How to view the roles and permissions granted to any database user in Azure SQL server instance? How to view the roles and permissions granted to any database user in Azure SQL server instance? sql-server sql-server

How to view the roles and permissions granted to any database user in Azure SQL server instance?


sql-server azure azure-sql-database azure-sql

Per the MSDN documentation for sys.database_permissions, this query lists all permissions explicitly granted or denied to principals in the database you're connected to:

SELECT DISTINCT pr.principal_id, pr.name, pr.type_desc,     pr.authentication_type_desc, pe.state_desc, pe.permission_nameFROM sys.database_principals AS prJOIN sys.database_permissions AS pe    ON pe.grantee_principal_id = pr.principal_id;

Per Managing Databases and Logins in Azure SQL Database, the loginmanager and dbmanager roles are the two server-level security roles available in Azure SQL Database. The loginmanager role has permission to create logins, and the dbmanager role has permission to create databases. You can view which users belong to these roles by using the query you have above against the master database. You can also determine the role memberships of users on each of your user databases by using the same query (minus the filter predicate) while connected to them.

sql-server azure azure-sql-database azure-sql

To view database roles assigned to users, you can use sys.database_role_members

The following query returns the members of the database roles.

SELECT DP1.name AS DatabaseRoleName,       isnull (DP2.name, 'No members') AS DatabaseUserName   FROM sys.database_role_members AS DRM  RIGHT OUTER JOIN sys.database_principals AS DP1      ON DRM.role_principal_id = DP1.principal_id  LEFT OUTER JOIN sys.database_principals AS DP2      ON DRM.member_principal_id = DP2.principal_id  WHERE DP1.type = 'R'ORDER BY DP1.name;

sql-server azure azure-sql-database azure-sql

Building on @tmullaney 's answer, you can also left join in the sys.objects view to get insight when explicit permissions have been granted on objects. Make sure to use the LEFT join: 

SELECT DISTINCT pr.principal_id, pr.name AS [UserName], pr.type_desc AS [User_or_Role], pr.authentication_type_desc AS [Auth_Type], pe.state_desc,    pe.permission_name, pe.class_desc, o.[name] AS 'Object'     FROM sys.database_principals AS pr     JOIN sys.database_permissions AS pe ON pe.grantee_principal_id = pr.principal_id    LEFT JOIN sys.objects AS o on (o.object_id = pe.major_id)

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last