[EN] Sunday Market–SQL Permissions by Idera (part two)

CaptureSQLPermissionThe second part of my previous post is still about SQL Permission – free tool from Idera. In previous I wrote about installation post. In this post I’ll showhow look script from one of my database: by default: instance, all databases, all bermissions, all logins, all users. It’s small database (SQL Server 2012 (Denali) CTP3 Express Edition) but the result of script is very large: over seventy pages in MS Word document. Yay! I loose weight (freed some space by deleting sixty pages) of this file by deleting all part of the code begins with:

USE [msdb]

GO

Grant EXECUTE ON [dbo].[xxx] TO [yyy] 

GO

 

Hope it will help to reading quick and understanding this script. Full version of the script You can download from my SlideShare profile (HERE). OK, let’s go to the script, how it looks?

Part.1 | Creating special permissions with login MS_PolicyEventProcessingLogin, creating and executing query

/*********** Permissions Script for WRON023\KEYKO Login

##MS_PolicyEventProcessingLogin## Generated 2011-10-16 16:22:45 ***************/

 

 

–Scripting Server Login (password is null) and Default Database

/* For security reasons the login is created disabled and with a random password. */

IF NOT EXISTS (SELECT * FROM sys.server_principals

WHERE name = N’##MS_PolicyEventProcessingLogin##’)

BEGIN

CREATE LOGIN [##MS_PolicyEventProcessingLogin##]

WITH PASSWORD=N’îK”îΓN_g•Â_!é@ôz«7_§Oæö½_VˬU#4′,

DEFAULT_DATABASE=[master],

DEFAULT_LANGUAGE=[us_english],

CHECK_EXPIRATION=OFF,  CHECK_POLICY=ON

ALTER LOGIN [##MS_PolicyEventProcessingLogin##] DISABLE

END

 

 

–Scripting Server Roles

USE [master]

GO

 

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’##MS_PolicyEventProcessingLogin##’)

CREATE USER [##MS_PolicyEventProcessingLogin##]

FOR LOGIN [##MS_PolicyEventProcessingLogin##]

WITH DEFAULT_SCHEMA=[dbo]

 

–Scripting Object and Statement Permissions

USE [master]

GO

Grant CONNECT ON Database::[master] TO [##MS_PolicyEventProcessingLogin##] 

GO

 

USE [msdb]

GO

 

 

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’##MS_PolicyEventProcessingLogin##’)

CREATE USER [##MS_PolicyEventProcessingLogin##]

FOR LOGIN [##MS_PolicyEventProcessingLogin##]

WITH DEFAULT_SCHEMA=[dbo]

 

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’PolicyAdministratorRole’ AND type = ‘R’)

CREATE ROLE [PolicyAdministratorRole] AUTHORIZATION [dbo]

 

 

–Scripting Database Role Members

USE [msdb]

GO

 

exec sp_addrolemember N’PolicyAdministratorRole’, N’##MS_PolicyEventProcessingLogin##’

GO

 

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentOperatorRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentOperatorRole] AUTHORIZATION [dbo]

 

USE [msdb]

GO

Grant EXECUTE ON [dbo].[sp_enum_login_for_proxy] TO [SQLAgentOperatorRole] 

GO

 

exec sp_addrolemember N’SQLAgentOperatorRole’, N’##MS_PolicyEventProcessingLogin##’

GO

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentReaderRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentReaderRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’SQLAgentReaderRole’, N’##MS_PolicyEventProcessingLogin##’

GO

 

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentUserRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentUserRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’SQLAgentUserRole’, N’##MS_PolicyEventProcessingLogin##’

GO

Part.2 | Creating special permissions with login MS_PolicyTsqlExecutionLogin: creating and executing query

 

/*********** Permissions Script for WRON023\KEYKO

Login ##MS_PolicyTsqlExecutionLogin## Generated 2011-10-16 16:22:51 ***************/

 

 

–Scripting Server Login (password is null) and Default Database

/* For security reasons the login is created disabled and with a random password. */

IF NOT EXISTS (SELECT * FROM sys.server_principals

WHERE name = N’##MS_PolicyTsqlExecutionLogin##’)

BEGIN

CREATE LOGIN [##MS_PolicyTsqlExecutionLogin##]

WITH PASSWORD=N’_á*³*óÎõÁ·¹%"_G) š¹`&]ç(æØ]þX*0_’,

DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english],

CHECK_EXPIRATION=OFF,  CHECK_POLICY=ON

ALTER LOGIN [##MS_PolicyTsqlExecutionLogin##] DISABLE

END

 

