissionType    perm  permission name           PermissionState    perm  state desc           ObjectType    obj type desc --perm  class desc       ObjectName    OBJECT NAME perm major id    ColumnName    col  name  FROM     --Role member associations sys database role members members JOIN --Roles sys database principals roleprinc ON roleprinc  principal id    members  role principal id  JOIN --Role members  database users  sys database principals memberprinc ON memberprinc  principal id    members  member principal id  LEFT JOIN --Login accounts sys login token ulogin on memberprinc  sid    ulogin  sid  LEFT JOIN         --Permissions sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN --Table columns sys columns col on col  object id    perm major id                  AND col  column id    perm  minor id  LEFT JOIN sys objects obj ON perm  major id    obj  object id  WHERE memberprinc  name  LIKE  userName -- Added this line --CSLAGLE UNION --List all access provisioned to the public role  which everyone gets by default SELECT    UserName      All Users      UserType      All Users      DatabaseUserName      All Users            Role    roleprinc  name          PermissionType    perm  permission name           PermissionState    perm  state desc           ObjectType    obj type desc --perm  class desc      ObjectName    OBJECT NAME perm major id    ColumnName    col  name  FROM     --Roles sys database principals roleprinc LEFT JOIN         --Role permissions sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN --Table columns sys columns col on col  object id    perm major id                  AND col  column id    perm  minor id                     JOIN  --All objects    sys objects obj ON obj  object id    perm  major id  WHERE --Only roles roleprinc  type     R  AND --Only public role roleprinc  name     public  AND --Only objects of ours  not the MS objects obj is ms shipped   0 ORDER BY princ  Name   OBJECT NAME perm major id   col  name   perm  permission name   perm  state desc   obj type desc--perm  class desc

User · Answer

Here s the most popular answer submitted by Jeremy  but modified to include the sysadmin and disabled flags mentioned by Greg Sipes as well as a log date time column  Best of both worlds     Source  https   stackoverflow com questions 7048839 sql-server-query-to-find-all-permissions-access-for-all-users-in-a-database   Security Audit Report 1  List all access provisioned to a sql user or windows user group directly  2  List all access provisioned to a sql user or windows user group through a database or application role 3  List all access provisioned to the public role  Columns Returned  UserName          SQL or Windows Active Directory user account   This could also be an Active Directory group  UserType          Value will be either  SQL User  or  Windows User    This reflects the type of user defined for the                    SQL Server user account  DatabaseUserName  Name of the associated user as defined in the database user account   The database user may not be the                   same as the server user  Role              The role name   This will be null if the associated permissions to the object are defined at directly                   on the user account  otherwise this will be the name of the role that the user is a member of  PermissionType    Type of permissions the user role has on an object  Examples could include CONNECT  EXECUTE  SELECT                   DELETE  INSERT  ALTER  CONTROL  TAKE OWNERSHIP  VIEW DEFINITION  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  PermissionState   Reflects the state of the permission type  examples could include GRANT  DENY  etc                    This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ObjectType        Type of object the user role is assigned permissions on   Examples could include USER TABLE                     SQL SCALAR FUNCTION  SQL INLINE TABLE VALUED FUNCTION  SQL STORED PROCEDURE  VIEW  etc                       This value may not be populated for all roles   Some built in roles have implicit permission                   definitions            ObjectName        Name of the object that the user role is assigned permissions on                      This value may not be populated for all roles   Some built in roles have implicit permission                   definitions  ColumnName        Name of the column of the object that the user role is assigned permissions on  This value                   is only populated if the object is a table  view or a table value function                       --List all access provisioned to a sql user or windows user group directly  SELECT        UserName    CASE princ  type                       WHEN  S  THEN princ  name                      WHEN  U  THEN ulogin  name  COLLATE Latin1 General CI AI                  END       UserType    CASE princ  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                   END         DatabaseUserName    princ  name               Role    null             PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    obj type desc --perm  class desc               ObjectName    OBJECT NAME perm major id        ColumnName    col  name       sp is disabled      s sysadmin      GETDATE   AS  log date time  FROM         --database user     sys database principals princ   LEFT JOIN     --Login accounts     sys login token ulogin on princ  sid    ulogin  sid  LEFT JOIN             --Permissions     sys database permissions perm ON perm  grantee principal id    princ  principal id  LEFT JOIN     --Table columns     sys columns col ON col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  LEFT JOIN sys syslogins s ON princ sid   s sid LEFT JOIN sys server principals sp ON princ name   sp name WHERE      princ  type  in   S   U   UNION --List all access provisioned to a sql user or windows user group through a database or application role SELECT        UserName    CASE memberprinc  type                       WHEN  S  THEN memberprinc  name                      WHEN  U  THEN ulogin  name  COLLATE Latin1 General CI AI                  END       UserType    CASE memberprinc  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                   END        DatabaseUserName    memberprinc  name           Role    roleprinc  name              PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    obj type desc --perm  class desc           ObjectName    OBJECT NAME perm major id        ColumnName    col  name       sp is disabled      s sysadmin      GETDATE   AS  log date time  FROM         --Role member associations     sys database role members members JOIN     --Roles     sys database principals roleprinc ON roleprinc  principal id    members  role principal id  JOIN     --Role members  database users      sys database principals memberprinc ON memberprinc  principal id    members  member principal id  LEFT JOIN     --Login accounts     sys login token ulogin on memberprinc  sid    ulogin  sid  LEFT JOIN             --Permissions     sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN     --Table columns     sys columns col on col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  LEFT JOIN sys syslogins s ON memberprinc  sid    s sid LEFT JOIN sys server principals sp ON memberprinc  name    sp name UNION --List all access provisioned to the public role  which everyone gets by default SELECT        UserName      All Users         UserType      All Users          DatabaseUserName      All Users                Role    roleprinc  name              PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    obj type desc --perm  class desc          ObjectName    OBJECT NAME perm major id        ColumnName    col  name       sp is disabled      s sysadmin      GETDATE   AS  log date time  FROM         --Roles     sys database principals roleprinc LEFT JOIN             --Role permissions     sys database permissions perm ON perm  grantee principal id    roleprinc  principal id  LEFT JOIN     --Table columns     sys columns col on col  object id    perm major id                      AND col  column id    perm  minor id       LEFT JOIN sys syslogins s ON roleprinc sid   s sid LEFT JOIN sys server principals sp ON roleprinc name   sp name JOIN      --All objects        sys objects obj ON obj  object id    perm  major id  WHERE     --Only roles     roleprinc  type     R  AND     --Only public role     roleprinc  name     public  AND     --Only objects of ours  not the MS objects     obj is ms shipped   0 ORDER BY     princ  Name       OBJECT NAME perm major id       col  name       perm  permission name       perm  state desc       obj type desc--perm  class desc

