'Security'에 해당되는 글 1건
- 2012.08.23 권한 조회
SQL Server 2005 이상
1. 서버 수준 권한
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | --======================--1. 서버수준의권한--======================select spr.name, spr.type, spr.type_desc, spr.default_database_name, spr.default_language_name, spm.class_desc, spm.permission_name, spm.state_desc, suser_name(srm.role_principal_id) as server_role_namefrom sys.server_principals as spr with (nolock) inner join sys.server_permissions as spm (nolock) on spm.grantee_principal_id = spr.principal_id left join sys.server_role_members as srm with (nolocK) on spr.name = suser_name(srm.member_principal_id)where spr.type in ('S','U','K', 'G') --C, R --and spr.name = '' -- 유저로하나찾기order by spr.type,spr.name-- 유저하나의role member 보기select suser_name(role_principal_id), suser_name(member_principal_id)from sys.server_role_members where member_principal_id = suser_id('') |
2. DB 수준 권한
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 | use testdbgoEXEC sp_dbfixedrolepermission;GOSELECT * FROM sys.fn_builtin_permissions(DEFAULT)SELECT * FROM sys.fn_builtin_permissions(DEFAULT) WHERE permission_name = 'SELECT';-- 사용자 role 고정 role 권한 정보SELECT DPR.NAME, IS_FIXED_ROLE --,DPR.TYPE_DESC --,USER_NAME(DRM.MEMBER_PRINCIPAL_ID) AS USER_NAME ,USER_NAME(DRM.ROLE_PRINCIPAL_ID) AS ROLE_NAMEFROM SYS.DATABASE_PRINCIPALS AS DPR WITH (NOLOCK) LEFT JOIN SYS.DATABASE_ROLE_MEMBERS DRM WITH (NOLOCK) ON DPR.PRINCIPAL_ID = DRM.MEMBER_PRINCIPAL_IDWHERE DPR.TYPE ='R'ORDER BY DPR.NAME-- role별 사용자 정보SELECT USER_NAME(DRM.ROLE_PRINCIPAL_ID) AS 'ROLE_NAME' ,USER_NAME(DRM.MEMBER_PRINCIPAL_ID) AS 'LOGIN'FROM SYS.DATABASE_ROLE_MEMBERS AS DRM WITH(NOLOCK) JOIN SYS.DATABASE_PRINCIPALS AS DPM WITH(NOLOCK) ON DRM.ROLE_PRINCIPAL_ID = DPM.PRINCIPAL_IDWHERE DPM.TYPE ='R' AND DPM.IS_FIXED_ROLE = 0ORDER BY USER_NAME(DRM.ROLE_PRINCIPAL_ID) select dpr.name, dpr.type_desc, dpr.default_schema_name, user_name(drm.member_principal_id) as user_name, user_name(drm.role_principal_id) as role_namefrom sys.database_principals as dpr with (nolock) inner join sys.database_role_members drm with (nolock) on dpr.principal_id = drm.member_principal_id--where name = '' -- role이나 유저정보order by 1,2-- DB별로 사용자와 ROLE이 어떤 객체의 권한을 가지고 있는지 여부select dpr.name, dpr.type_desc, dpr.default_schema_name, dpm.class_desc, case when dpm.major_id = 0 then 'ALL' else obj.name end as object_name, dpm.permission_name, dpm.state_descfrom sys.database_principals as dpr with (nolock) left join sys.database_permissions as dpm with (nolock) on dpr.principal_id = dpm.grantee_principal_id left outer join sys.all_objects as obj with (nolock) on dpm.major_id = obj.object_id--where dpr.name = '' -- 하나의유저나 혹은 role 이름이나 모두 가능order by dpr.type, dpr.name-- 사용자 role member 상세 보기select dpr.name, dpr.type_desc, dpr.default_schema_name, user_name(drm.member_principal_id) as user_name, user_name(drm.role_principal_id) as role_name, case when dpm.major_id = 0 then 'ALL' else OBJECT_NAME(dpm.major_id) end as object_name, dpm.permission_name, dpm.state_descfrom sys.database_principals as dpr with (nolock) left join sys.database_permissions as dpm with (nolock) on dpr.principal_id = dpm.grantee_principal_id inner join sys.database_role_members drm with (nolock) on dpr.principal_id = drm.member_principal_id --left outer join sys.all_objects as obj with (nolock) on dpm.major_id = obj.object_id -- 안해도 된다.--where dpr.type = 'R' -- DATABASE_ROLE --and dpr.name = '' /* S = SQL 사용자 U = Windows 사용자 G = Windows 그룹 A = 응용 프로그램 역할 R = 데이터베이스 역할 C = 인증서로 매핑된 사용자 K = 비대칭 키로 매핑된 사용자 */ORDER BY dpr.name, 5 |
3. 권한 제거 Script 생성
1 2 3 4 5 6 7 8 9 10 11 12 | -- object 권한 제거select schema_name(obj.schema_id) as schema1, case when dpm.major_id = 0 then 'ALL' else OBJECT_NAME(dpm.major_id) end as object_name, dpm.state_desc, ('REVOKE ' + dpm.permission_name COLLATE Korean_Wansung_CI_AS + ' ON OBJECT::' + schema_name(obj.schema_id)+ '.' + OBJECT_NAME(dpm.major_id) + ' FROM ' + dpr.name ) from sys.database_principals as dpr with (nolock) inner join sys.database_permissions as dpm with (nolock) on dpr.principal_id = dpm.grantee_principal_id inner join sys.objects as obj with (nolock) on dpm.major_id = obj.object_idwhere dpr.name ='' and dpm.permission_name = 'EXECUTE' |
SQL Server 2000 이상
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | --==========================-- 2000용--==========================select name, createdate, updatedate, dbname from master..sysloginswhere name != 'sa' and name not like '#%' order by name;exec sp_helpsrvrolememberexec sp_helprolemember-- 객체정보select distinct table_catalog, grantee, table_name , PRIVILEGE_TYPE --('REVOKE ' + PRIVILEGE_TYPE + ' ON ' + table_name+ ' FROM ' + grantee ) from INFORMATION_SCHEMA.COLUMN_PRIVILEGESselect grantee, table_catalog, table_schema, table_name, privilege_type, is_grantablefrom INFORMATION_SCHEMA.TABLE_PRIVILEGESwhere grantee = ''select specific_catalog, specific_name, * from INFORMATION_SCHEMA.PARAMETERS |
Prev