 

–Scripting Server Roles

USE [msdb]

GO

 

 

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’##MS_PolicyTsqlExecutionLogin##’)

CREATE USER [##MS_PolicyTsqlExecutionLogin##]

FOR LOGIN [##MS_PolicyTsqlExecutionLogin##]

WITH DEFAULT_SCHEMA=[dbo]

 

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’PolicyAdministratorRole’ AND type = ‘R’)

CREATE ROLE [PolicyAdministratorRole] AUTHORIZATION [dbo]

 

–Scripting Database Role Members

USE [msdb]

GO

 

exec sp_addrolemember N’PolicyAdministratorRole’, N’##MS_PolicyTsqlExecutionLogin##’

GO

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentOperatorRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentOperatorRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’SQLAgentOperatorRole’, N’##MS_PolicyTsqlExecutionLogin##’

GO

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentReaderRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentReaderRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’SQLAgentReaderRole’, N’##MS_PolicyTsqlExecutionLogin##’

GO

 

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentUserRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentUserRole] AUTHORIZATION [dbo]

 

 

exec sp_addrolemember N’SQLAgentUserRole’, N’##MS_PolicyTsqlExecutionLogin##’

GO

 

–Scripting Object and Statement Permissions

USE [msdb]

GO

Grant CONNECT ON Database::[msdb] TO [##MS_PolicyTsqlExecutionLogin##] 

GO

 

Part.3 | Creating special permissions with builtin logins Users / SYSTEM / NT AUTHORITY / NT SERVICE / sa / SQLSRVReportingServices / SQLSRVAdmin / “current user”: creating and executing query

/*********** Permissions Script for WRON023\KEYKO

Login BUILTIN\Users Generated 2011-10-16 16:22:53 ***************/

 

–Scripting Server Login (password is null) and Default Database

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’BUILTIN\Users’)

BEGIN

CREATE LOGIN [BUILTIN\Users] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]

END

 

 

–Scripting Server Roles

/*********** Permissions Script for WRON023\KEYKO

Login NT AUTHORITY\SYSTEM Generated 2011-10-16 16:22:55 ***************/

 

–Scripting Server Login (password is null) and Default Database

 

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’NT AUTHORITY\SYSTEM’)

BEGIN

CREATE LOGIN [NT AUTHORITY\SYSTEM] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]

END

 

–Scripting Server Roles

 

exec sp_addsrvrolemember N’NT AUTHORITY\SYSTEM’, N’sysadmin’

GO

 

 

/*********** Permissions Script for WRON023\KEYKO

Login NT SERVICE\MSSQL$KEYKO Generated 2011-10-16 16:22:57 ***************/

 

 

–Scripting Server Login (password is null) and Default Database

 

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’NT SERVICE\MSSQL$KEYKO’)

BEGIN

CREATE LOGIN [NT SERVICE\MSSQL$KEYKO] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]

END

 

–Scripting Server Roles

 

exec sp_addsrvrolemember N’NT SERVICE\MSSQL$KEYKO’, N’sysadmin’

GO

 

/*********** Permissions Script for WRON023\KEYKO

Login sa Generated 2011-10-16 16:22:58 ***************/

 

–Scripting Server Login (password is null) and Default Database

/* For security reasons the login is created disabled and with a random password. */

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’sa’)

BEGIN

CREATE LOGIN [sa] WITH PASSWORD=N’¶„áqùm‚G·kƒj_ÂÈò)[¤ã2

ÉY_vY

%¹’, DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english], CHECK_EXPIRATION=OFF,  CHECK_POLICY=ON

EXEC sys.sp_addsrvrolemember @loginame = N’sa’, @rolename = N’sysadmin’

ALTER LOGIN [sa] DISABLE

END

 

–Scripting Server Roles

exec sp_addsrvrolemember N’sa’, N’sysadmin’

GO

 

/*********** Permissions Script for WRON023\KEYKO

Login WRON023\KoprowskiT Generated 2011-10-16 16:23:00 ***************/

 

–Scripting Server Login (password is null) and Default Database

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’WRON023\KoprowskiT’)

BEGIN

CREATE LOGIN [WRON023\KoprowskiT] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]

END

 

–Scripting Server Roles

 

exec sp_addsrvrolemember N’WRON023\KoprowskiT’, N’sysadmin’

