Security View Usage

一，在Database level上，主要有 sys.database_principals， sys.database_permissions 和 sys.database_role_members。

Script1，查询数据库中 role 和 其Member(SQL User)的关系

select dbp_r.name as RoleName,dbp_r.type_desc as RoleTypeDesc,
    dbp_r.authentication_type_desc as Role_authentication_type_desc,
    dbp_u.name as UserName,dbp_u.type_desc as UserTypeDesc,
    dbp_u.authentication_type_desc as user_authentication_type_desc
from sys.database_role_members dbrm
inner join sys.database_principals dbp_r
    on dbrm.role_principal_id=dbp_r.principal_id and dbp_r.type=N'R'
inner join sys.database_principals dbp_u
    on dbrm.member_principal_id=dbp_u.principal_id and dbp_u.type =N'S'

Script2， Listing all the permissions of database principals

SELECT pr.principal_id, pr.name, pr.type_desc, pr.authentication_type_desc, 
    pe.permission_name,pe.class_desc,pe.state_desc
FROM sys.database_principals AS pr
Inner JOIN sys.database_permissions AS pe
    ON pe.grantee_principal_id = pr.principal_id;

Script3，Listing permissions on schemas or objects within a database

--查看对Object授予的权限
SELECT pr.principal_id, pr.name, pr.type_desc, 
    pr.authentication_type_desc, pe.state_desc, 
    pe.permission_name,pe.class_desc, s.name + '.' + o.name AS ObjectName
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
    ON pe.grantee_principal_id = pr.principal_id
JOIN sys.objects AS o
    ON pe.major_id = o.object_id
JOIN sys.schemas AS s
    ON o.schema_id = s.schema_id
where pe.class =1;


--查看对Schema授予的权限
SELECT pr.principal_id, pr.name, pr.type_desc, 
    pr.authentication_type_desc, pe.state_desc, 
    pe.permission_name,pe.class_desc, s.name AS SchemaName
FROM sys.database_principals AS pr
JOIN sys.database_permissions AS pe
    ON pe.grantee_principal_id = pr.principal_id
JOIN sys.schemas AS s
    ON pe.major_id = s.schema_id
where pe.class =3;

参考：sys.database_permissions (Transact-SQL)

二，在Server Level上，后续研究....

 

参考文档：

Security Catalog Views (Transact-SQL)