Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

public user - SQL Server 2008 R2

Posted on 2014-03-19
1
338 Views
Last Modified: 2014-03-25
Good afternoon,

I ran the query listed below to retrieve the permissions that have been granted explicitly to users:

select usr.name as UserName,
case when perm.state <> 'W' then perm.state_desc else 'GRANT' end as PerType,
schema_name(perm.major_id) as SchemaName,
perm.permission_name as PermissionName,
Schema_name(obj.schema_id) as ObjectSchemaName,
obj.name as ObjectName,
user_name(obj.principal_id) as ObjectOwner,
perm.class_desc as ClassDescription,
obj.type_desc as ObjectType,
case when cl.column_id is null then '--' else cl.name end as ColName,
case when perm.state = 'W' then 'X' else '--' end as 'IsGrantOption'
from sys.database_permissions as perm
left outer join sys.all_objects as obj
on perm.major_id = obj.[object_id]
inner join sys.database_principals as usr
on perm.grantee_principal_id = usr.principal_id
left join sys.columns as cl
on cl.column_id = perm.minor_id and cl.[object_id] = perm.major_id
order by UserName asc
go

The query works fine but I do have a question:

Is this query enough to determine if other explicit permissions --besides those granted by default-- have been granted to the public database user? I have a left join with the columns and the objects so I am aware that I'll get more permissions than those that are particular to the database that I am evaluating.

In addition, since I am somewhat new to SQL Server in general, I was wondering what the risks are, if any, with having the public user with permissions to views, tables, stored procedures from the "sys" object schema name?

Thanks!
0
Comment
Question by:VicBel
1 Comment
 
LVL 39

Accepted Solution

by:
lcohan earned 500 total points
ID: 39940369
you can simply run

exec sp_helprotect;

against your SQL database in order to get accurate security information.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
Ever needed a SQL 2008 Database replicated/mirrored/log shipped on another server but you can't take the downtime inflicted by initial snapshot or disconnect while T-logs are restored or mirror applied? You can use SQL Server Initialize from Backup…
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
This video shows, step by step, how to configure Oracle Heterogeneous Services via the Generic Gateway Agent in order to make a connection from an Oracle session and access a remote SQL Server database table.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question