User · Answer

Can t comment on accepted answer so I ll add some comments here    I second Brad on schemas issue  From MS reference sys objects table contains only schema-scoped objects  So to get info about  higher level  objects  i e  schemas in our case  you need to use sys schemas table  For  ObjectType  it s better to use obj type desc only for OBJECT OR COLUMN permission class  For all other cases use perm  class desc  Another type of permission which is not handled so well with this query is IMPERSONATE  To get info about impersonations one should LEFT JOIN with sys database principals on perm major id   imp principal id With my experience it s better to replace sys login token with sys server principals as it will show also SQL Logins  not only Windows ones One should add  G  to allowed principal types to allow Windows groups Also  one can exclude users sys and INFORMATION SCHEMA from resulting table  as these users are used only for service    I ll post first piece of script with all proposed fixes  other parts should be changed as well   SELECT        UserName    ulogin  name        UserType    CASE princ  type                      WHEN  S  THEN  SQL User                      WHEN  U  THEN  Windows User                      WHEN  G  THEN  Windows Group                   END         DatabaseUserName    princ  name               Role    null             PermissionType    perm  permission name               PermissionState    perm  state desc               ObjectType    CASE perm  class                           WHEN 1 THEN obj type desc               -- Schema-contained objects                         ELSE perm  class desc                   -- Higher-level objects                    END              ObjectName    CASE perm  class                           WHEN 1 THEN OBJECT NAME perm major id   -- General objects                         WHEN 3 THEN schem  name                 -- Schemas                         WHEN 4 THEN imp  name                   -- Impersonations                    END       ColumnName    col  name  FROM         --database user     sys database principals princ   LEFT JOIN     --Login accounts     sys server principals ulogin on princ  sid    ulogin  sid  LEFT JOIN             --Permissions     sys database permissions perm ON perm  grantee principal id    princ  principal id  LEFT JOIN     --Table columns     sys columns col ON col  object id    perm major id                      AND col  column id    perm  minor id  LEFT JOIN     sys objects obj ON perm  major id    obj  object id  LEFT JOIN     sys schemas schem ON schem  schema id    perm  major id  LEFT JOIN     sys database principals imp ON imp  principal id    perm  major id  WHERE      princ  type  IN   S   U   G   AND     -- No need for these system accounts     princ  name  NOT IN   sys    INFORMATION SCHEMA

User · Answer

A simple query that shows only whether you are a SysAdmin or not     IF IS SRVROLEMEMBER   sysadmin     1      print  Current user  s login is a member of the sysadmin role    ELSE IF IS SRVROLEMEMBER   sysadmin     0      print  Current user  s login is NOT a member of the sysadmin role    ELSE IF IS SRVROLEMEMBER   sysadmin   IS NULL      print  ERROR  The server role specified is not valid

[sql-server] SQL Server query to find all permissions/access for all users in a database

Examples related to sql-server

Examples related to sql-server-2005

Examples related to sql-server-2008