GO

 

/*********** Permissions Script for WRON023\KEYKO

Login WRON023\SQLSRVAdmin Generated 2011-10-16 16:23:02 ***************/

 

–Scripting Server Login (password is null) and Default Database

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’WRON023\SQLSRVAdmin’)

BEGIN

CREATE LOGIN [WRON023\SQLSRVAdmin] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]

END

 

–Scripting Server Roles

 

exec sp_addsrvrolemember N’WRON023\SQLSRVAdmin’, N’sysadmin’

GO

 

/*********** Permissions Script for WRON023\KEYKO

Login WRON023\SQLSRVReporting Generated 2011-10-16 16:23:04 ***************/

 

–Scripting Server Login (password is null) and Default Database

IF NOT EXISTS (SELECT * FROM sys.server_principals WHERE name = N’WRON023\SQLSRVReporting’)

BEGIN

CREATE LOGIN [WRON023\SQLSRVReporting] FROM WINDOWS WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english]

END

 

–Scripting Server Roles

 

USE [master]

GO

 

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’WRON023\SQLSRVReporting’)

CREATE USER [WRON023\SQLSRVReporting]

FOR LOGIN [WRON023\SQLSRVReporting]

WITH DEFAULT_SCHEMA=[WRON023\SQLSRVReporting]

 

–Create Database Role

USE [master]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’RSExecRole’ AND type = ‘R’)

CREATE ROLE [RSExecRole] AUTHORIZATION [dbo]

 

 

–Scripting Database Role Members

USE [master]

GO

 

exec sp_addrolemember N’RSExecRole’, N’WRON023\SQLSRVReporting’

GO

 

 

–Scripting Object and Statement Permissions

USE [master]

GO

Grant CONNECT ON Database::[master] TO [WRON023\SQLSRVReporting] 

GO

 

USE [msdb]

GO

 

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’WRON023\SQLSRVReporting’)

CREATE USER [WRON023\SQLSRVReporting]

FOR LOGIN [WRON023\SQLSRVReporting]

WITH DEFAULT_SCHEMA=[WRON023\SQLSRVReporting]

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’RSExecRole’ AND type = ‘R’)

CREATE ROLE [RSExecRole] AUTHORIZATION [dbo]

  

 

–Scripting Database Role Members

USE [msdb]

GO

 

exec sp_addrolemember N’RSExecRole’, N’WRON023\SQLSRVReporting’

GO

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentOperatorRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentOperatorRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’SQLAgentOperatorRole’, N’WRON023\SQLSRVReporting’

GO

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentReaderRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentReaderRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’SQLAgentReaderRole’, N’WRON023\SQLSRVReporting’

GO

 

–Create Database Role

USE [msdb]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’SQLAgentUserRole’ AND type = ‘R’)

CREATE ROLE [SQLAgentUserRole] AUTHORIZATION [dbo]

 

 

exec sp_addrolemember N’SQLAgentUserRole’, N’WRON023\SQLSRVReporting’

GO

 

–Scripting Object and Statement Permissions

USE [msdb]

GO

Grant CONNECT ON Database::[msdb] TO [WRON023\SQLSRVReporting] 

GO

 

USE [ReportServer$KEYKO]

GO

  

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’WRON023\SQLSRVReporting’)

CREATE USER [WRON023\SQLSRVReporting]

FOR LOGIN [WRON023\SQLSRVReporting]

WITH DEFAULT_SCHEMA=[WRON023\SQLSRVReporting]

 

–Scripting Database Role Members

USE [ReportServer$KEYKO]

GO

 

exec sp_addrolemember N’db_owner’, N’WRON023\SQLSRVReporting’

GO

 

–Create Database Role

USE [ReportServer$KEYKO]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’RSExecRole’ AND type = ‘R’)

CREATE ROLE [RSExecRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’RSExecRole’, N’WRON023\SQLSRVReporting’

GO

 

 

–Scripting Object and Statement Permissions

USE [ReportServer$KEYKO]

GO

Grant CONNECT ON Database::[ReportServer$KEYKO] TO [WRON023\SQLSRVReporting] 

GO

 

USE [ReportServer$KEYKOTempDB]

GO

 

 

–Grant Database Access

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’WRON023\SQLSRVReporting’)

CREATE USER [WRON023\SQLSRVReporting]

FOR LOGIN [WRON023\SQLSRVReporting]

WITH DEFAULT_SCHEMA=[WRON023\SQLSRVReporting]

 

 

–Scripting Database Role Members

USE [ReportServer$KEYKOTempDB]

GO

 

exec sp_addrolemember N’db_owner’, N’WRON023\SQLSRVReporting’

GO

 

–Create Database Role

USE [ReportServer$KEYKOTempDB]

GO

IF NOT EXISTS (SELECT * FROM sys.database_principals

WHERE name = N’RSExecRole’ AND type = ‘R’)

CREATE ROLE [RSExecRole] AUTHORIZATION [dbo]

 

exec sp_addrolemember N’RSExecRole’, N’WRON023\SQLSRVReporting’

GO

 

–Scripting Object and Statement Permissions

USE [ReportServer$KEYKOTempDB]

GO

Grant CONNECT ON Database::[ReportServer$KEYKOTempDB] TO [WRON023\SQLSRVReporting] 

GO

 

 

/*** WARNING: SQLpermssions is freeware – use it at your own risk. ***/

/*** There are potential security issues with copying logins and permissions ***/

/*** from one SQL Server to another. By using SQLpermissions, you acknowledge ***/

/*** and knowingly accept these risks. It is recommended that users take steps ***/

/*** to thoroughly evaluate the necessity of replicating logins and permissions ***/

/*** before using this tool. Idera shall not be liable for any damages you may ***/

/*** sustain by using this tool, whether direct, indirect, special, incidental ***/

/*** or consequential, even if it has been advised of the possibility of such damages.***/

[EN] Sunday Market–SQL Permissions by Idera (part one)

CaptureSQLPermissionThe third (and fourth) episodes in my non-frequently series: Sunday Market is about Idera too. Yes I know, not only Idera giving You free tools, I’ll try show other tools in future episodes. But this tim I’m writing about nice tool for checking permissions for our SQL Server.

If You need (like some of my client or collegues) move logins and permissions between servers, providing simple audity (like view logins and permissions) or scripting (Yes it’s for You ScriptingGuys), You can use free SQL Premission 2.0 tool. In this case I’ll show in few pictures and some functions of free Idera product SQL Permission s2.0. For free download You must:
>> go to Idera SQL Permissions 2.0 site HERE
>> fill registration data
>> checking Your mail box for download link

Very easy, isn’t? Just exactly same process like in first two episodes. When You get software, just install it:
 
PHASE ONE:
Capture_Idera_PermissionCheck_01
Pic.1 | Pre-Installation software checking for SQL Server 2005 Backward Compability Components (I’ll write shortly in next post about BCC)
Capture_Idera_PermissionCheck_02
Pic.2 | Installation failed – because is not supported on… Windows 7 SP1 x64
Capture_Idera_PermissionCheck_03
Pic.3 | We can install BCC before and re-run installator …
Capture_Idera_PermissionCheck_04
Pic.4 | …and if we not use SQL Server 2005, we can ignore tis eror.
 
PHASE TWO:
Capture_Idera_PermissionCheck_05
Pic.5 | Installation process is typical
Capture_Idera_PermissionCheck_06
Pic.6 | Welcome screen…
Capture_Idera_PermissionCheck_07
Pic.7| Licensing agreement…
Capture_Idera_PermissionCheck_08
Pic.8 | User name, organizasion and… first permission
Capture_Idera_PermissionCheck_09
Pic.9 | We can choose destination folder…
Capture_Idera_PermissionCheck_10
Pic.10 | …and run software
Capture_Idera_PermissionCheck_11
Pic.11 | At the end we can finish only, or finish and run application
 
PHASE THREE:
Capture_Idera_PermissionCheck_12
Pic.12 | First window with parameters
Capture_Idera_PermissionCheck_13
Pic.13 | When we click Select SQL Server Instances we have possibility to choose one from the list
Capture_Idera_PermissionCheck_14
Pic.14 | We must connect to the Instance…
Capture_Idera_PermissionCheck_15
Pic.15 | It’s good way to check connections
Capture_Idera_PermissionCheck_16
Pic.16 | Next we can choose which database and which user are interesting for us (all ar one from many or many from many)
Capture_Idera_PermissionCheck_17
Pic.17 | Next we should choose destination folder…
Capture_Idera_PermissionCheck_18

Pic.18 | and at the end we get some information about risk of use

It’s almost all, except… the result of our SQL Permissions check. Lets go to the second post with the code…